Brendan O'Connor (Gorton, Australian Labor Party, Shadow Minister for Foreign Affairs (House)) Share this | Hansard source

The Security Legislation Amendment (Critical Infrastructure) Bill 2020 responds to the threat of cyber-enabled attacks and other risks to Australia's critical infrastructure. Labor is committed to the safety and security of all Australians, and urgent cybersecurity reforms are definitely required to address the ever-increasing number of cyberattacks Australians face. The pervasive threat of a cyber-enabled attack and the manipulation of critical infrastructure is serious, is considerable in scope and impact and is increasing at an unprecedented rate. Ransomware and other cyberattacks are a multibillion- dollar cost to the nation annually, threatening jobs and investment when we can least afford it. A cyberattack is reported in Australia every eight minutes, which is a 13 per cent increase on pre-pandemic levels.

The COVID-19 pandemic has fast-tracked the movement of our lives online, where we now heavily rely upon digital systems to navigate life and business like never before. Many of Australia's most significant social and economic opportunities, as well as geostrategic and security challenges, are currently unfolding through the prism of cyber and critical technologies. This not only increases our reliance on cyber systems but also increases the risk should those systems become inoperable. It is for that reason that Labor will support this bill, which is a step forward in the protection of critical infrastructure and essential services that all Australians rely upon.

Critical infrastructure is increasingly interconnected and interdependent, making our lives easier and providing economic benefit. However, connectivity without proper safeguards creates vulnerabilities. These vulnerabilities, if exploited through cyberattacks, can result in cascading consequences across our economy, security and sovereignty. The interconnected nature of our critical infrastructure means that an attack on one essential function can have a domino effect that degrades or disrupts others. Critical infrastructure underpins the delivery of goods and services that are essential to the Australian way of life, our nation 's wealth and prosperity and, indeed, our national security.

This bill proposes enhanced cybersecurity obligations for those assets that are most important this country. It introduces additional reporting requirements for cyber incidents that affect critical infrastructure assets. It also provides a definition of 'significant impact', and that is a cybersecurity incident that will have a significant impact if the incident has materially disrupted the availability of essential goods or services provided by using the asset. It also offers government assistance to relevant entities in response to significant cyberattacks that impact Australia's critical infrastructure assets.

While Australia has not suffered a catastrophic attack on our critical infrastructure, we are not immune. Australia is facing increasing cybersecurity threats to essential services, businesses and all levels of government. In the past two years we have seen cyberattacks on Australian food suppliers, on Australian hospitals, on our universities, on media outlets and even on this parliament's own network, just to mention a few. Internationally, cyberattacks have disrupted critical sectors. In the United States, for example, we have seen significant disruption to water and fuel supplies caused by cyberattacks. In this threat environment it is critical—it is crucial—that Australia's technical authority, the Australian Signals Directorate, is empowered to assist entities in responding to significant cybersecurity incidents to secure infrastructure assets. That is what this bill proposes to do.

These are last-resort powers, and affected entities will undoubtedly retain their reservations. In supporting this legislation, Labor is relying upon the intention stated in the bill and as given by the department and indeed by agency heads—that these powers will only be used as a last resort. With that in mind, it is very important to emphasise that the Parliamentary Joint Committee on Intelligence and Security will be notified and briefed each and every time the government enacts this power and will conduct a full review of the legislation when additional critical infrastructure reforms are introduced by government. In evidence provided to the committee, witnesses overwhelmingly indicated their willingness to co-operate with the Australian Signals Directorate. It is always the case that, where a parliament seeks to increase the power of executive government, parliamentary oversight is also increased in order to ensure sufficient transparency and accountability by the executive government. To that extent, we are very much supportive of those safeguards. In this threat environment it is critical, I think, that we have that caveat on the use of these powers, and that's what is intended by this bill.

Government assistance powers would only be needed in the event that an affected entity is unwilling or unable to respond appropriately, thus these measures should only be needed sparingly, if ever. In the instance that there is a disagreement between an entity and the Australian Signals Directorate on the best course of action, this bill incorporates the committee's recommendation to include safeguards that require the minister to consider multiple impacts and current responses. These are the checks and balances required at any stage when a parliament is seeking to increase executive powers, albeit for the common good and in the national interest. They ensure there's a balance with respect to decisions made by ministers or by executive government more generally.

I'd also note that the bipartisan committee also called on the Morrison government to review the processes for classified briefings for the opposition during caretaker periods, in response to serious cyberincidents, and to consider best-practice principles for any public announcement about those incidents, especially during election campaigns. We would expect, as would be the Westminster tradition and convention, that in the case of an election the opposition would be involved in such matters and that the matter itself would be dealt with, in the caretaker tradition, by the Public Service and the department heads. We've made that very clear.

While this proposed legislation is a positive move, we have to note that the government has so far fallen behind in taking meaningful action to prevent cyberattacks on Australian organisations. In fact, one of the Prime Minister's first actions upon coming to office was to abolish the dedicated cybersecurity minister, and it has been at the bottom of the government's to-do list ever since. The Australian Cyber Security Centre's second annual cyberthreat report, released last month, reaffirms the fact that ransomware remains the most serious cyberthreat facing Australian businesses. It also reveals a 15 per cent increase in reported attacks since last financial year, with more than one ransomware attack reported every day, on average. That's a remarkable number of incidents that are occurring currently.

In February we called upon the government to develop a national ransomware strategy to reduce the volume of these attacks and co-ordinate government action across policy, regulation, law enforcement, diplomatic and defence capabilities. More recently, Labor introduced the Ransomware Payments Bill 2021 into the House of Representatives and the Senate. The government last week—finally—heeded Labor's call for a national ransomware strategy to combat this billion dollar scourge.

With only a few parliamentary sitting weeks left in the year—and, indeed, possibly this parliamentary term—and more consultation on this proposed ransomware reporting scheme to be done, this looks like yet another announcement with no delivery from the Morrison-Joyce government. We're at the back end of this parliamentary term, this threat has been real and growing for days, weeks, months and years, and we are only now seeing the government seriously attending to this matter after the efforts of the opposition to make it very clear that the need was great and urgent. The government has conceded that more work needs to be done in communicating, consulting and responding to concerns regarding its proposed positive security obligations for critical infrastructure sectors. These important initiatives need to be done properly. These are important initiatives, and they do need to be done well and diligently.

While Labor supports this important bill, I can't overstate the need for more attention to be focused on reducing cyberattacks and protecting the critical infrastructure and essential services that all Australians rely upon.

See this speech in context