Senate debates

Monday, 22 November 2021

Motions

Security Legislation Amendment (Critical Infrastructure) Bill 2021; Second Reading

12:35 pm

Kristina Keneally (NSW, Australian Labor Party, Deputy Leader of the Opposition in the Senate)

I rise to speak on the Security Legislation Amendment (Critical Infrastructure) Bill 2021. In 2019 the Prime Minister, Mr Morrison, called a big press conference here at Parliament House. He fronted the media with his then ministers for Home Affairs and Defence standing beside him. He told Australians we were under attack. He said that Australian organisations and Australia's critical infrastructure, including all levels of government, were subject to sophisticated and malicious cyberattacks.

The threat that Mr Morrison spoke about that day is very real and very sophisticated. It's a threat that demands an equally sophisticated response. Instead, in 2019 Australia got just another Mr Morrison photo-op: an announcement. It has taken more than two years to get the follow-up. That's what this bill is today: two years later, after the photo-op, we finally get the follow-up. In that time the Morrison government has allowed its cybersecurity strategy to expire, even as the Australian Cyber Security Centre amplified its warnings that the cyberthreat was growing in its scale and complexity. In that time the Morrison government ignored urgent advice to do even the bare minimum to uplift Australian cybersecurity, such as by introducing a mandatory ransomware payment scheme, instead leaving this to the opposition, to Labor, to introduce before finally adopting Labor's call for a national ransomware strategy.

In the time since Mr Morrison's big announcement the cybersecurity threat environment has continued to shift and evolve, and the bill we are considering today is very different to the one the Morrison government originally sought to pass: a bill that was referred to the Parliamentary Joint Committee on Intelligence and Security. That this bill today is so very different to the Morrison government's original bill underscores the importance of the bipartisan Intelligence and Security Committee and its important role in scrutinising legislation in the national interest. This bill is so very different to the government's original legislation because the committee unanimously agreed that, quite simply, the Morrison government had not finished its work on this bill and that the work it had done, it had not done well enough.

The original bill sought to uplift security and resilience in all critical infrastructure sectors, promising that the government would work in partnership with responsible entities of critical infrastructure assets to establish a clear, effective, consistent and proportionate approach to the security of critical infrastructure. The government promised that it would ensure these new requirements did not duplicate existing regulatory frameworks. The bill proposed four major areas of reform. The first was to expand the coverage of critical infrastructure from four to 11 sectors; second, to introduce positive security obligations for critical infrastructure assets; third, to enhance cybersecurity obligations for assets deemed to be systems of national significance; and, finally, provision for a government assistance regime to allow, as a last resort, the emergency powers of the government to step in and secure Australia's security critical infrastructure.

In principle, these are sound and, indeed, crucial policy priorities. But the committee found that, far from being a clear and effective approach, far from being an exemplar of collaboration and far from avoiding regulatory burden, the Morrison government's bill was an irreconcilable mess for which it could not recommend passage. I will quote from the committee's report:

While the Committee strongly supports the aims of the SOCI Bill, it would need a significant amount of re-drafting to pass in its entirety and respond adequately to many of the concerns expressed to it during this review. This would delay significantly the time-critical elements of the Bill.

So as not to delay the urgent provisions that will help to secure Australia's critical infrastructure from cyberthreats, the committee recommended that the bill be split into two and that the considerable work of co-designing sector-specific positive-security obligations be deferred to a subsequent bill. The amended bill that we have before the chamber today is but a portion of the original framework in the original government bill.

The bill that Labor will be supporting today introduces the most urgent elements of an enhanced cybersecurity framework. Most importantly, it expands critical framework coverage from four sectors—electricity, gas, water and ports—to 11, now encompassing communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, and water and sewerage. The bill also introduces mandatory notification requirements by an entity to a relevant Commonwealth body, but within 84 hours rather than 12, as originally proposed by the Morrison government. This is an important concession to the feedback received from stakeholders. The bill also defines 'significant impact' in the context of a cybersecurity incident as being when the incident has 'materially disrupted the availability of essential goods or services provided using the asset'.

Lastly, the bill introduces last-resort emergency government assistance powers whereby the minister may authorise the secretary of the department to direct an entity to gather information or to undertake an action, direct that an action not be undertaken or authorise the Australian Signals Directorate to intervene when a cybersecurity incident has occurred, is occurring or is likely to occur. This last measure generated significant concern during the inquiry. Indeed, this is a considerable power for the government to wield. The committee heard assurances from the department that this power would be used rarely, if at all. But, to ensure against any mission creep and to build in stronger safeguards and oversight, the committee made an important recommendation that the government has accepted in this amended bill—that is, that the department's secretary must now report to the committee any use of these powers—and the stated intentions of cooperation and consultation are better enabled by the provisions of this bill.

On the remaining elements of the government's critical infrastructure plan—the significant work of regulatory obligations that will apply to critical infrastructure assets and systems of national significance—the Morrison-Joyce government has been told to go back, do better, listen better and return with another bill that represents that consultation. To make sure that Mr Morrison and his colleagues have really heard the feedback that was overwhelmingly delivered to them via the intelligence and security committee, I want to draw out some of the issues raised during the committee's hearings on this bill.

As a member of the committee, I can assure this chamber that we received substantial evidence in submissions to the inquiry. The submissions were received from companies that will be directly affected by the bill, representative organisations, cybersecurity and technology companies, trade unions, state governments, Commonwealth agencies, academics, international experts and legal peak bodies. I'd like to thank all submitters for their diligent participation and constructive approach. Almost uniformly, submitters expressed reservations with the government's approach to developing its security critical infrastructure regime. They reported a lack of active engagement and consultation and a lack of information provided to them. They reported a rushed time line—a scramble to review something incredibly complex, extraordinary in its breadth and gravity and with long-lasting implications. And, consistently, submitters raised issues with the government's approach of legislating a mere shell of an idea, the significant detail of which would be left to the delegated legislation, meaning that neither the parliament nor the affected entities could fully know the impact, impost and cost of the proposed regime.

It was the unanimous assessment of the Parliamentary Joint Committee on Intelligence and Security that this chaotic Morrison government has rushed and botched such a critical piece of legislation. In the interests of national security and in constructive bipartisan negotiation, the committee has amended some important elements of the critical infrastructure bill and salvaged the portions that can be passed today. Hence Labor will be supporting this legislation today.

Before finishing, I want to highlight an important feature of the committee's report—one that I commend to Mr Morrison and his Liberal-National colleagues. The committee heard expert evidence that cyber-enabled operations spanning disinformation, data theft and technical disruption can render democratic infrastructure vulnerable in new ways. Such operations, as was witnessed in the 2020 presidential election, target political parties, news organisations and social media and have the potential to undermine democratic systems. We heard from the former Director of the Cybersecurity and Infrastructure Security Agency in the United States, Mr Christopher Krebs, who said:

Our strategies have to be connected against countering disinformation … This is important for critical infrastructure as well. If you go to the point about an uneven underinvestment for cybersecurity in the critical infrastructure community, there is virtually no investment in countering disinformation. Nowhere more important is that right now than in the deployment of COVID-19 vaccinations. We are seeing an active threat environment from Russia and China for vaccine diplomacy. We're also seeing it from conspiracy theorists and antivaxxers in general.

Mr Krebs went on to say in the context of election security that, ahead of the 2020 presidential election, the US government prepared for attacks on electoral systems and hacks of media websites and voter databases. He warned that the 'more pervasive aspect' was the broader campaign 'to undermine confidence in leadership, government and democratic institutions through disinformation operations'.

Reflecting on his own experience as a senior national security official of publicly announcing that his country was experiencing a major cyberattack, Mr Krebs said that it should only be public officials, such as those from national security agencies, that make such announcements, especially during election campaigns, in order to avoid the perception of political interference. Mr Krebs said:

… you never want the incumbent with the ability to put their thumb on the scale and change the outcome of the election … you would not have wanted a White House press conference for those sorts of announcements because that, in and of itself, can be politicised.

These are important pieces of advice from Mr Krebs, and the bipartisan Joint Committee on Intelligence and Security unanimously agreed and recommended that the government review the cyberthreat to our democratic institutions. The committee also recommended that the government review the caretaker conventions for cyberincidents in an election context. On this important point, I ask the Morrison government to heed the advice of the committee. I note that in Senate estimates ASIO Director-General Mike Burgess indicated that he is reviewing and considering how he would approach a cyberevent in the context of an election and flagged he would seek to brief the opposition. It is important that the Morrison government heeds the advice provided by Mr Krebs, heeds the evidence provided by Mr Burgess and heeds the recommendation of the bipartisan intelligence and security committee.

The Morrison-Joyce government's attitude to cybersecurity is, quite frankly, dangerously one-dimensional. This is not just a defence or intelligence issue. Cybersecurity must be understood as a whole-of-society endeavour. It involves the broader community. It involves small business. It involves large corporations. It involves individuals. There must be robust, active and collaborative partnerships across government and industry and amongst experts. At a time of, quite frankly, global crisis brought on by the pandemic, by disinformation and by threats to cybersecurity, what we need is clarity, certainty and confidence. I urge the government, as it starts its work on bill 2 to amend the Security of Critical Infrastructure Act, to do its work properly, to consult properly and to truly co-design workable, effective and positive security obligations for Australia's critical infrastructure. I look forward to that bill coming to the parliament once that work has been done.
