Senate debates

Monday, 22 November 2021

Bills

Security Legislation Amendment (Critical Infrastructure) Bill 2021; Second Reading

6:53 pm

James Paterson (Victoria, Liberal Party)

I rise to speak on the Security Legislation Amendment (Critical Infrastructure) Bill 2021. I'm pleased to have the opportunity to do so, having chaired the inquiry into the legislation. The Parliamentary Joint Committee on Intelligence and Security tabled its report out of session, so I'll speak to our recommendations as well as to this bill. At the outset, I thank my fellow members of the PJCIS, in particular the former deputy chair, Mr Byrne, and the shadow minister for home affairs, Senator Keneally, for the constructive and bipartisan way they worked with me and Liberal colleagues on the committee for our report and its recommendations.

Every 32 minutes a critical infrastructure asset suffers a cyberattack by a state or non-state actor. COVID-19 has seen a shift to even more of our lives being online, deepening our reliance on digital systems to navigate life and business like never before. Throughout the pandemic, the total number of reported cyberattacks in Australia increased by 13 per cent.

Many Australians are familiar with the criminal ransomware gangs and their for-profit motives in launching cyberattacks to extort economic advantage for themselves personally. These are serious and ever-present threats to the cybersecurity of our businesses large and small, as well as to individual Australians. Recent high-profile attacks against JBS Foods, the Nine Network and Colonial Pipeline powerfully illustrate the broader cost of these tactics to our economy.

However, the trend which focused the minds of PJCIS members the most on the urgent challenge facing us is the involvement of nation-states who use the cyber-realm as a new frontier to threaten our security, our sovereignty and our freedom. Our cyberchallenges are increasing in complexity as a result of the evolving security environment in the Indo-Pacific region. Grey-zone tactics which lie between peace and war, where foreign states use cyberintrusion and digital espionage, among other tools, to threaten our interests, are increasingly being relied upon, particularly by authoritarian states. Independent experts who appeared before the PJCIS told us that it was likely that foreign state actors are already prepositioned on sensitive networks and that that presence could be activated against our interests as a prelude to a regional crisis. ASIO Director-General Mike Burgess recently confirmed this fear as part of his annual report to the parliament, reaffirming the very real and serious risk we face as a nation and the urgent need to respond decisively.

Given how interconnected our digital systems are, it is not very difficult to imagine the society-wide consequences if, for example, our financial system were shut down, or if our food supply chains were suddenly disrupted. This would be debilitating, not only for individual Australian citizens but also for our country and particularly for our ability to project power into the region. With the evolving cyberthreat, it is clear that the digital world is the new battlefield, and Australia, along with our critical infrastructure service providers, needs to be armed to respond.

The recent public attribution, by Australia and many of our allies, of the Microsoft Exchange attack to the Chinese government and its agents is a concrete and recent example of this danger. It also highlights how there's not always a clear distinction between state and non-state actors when it comes to cyberthreats, with the Australian Signals Directorate's Rachel Noble telling the PJCIS that the Chinese government effectively propped open the doors of businesses around the world to enable cybertheft and extortion to take place by criminal actors.

It is worth noting in passing that there is a very high technical and political threshold for attributing cyberattacks. So the decision to do so in this instance by so many countries, including the European Union, NATO, all of the Five Eyes members and Japan, is a significant one. There have, of course, been other high-profile attempted and successful cyberintrusions which have not been publicly attributed, including against this parliament, against our political parties and against the Australian National University.

There is a clear recognition from both government and industry that we need to do more to protect our nation against these sophisticated cyberthreats. Our security agencies urgently need emergency powers to defend us from these threats. Of equal importance, however, is the need for critical infrastructure providers themselves to harden their own defences against this attack and to protect the essential services that we all rely upon. They have an obligation to do so, not just to protect their employees, their shareholders and their customers but in the national interest.

The PJCIS has considered this bill over the past year, over four public hearings and with 88 submissions also supplemented by classified briefings from security agencies on the threat environment. The challenge that the committee faced in this inquiry was to find an appropriate balance between, on one hand, what has been clearly demonstrated as an urgent need for the emergency intervention powers and, on the other hand, the legitimate concerns from industry that additional regulation could impose a financial burden and, particularly, could do so at a time that is sensitive for our economy as we recover from the pandemic.

In 14 recommendations, the committee has advised the government to adopt a two-step approach towards strengthening Australia's critical infrastructure against cyberattacks in particular. This two-step approach would give our security agencies the emergency tools they need to counter the urgent cyberthreats, in one bill, while giving industry additional time to finalise the co-design process of additional security obligations in a collaborative way with the government. The committee has recommended that the government legislate, in this first bill, those last-resort intervention powers for the Australian Signals Directorate, the expansion of the number of sectors captured by this legislation from four to 11, and the enhanced cyberincident reporting obligations. The proposed government amendments to the Security Legislation Amendment (Critical Infrastructure) Bill 2020 do just that.

The committee proposed immediate passage for these three key provisions and the associated enabling clauses because they were the most urgent and essential, and because the other clauses of the bill, whilst still important, attracted the most concern during the inquiry process. I do acknowledge that, while the broadest concern aired in the inquiry related to the positive security obligations recommended to proceed in a second bill after further consultation, there was opposition to the emergency assistance powers—in particular, from the tech sector. These are extraordinary powers and, while the committee did understand the desire on the part of the tech sector for their use to be judicially reviewable, given the clearly stated intention of the government for them only to be used in crisis scenarios, we did not think it was workable or desirable for these issues to be litigated in the courts in the event of a major national emergency. Instead, the PJCIS has recommended that it is notified of any use of these powers and that we'd be briefed on the circumstances of their use. This will allow the committee, on behalf of the parliament, to ensure that they are genuinely only used as a last resort, as the government has outlined.

The government is carefully considering the rest of the committee's recommendations, and I want to thank the government, in particular, the Minister for Home Affairs, Karen Andrews, for its engagement with the committee and for the implementation of our recommendations so far, reflected in this amended bill that we're debating today. I'd also like to thank the Director-General of the Australian Signals Directorate, Rachel Noble, and the head of the Australian Cyber Security Centre, Abigail Bradshaw, for their candid engagement with the committee and for the vitally important work that they do in combating these serious threats to our country. It's my hope that, equipped with these powers, and, ultimately, the passage of the second bill, these key agencies are able to work with industry, effectively to combat these threats.

The emergency reforms outlined in the amended bill will strengthen Australia's ability to respond to serious cyberattacks on critical infrastructure by expanding the definition of 'critical infrastructure' to now include energy; communications; financial services; the defence industry; higher education and research; data storage or processing; food and groceries; health care and medical; space technology; transport; and water and sewerage sectors, and by also introducing that cyberincident reporting regime for critical infrastructure assets. That's particularly important to make sure that we have a complete and full picture of the threat environment that we face. In evidence put to the committee, it is clear that there is underreporting of those cyberincidents and that there may be many more incidents occurring and, indeed, potentially, payments being made by firms in response to ransomware that are never reported and which we're never aware of. We do need to have a full picture.

Finally, we are making government assistance available to industry as a last resort, and subject to those appropriate limitations. This is the need outlined very articulately by the secretary of Home Affairs, Mike Pezzullo, in his evidence before the committee in July this year. He said that he would prefer to have that power on the statute books tonight. We haven't quite delivered as a parliament by getting them on the statute books in July, but I hope that very soon we'll have them on the statute books—after royal assent. That's because it is absolutely important our agencies have the powers they need to respond to that crisis scenario, although we hope it will never eventuate.

Recent cyberattacks and security threats to Australian critical infrastructure make these reforms critically important to deliver. It's true that most companies do willingly cooperate with the Australian Signals Directorate when they suffer an attack. The government assistance mechanisms are an important tool of last resort to assist companies that are unwilling or unable to respond to a serious cyberincident. Unfortunately, during our inquiry, the committee did hear an example of at least one systemically important business that failed to cooperate with authorities in a timely way, leading to a nationwide disruption of its services. This business was then reinfected in a second attack. In the event of a crisis, our security agencies must have last-resort powers to avoid a situation like this and to keep critical infrastructure up and running if providers are unwilling or unable to do so themselves. These are world-leading powers which are vital for the task at hand, but they will be subject to strong safeguards and appropriate oversights.

There may be other businesses, as I said before, who have never reported that they were under attack. While the volume of cybercrime reporting has increased, the Cyber Security Centre stated in its latest annual threat report that reported cybersecurity incidents may not reflect all the cyberthreats and trends in Australia's cybersecurity environment. Mandatory cyberincident reporting for critical infrastructure assets will give the government a clear picture of the cyberthreat environment. This will ensure that our cybersecurity policies and the significant powers that we entrust our security agencies with accurately reflect and are proportionate to the threats and trends in Australia's cybersecurity environment.

Of course, cybersecurity is not just the government's job. Industry has a vital role to play, too. The passage of the subsequent bill, after further consultation and co-design, is essential to ensure a comprehensive response to the long-term security of our critical infrastructure. The second phase of these reforms will be implemented according to the PJCIS recommendations by further amending the Security of Critical Infrastructure Act and capturing those remaining elements of the SOCI bill, in particular the risk management program, the systems of national significance and the enhanced cybersecurity obligations.

I encourage industry and the Department of Home Affairs to continue to work productively together through the co-design process to refine the proposed regulations that make sure we strike the right balance so we can deliver those additional protections that we all agree are necessary. It is my hope that, by the time any revised second bill is referred to the PJCIS, the major concerns industry raised through the first inquiry will have been resolved so that we can quickly deal with it and it can be expeditiously legislated. While Australia has not yet suffered a catastrophic attack on critical infrastructure, as other speakers have said in this debate, sadly we are not immune, and the increasingly interconnected nature of critical infrastructure exposes vulnerabilities that could result in significant consequences for our security, our economy and our sovereignty. This demands both a swift response, which we are dealing with today, and a comprehensive response, which I hope we deal with in short order. I'm confident that the two-step approach adopted by the government to urgently expedite emergency powers for our security agencies to protect Australia's critical infrastructure does just that, and I commend the bill to the Senate.