Senate debates

Monday, 22 November 2021

Bills

Security Legislation Amendment (Critical Infrastructure) Bill 2021; Second Reading

7:18 pm

Perin Davey (NSW, National Party)

I rise to speak on the Security Legislation Amendment (Critical Infrastructure) Bill 2021. The increasingly interconnected nature of critical infrastructure exposes vulnerabilities in our nation and for our national security that could result in significant consequences, not just for security but for our economy and our sovereignty. Attacks on our critical infrastructure require a joint response involving government, business and individuals, reflecting the interrelated nature of the threat. Our government is already working in partnership with critical infrastructure entities to co-design sector-specific requirements to manage and respond to security risks across critical infrastructure sectors. The government will continue to work with these entities that are responsible for critical infrastructure to ensure that, as we go forward, a second phase of reforms is implemented in a manner that secures appropriate outcomes without imposing unnecessary or disproportionate regulatory burdens. But the reforms outlined in this bill will strengthen our existing ability to respond to serious cyberattacks on critical infrastructure by expanding the definition of critical infrastructure, by including a cybersecurity incident reporting regime for critical infrastructure assets, and by making government assistance available to industry as a last resort and subject to appropriate limitations. These reforms are necessary because, while we haven't suffered a catastrophic attack on critical infrastructure to date, we are not immune, and we have seen attacks overseas that we don't want to see repeated in our own markets.

International cyber incidents, such as the ransomware attack on US company Colonial Pipeline which affected the distribution of fuel to customers on the east coast of the United States, demonstrate the potential for these attacks to cause devastating harm. We are facing increasing cybersecurity threats to our essential services, businesses and all levels of government. In the past two years we've seen cyberattacks on federal parliamentary networks, the logistics sector, the medical sector and on universities, just to mention a few, and while, thankfully, they didn't have significant consequences, they certainly had consequences that we need to address, and we need to make sure we are protected in the future.

The Australian Cyber Security Centre's Annual cyber threat report contains an overview of the cyberthreats affecting Australia and how the ACSC is responding, and provides vital advice on how all Australians and Australian organisations can protect themselves against those threats. In the 2020-21 financial year the ACSC received over 67,500 cybercrime reports, an average of one every eight minutes, representing an increase of nearly 13 percent on the previous financial year. Cybercrime reports admitted via ReportCyber at cyber.gov.au recorded total self-reported financial losses of more than $33 billion. Ransom demands by cybercriminals range from thousands to millions of dollars. Almost 500 ransomware-related cybercrime reports were received via the ReportCyber website, which is an increase of nearly 15 percent compared with the previous financial year. And cyber criminals are moving away from low-level ransomware operations. They are moving towards extracting hefty ransoms from large or high-profile organisations through increasingly sophisticated technological mechanisms. To increase the likelihood of ransoms being paid, these cybercriminals are encrypting networks and exfiltrating data, then threatening to publish stolen information on the internet.

These shifts in targeting and tactics have intensified the ransomware threat to Australian organisations across all sectors, including critical infrastructure, which is why these reforms are so important. These reforms will be implemented through strengthening the Australian government's capacity to identify and manage the national security risks of espionage, sabotage and coercion resulting from foreign involvement in Australia's critical infrastructure. The government amendments to this bill, the Security Legislation Amendment (Critical Infrastructure) Bill 2021, which amends the Security of Critical Infrastructure Act 2018, have been made to expand the security of critical infrastructure to cover 11 critical infrastructure sectors. This includes energy, communications, financial services, defence industry, higher education and research, data storage and processing, food and grocery, health care, medical, space technology, transport, and water and sewage sectors—all sectors that are vitally important to our day-to-day lives and to the lifestyle we have grown accustomed to in our nation.

The amendments will also apply the reporting obligations of critical infrastructure ownership and operational information to the register of critical infrastructure assets to the added critical infrastructure sectors. It will allow the government to mandate cyberincident reporting for critical infrastructure sectors to the Australian Signals Directorate's Australian Cyber Security Centre. It will also introduce government assistance measures providing powers for the government to respond to security incidents that seriously prejudice Australia's prosperity, national security and defence. Importantly, it will enable the Parliamentary Joint Committee on Intelligence and Security, PJCIS, to conduct a review of the operation, effectiveness and implications of the bill not less than three years from when the bill receives royal assent. That point is vitally important, because that adds to the scrutiny capacity of this parliament over the bill, to make sure that it is operating effectively, efficiently and as intended. It will allow the PJCIS to have an overview and a watching sight of how the bill is being implemented and to provide a review and any relevant recommendations when the review is conducted in three years time. As a member of the parliamentary committees for the scrutiny of bills and delegated legislation, I find that parliamentary scrutiny over such issues is very important and adds to the robustness of our legislation going forward.

The government assistance powers that are proposed as part of this bill have been proposed as a result of the consultations, which revealed a strong community expectation that, in emergency circumstances and as a matter of last resort, the government will use its technical expertise to protect Australia's national interests and restore the functioning of essential services. Collaborative resolution will always remain the most effective method of resolving an incident, and that is why it is the government's first preference to work with industries and with our critical infrastructure providers to maintain our national security. However, it is the government's ultimate responsibility to protect the availability of Australia's critical infrastructure, and, in such emergency circumstances, it is crucial that the government has last-resort powers to respond to the incident or mitigate its impact.

The government recognises that industry should and will, usually, be the first responder to the vast majority of cybersecurity incidents, with the support of government where necessary. However, under the provisions in this bill, the government does maintain the ultimate responsibility—as would be expected by the Australian public—and this is in Australia's national interests. So, as a last resort, government assistance will enable the government to protect critical infrastructure sector assets in the event of an imminent attack, during an attack or following a significant cyberattack. These last-resort powers may only be exercised where a cybersecurity incident has occurred, is occurring or is imminent; where an incident has had, is having or is likely to have a relevant impact on a critical infrastructure asset; or where there is a material risk that the incident has seriously prejudiced, will seriously prejudice or is likely to seriously prejudice the social or economic stability of Australia or its people, the defence of Australia or national security. They could also be brought in where there is no existing regulatory mechanism that can be used to address the cyberattack. The intervention power may only be authorised once the Minister for Home Affairs has sought agreement from the Prime Minister and the Minister for Defence. It is not a free-for-all. There are protections built in to ensure that it is truly used as a mechanism of last resort.

I want to reiterate that this bill has been consulted on. It's very important to understand the level of consultation that has occurred. From August to September, the Australian government consulted publicly on this bill and on protecting critical infrastructure and systems of national significance through the consultation paper. There were over 2,000 participants from over 500 entities who took part in town hall meetings, sector-specific workshops and bilateral meetings to support the development of the reforms, including the sector-specific thresholds.

The Department of Home Affairs received 194 submissions on the consultation paper, and in November 2020 the government consulted publicly on an exposure draft of the bill. Home Affairs also spoke to over a thousand individuals during that public consultation on the exposure draft, which opened on 9 November and closed on 27 November. There were also 122 further submissions received during the exposure draft consultation period. There were also the PJCIS hearings and, as we acknowledged at the time, many sectors have had multiple challenges to deal with during the pandemic.

In saying that, the consultation on this bill has been thorough. Amendments have been made in response to that consultation and the bill, as it now stands, is robust and fit for purpose, and I commend it to the chamber.
