Carol Brown (Tasmania, Australian Labor Party, Shadow Assistant Minister for Infrastructure and Regional Tourism) Share this | Hansard source

It is pleasing to see the government's recognition of the increasing cybersecurity threats facing essential services, businesses and all levels of government with the introduction of the Security Legislation Amendment (Critical Infrastructure) Bill 2021. To understand the need for this legislation, we need only consider the recent cyberattack on the major US oil-and-gas pipeline. The pervasive threat of cyber-enabled attack and manipulation of critical infrastructure assets is serious, considerable in scope and impact, and increasing at an unprecedented rate. Australia is facing increasing cybersecurity threats to essential services, businesses and all levels of government. In the past two years, cyberattacks have struck federal parliamentary networks, the health and food sectors, media and universities. Queensland's largest regional water supplier, Sunwater, recently revealed that it was targeted by hackers in a cybersecurity breach that went undetected for nine months. In this case, the hackers left suspicious files on a web server to redirect visitor traffic to an online video platform.

A recently published report produced for the World Economic Forum revealed that 80 per cent of senior cybersecurity leaders see ransomware as a dangerous, growing threat that is threatening our public safety. The cyber incident in the US underscored that, increasingly, providers of essential services are more vulnerable to widespread cyberthreats, both here and abroad. The increasing digitisation of critical infrastructure sectors such as oil and gas and the associated industrial systems is changing the nature of cyber risk. The government's original approach to address this alarming and growing threat was to expand the definition of critical infrastructure from four sectors to 11 systems of national significance—namely, communications, financial services and markets, data storage or processing, defence industries, higher education and research, energy, food, health care, space technology, transport, and water and sewage. At the same time, the government also sought to introduce additional reporting requirements for cyber incidents affecting critical infrastructure, along with new government assistance measures for critical infrastructure assets and additional positive security obligations for critical infrastructure assets.

When the Parliamentary Joint Committee on Intelligence and Security considered the government's initial approach, it noted that threats to critical infrastructure are often complex and serious, and usually require a swift and comprehensive response. Given this, the Parliamentary Joint Committee on Intelligence and Security formed the view that the government's attempt to introduce both the assistance measures and the new positive security obligations along with the sector-specific requirements all at once would end up achieving neither aim. Following the release of the findings of the parliamentary joint committee, it is pleasing to see that this legislation reflects a more considered approach than the one the government originally proposed.

By accepting the recommendation of the parliamentary joint committee that legislation relating to the security and protection of our critical infrastructure should be split, the Senate is now able to consider this first bill, which relates to the expansion of sectors deemed to be of national significance, the additional reporting requirements and the new assistance measures. The positive security obligations and sector-specific requirements are to be covered in further legislation, which should allow the government to conduct genuine and meaningful consultation with industry.

The threats to Australia's critical infrastructure are not solely contained to cyberattacks. They can include natural hazards, espionage, chemical or oil spills, and insider actions. These all have the potential to significantly disrupt our critical infrastructure. Delays and disruption of fuel supplies and other pressures on our supply chains have made Australians increasingly aware of the vital role played by key parts of our national supply chain infrastructure. The global pandemic has also led to heightened awareness of the essential roles undertaken by our transport and logistic workers. Essential workers play a key role in securing and protecting our critical infrastructure. They access key transport infrastructure and ensure that the goods our economy and our society need are delivered when and where they are needed. For this, we can thank the maritime workers and truck drivers of our nation. These critical workers have kept our country and economy going throughout the pandemic with little thanks or help from this government. In fact, the government won't even officially recognise the essential role played by our maritime workers. The federal government has done nothing to facilitate the vaccination of these key workers, nor have they acted to ensure that maritime crew changes can take place in a safe and effective manner. Instead, we have seen repeated outbreaks of COVID on board ships transporting goods to and from Australia and crew being forced to remain on board vessels for over 12 months because crew changes are rarely facilitated in Australia. I remind the government that there is much more to critical infrastructure than physical premises or assets.

In addition to the government assistance and mandatory notification requirements provided for in this piece of legislation, the bill also provides for oversight arrangements. On the recommendation of the parliamentary joint committee, the secretary to the department is required to report to the committee as soon as possible after government assistance measures are requested. This is an important safeguard that will ensure that the parliament, through the committee, will be aware of the operations of the act and whether the provisions are meeting the threat that they have been drafted to address. In addition to this, the parliamentary joint committee will review the operations of the act three years after it receives royal assent. This measure will help ensure that our security regime, put in place to protect our critical infrastructure, remains fit for purpose.

Security legislation is often complex and can have dire ramifications if we get it wrong. That is why consultation and review processes are so important. As I understand it, there was considerable concern from stakeholders that the consultation process leading to the government's initial proposed legislation was too rushed and that input, concerns and feedback were not acknowledged or addressed. It is my sincere hope that, by splitting the original legislation into two bills, the government will avail itself of the renewed opportunity to consult with stakeholders and that their concerns and suggestions will be given due consideration.

I commend the bill to the Senate.