Senate debates

Monday, 22 November 2021

Motions

Security Legislation Amendment (Critical Infrastructure) Bill 2021; Second Reading

1:20 pm

David Van (Victoria, Liberal Party)

We undoubtedly live in a digital age, one where no corner of the globe has been left untouched. This interconnectivity has brought with it a significant number of benefits to society. However, this also means that human life and society have become increasingly dependent on modern information technology. Recent advances in new information and communication networks have led to a shift towards newly emerged paradigms, such as smart grids, IOT—or the internet of things—cloud computing, big data, and edge and fog computing.

One of the most fundamental responsibilities of a government is to ensure the security of its citizens. This means that we must ensure that the infrastructure that underpins the very functioning of our society is secure. While past cyberattacks were focused mainly on IT environments, the trends show that cyber risks are now greater in the operational technology environment. Software and data that are critical to the provision of essential services such as power, water, health care, transportation and communications must be protected from criminals and terrorists if the nation's security is to be assured. The imperative is to ensure that the continuous delivery of essential services is not only clearly legal but also moral.

The cyber threat to critical infrastructure continues to grow, and this represents one of the most serious national security challenges that we must confront. The increased integration of IOT technology as well as the digitisation of many systems upon which our critical infrastructure relies means that many of the systems that our society relies on are increasingly under threat from cyberattacks. As outlined in Australia's Cyber Security Strategy 2020, the Australian government is committed to protecting the essential services that all Australians rely on by uplifting the security and resilience of critical infrastructure.

Australia is facing increasing cybersecurity threats to essential services, businesses and all levels of government. In the past two years we have seen cyberattacks on our federal parliamentary networks, logistics, the medical sector and universities, just to name a few. Internationally we have seen cyberattacks on critical infrastructure. Recently the Colonial Pipeline in the United States, which supplies half of that country's east coast with fuel, was shut down for six days, leading to the President declaring a state of emergency. It led to fuel shortages and to the company having to pay a $4.4 million ransom. We saw attacks against the Ukraine's power grid in 2015 and 2016, resulting in large parts of the country losing power for hours on end. These and countless other examples go to show that this is a real and present threat that has real-world consequences.

All Australians rely on critical infrastructure to deliver essential services that are crucial to our economic prosperity and our way of life, such as electricity, communications, transport and banking. Critical infrastructure is increasingly interconnected and interdependent. Connectivity without proper safeguards creates significant vulnerabilities. Interconnectedness means that the compromise of one critical infrastructure asset can have a domino effect that degrades or disrupts others and results in cascading consequences across Australia's economy and national security. Threats across a range of hazards from natural threats, including meteorological or climate hazards, to human induced threats, including unlawful interference, cyberincidents, espionage and chemical or oil spills, as well as from trusted insiders, all have the potential to significantly disrupt critical infrastructure.

As the majority of Australia's critical infrastructure is owned and operated by private industry or state and territory governments, it is vital that our approach to ensuring the resilience of Australia's critical infrastructure is clear, effective, consistent and proportionate. That government alone can succeed in addressing the challenges and vulnerabilities regarding cybersecurity should not be our expectation. Critical infrastructure owners and operators, whether public or private, must take every precaution to protect their digital assets and networks. However, we believe the government must take necessary steps so that it can protect critical infrastructure from various threats.

Amendments to the Security Legislation Amendment (Critical Infrastructure) Bill 2020 will ensure the government is well placed to assist entities responsible for critical infrastructure assets to respond to serious cyberattacks, as the first step in strengthening Australia's critical infrastructure security. Reforms outlined in the bill will strengthen Australia's ability to respond to serious cyberattacks on critical infrastructure by expanding the definition of critical infrastructure so that it includes energy, communications, financial services, defence industry, higher education, research, data storage or processing, food and groceries, health care and medical, space technology, transport, water and sewerage sectors. It will introduce a cyberincident reporting regime for critical infrastructure assets. By making government assistance available to industry as a last resort and subject to appropriate limitations, this assistance will be available immediately prior to, during or following a significant cybersecurity incident to ensure the continued provision of essential services.

By defining what is and isn't critical infrastructure, the government is better able to allocate resources and responsibilities during a crisis. The definitions have been refined in partnership with industry to ensure that only those assets that are truly critical are captured. The assets have been identified as critical based on their impact on the social or economic stability of Australia, the defence of Australia or Australia's national security. Currently, the Security of Critical Infrastructure Act 2018 requires entities responsible for critical infrastructure to provide ownership and operator information for the Register of Critical Infrastructure Assets. The cyberincident reporting regime builds on the existing obligations in the Security of Critical Infrastructure Act. Once turned on, for each sector, it will require infrastructure entities to report incidents to the Australian Cyber Security Centre through the ReportCyber portal and provide ownership and operator information for the register. This will enable a quick and effective government response to cybersecurity incidents by providing a greater situational awareness of threats to those assets.

Critical infrastructure entities will have up to 12 hours to report a critical cybersecurity incident once they become aware of it and up to 72 hours to report other cybersecurity incidents. The time frame for reporting cybersecurity incidents aligns with the reporting regimes such as APRA's prudential standard CPS 234 and the EU's GDPR. The reporting of cybersecurity incidents is vital to help the government develop an aggregated threat picture and comprehensive understanding of cybersecurity risks to critical infrastructure in a way that is mutually beneficial to government and industry. Reporting of cybersecurity incidents will provide better, proactive and reactive incident response options, which can range from providing voluntary assistance to industry to building a better culture of cybersecurity.

These reforms will provide for government assistance measures. These measures are necessary as there may be situations where a cyberthreat or incident is occurring or has occurred which can or will pose a serious risk to our national security interest. The assistance measures will focus on protecting and defending assets that provide a critical role in Australia's economy, society or defence when the owner or operator of those assets is unable to do so. Noting the importance of these assets for an effective functioning of Australian society, it will be a criminal offence not to comply with directions made under the assistance regime. These assistance powers are necessary due to the current threats we face and expectations from the community that, where Australia's national interests are under threat, the government will use its technical expertise to ensure essential services remain functioning.

Debate interrupted.
