Anne Ruston (SA, Liberal Party, Minister for Families and Social Services) Share this | Hansard source

This Security Legislation Amendment (Critical Infrastructure) Bill 2021 responds to the recommendations of the Parliamentary Joint Committee on Intelligence and Security's advisory report on the bill and the statutory review of the Security of Critical Infrastructure Act 2018. The government acknowledges and thanks the committee for its work, both in relation to this bill and to other government national security priorities.

Cybersecurity threats targeting Australia's national and economic interests are increasing in frequency, scale and sophistication. Twenty-five per cent of cybersecurity incidents that the Australian Signals Directorate responded to last year were found to be targeting the nation's critical infrastructure, including energy, water, telecommunications providers and our essential health networks. As the Director-General of Security noted in his recent annual report, there is:

… potential for Australia's adversaries to pre-position malicious code in critical infrastructure, particularly in areas such as telecommunications and energy. Such cyber enabled activities could be used to damage critical networks in the future.

And:

Australia's threat environment is complex, challenging and changing.

This brings into focus the importance of these amendments and why the government has accepted the committee's recommendation to expedite the introduction of these important measures. The PJCIS has made 14 recommendations in the advisory report, notably, including that the bill be split into two, with a first bill to incorporate the measures to respond to cyberincidents and cyberincident reporting, as well as associated definitions and powers, and for a second bill to be introduced following industry consultation to include the remaining preventative measures. The PJCIS indicated that the measures in the bill should be legislated in the shortest possible time, given the moral imperative of the government and our security agencies to harden our essential services and ensure the continued safety of the Australian community.

The measures in the bill will expand the scope of the Security of Critical Infrastructure Act to include assets in an additional 11 industry sectors as critical infrastructure assets; provide a mechanism to require cyberincident reporting; enable government responses to serious cybersecurity incidents; and retain associated definitions and powers. The bill also includes a provision that the PJCIS may conduct a review of the operation's effectiveness and implications of the reformed security of the critical infrastructure legislative framework in the Security of Critical Infrastructure Act not less than three years from when this bill receives royal assent in accordance with recommendation 14 of the advisory report. The government will respond to the remaining PJCIS recommendations relating to the second bill as soon as possible.

Engagement with industry will not stop with the passage of this bill. The government will continue to work collaboratively with industry to support the implementation of their obligations with the ultimate goal of reducing the likelihood and the severity of catastrophic impacts to Australia's critical infrastructure. Malicious cyberactivity represents a threat to Australia's way of life. It can undermine our sovereignty, democratic institutions, economy and national security, and it is the responsibility of all Australians to protect themselves against it. Accelerated digitisation during the pandemic has made Australia more vulnerable to cybersecurity threats and emboldened malicious actors. These measures will be a step towards ensuring cyber-resilience for all Australians.

I commend the bill to the Senate. I also table a correction to the revised explanatory memorandum relating to this bill.