Sarah Henderson (Victoria, Liberal Party) Share this | Hansard source

It's my pleasure to rise and make a contribution on the Security Legislation Amendment (Critical Infrastructure) Bill 2021. I want to start my contribution by saying very clearly that the national security threat in this country has changed quite dramatically, as the director-general of ASIO made very clear in evidence during the last estimates. Foreign interference and espionage will soon overtake terrorism as the biggest national security threat to Australia. We have, of course, a very proud history of combating the physical threats to Australia's national security. For instance, since September 2014 Australia's law enforcement agencies have disrupted 21 major terrorist attack plots, 138 people have been charged as a result of 66 counterterrorism related operations around Australia and 50 terrorist offenders are currently behind bars for committing a Commonwealth terrorism offence. I'm very pleased to say that the Australian government has passed 22 tranches of national security legislation.

But, as we've just heard in the excellent contribution from Senator Paterson, who is the chair of the PJCIS, the increasingly larger threat to Australia's national security is in the threat posed by cyberattack—digital disruption—and other non-physical ways in which Australia's freedoms, its democracy and its national security can be compromised. That is why this particular bill is so important. The PJCIS has done an incredible amount of very fine work to identify the urgent need to pass this bill and to implement these emergency powers as well as to conduct further consultation with industry in relation to the second tranche of amendments to our law that are required.

I want to briefly reflect on my first speech in this place. I certainly raised my concerns about the protection of critical infrastructure back in October 2019, when I spoke about the need to keep our nation strong and the need to protect Australia's security and strategic interests and how we had taken enormous strides to combat terrorism and foreign interference, support our intelligence agencies and build our defence capability. But I also made the very strong point that, when things aren't working, we have to call them out. At that time, Australia's critical infrastructure assets weren't appropriately protected—our airports, our power stations, our data networks, our communications infrastructure and our ports, including the port of Darwin. I made the point very strongly that they should not be falling into foreign hands when there was a national security threat. Since that time, led by the Treasurer, there have been some very important reforms to our foreign acquisition laws so that critical infrastructure is better protected, the sale of critical infrastructure to foreign interests can be stopped on national security grounds and the disposition of critical infrastructure assets can be forced on national security grounds. On that note, as an aside, I welcome the Minister for Defence's decision to launch a Department of Defence investigation into the long-term leasehold of the Port of Darwin by a Chinese-owned company. I welcome the work that the Minister for Defence is doing in that regard.

As we've heard in this debate, Australia has seen increasing cyberthreats and attacks on critical infrastructure such as water services, airports, hospitals and even our own parliamentary network. Throughout 2019-20, Australia's critical infrastructure sectors were regularly targeted by malicious cyberactors seeking to exploit and harm victims for profit. For example, multiple regional hospitals were the victims of a cyberattack, and as a result some health services to large regional communities, including surgeries, were disrupted. A major national food wholesaler was the victim of a cyberattack which affected its systems and temporarily disrupted its ability to provide food to Australians at a time of unprecedented pressure on the food and grocery sector. A water provider had its control system encrypted by ransomware. Had the system not been restored quickly enough from backups, that could have disrupted the supply of potable water to a regional population hub, and it had the potential to impact the economy, given the reliance of primary industry on this water supply. In June last year the Prime Minister advised that the Australian government was aware that Australia's critical infrastructure was being targeted by a sophisticated state-based actor.

In the 2020-21 financial year alone, the Australian Cyber Security Centre received over 67,500 cybercrime reports—an average of one every eight minutes—representing an increase of nearly 13 per cent over the previous year. Cybercrime reports recorded total self-reported financial losses of more than $33 billion. In particular, as we have heard in this debate, Australia has seen a worrying escalation of ransomware attacks on individuals and businesses, exacerbated by the fact that cybercriminals are now moving away from low-level ransomware operations and towards attacks which extract heavy ransoms from large or high-profile organisations. These cybercriminals can cause—and are causing—enormous damage in the way they are encrypting networks, extracting data and often threatening to publish stolen material online. These attacks go to the heart of Australia's democracy and its freedom, and they represent a grave threat not just to our economy but also to our national security.

The Morrison government is committed to protecting Australia's critical infrastructure to secure the essential services all Australians rely on—everything from electricity and water to health care and groceries. The intelligence agencies, which do so much fine work to keep Australians safe, have raised the red flag on the urgent need to act quickly to take further action to protect our critical infrastructure. Amendments to the Security Legislation Amendment (Critical Infrastructure) Bill 2020 will ensure that the government is well placed to assist entities which are responsible for critical infrastructure assets to respond to serious cyberattacks as the first step in the strengthening of Australia's critical infrastructure security.

The reforms outlined in this amended bill will strengthen Australia's ability to respond to serious cyberattacks on critical infrastructure in a number of different ways. The bill expands the definition of 'critical infrastructure' to include the energy, communications, financial services, defence industry, higher education and research, data storage or processing, food and grocery, health care and medical, space technology, transport, and water and sewerage sectors. It introduces a cyber incident reporting regime for critical infrastructure assets. When critical infrastructure assets are under attack we need to know about it, and we need to know about it urgently, so that we—government, intelligence agencies and industry—can work together to combat these attacks. The bill also makes government assistance available to industry as a last resort and subject to appropriate limitations. The government will be able to provide assistance immediately prior to, during or following a significant cybersecurity incident to ensure the continued provision of essential services.

Recent cyberattacks and security threats to Australian critical infrastructure make these reforms critically important to deliver, and of course they reflect the response to the recommendations from the Parliamentary Joint Committee on Intelligence and Security, which has brought forward these elements as a priority. The reforms will bring our response to cyberattacks more in line with the government's responses to threats in the physical world. As I mentioned at the beginning of my contribution, we can be mightily proud of the way in which we have combatted terrorism, but this is the new frontier, where no physical presence on our soil is necessary to represent a serious threat to our national security and our economy.

Importantly, the legislation will enable the government to provide emergency assistance or directions immediately before, during or after a significant cybersecurity incident to mitigate and restore essential services. As we know, nearly every essential service is run by sophisticated digital networks via sophisticated communications systems, and that of course makes the delivery of those services so much more efficient and ensures that we have state-of-the-art services in this country. But having all of this critical infrastructure underpinned by very sophisticated digital networks also presents new vulnerabilities in the way in which we are required to protect this infrastructure.

So this is a very important bill. This is a very important bill for Australia's democracy, for our economy and for our national security. I commend the work of the PJCIS in bringing forward its recommendations to ensure that our government works and acts quickly to address the further reforms which are required. I commend this bill to the Senate.