Senate debates

Monday, 22 November 2021

Bills

Security Legislation Amendment (Critical Infrastructure) Bill 2021; Second Reading

6:38 pm

Concetta Fierravanti-Wells (NSW, Liberal Party)

Over quite some years, I have repeatedly spoken about the national interest and our national sovereignty in reducing our dependency on the Communist regime in Beijing. As part of this, I have continued to stress how vital it is that we overhaul our critical infrastructure and foreign investment framework. This includes expanding the parameters of national interests to ensure we protect our national sovereignty. We need to look at practical ways to protect that sovereignty, starting with the port of Darwin. Post pandemic, we need to debate some difficult issues, including a clear direction on how we will ensure that we do not place ourselves in the same circumstances.

To date, critical infrastructure ownership has been, regrettably, restricted to ports and utilities assets like gas, water and electricity. Notwithstanding that, many of our critical assets, like the port of Darwin, are in the hands of entities with close ties to Beijing. I have been calling for critical infrastructure legislation to be strengthened to expand the coverage of this legislation to more sectors, including banking, finance, food and groceries, agriculture, health and medical, transport, data, communications and IT, and airports. Indeed, the Bills Digests for the Security of Critical Infrastructure Bill 2017 noted several stakeholders had suggested that the legislation should apply to additional sectors, including those that I have been advocating for. Regrettably, the Parliamentary Joint Committee on Intelligence and Security, which inquired into the bill in March 2018, was satisfied that additional sectors did not need to be included. However, it recommended the government:

… review and develop measures to ensure that Australia has a continuous supply of fuel to meet its national security priorities.

And as part of that process:

… should consider whether critical fuel assets should be subject to the Security of Critical Infrastructure Bill 2017.

I am pleased that finally the PJCIS has come to the realisation that it made a mistake, including about critical fuel assets, and that the Morrison government has finally worked out that protecting Australia's critical infrastructure to secure the essential services that all Australians rely on—everything from electricity and water to health care and groceries—is long overdue. It seems to have finally dawned on the Morrison government, despite the many warnings, that the increasingly interconnected nature of critical infrastructure exposes vulnerabilities that have, I believe, already resulted in significant consequences to our security, economy and sovereignty.

The PJCIS reported on the SCI bill in September 2021. The government has followed the advice of the committee and split the bill. Bill No. 1 addresses three components. Firstly, the reforms outlined in the amended bill will strengthen Australia's ability to respond to serious cyberattacks on critical infrastructure by expanding the definition of critical infrastructure to include the energy, communications, financial services, defence industry, higher education and research, data storage or processing, food and grocery, health care and medical, space technology, transport, and water and sewerage sectors. Secondly, the bill introduces a cyberincident reporting regime for critical infrastructure assets. Thirdly, it makes government assistance available to industry as a last resort and subject to appropriate limitations. Government will be able to provide assistance immediately prior to, during and following a significant cybersecurity incident to ensure the continued provision of essential services.

Recent cyberattacks and security threats to Australian critical infrastructure make these reforms critically important to deliver. The objects of the SCI Act are to improve transparency and facilitate cooperation and coordination between the various levels of government in Australia. The aim of this is to allow information to be collected so that risks that may exist within current structures can be readily understood and managed. Whilst these changes are overdue, as I have also advocated, we should look at expanding restrictions that could be imposed to prevent acquisition, lease et cetera by entities, whether Australian owned or controlled or with foreign directors or directors with dual nationalities taking over Australian businesses or companies, including looking at reciprocity of ownership. There seems to be no legal or constitutional reason to prevent the SCI Act from being expanded to cover the subject of ownership as well as its current subject areas. I note the comments of the committee regarding the overall review of the act and how it will now be undertaken more effectively after the passage of bill 1.

I reiterate another concern that was raised by the committee in its report regarding the unknown regulatory burden of positive security obligations on industry. In submissions to the committee, an overwhelming concern from industry representatives was the unknown nature of the majority of the regulatory impact or burden to be imposed by the proposed new provisions. While the bill outlines and defines the types of obligations and some of the elements of those obligations that industries will have to comply with, most of the detail of what businesses will have to do and by what means is not prescribed in the bill. This detail is proposed to be designed and outlined in rules to be presented in delegated legislation. Without certainty regarding definitions and regulatory requirements, affected industries cannot plan for the potential impact and cost of the framework's requirements.

As chair of the Senate Standing Committee on the Scrutiny of Delegated Legislation, I believe this bill highlights yet again the propensity of the executive to relegate important obligations to delegated legislation. I welcome the committee's comments at paragraph 2.61 of its report. While this process of designating rules outside of the legislation is identified as providing for flexibility and consultation, most industry submitters expressed a preference for this detail to be included in the primary legislation, or that detail to be negotiated and provided in instruments to be considered alongside an amending bill before the framework be considered and passed through parliament. Indeed, at paragraph 3.6 the committee goes on to assert:

The significant detail left to be resolved by sector rules in delegated legislation instead of in the primary legislation does not allow the Committee, the Parliament, or the effected entities sufficient confidence of the full impact of the legislation.

I now turn to other concerns. The committee examines the threat to be countered, noting that the:

…threat of cyber security vulnerability and malicious cyber activity has become increasingly evident in recent years.

When outlining these threats and the increasing challenge of preparing, hardening and countering assets, Mr Mike Pezzullo, AO, Secretary of the Department of Home Affairs, stated:

Basic cyber security protections will always help, but malicious actors, such as cybercriminals, state sponsored actors and state actors themselves will defeat the best defences that firms, families and individuals can buy. We have to do what we can, of course, to defend our own networks and devices against known vulnerabilities.

The bill presupposes that any attack would come from external forces, but what if the threat comes from within the entity? What concerns me are the number of companies and subsidiary companies of overseas state-owned entities that operate across a broad spectrum of our economy and, more pertinently, the number who have majority or part ownership of critical assets. As the committee points out in its report:

The application of asset definitions only to assets that are located within Australia… further confuses the potential application to digital elements of critical infrastructure entities that have parts of their functional infrastructure or data located offshore…

As I have reiterated in speeches in this place which explore the legal contours of Chinese-controlled investment in Australia, there's a paper that I have previously cited by professors Roman Tomasic and senior lecturer Ping Xiong which stated that in 2003 China established the State-owned Assets Supervision and Administration Commission which oversees state shares in major SOEs. That paper states that in 2016 there were 66 major Chinese SOEs with a presence in Australia across most industry sectors. Of these, 39 were centrally controlled with 139 subsidiaries. The other 29 were provisionally controlled with 84 subsidiaries. We know that for Chinese companies corporate governance is limited. Rather, they are subject to corporate social responsibility norms underpinned by article 19 of China's company law, which requires that the Communist Party of China have its operatives embedded in their organisations to carry out their activities. The CCP is front and centre of SOEs, irrespective of whether they operate inside or outside China. Further and probably most significant is the issue of Australian businesses carried on by, or land acquired from, government—be that Commonwealth, state, territory or local government—not being subject to foreign acquisition procedures under the FATA Act, except if proposed to sell to a foreign government investor and if the subject of the sale was public infrastructure. A foreign government investor includes foreign governments, state-owned corporations and corporations in which a foreign government or separate government entity alone or together with one or more associates hold a substantial interest. This exemption afforded to acquisition of land or business from governments is very troubling given the nature of the pronouncements by Premier Dan Andrews in Victoria and his Belt and Road Initiative plans, as well as the extent of the reach of agreements between China and Premier McGowan's WA government.

This is the critical point that must be considered: the Commonwealth can regulate activities of governments only if there is a constitutional head of power that allows it to do so. In broadening any national security test consideration of the removal of the exemption relating to governments will be a critical test of the government's political fortitude in effecting real change. Hence, unless we remove that exemption so that all acquisitions by foreign entities are subjected to scrutiny and the national interest test, we will not address the elephant in the room—namely, investment by the CCP and its entities in Australia, especially in strategic assets. There has not, as far as I know, been any update to this listing. There is no public listing of PRC companies or PRC invested projects in Australia. The most accurate source of this is the PRC itself, but the PRC investment and corporate presence in Australia to some extent is held within Treasury. These figures are not publicly available and are often simply approvals rather than records of actual investments. China, obviously, has the best figures, but they are not publicly available. China has established a chamber of commerce in Australia to oversee the activities of its state owned entities, both national and provincial.

This body is highly influential, given it represents the owners of many billions of dollars. It branches right across the broad spectrum of energy, aviation, foreign relations, financial industry sectors, legal—you name it, they're there. The massive financial power, and thus influence, of this body on Australian companies and governments has not yet been fully appreciated. It is time that the public was made aware of the corporate reach of these PRC SOE companies, and this includes details of what government agencies know of their holdings and activities. A public database of Australian assets owned by Chinese entities or entities of countries with state owned entities that own assets would be an informative national resource for economic and security purposes, but, to my knowledge, such a database does not exist.

Accordingly, I found the recent ABC program on the Pandora papers, on 4 October, to be a very informative program. Indeed, it reaffirmed my concerns, which I have raised in the Senate, with respect to foreign investment matters. I do not normally agree with Senator Whish-Wilson, but I do agree that there should be a public beneficial-owners register. Indeed, I am on the record urging the government to establish a register so that Australians can know—indeed, they should know—about foreign ownership of assets in Australia. All Australians are entitled to know who owns what in their country, especially who owns those critical assets that are vitally important if attacks, particularly attacks from within, happen. Therefore, amendments to the SCI Act are the first step in strengthening Australia's critical infrastructure security, but there is, I fear, a lot more work still to be done.
