Senate debates

Thursday, 21 October 2021

Bills

Security Legislation Amendment (Critical Infrastructure) Bill 2020; Second Reading

6:35 pm

Zed Seselja (ACT, Liberal Party, Minister for International Development and the Pacific)

I move:

That this bill be now read a second time.

I seek leave to have the second reading speech incorporated in Hansard.

Leave granted.

The speech read as follows—

The first priority of the Morrison Government is the safety and security of Australians.

Millions of Australians use power, water, banking and health services on a daily basis and do not have to think about the supporting systems and infrastructure that deliver those essential services to our community and across the country.

Imagine a day without power or water because the systems that reliably deliver these services to our homes have been attacked or deliberately disrupted.

A prolonged and widespread failure in the energy sector, for example, could have catastrophic and far-reaching consequences. Such an incident may lead to shortages or destruction of essential medical supplies; impact food, groceries, water supply and telecommunications networks; disrupt transport, traffic management systems and fuel; reduce or shut down banking, finance and retail services; and leave businesses and governments unable to function.

The introduction today of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 is a significant step in the protection of the critical infrastructure and essential services which all Australians rely upon.

Critical infrastructure underpins the delivery of goods and services that are essential to the Australian way of life, our nation's wealth and prosperity, and national security.

While Australia has not suffered a catastrophic attack on our critical infrastructure, we are not immune.

Australia is facing increasing cyber security threats to essential services, businesses and all levels of government. In the past two years we have seen cyber-attacks on federal Parliamentary networks, logistics, the medical sector and universities – just to mention a few.

Internationally, we have seen cyber-attacks on critical infrastructure including water services and airports.

COVID-19 has also strained the ability of critical infrastructure to deliver essential services. These disruptions show how quickly events can cause widespread physical, financial or psychological damage.

While owners and operators of critical infrastructure are best placed to deal with such threats, it takes a team effort to bring about positive change. That is why the ongoing security and resilience of critical infrastructure must be a shared responsibility – by all governments and the owners and operators of the infrastructure. The cost of inaction is far too great to ignore.

This Bill signifies an enhanced effort to ensure the ongoing security and resilience of critical infrastructure and the essential services they provide for all Australians.

The Bill will extend the application of the Security of Critical Infrastructure Act 2018 to additional sectors and assets within those sectors that are critical to:

•   maintaining basic living standards for the Australian population;

•   sustaining Australia's wealth and prosperity;

•   Australia's national security and defence; and

•   the security of large or sensitive data holdings.

This includes communications, transport, data and the cloud, food and grocery, defence industry, higher education and research and health.

The Bill will build on the regulatory regime in the existing Act by introducing a new framework designed to uplift the all-hazards security and resilience of critical infrastructure assets, and provide Government with greater visibility of cyber attacks.

Part 2A of the Bill requires entities to adopt and comply with a risk management program that ensures critical infrastructure assets are protected and safeguarded from all-hazards. This obligation is designed to uplift core security practices of critical infrastructure assets by ensuring entities take a holistic and proactive approach to identifying, preventing and mitigating risks.

Part 2B of the Bill creates a framework that requires entities to report cyber security incidents to the Australian Signals Directorate. The purpose of this framework is to establish a comprehensive understanding of the cyber security risks to critical infrastructure assets.

Through greater awareness, the Government can better see malicious trends and campaigns which would not be apparent to an individual victim of an attack. This will ensure that the Government can appropriately advise and assist entities across the economy to better safeguard their assets from cyber attacks.

The Bill also facilitates the Government to work with industry to strengthen the cyber preparedness and resilience of entities that operate assets of the highest criticality to Australia's national interests. These assets of highest criticality are defined as systems of national significance due to the role they serve in the economy and the consequences to the national interest should they be unavailable or inoperable.

The enhanced cyber security obligations will support a bespoke, outcomes-focused partnership between Government and Australia's most critical assets and will build an aggregated threat picture and understanding of cyber security risks to critical infrastructure in a way that is mutually beneficial to Government and industry.

These obligations will require the responsible entity for a system of national significance to undertake one or more prescribed activities requested by the Department of Home Affairs, including:

•   developing cyber security incident response plans to prepare for a serious cyber incident.

•   undertaking cyber security exercises to build cyber preparedness.

•   undertaking vulnerability assessments to identify vulnerabilities for remediation, and

•   providing system information to build Australia's situational awareness.

While private industry is best placed to protect critical infrastructure, some threats are too sophisticated or disruptive to be handled alone.

That is why Part 3A of this Bill provides Government with last resort powers to respond to a serious cyber incident that is having, has had or may have an impact on a critical infrastructure asset and there is a material risk to Australia's national interests. These new powers will ensure government is able to act effectively and decisively in responding to cyber attacks that go beyond the capability or capacity of industry to respond.

Under the Bill, the Minister for Home Affairs will be able to authorise the Secretary of Home Affairs to:

•   give directions to a specified entity for the purposes of gathering information – positioning government to understand the nature of the incident and determine alongside industry any further action that might be necessary

•   give directions to a specified entity requiring the entity to take certain actions or do certain things in response to the incident – limited to where the entity is unwilling or unable to resolve the incident; or

•   request an authorised government agency to provide assistance in responding to the incident – it may be necessary for the Government to step-in and take the necessary actions to defend the asset where directing an entity to take specified action would not be practical or effective.

These new powers will be subject to stringent authorisation and oversight mechanisms, including:

•   the Minister for Home Affairs being satisfied that there is a material risk that the incident has or will seriously prejudice,

o the social or economic stability of Australia or its people; or

o the defence of Australia; or

o national security.

•   Government only being able to take action if the entity is unwilling or unable to take all reasonable steps to resolve the cyber security incident. This is reflective of the Government's continued view that industry are primarily responsible for responding to incidents impacting their business.

•   Any direction or action authorised must be reasonably necessary and proportionate, and technically feasible to comply with.

•   Finally, before authorising a request to directly intervene, the Minister for Home Affairs must obtain the agreement of the Prime Minister and the Defence Minister.

The Bill has been developed through extensive consultation with industry. This includes consulting with over 3,000 people and receiving close to 350 submissions over two separate periods of consultation on a consultation paper and exposure draft legislation.

I would like to thank Industry for the constructive approach to the consultations and their assistance in developing the legislation with the Department.

The final Bill reflects the outcomes of the consultation process and ensures we have the right balance between taking effective steps to manage security of our critical infrastructure and appropriate checks and balances. This includes mandatory industry consultation periods, reporting mechanisms and oversight by IGIS.

However, this is not the end of consultation; the Government is committed to continuing the conversation to ensure that the reforms are operationalised in the most appropriate and effective manner.

An enhanced partnership with industry will be key to the success of these reforms. Strengthening Government's cooperation and collaboration with industry is a vital part of improving the resilience of Australia's critical infrastructure.

In 2021, the Government will re-launch the Trusted Information Sharing Network (TISN) for Critical Infrastructure Resilience and a revised Critical Infrastructure Resilience Strategy to further embed the genuine industry government partnership approach to managing the security and resilience of our critical infrastructure.

This enhanced industry engagement mechanism will be central as we commence co-design of the sector-specific requirements and best practice guidance which will underpin the Risk Management Program.

To ensure the Risk Management Program obligations are fit for purpose and drive genuine security uplift, we will work with industry to ensure the rules are proportionate to the risks impacting each sector, recognise existing approaches and impose the least regulatory burden necessary. These obligations will not commence for a given sector until we have completed this co-design work with industry.

The Bill demonstrates the Government's commitment to uplifting the security and resilience of Australia's critical infrastructure assets.

It guarantees the continued growth of Australian industry and the ability for businesses to compete in overseas markets.

It allows Australians to have uninterrupted access to essential services and ensures that our society and living standard continues to be the envy of the world.

And it ensures that Australia continues to be a safe, prosperous and wealthy nation.

I commend this Bill to the Senate.

Ordered that further consideration of the second reading of this bill be adjourned to the first sitting day of the next period of sittings, in accordance with standing order 111.