Senate debates

Monday, 22 November 2021

Motions

Security Legislation Amendment (Critical Infrastructure) Bill 2021; Second Reading

12:35 pm

Kristina Keneally (NSW, Australian Labor Party, Deputy Leader of the Opposition in the Senate)

I rise to speak on the Security Legislation Amendment (Critical Infrastructure) Bill 2021. In 2019 the Prime Minister, Mr Morrison, called a big press conference here at Parliament House. He fronted the media with his then ministers for Home Affairs and Defence standing beside him. He told Australians we were under attack. He said that Australian organisations and Australia's critical infrastructure, including all levels of government, were subject to sophisticated and malicious cyberattacks.

The threat that Mr Morrison spoke about that day is very real and very sophisticated. It's a threat that demands an equally sophisticated response. Instead, in 2019 Australia got just another Mr Morrison photo-op: an announcement. It has taken more than two years to get the follow-up. That's what this bill is today: two years later, after the photo-op, we finally get the follow-up. In that time the Morrison government has allowed its cybersecurity strategy to expire, even as the Australian Cyber Security Centre amplified its warnings that the cyberthreat was growing in its scale and complexity. In that time the Morrison government ignored urgent advice to do even the bare minimum to uplift Australian cybersecurity, such as by introducing a mandatory ransomware payment scheme, instead leaving this to the opposition, to Labor, to introduce before finally adopting Labor's call for a national ransomware strategy.

In the time since Mr Morrison's big announcement the cybersecurity threat environment has continued to shift and evolve, and the bill we are considering today is very different to the one the Morrison government originally sought to pass: a bill that was referred to the Parliamentary Joint Committee on Intelligence and Security. That this bill today is so very different to the Morrison government's original bill underscores the importance of the bipartisan Intelligence and Security Committee and its important role in scrutinising legislation in the national interest. This bill is so very different to the government's original legislation because the committee unanimously agreed that, quite simply, the Morrison government had not finished its work on this bill and that the work it had done, it had not done well enough.

The original bill sought to uplift security and resilience in all critical infrastructure sectors, promising that the government would work in partnership with responsible entities of critical infrastructure assets to establish a clear, effective, consistent and proportionate approach to the security of critical infrastructure. The government promised that it would ensure these new requirements did not duplicate existing regulatory frameworks. The bill proposed four major areas of reform. The first was to expand the coverage of critical infrastructure from four to 11 sectors; second, to introduce positive security obligations for critical infrastructure assets; third, to enhance cybersecurity obligations for assets deemed to be systems of national significance; and, finally, provision for a government assistance regime to allow, as a last resort, the emergency powers of the government to step in and secure Australia's security critical infrastructure.

In principle, these are sound and, indeed, crucial policy priorities. But the committee found that, far from being a clear and effective approach, far from being an exemplar of collaboration and far from avoiding regulatory burden, the Morrison government's bill was an irreconcilable mess for which it could not recommend passage. I will quote from the committee's report:

While the Committee strongly supports the aims of the SOCI Bill, it would need a significant amount of re-drafting to pass in its entirety and respond adequately to many of the concerns expressed to it during this review. This would delay significantly the time-critical elements of the Bill.

So as not to delay the urgent provisions that will help to secure Australia's critical infrastructure from cyberthreats, the committee recommended that the bill be split into two and that the considerable work of co-designing sector-specific positive-security obligations be deferred to a subsequent bill. The amended bill that we have before the chamber today is but a portion of the original framework in the original government bill.

The bill that Labor will be supporting today introduces the most-urgent elements of an enhanced cybersecurity framework. Most importantly, it expands critical framework coverage from four sectors—electricity, gas, water and ports—to 11, now encompassing communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, and water and sewerage. The bill also introduces mandatory notification requirements by an entity to a relevant Commonwealth body, but within 84 hours rather than 12, as originally proposed by the Morrison government. This is an important concession to the feedback received from stakeholders. The bill also defines 'significant impact' in the context of a cybersecurity incident as being when the incident has 'materially disrupted the availability of essential goods or services provided using the asset'.

Lastly, the bill introduces last-resort emergency government assistance powers whereby the minister may authorise the secretary of the department to direct an entity to gather information or to undertake an action, direct that an action not be undertaken or authorise the Australian Signals Directorate to intervene when a cybersecurity incident has occurred, is occurring or is likely to occur. This last measure generated significant concern during the inquiry. Indeed, this is a considerable power for the government to wield. The committee heard assurances from the department that this power would be used rarely, if at all. But, to ensure against any mission creep and to build in stronger safeguards and oversight, the committee made an important recommendation that the government has accepted in this amended bill—that is, that the department's secretary must now report to the committee any use of these powers—and the stated intentions of cooperation and consultation are better enabled by the provisions of this bill.

On the remaining elements of the government's critical infrastructure plan—the significant work of regulatory obligations that will apply to critical infrastructure assets and systems of national significance—the Morrison-Joyce government has been told to go back, do better, listen better and return with another bill that represents that consultation. To make sure that Mr Morrison and his colleagues have really heard the feedback that was overwhelmingly delivered to them via the intelligence and security committee, I want to draw out some of the issues raised during the committee's hearings on this bill.

As a member of the committee, I can assure this chamber that we received substantial evidence in submissions to the inquiry. The submissions were received from companies that will be directly affected by the bill, representative organisations, cybersecurity and technology companies, trade unions, state governments, Commonwealth agencies, academics, international experts and legal peak bodies. I'd like to thank all submitters for their diligent participation and constructive approach. Almost uniformly, submitters expressed reservations with the government's approach to developing its security critical infrastructure regime. They reported a lack of active engagement and consultation and a lack of information provided to them. They reported a rushed time line—a scramble to review something incredibly complex, extraordinary in its breadth and gravity and with long-lasting implications. And, consistently, submitters raised issues with the government's approach of legislating a mere shell of an idea, the significant detail of which would be left to the delegated legislation, meaning that neither the parliament nor the affected entities could fully know the impact, impost and cost of the proposed regime.

It was the unanimous assessment of the Parliamentary Joint Committee on Intelligence and Security that this chaotic Morrison government has rushed and botched such a critical piece of legislation. In the interests of national security and in constructive bipartisan negotiation, the committee has amended some important elements of the critical infrastructure bill and salvaged the portions that can be passed today. Hence Labor will be supporting this legislation today.

Before finishing I want to highlight an important feature of the committee's report—one that I commend to Mr Morrison and his Liberal-National colleagues. The committee heard expert evidence that cyber-enabled operations spanning disinformation, data theft and technical disruption can render democratic infrastructure vulnerable in new ways. Such operations, as was witnessed in the 2020 presidential election, target political parties, news organisations and social media and have the potential to undermine democratic systems. We heard from former Director of the Cybersecurity and Infrastructure Security Agency in the United States Mr Christopher Krebs, who said:

Our strategies have to be connected against countering disinformation … This is important for critical infrastructure as well. If you go to the point about an uneven underinvestment for cybersecurity in the critical infrastructure community, there is virtually no investment in countering disinformation. Nowhere more important is that right now than in the deployment of COVID-19 vaccinations. We are seeing an active threat environment from Russia and China for vaccine diplomacy. We're also seeing it from conspiracy theorists and antivaxxers in general.

Mr Krebs went on to say in the context of election security that, ahead of the 2020 presidential election, the US government prepared for attacks on electoral systems and hacks of media websites and voter databases. He warned that the 'more pervasive aspect' was the broader campaign 'to undermine confidence in leadership, government and democratic institutions through disinformation operations'.

Reflecting on his own experience as a senior national security official of publicly announcing that his country was experiencing a major cyberattack, Mr Krebs said that it should only be public officials, such as those from national security agencies, that make such announcements, especially during election campaigns, in order to avoid the perception of political interference. Mr Krebs said:

… you never want the incumbent with the ability to put their thumb on the scale and change the outcome of the election … you would not have wanted a White House press conference for those sorts of announcements because that, in and of itself, can be politicised.

These are important pieces of advice from Mr Krebs, and the bipartisan Joint Committee on Intelligence and Security unanimously agreed and recommended that the government review the cyberthreat to our democratic institutions. The committee also recommended that the government review the caretaker conventions for cyberincidents in an election context. On this important point, I ask the Morrison government to heed the advice of the committee. I note that in Senate estimates ASIO Director-General Mike Burgess indicated that he is reviewing and considering how he would approach a cyberevent in the context of an election and flagged he would seek to brief the opposition. It is important that the Morrison government heeds the advice provided by Mr Krebs, heeds the evidence provided by Mr Burgess and heeds the recommendation of the bipartisan intelligence and security committee.

The Morrison-Joyce government's attitude to cybersecurity is, quite frankly, dangerously one dimensional. This is not just a defence or intelligence issue. Cybersecurity must be understood as a whole-of-society endeavour. It involves the broader community. It involves small business. It involves large corporations. It involves individuals. There must be robust, active and collaborative partnerships across government and industry and amongst experts. At a time of, quite frankly, global crisis brought on by the pandemic, by disinformation and by threats to cybersecurity what we need is clarity, certainty and confidence. I urge the government as it starts its work on bill 2 to amend the Security of Critical Infrastructure Act to do its work properly, to consult properly and to truly co-design workable, effective and positive security obligations for Australia's critical infrastructure. I look forward to that bill coming to the parliament once that work has been done.

12:49 pm

Lidia Thorpe (Victoria, Australian Greens)

The Greens will not be supporting the Security Legislation Amendment (Critical Infrastructure) Bill. Very few key stakeholders, in fact, support this bill, so we cannot support it in its current form. The government, as usual, is introducing even more half-baked legislation that no-one actually wants so those opposite can stand here and pretend to be doing something. This legislation is a greedy little power grab, and the Greens cannot support it in its current form. I foreshadow a second reading amendment in my name which outlines our main concerns. I'll go over some of our concerns.

This bill is not supported by key stakeholders in the logistics, technology and education sectors, among others. In the review of this bill that was undertaken by the Parliamentary Joint Committee on Intelligence and Security, numerous stakeholders reported insufficient consultation by the government with their respective sector or industry. The government's failing to consult is nothing new to me. Believe me, as a First Nations woman, I know that this government does not know the difference between consultation and consent. We know Labor has a problem with that too. In the case of this bill, the government failed to consult, and many of our key stakeholders don't consent. In fact, many stakeholders reported that this bill would result in the imposition of an excessive regulatory burden on their businesses, including the potential duplication of regulatory systems. These stakeholders will now have more regulatory and compliance burdens heaped upon them. I note that for the education sector there is no new additional funding to allow them to comply.

From the position of the Australian Greens, the critical flaw in this bill is that it imposes very, very serious obligations on entities that, I remind the chamber, have not been properly consulted. These obligations include the potential for the takeover of businesses or operations by government security agencies. They also include the ability for the minister to authorise the Secretary of the Department of Home Affairs to direct one of these entities to gather information; undertake an action or direct that an action not be undertaken; or authorise the Australian Signals Directorate to intervene when a cybersecurity incident has occurred, is occurring or is likely to occur. In short, the government and its spy agencies can take over the operations of an industry, based on the decision of the minister. This is wrong, and the stakeholders have not asked for this. This bill would give the minister considerable powers under the guise of protecting the security of critical infrastructure.

As I said at the beginning, this is a greedy little power grab that has been done without proper consultation and without any real co-design—we know the government loves that word 'co-design'—with the affected sectors. The Australian Greens will not be supporting it. I move:

At the end of the motion, add ", but the Senate notes that:

(a) this bill proposes to introduce an extended supervision order regime that would allow a Supreme Court of a state or territory to make orders in relation to a person who has completed a sentence of imprisonment;

(b) the Criminal Code Act 1995 already contains provisions that permit a court to make a similar order in relation to the same category of offender;

(c) the new extended supervision order regime proposed by this bill does not repeal the existing similar provisions;

(d) the extended supervision order regime in this bill departs in very significant ways from the model proposed by the third Independent National Security Legislation Monitor; and

(e) over 70 counter-terrorism laws have passed this Parliament in the last two decades, many of which have not been supported by human rights organisations because they create broad, extensive, and often overlapping powers, as is the case with the regime proposed by this bill".

12:54 pm

Jim Molan (NSW, Liberal Party)

Australia faces what is without doubt the most uncertain strategic environment it has faced since 1945. For the last 75 years Australia has achieved prosperity and security to a degree almost unheard of in human history. Much of that security and prosperity is due to the stabilising presence of the United States. I acknowledge, as someone who has worked with, trained and fought beside the United States, that the United States is far from a perfect power but it is a far better world power than many others. Australia has benefited from the relationship with the United States. But the world is changing and Australia is trying to change to accommodate the new world. The new world has characteristics of the old world. The new world is still based on power politics. The new world has nations and leaders who do not have as much of an interest in the world order as Australia does. The new world has powers like China who look back on the appalling way that the old world treated them and want to take that out on the new world—on our world.

For 75 years, when most of our critical infrastructure was built, Australia knew that, because of our geographical location and because of our alliances, we faced no direct threat in this country. This was a luxury that we are only now really coming to appreciate. We now find that our region, the Indo-Pacific or the western Pacific or whatever you want to call it, is pretty well the centre of the world's strategic environment and certainly the world's interest. Several things are happening in our region which make the Security Legislation Amendment (Critical Infrastructure) Bill 2021 and the government amendments in 2021 very important indeed.

The first is that the military power of the United States to stabilise our region has fallen by 30 to 50 per cent since the end of the Cold War. This is admitted by the United States in how they express their national defence strategy. For a long period of time many of us have thought that the United States' power was infinite. It's not and we might find ourselves on our own.

The second is that we've seen an increase in the military power of China, Russia, Iran and North Korea. China has the largest army, navy, maritime militia, integrated air defence and what are called substrategic rocket and missile forces in the world. Qualitatively they are approaching the standard of the United States. Let's not forget that Russia is a Pacific power with close military and economic links to China. Let's not forget that Iran is the source of just about every problem in the Middle East at the moment and is supposedly a month away from getting the bomb. Of course North Korea is an unpredictable nuclear power with an unpredictable leader.

The third thing that is relevant to Australia's situation and this bill is that we in Australia have seen over the last two COVID years how vulnerable Australia is to outside influence, in terms of not just supply chain issues, which are terrifyingly real, but also an ability by external actors to reach into any country through cyberspace and impact on our day-to-day life.

Much of our prosperity is due to our interconnected world. Much of the efficiency of how our country functions is due to that interconnectedness. Much of the way our security—internal and external—functions relies on cyberspace. The use of actual space, where satellites fly, depends on cyberspace for the transmission of data. The crossover between cyberspace and the real world is now what is important. At present we are probed in cyberspace thousands of times per day. Many of those probes are successful. Some are from criminals, some are from countries and some are malign actors that exist between criminals and nations. What we see today is nothing compared to what we might see in the lead-up to conflict or to war. We have not seen one country, such as China or Russia, apply their full cyber-resources to attacking another country through cyberspace. We have not seen it yet. We've seen small examples in the Baltic countries, probably by Russia. We have seen impacts on parts of India's electricity sector, probably by China. But we will only see the full cybercapability of certain nations applied to other countries in the lead-up to, or actually in, war. And the prospect of war in our region is real. China says it will reincorporate Taiwan, even if it has to use force. President Biden has reaffirmed US support for Taiwan, which makes the US policy of ambiguity even more ambiguous. These are worrying times.

Australia, as a nation, is vulnerable, and this bill is one step in addressing our vulnerabilities. The level of cyberattacks on Australia's critical infrastructure is bad enough now, but in certain circumstances it could be much worse. Most of us are aware of the reliance of our hospitals, transport, financial systems and military systems on the internet, but what many don't realise is that many of our military systems rely on exactly the same civilian systems to pass data as do hospitals, transport and banks. Our infrastructure has never been more important than it is now, and we need this bill.

Amendments to this bill will ensure that the government is well placed to assist entities and those responsible for critical infrastructure assets to respond to serious cyberattacks as the first step in strengthening Australia's critical infrastructure security. The reforms outlined in the amended bill will strengthen Australia's ability to respond to serious cyberattacks on critical infrastructure. This bill expands the definition of critical infrastructure to include energy; communications; financial services; the defence industry; higher education and research; data storage or processing; food and groceries; health care and medical; space technology; transport; and water and sewage sectors. It introduces a cyberincident reporting regime for critical infrastructure assets. It makes government assistance available to industry as a last resort, subject to appropriate limitations. Under this bill, government will be able to provide assistance immediately prior to, during or following a significant cybersecurity incident to ensure the continued provision of essential services.

The Security of Critical Infrastructure Act 2018 strengthened the Australian government's capacity to identify and manage the national security risk of espionage, sabotage and coercion resulting from foreign involvement in Australia's critical infrastructure. The government amendment to this bill amends the Security of Critical Infrastructure Act 2018, and is the first phase. The second phase of these reforms will be implemented by further amending the Security of Critical Infrastructure Act 2018, capturing the remaining elements from the Security Legislation Amendment (Critical Infrastructure) Bill, and the risk management programs, systems of national significance and enhanced cybersecurity obligations of industry. Recommendations six to 14 of the Parliamentary Joint Committee on Intelligence and Security are currently being considered by the government. I recommend this bill to the Senate.

1:03 pm

Carol Brown (Tasmania, Australian Labor Party, Shadow Assistant Minister for Infrastructure and Regional Tourism)

It is pleasing to see the government's recognition of the increasing cybersecurity threats facing essential services, businesses and all levels of government with the introduction of the Security Legislation Amendment (Critical Infrastructure) Bill 2021. To understand the need for this legislation, we need only consider the recent cyberattack on the major US oil-and-gas pipeline. The pervasive threat of cyber-enabled attack and manipulation of critical infrastructure assets is serious, considerable in scope and impact, and increasing at an unprecedented rate. Australia is facing increasing cybersecurity threats to essential services, businesses and all levels of government. In the past two years, cyberattacks have struck federal parliamentary networks, the health and food sectors, media and universities. Queensland's largest regional water supplier, Sunwater, recently revealed that it was targeted by hackers in a cybersecurity breach that went undetected for nine months. In this case, the hackers left suspicious files on a web server to redirect visitor traffic to an online video platform.

A recently published report produced for the World Economic Forum revealed that 80 per cent of senior cybersecurity leaders see ransomware as a dangerous, growing threat that is threatening our public safety. The cyber incident in the US underscored that, increasingly, providers of essential services are more vulnerable to widespread cyberthreats, both here and abroad. The increasing digitisation of critical infrastructure sectors such as oil and gas and the associated industrial systems is changing the nature of cyber risk. The government's original approach to address this alarming and growing threat was to expand the definition of critical infrastructure from four sectors to 11 systems of national significance—namely, communications, financial services and markets, data storage or processing, defence industries, higher education and research, energy, food, health care, space technology, transport, and water and sewage. At the same time, the government also sought to introduce additional reporting requirements for cyber incidents affecting critical infrastructure, along with new government assistance measures for critical infrastructure assets and additional positive security obligations for critical infrastructure assets.

When the Parliamentary Joint Committee on Intelligence and Security considered the government's initial approach, it noted that threats to critical infrastructure are often complex and serious, and usually require a swift and comprehensive response. Given this, the Parliamentary Joint Committee on Intelligence and Security formed the view that the government's attempt to introduce both the assistance measures and the new positive security obligations along with the sector-specific requirements all at once would end up achieving neither aim. Following the release of the findings of the parliamentary joint committee, it is pleasing to see that this legislation reflects a more considered approach than the one the government originally proposed.

By accepting the recommendation of the parliamentary joint committee that legislation relating to the security and protection of our critical infrastructure should be split, the Senate is now able to consider this first bill, which relates to the expansion of sectors deemed to be of national significance, the additional reporting requirements and the new assistance measures. The positive security obligations and sector-specific requirements are to be covered in further legislation, which should allow the government to conduct genuine and meaningful consultation with industry.

The threats to Australia's critical infrastructure are not solely contained to cyberattacks. They can include natural hazards, espionage, chemical or oil spills, and insider actions. These all have the potential to significantly disrupt our critical infrastructure. Delays and disruption of fuel supplies and other pressures on our supply chains have made Australians increasingly aware of the vital role played by key parts of our national supply chain infrastructure. The global pandemic has also led to heightened awareness of the essential roles undertaken by our transport and logistic workers. Essential workers play a key role in securing and protecting our critical infrastructure. They access key transport infrastructure and ensure that the goods our economy and our society need are delivered when and where they are needed. For this, we can thank the maritime workers and truck drivers of our nation. These critical workers have kept our country and economy going throughout the pandemic with little thanks or help from this government. In fact, the government won't even officially recognise the essential role played by our maritime workers. The federal government has done nothing to facilitate the vaccination of these key workers, nor have they acted to ensure that maritime crew changes can take place in a safe and effective manner. Instead, we have seen repeated outbreaks of COVID on board ships transporting goods to and from Australia and crew being forced to remain on board vessels for over 12 months because crew changes are rarely facilitated in Australia. I remind the government that there is much more to critical infrastructure than physical premises or assets.

In addition to the government assistance and mandatory notification requirements provided for in this piece of legislation, the bill also provides for oversight arrangements. On the recommendation of the parliamentary joint committee, the secretary to the department is required to report to the committee as soon as possible after government assistance measures are requested. This is an important safeguard that will ensure that the parliament, through the committee, will be aware of the operations of the act and whether the provisions are meeting the threat that they have been drafted to address. In addition to this, the parliamentary joint committee will review the operations of the act three years after it receives royal assent. This measure will help ensure that our security regime, put in place to protect our critical infrastructure, remains fit for purpose.

Security legislation is often complex and can have dire ramifications if we get it wrong. That is why consultation and review processes are so important. As I understand it, there was considerable concern from stakeholders that the consultation process leading to the government's initial proposed legislation was too rushed and that input, concerns and feedback were not acknowledged or addressed. It is my sincere hope that, by splitting the original legislation into two bills, the government will avail itself of the renewed opportunity to consult with stakeholders and that their concerns and suggestions will be given due consideration.

I commend the bill to the Senate.

1:12 pm

Mehreen Faruqi (NSW, Australian Greens)

I rise to speak on the Security Legislation Amendment (Critical Infrastructure) Bill 2021 and I associate myself with the comments made by my colleague Senator Thorpe. The bill gives considerable—and too much—power to the minister, under the guise of protecting critical infrastructure. It creates the potential for government security agencies to intervene and take over businesses and operations. This bill is not supported by key stakeholders, including the logistics, technology and higher education sectors. As the Greens spokesperson on education, I'll focus my comments on how this bill could impact the higher education sector. In a nutshell, this bill will require the higher education and research sector to have, and comply with, a critical infrastructure risk management program. It will require universities and research bodies to notify the government about cybersecurity incidents, under increased regulatory obligations. The government will be able to directly intervene and take over their computer systems when they experience a cyberattack.

National security is important, but there is no clear or compelling reason for the powers this bill gives the government nor for the burdens that it places on higher education and research. This is a misguided bill. I recognise the concerns of various universities that this bill, as it applies to the university sector, is not proportionate, is not workable, is not risk based and is not carefully targeted. The definitions of 'critical education asset' and 'critical infrastructure asset' are too broad in scope. Universities have tens of thousands of staff and students. They have cafeterias, gyms and swimming pools. None of these assets are distinguished in the bill. Instead, everything in a university would fall under this law. As a number of universities and their umbrella organisations noted in their submissions to the Parliamentary Joint Committee on Intelligence and Security inquiry related to this bill, the regulatory obligations imposed by this bill are likely to be extensive and quite costly for them. The government doesn't even intend to offer financial support to critical infrastructure owners and employees to meet the proposed obligations.

The innovative research universities have concluded that imposing further legislation on universities without a clear overarching strategy risks blurring the lines of responsibility for action, adds complexity to large diverse organisations and highlights compliance over effective responsive action. The Group of Eight universities have said that the regulatory impact and the costs that may accrue in the sector and for its members will be significant—far greater than so far estimated by the government, especially when added to the regulation cost already borne by the sector for compliance with other foreign interference laws. For the Group of Eight, the catch-all nature of the legislation proposed for higher education and research is highly disproportionate.

We know universities are in crisis as the government has cut funding, hiked fees and offered no support to them or to their international students during COVID-19. Thousands of staff have been let go already, casualisation is rampant and wage theft is systemic. What does the government do to address the devastation and problems that the universities are facing? Nothing. But here we have a bill that makes life more difficult for them. It's clear that this government has no plan for universities beyond a slash-and-burn, anti-intellectual, anti-education agenda. We can't sit back and expect that the government will take any approach other than the one that they have taken for the last eight years. That's why the rest of us have to proactively take back some power and reimagine what the universities in future should and hopefully will look like.

Last week I published a new discussion paper on what that could look like. The Greens propose a range of bold ideas that would completely transform higher education in this country. The government should fully fund learning, teaching and research by providing a big boost to funding. Education should be free and student debt should be abolished. Moreover, universities should be places where you can be guaranteed a secure job, where casualisation is reversed and where wage theft has ended. Staff and students deserve so much better than what they are experiencing at the moment. Universities should be places where student activism is encouraged, academic freedom is assured and political expression is part and parcel of campus life. Universities should be institutions that are equitable and antiracist and that provide a platform for First Nations knowledge, research and leadership.

This paper contains Parliamentary Library data which we have analysed that reveals that, over the past 20 years, the number of elected members on the governing bodies of Australian universities has decreased by 43 per cent, from 274 elected members in the year 2000 to 155 elected members in 2020. As a proportion, in 2000 more than one-third of positions on these bodies were elected, but by 2020 that was down to fewer than one in four. This is nothing less than a crisis of democracy in freefall at our universities.

The corporatisation of universities by government and neoliberal university management has occurred while staff and student representation on government bodies has shrunk massively. This business model sees staff and students as expendable cogs in the machine of a corporate campus that makes a mockery of the notion that the university is a public good. Universities are at a crossroads. They can continue hurtling down a path of corporatisation, austerity and job insecurity, or they can chart a new course based on democracy, equity and the collective public good.

Rather than focusing on the real issues that universities face, this government is imposing another unnecessary, disproportionate burden on university communities. The government is once again trying to grow its ever-expanding surveillance powers under the guise of national security. It presents a real threat to the independence and autonomy of the university sector. It allows the government to extensively intervene in university operations.

The ability of government agencies to reach into and possibly take over external systems, including those of our education sector, raises serious issues of organisational integrity and autonomy, and this ever-increasing surveillance creep should be concerning for all of us here. Let's not become desensitised to how much surveillance power we are giving this government. The Greens will not be supporting this bill.

1:20 pm

David Van (Victoria, Liberal Party)

We undoubtedly live in a digital age, one where no corner of the globe has been left untouched. This interconnectivity has brought with it a significant number of benefits to society. However, this also means that human life and society have become increasingly dependent on modern information technology. Recent advances in new information and communication networks have led to a shift towards newly emerged paradigms, such as smart grids, IOT—or the internet of things—cloud computing, big data, and edge and fog computing.

One of the most fundamental responsibilities of a government is to ensure the security of its citizens. This means that we must ensure that the infrastructure that underpins the very functioning of our society is secure. While past cyberattacks were focused mainly on IT environments, the trends show that cyber risks are now greater in the operational technology environment. Software and data that are critical to the provision of essential services such as power, water, health care, transportation and communications must be protected from criminals and terrorists if the nation's security is to be assured. The imperative is to ensure that the continuous delivery of essential services is not only clearly legal but also moral.

The cyber threat to critical infrastructure continues to grow, and this represents one of the most serious national security challenges that we must confront. The increased integration of IOT technology as well as the digitisation of many systems upon which our critical infrastructure relies means that many of the systems that our society relies on are increasingly under threat from cyberattacks. As outlined in Australia's Cyber Security Strategy 2020, the Australian government is committed to protecting the essential services that all Australians rely on by uplifting the security and resilience of critical infrastructure.

Australia is facing increasing cybersecurity threats to essential services, businesses and all levels of government. In the past two years we have seen cyberattacks on our federal parliamentary networks, logistics, the medical sector and universities, just to name a few. Internationally we have seen cyberattacks on critical infrastructure. Recently the Colonial Pipeline in the United States, which supplies half of that country's east coast with fuel, was shut down for six days, leading to the President declaring a state of emergency. It led to fuel shortages and to the company having to pay a $4.4 million ransom. We saw attacks against the Ukraine's power grid in 2015 and 2016, resulting in large parts of the country losing power for hours on end. These and countless other examples go to show that this is a real and present threat that has real-world consequences.

All Australians rely on critical infrastructure to deliver essential services that are crucial to our economic prosperity and our way of life, such as electricity, communications, transport and banking. Critical infrastructure is increasingly interconnected and interdependent. Connectivity without proper safeguards creates significant vulnerabilities. Interconnectedness means that the compromise of one critical infrastructure asset can have a domino effect that degrades or disrupts others and results in cascading consequences across Australia's economy and national security. Threats across a range of hazards from natural threats, including meteorological or climate hazards, to human induced threats, including unlawful interference, cyberincidents, espionage and chemical or oil spills, as well as from trusted insiders, all have the potential to significantly disrupt critical infrastructure.

As the majority of Australia's critical infrastructure is owned and operated by private industry or state and territory governments, it is vital that our approach to ensuring the resilience of Australia's critical infrastructure is clear, effective, consistent and proportionate. That government alone can succeed in addressing the challenges and vulnerabilities regarding cybersecurity should not be our expectation. Critical infrastructure owners and operators, whether public or private, must take every precaution to protect their digital assets and networks. However, we believe the government must take necessary steps so that it can protect critical infrastructure from various threats.

Amendments to the Security Legislation Amendment (Critical Infrastructure) Bill 2020 will ensure the government is well placed to assist entities responsible for critical infrastructure assets to respond to serious cyberattacks, as the first step in strengthening Australia's critical infrastructure security. Reforms outlined in the bill will strengthen Australia's ability to respond to serious cyberattacks on critical infrastructure by expanding the definition of critical infrastructure so that it includes energy, communications, financial services, defence industry, higher education, research, data storage or processing, food and groceries, health care and medical, space technology, transport, water and sewerage sectors. It will introduce a cyberincident reporting regime for critical infrastructure assets. By making government assistance available to industry as a last resort and subject to appropriate limitations, this assistance will be available immediately prior to, during or following a significant cybersecurity incident to ensure the continued provision of essential services.

By defining what is and isn't critical infrastructure, the government is better able to allocate resources and responsibilities during a crisis. The definitions have been refined in partnership with industry to ensure that only those assets that are truly critical are captured. The assets have been identified as critical based on their impact on the social or economic stability of Australia, the defence of Australia or Australia's national security. Currently, the Security of Critical Infrastructure Act 2018 requires entities responsible for critical infrastructure to provide ownership and operator information for the Register of Critical Infrastructure Assets. The cyberincident reporting regime builds on the existing obligations in the Security of Critical Infrastructure Act. Once turned on, for each sector, it will require infrastructure entities to report incidents to the Australian Cyber Security Centre through the ReportCyber portal and provide ownership and operator information for the register. This will enable a quick and effective government response to cybersecurity incidents by providing a greater situational awareness of threats to those assets.

Critical infrastructure entities will have up to 12 hours to report a critical cybersecurity incident once they become aware of it and up to 72 hours to report other cybersecurity incidents. The time frame for reporting cybersecurity incidents aligns with the reporting regimes such as APRA's prudential standard CPS 234 and the EU's GDPR. The reporting of cybersecurity incidents is vital to help the government develop an aggregated threat picture and comprehensive understanding of cybersecurity risks to critical infrastructure in a way that is mutually beneficial to government and industry. Reporting of cybersecurity incidents will provide better, proactive and reactive incident response options, which can range from providing voluntary assistance to industry to building a better culture of cybersecurity.

These reforms will provide for government assistance measures. These measures are necessary as there may be situations where a cyberthreat or incident is occurring or has occurred which can or will pose a serious risk to our national security interest. The assistance measures will focus on protecting and defending assets that provide a critical role in Australia's economy, society or defence when the owner or operator of those assets is unable to do so. Noting the importance of these assets for an effective functioning of Australian society, it will be a criminal offence not to comply with directions made under the assistance regime. These assistance powers are necessary due to the current threats we face and expectations from the community that, where Australia's national interests are under threat, the government will use its technical expertise to ensure essential services remain functioning.

Debate interrupted.