Senate debates

Monday, 25 November 2024

Bills

Cyber Security Bill 2024, Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024; In Committee

12:31 pm

David Shoebridge (NSW, Australian Greens)

Minister, a raft of submitters in relation to the proposed standards for the internet of things urged the government to be very clear about what standards the government is intending to adopt. Can you advise the Senate what standards the government is intending to adopt?

12:32 pm

Murray Watt (Queensland, Australian Labor Party, Minister for Employment and Workplace Relations)

The government recognises that, while Australia is a small technology market, it is essential to align the security standards with international approaches, including those of the United Kingdom. Any standards made as ministerial rules are intended to reflect international standards and closely follow global best practice that Australia agrees should apply to smart devices available or reasonably expected to be made available in Australia. Despite some level of influence in the negotiation of international standards, Australia does not oversee these instruments, which can be updated by international standards bodies. The rules based approach to incorporating standards under the act in Australia will help to ensure that consumers in Australia are protected from cybersecurity risks by updates to standards as they arise.

12:33 pm

David Shoebridge (NSW, Australian Greens)

Minister, is the government intending to adopt ETSI EN 303 645, which is probably the most broadly accepted global standard for consumer internet of things cybersecurity? Is that the intent?

Murray Watt (Queensland, Australian Labor Party, Minister for Employment and Workplace Relations)

The government's intention is to adopt, if that is the correct word, the first three ETSI.

12:34 pm

David Shoebridge (NSW, Australian Greens)

When you say 'the first three ETSI', does that include EN 303 645, and, if so, which other ones?

Murray Watt (Queensland, Australian Labor Party, Minister for Employment and Workplace Relations)

I'm advised that we will be adopting the first three of—I think the number you quoted was 303 645.

David Shoebridge (NSW, Australian Greens)

When you say 'the first three', it's my understanding that that standard has 13 high-level recommendations and there are 33 mandatory requirements. When you say 'the first three', do you mean the first three of the high-level recommendations of that standard? Do you mean the first three of the 33 mandatory requirements? What do you mean?

12:35 pm

Murray Watt (Queensland, Australian Labor Party, Minister for Employment and Workplace Relations)

What I have been advised is that, within that overall standard, there are three—there are a number of standards within that number, and we are proposing to adopt the first three of those. I could seek some further advice on what they deal with, if that would be useful.

David Shoebridge (NSW, Australian Greens)

Yes, I think that would be useful. Thanks, Minister. The reason I'm asking is that this is at the core of this cybersecurity standard, and so knowing what's actually going to be implemented is important. If you could get some further information on that, that would be of great assistance.

12:36 pm

Murray Watt (Queensland, Australian Labor Party, Minister for Employment and Workplace Relations)

Why don't I rustle that up for you, while you move on to your next question?

David Shoebridge (NSW, Australian Greens)

Thanks, Minister. Two of these bills have limited-use provisions which partly respond to the concerns that industry have about the provision of the information in relation to either ransomware or other cybersecurity. Much of the world, not least the United States, has moved to far more comprehensive safe-harbour provisions to ensure absolute protections. What was the rationale for limited use rather than safe harbour?

12:37 pm

Murray Watt (Queensland, Australian Labor Party, Minister for Employment and Workplace Relations)

Providing for a safe harbour would give entities a shield against any legal liability incurred as a result of a cybersecurity incident. We think that the Australian public rightly expects that entities should comply with their legal obligations and do what they can to proactively respond to cybersecurity incidents. Limited use will not exempt an organisation from complying with their existing legal and regulatory obligations. The limited-use provisions are not a safe harbour to shield business against legal liability but will instead operate to ensure information provided by industry during a cybersecurity incident can only be used by government agencies, including the Cyber Security Coordinator, for the purpose in which it was shared—that is, a permitted cybersecurity purpose.

12:38 pm

David Shoebridge (NSW, Australian Greens)

The safe-harbour provisions that operate in the United States are focused on providing protection against proceedings in circumstances where entities are actively reaching out to regulators to seek assistance and actively reaching out to provide information to the government to not only protect themselves but also protect consumers and others. Safe-harbour provisions in the United States do not come with a complete shield but do provide protections for entities when they, in good faith, reach out in those circumstances. Is it the government's view that the safe-harbour provisions in the United States are not working?

12:39 pm

Murray Watt (Queensland, Australian Labor Party, Minister for Employment and Workplace Relations)

I've already made the point that providing a safe harbour regime—and I'm not sure that it extends quite as widely in the US as you've said—would give entities a shield against any legal liability incurred as a result of a cybersecurity incident. I didn't say that it was a complete shield, but it would provide a shield against liability.

The other issue with going down the safe harbour path is that that would interfere with a number of other regulatory regimes that Australia has in place, including those that relate to regulatory agencies like APRA. There are a number of others as well, and our view is that providing for limited use is a more appropriate way to go for Australian circumstances.

12:40 pm

David Shoebridge (NSW, Australian Greens)

Given the short consultation period for this and the complexity of the legislation, and given it cuts across existing regulatory and reporting requirements under the corps act, under the tax system, under the SOCI Act, under the Telecommunications Act, and, indeed, under Defence Export Controls, is the government intending to produce some clear regulatory guidance to industry that will show how these things will work after this legislation is passed and how they will interact? If so, who's going to produce it and when are we going to see it?

12:41 pm

Murray Watt (Queensland, Australian Labor Party, Minister for Employment and Workplace Relations)

Yes, that is the intention, and the intention is that once this bill is passed, if it is passed, the Department of Home Affairs and the Australian Signals Directorate will provide that guidance.

David Shoebridge (NSW, Australian Greens)

Are they each intending to provide separate guidance? It's the fractured nature of the regulatory regime here, which is going to be even more fractured after the passage of this bill, if this bill is passed, that's causing multiple concerns and quite genuine concerns. Is ASD going to produce something and Home Affairs going to produce something separate, or is it going to be a whole-of-government response saying, 'This is how it works'?

12:42 pm

Murray Watt (Queensland, Australian Labor Party, Minister for Employment and Workplace Relations)

It's likely that that will be whole of government.

David Shoebridge (NSW, Australian Greens)

Minister, once information is provided to the ASD under the amendments to the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill, there's no requirement in this legislation to seek the consent of the entity that's provided the information before it's shared by ASD to either the National Cyber Security Coordinator or others. Equally, in relation to the Cyber Security Bill, once information is provided to the Cyber Security Coordinator there's no requirement to seek the consent of the entity before the information is shared to ASD. The coordinator can share to ASD and ASD can share to the coordinator once information is provided, but at no point is there the seeking of consent of the entity who provided that. If you want to have a relationship of trust with reporting entities, and you want this early provision of information—and I think we all share that goal—why isn't there a requirement to make efforts to seek consent?

12:43 pm

Murray Watt (Queensland, Australian Labor Party, Minister for Employment and Workplace Relations)

The government's view is that requiring that type of consent would significantly slow down the information sharing that is required to resolve and manage a particular cybersecurity incident. I make the point that both the ASD and coordinator have limited-use powers.

In answer to your earlier question about the standards within ETSI 303 645, the first three standards that I referred to were, firstly, that there's no default password; secondly, that there's a requirement to have a vulnerability disclosure statement; and, thirdly, to let consumers know how long they are willing to support the device. That mirrors the UK.

12:44 pm

David Shoebridge (NSW, Australian Greens)

This is on the Cyber Security Bill. The review board will sit within Home Affairs. Given the review board, in significant part, will be reviewing the adequacy of the regulatory arrangements and the responses from Home Affairs, why was it decided to put the review board in Home Affairs and not in some other agency so that there's at least the appearance of independence?

12:45 pm

Murray Watt (Queensland, Australian Labor Party, Minister for Employment and Workplace Relations)

As you'd be aware, the Department of Home Affairs is the lead agency for cybersecurity matters. The Cyber Incident Review Board is being set up in such a way as to ensure that it's independent, and there are processes in place to manage conflicts of interest—for example, if a board member from industry is part of an investigation into its own company or a competitor.

12:46 pm

David Shoebridge (NSW, Australian Greens)

What are the arrangements for independence? It's not entirely apparent that there will be structural and legal independence, from the legislation. So, if there are any legal provisions in here for independence, can you identify them? If they're not going to be in the form of statutory protections in the bill, what are the other provisions that you say will provide the independence?

Murray Watt (Queensland, Australian Labor Party, Minister for Employment and Workplace Relations)

The Minister for Cyber Security will establish the eligibility requirements for board members and the expert panel to ensure the board has an appropriate mix of skills, experience and diversity. The eligibility criteria will include a requirement to hold or be eligible to obtain a security clearance and demonstrated qualifications and/or experience in the fields of law, cybersecurity, information security, incident response and crisis management, public administration, critical infrastructure sectoral experience, critical infrastructure regulation or audit and assurance experience. I mentioned that some thought had been given to how board members would handle conflicts of interest, which I'm happy to go into, but we are also proposing here to enshrine the Cyber Incident Review Board in legislation as a way to ensure its independence and enable the board to have powers to gather documents.

12:47 pm

David Shoebridge (NSW, Australian Greens)

I hope that the board doesn't take its advice on conflicts of interest from the Commissioner of the NACC. Deputy President, I seek leave to move Greens amendments (1) to (24) on sheet 3161 together.

Leave granted.

In respect of the Cyber Security Bill 2024, I move:

(1) Clause 8, page 8 (after line 18), after the definition of personal information, insert:

Prime Minister's Department means the Department administered by the Prime Minister.

(2) Clause 8, page 9 (after line 1), after the definition of Secretary, insert:

Secretary of the Prime Minister's Department means the Secretary of the Prime Minister's Department.

(3) Clause 45, page 53 (line 13), omit "Minister", substitute "Prime Minister".

(4) Clause 46, page 54 (line 7), after "Minister", insert "or the Prime Minister".

(5) Clause 46, page 54 (line 19), omit "Minister", substitute "Prime Minister".

(6) Clause 51, page 58 (line 17), omit "Minister", substitute "Prime Minister".

(7) Clause 51, page 58 (line 33), omit "Minister", substitute "Prime Minister".

(8) Clause 54, page 61 (line 21), omit "Minister", substitute "Prime Minister".

(9) Clause 54, page 61 (line 31), omit "the Minister", substitute "the Prime Minister".

(10) Clause 55, page 62 (line 23), omit "Minister", substitute "Prime Minister".

(11) Clause 56, page 64 (line 21), omit "Minister", substitute "Prime Minister".

(12) Clause 60, page 69 (line 8), omit "Department", substitute "Prime Minister's Department".

(13) Clause 60, page 69 (line 10), omit "Department", substitute "Prime Minister's Department".

(14) Clause 63, page 71 (line 1), omit "Minister", substitute "Prime Minister".

(15) Clause 64, page 72 (line 4), omit "Minister", substitute "Prime Minister".

(16) Clause 66, page 72 (line 23), omit "Minister", substitute "Prime Minister".

(17) Clause 68, page 73 (line 20), omit "Minister", substitute "Prime Minister".

(18) Clause 69, page 74 (line 13), omit "Minister", substitute "Prime Minister".

(19) Clause 71, page 75 (line 27), omit "Department", substitute "Prime Minister's Department".

(20) Clause 72, page 76 (line 6), omit "Secretary of the Department", substitute "Secretary of the Prime Minister's Department".

(21) Clause 75, page 78 (line 23), omit "Secretary", substitute "Secretary of the Prime Minister's Department".

(22) Clause 76, page 79 (lines 3 and 4), omit "Secretary and given to the Minister", substitute "Secretary of the Prime Minister's Department and given to the Prime Minister".

(23) Clause 76, page 79 (line 15), omit "Minister", substitute "Prime Minister".

(24) Clause 77, page 79 (line 27), omit "Minister", substitute "Prime Minister".

These are Greens amendments that would make the board at least to some extent independent, because they would move the Cyber Incident Review Board from Home Affairs, where the board would, effectively, report to the entity that it's overseeing and be selected by the minister who's responsible for the department that the board's meant to be overseeing, to the Department of the Prime Minister and Cabinet. We don't think it's a perfect solution for independence of the board but we think it's at least some structural independence from Home Affairs. You could also say that Home Affairs has enough on its plate without having another review board added to it.

More fundamentally, given this review board is going to be reviewing what went right and what went wrong in major cybersecurity incidents and given the conduct of Home Affairs will be central to that, of course the review board should not be within Home Affairs. We think the appropriate authority or agency in that regard should be the Prime Minister and Cabinet, to show the seriousness of this matter and to provide at least some functional independence for the review board. I commend the amendments to the chamber.

12:49 pm

James Paterson (Victoria, Liberal Party, Shadow Minister for Cyber Security)

I want to take the opportunity to put the coalition's view on each of the Greens amendments in one go. The coalition will not be supporting any of the Greens amendments today for two reasons. Firstly, we were not given sufficient time to consider amendments that have potential unintended consequences. We cannot support them on that basis. Secondly, I think there is a great risk that the Greens' amendments, while well motivated, will not achieve their own intended objectives. For example, moving the Cyber Incident Review Board into the Prime Minister and Cabinet portfolio does not make much sense. PM&C, qualified, competent and patriotic though they no doubt are, do not have expertise in cybersecurity incidents, and it is not the relevant portfolio to be managing it.

We're also concerned about the other amendments, which would seek to restrict the ability of the ASD and cybersecurity coordinator to work together in the heat of a crisis. The provisions on limited use are strongly supported in the sector, but this would complicate the government's own incident response, and that's not something we should do.

While I'm on my feet I did also want to take the opportunity to gently clarify the personal cybersecurity advice that was given by Senator Polley in her speech in the second reading debate. As well intentioned as I'm sure it no doubt was—and certainly not her fault, because the Prime Minister has said similar things—it is not a good idea to tell Australians that they can protect themselves from cybercrime by turning their phone on and off every day. There's highly specialised advice to people like members of parliament who are targets of sophisticated state-backed actors, including foreign intelligence services, trying to engage in espionage on them. Most Australians are not the target of foreign intelligence services for espionage, and this will not offer them any protection against a ransomware attack, a phishing email, a business email compromise, a socially engineered attack or a data breach. Instead of relying on any politician, Senator Polley or me, Australians should go to cyber.gov.au, where there are very practical tips about things you can do to protect yourself from a cyberincident.

12:51 pm

Murray Watt (Queensland, Australian Labor Party, Minister for Employment and Workplace Relations)

The government will also be opposing the Greens' amendments. I've already made the point that the legislation that we're debating does preserve the independence of the Cyber Incident Review Board—in particular, in clause 63 of the bill. And I've already outlined the reasons the government does not support requiring consent to be obtained before, for example, ASD and the cyber coordinator can exchange information.

Question negatived.

12:53 pm

David Shoebridge (NSW, Australian Greens)

The next two amendments, although they're to different pieces of legislation—one to the Cyber Security Bill and one to the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill—effectively do the same thing, although in reverse. I think it would be most convenient if I move the amendment on sheet 3171 first, in relation to the Cyber Security Bill. I move:

(1) Page 46 (after line 14), after clause 39, insert:

39A Limitations on disclosure to ASD

(1) Despite any other provision of this Act, the National Cyber Security Coordinator must not disclose information that has been:

(a) provided to the Coordinator under this Act; and

(b) provided by, or on behalf of, an entity;

to the Director-General of ASD, or a staff member of ASD, unless:

(c) the entity has consented to the disclosure; or

(d) if urgent or other exceptional circumstances exist—the Coordinator has taken reasonable steps to obtain the consent of the entity to the disclosure, but the entity has not responded to the request for consent.

(2) If the Coordinator discloses information under this section in urgent or other exceptional circumstances without the consent of the entity, the Coordinator must notify the entity of the disclosure as soon as practicable after the disclosure occurs.

This amendment would require the National Cyber Security Coordinator, before disclosing to the ASD information obtained by an entity, to seek the consent of that entity and take reasonable steps to obtain that consent. Why do we say this is important? This is about building that environment of trust and relationship of trust, and stakeholders have said that this is important. If they're going to have confidence in sharing information with the National Cyber Security Coordinator, they want that relationship of trust, and that would include in every reasonable case seeking the consent of the entity before the information is passed on to the ASD, because, of course, the ASD then would use it for quite distinct purposes from which the National Cyber Security Coordinator would use it.

This amendment also recognises that there may be urgent or other exceptional circumstances where it's not possible to get that consent, even though reasonable efforts will have been made, and will permit the sharing even where there isn't consent in those urgent and exceptional circumstances. But it then says that if that happens they have to inform the entity about the information being shared. I heard from both the opposition and the government that they will be opposing this because they say that there needs to be the ability to share information in urgent and exceptional circumstances. I point out that the amendment incorporates that concern. What I also don't understand is why the government and the opposition are resisting at least telling entities that the information has been shared. There's nothing in the Cyber Security Bill that tells entities when the information has been shared without their consent. If you want a relationship of trust, if you want the information to flow, keeping entities in the dark does not assist. So I commend that amendment to the chamber.

I'll speak briefly to the amendment on sheet 3172, which does exactly the same thing for the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill, only in that case it provides that, where the Director-General of the ASD has information, they can't communicate that information to the National Cyber Security Coordinator without consent. Again, it provides for the 'urgent and exceptional circumstances' exception to that and then also requires, as do the amendments on sheet 3171, the Director-General to inform an entity if the information has been provided without their consent.

Andrew McLachlan (SA, Deputy-President)

Senator Lambie.

12:56 pm

Jacqui Lambie (Tasmania, Jacqui Lambie Network)

Minister, I want to ask you a few questions about the review board itself. How much will it cost taxpayers to create the Cyber Incident Review Board? What does their remuneration look like?

12:57 pm

Murray Watt (Queensland, Australian Labor Party, Minister for Employment and Workplace Relations)

The chair and standing members will be remunerated as determined by the Remuneration Tribunal. Remuneration for expert panel members participating in a review will be determined under the rules. That will be subject to a 28-day consultation period following passage of the bill. So there will be an opportunity for people to have their say on that.

Jacqui Lambie (Tasmania, Jacqui Lambie Network)

How does the minister select the chair and the standing members? What's the process?

12:58 pm

Murray Watt (Queensland, Australian Labor Party, Minister for Employment and Workplace Relations)

The board will comprise three parts: a chair, standing members and an expert panel, who form a pool of members that can be called upon for individual reviews. The board will also be allocated support staff from the Department of Home Affairs to assist with the functions of the board and for administrative duties.

The chair will be appointed by the Minister for Cyber Security and have the role of leading the board and making decisions in response to powers granted within the legislation. In the event there's a vacancy in the office of the chair, the minister may appoint an acting chair to carry out the chair's duties.

The standing members will be appointed by the minister. Together the chair and the standing members will form the core component of the board. Their terms are limited to a maximum of four years.

The third component of the board will be the expert panel, which will comprise industry participants, subject matter experts, cybersecurity specialists, academics and other individuals, as appointed, to assist the board to undertake a review of a cybersecurity incident. Appointment to the expert panel will be managed through a comprehensive appointment process including a register of interest.

You may have heard me mention before the eligibility criteria to serve on the expert panel. Those people would be required to obtain a security clearance and have demonstrated qualifications and/or experience in fields related to these matters.

12:59 pm

Jacqui Lambie (Tasmania, Jacqui Lambie Network)

What do those 'fields' mean exactly? What sorts of qualifications will they exactly be looking for?

Murray Watt (Queensland, Australian Labor Party, Minister for Employment and Workplace Relations)

The kinds of fields that people would be expected to have experience in to serve on the board or the expert panel would include law, cybersecurity, information security, incident response and crisis management, public administration, critical infrastructure, sectoral experience, critical infrastructure regulation or audit and assurance experience. In line with the recommendation made by the PJCIS report, the eligibility requirements for standing members and the expert panel will be consulted further as part of the consultation on the rules. So, obviously, if you or others had views on that, we'd be happy to take them into account in that consultation.

1:00 pm

Jacqui Lambie (Tasmania, Jacqui Lambie Network)

Are you telling me that I have to have only one of those qualifications or all of those qualifications you just listed? That's a big range of qualifications. You can come out with some sort of assurance experience, but it doesn't mean you have any idea on security whatsoever. So what does this look like?

Murray Watt (Queensland, Australian Labor Party, Minister for Employment and Workplace Relations)

I'm not sure that anyone in Australia would necessarily have every single one of those qualifications. But, as is the case with the board of a company or the board of any government authority, we'll be looking for people who have a mixture of skills. Some of them will have them in cyber incident response. Some of them will have them in law. Some of them will have them in impact on critical infrastructure. Basically, we will be trying to come up with a board that has an overall cross-section of those skills.

1:01 pm

Jacqui Lambie (Tasmania, Jacqui Lambie Network)

Do you know that there are over 1,240 Australian government advisory boards right now? So I want to ask you: Why is the department not capable of providing that advice? Why haven't you hired them into the department?

Murray Watt (Queensland, Australian Labor Party, Minister for Employment and Workplace Relations)

The Department of Home Affairs is the lead agency when it comes to cybersecurity. But Australia currently has no formal mechanism to conduct post-incident reviews into cyber incidents that do have significant impacts on the Australian economy, national security or our social prosperity. What we've seen through some of the most recent high-profile cybersecurity incidents is that industry and government need to do more to effectively investigate and learn lessons from cybersecurity incidents and prepare contingencies for future attacks. The government's view is that we do need a standing independent mechanism—independent of government, rather than housed in a department or run by a department—that is responsible for undertaking post-incident reviews of vulnerabilities that led to a significant cybersecurity incident or the effectiveness of the government and industry response to the incident. By establishing this board, it brings us in line with a range of other countries, such as the US, which established its own cybersafety review board in 2022. I guess one of the risks in simply ensuring that the department manages these things is that there could be a situation where the department's own response was not adequate. Having an independent review board gives us the ability to have someone independently look at the actions of that department as well as industry and anyone else involved.

1:03 pm

Jacqui Lambie (Tasmania, Jacqui Lambie Network)

The word is that you already have some people in mind for these jobs. This is 'jobs for mates', is it?

Murray Watt (Queensland, Australian Labor Party, Minister for Employment and Workplace Relations)

I'm certainly not aware, as the representing minister, of anyone who has been put forward for this or has intentions for this. I've previously outlined what the process will be for finding people to serve in these roles.

Dorinda Cox (WA, Australian Greens)

The question is that amendment (1) on sheet 3171, moved by Senator Shoebridge, be agreed to.

Question negatived.

1:04 pm

David Shoebridge (NSW, Australian Greens)

I move the Australian Greens' amendment on sheet 3172:

(1) Schedule 1, item 2, page 7 (after line 36), after section 41BB, insert:

41BBA Limitations on disclosure to National Cyber Security Coordinator

(1) The Director-General of ASD, or a staff member of ASD, must not communicate limited cyber security information to the National Cyber Security Coordinator that has been voluntarily provided to ASD, in the performance of its functions, by, or on behalf of, an entity unless:

(a) the entity has consented to the communication; or

(b) if urgent or other exceptional circumstances exist—the Director-General or the staff member has taken reasonable steps to obtain the consent of the entity to the communication, but the entity has not responded to the request for consent.

(2) If the Director-General of ASD, or a staff member of ASD, communicates limited cyber security information under this section in urgent or other exceptional circumstances without the consent of the entity, the Director-General or the staff member must notify the entity of the communication as soon as practicable after the communication occurs.

Question negatived.

Bills agreed to.

Bills reported without amendment; report adopted.