House debates

Wednesday, 20 October 2021

Bills

Security Legislation Amendment (Critical Infrastructure) Bill 2020; Second Reading

11:11 am

Vince Connelly (Stirling, Liberal Party)

It's a pleasure to rise to speak today on the Security Legislation Amendment (Critical Infrastructure) Bill 2020. I'm particularly pleased because I have some degree of experience, which I'll talk about shortly, in relation to the protection of critical infrastructure. I'm also greatly in favour of the concept of looking at what is most important and looking at ways to enhance protections around those critical pieces of infrastructure. Indeed, in the military, where I had my first career, when we plan operations, we look at our own forces and those of opposing forces and we look for critical capabilities. Then we look at what some of the critical vulnerabilities that sit below and enable those capabilities are. In the case of an enemy force, we look at how to target some of those vulnerabilities to, if you like, bring the house crumbling down. Equally, in our own interests, we look for our capabilities, what vulnerabilities we have and how we can provide protection against those vulnerabilities. So it's wonderful to see that the Morrison government is taking a similar, mature, methodical planning approach when looking at our national critical infrastructure. Indeed, this is the course that we must and will continue to take.

In the last parliament, we passed the Security of Critical Infrastructure Act 2018 to identify and manage national security risks of espionage, sabotage and coercion resulting from foreign involvement in Australia's critical infrastructure. The reforms in this bill will apply to a range of owners and operators of critical infrastructure. It's worth taking a moment to classify what we mean by critical infrastructure. There are 11 different categories. As I name each category, I feel certain that listeners will absolutely identify with why it is that each of these categories has been defined as 'critical'. The categories are: communications; financial services and markets; data storage and processing; defence industry; higher education and research; energy; food and grocery; health care and medical; space technology; transport; and water and sewerage. Since we passed the Security of Critical Infrastructure Act 2018, new challenges have emerged. Indeed, on 1 July last year, our Prime Minister tabled and announced the 2020 Defence Strategic Update. What it painted was a picture of a degrading security environment, particularly within our Indo-Pacific region, and a large part of our response to our deteriorating security situation is looking at those vulnerabilities and how we can bolster their stability and security.

Of particular concern is the increase that we have observed in the aggressive use of what's referred to as 'grey zone activities'. What we mean by 'grey zone activities' is that they sit somewhere beyond that threshold of illegality but short of actual military conflict. Some of the examples are interference operations, coercive use of trade and, of course, economic levers. We've seen those geo-economic levers used in an aggressive form against Australia. These activities, whilst they sit below the threshold of open conflict, certainly threaten stability and, indeed, sovereignty. Whilst these grey zone activities are certainly not new and have always existed on the spectrum of conflict, what we are seeing is an escalation in the use of these grey zone activities, including in Australia and within our region.

Cyberwarfare is absolutely on the rise, and we can rightly refer to cyber as being a new battleground. In its Annual cyber threat report 2020-21 the Australian Cyber Security Centre noted that there were 67,500 reports of cybercrime. This reflects a 13 per cent increase on the previous year and equates, very worryingly, to a cyberattack here in Australia every eight minutes. This is indeed alarming. Throughout 2019 and during the 2020 COVID-19 pandemic Australia's critical infrastructure sectors were regularly targeted by malicious cyberactors seeking both to exploit the victims of the attack and in many cases to gain profit. This totally disregards our communities and in some examples has led to material impacts. For example, during this period we've seen multiple regional hospitals having been the victims of cyberattacks, and this has resulted in the delayed delivery of health services, including surgery, to regional communities. A major national food wholesaler was also the victim of a cyberattack. This affected their systems and temporarily disrupted their ability to provide food during a time when there was unprecedented pressure on the food and grocery sector. There was also a water provider which had its control system encrypted by ransomware. Had that system not been restored quickly enough from backups that could well have disrupted the supply of potable water to a regional population hub. It could also have disrupted the agricultural activities which relied on that same water source.

Attacks on our critical infrastructure require a joint response. They require government, business and individuals to operate in a coordinated fashion, and this indicates the interrelated nature of these risks. The new framework provided by these bills will enable government, industry and partners to defend Australia's national interests. It will require entities to adopt and maintain a risk-management program for critical infrastructure assets, and this will in turn bolster their resilience in the face of threats.

I've had the opportunity to see firsthand some of the Australian operators of critical infrastructure and to work hand in hand with some of those operators. After leaving the Australian Regular Army I worked for most of the last 14 years as a risk, crisis and business continuity management specialist. This involved working with largely mining, oil and gas companies and helping to build their resilience. This involved taking teams and training them in incident and crisis response, working with all levels of management to train on a system of response and to empower those individuals who were managers within their own business to take the responsibility to lead others and to manage through responses. The last engagement I had was with Woodside Energy, a great Western Australian company and the operator of a whole range of oil and gas platforms offshore and processing facilities onshore. Dealing with hydrocarbons, particularly when they're under high pressure, is already a very high-risk environment. Add to that the reality that some of these facilities also take the form of those targetable critical vulnerabilities I mentioned earlier, and we have absolutely no option but to invest in the protection of those assets.

In fact, some of the key themes in which these incident and crisis responders were trained and exercised came under the acronym PEARL, which stands for people, environment, asset, reputation and liability. The acronym makes them easy to remember. They are also prioritised. Of course, every organisation should and must look after their people first—their safety and their security. Of course, the environment, assets, reputation and liability also need a close degree of attention when we're looking to build that resilience.

I also credit some other great organisations, like Rio Tinto Iron Ore and BHP Billiton, which I saw, over many years, dedicate a great deal of effort to building resilience. Not only do we look at the training of teams of individuals to be ready to respond; we also look at the investment in physical infrastructure—in safety response systems, fire management systems and the readiness and maintenance of those systems to provide that protection.

I also had the opportunity to work with a number of organisations during live responses. That's where we see resilience really come to the fore, after the investment, over years, of training and equipment. I won't go into some of the specifics, but, needless to say, the readiness and resilience that was built up by companies like those I mentioned should be credited. It has paid off in spades already and will into the future. Through this bill, we can see how government is partnering with the investments that those businesses are making to protect the critical infrastructure upon which all Australians rely for our wellbeing and prosperity.

On the financial services front, I also worked with some of our major financial institutions, our banks. This is where business continuity becomes really essential. Of course, banks take the responsibility for safeguarding our personal savings, but, as institutions, they also, importantly, enable cash flow for our businesses, whether they be small family businesses or large businesses. Essentially, our banks set the conditions that underpin economic confidence. For this reason, the processes of business continuity management remain absolutely essential, and I provide credit to our banks and to our regulators—which, obviously, this government takes a large degree of responsibility for—for maintaining the resilience of our financial institutions in the interests of us all.

Entities will also now be required to report cybersecurity incidents to the Australian Signals Directorate, which will enable the latter to build a better picture of the threat environment surrounding Australia's critical infrastructure. This, in turn, will allow government to provide better advice and assistance to entities about how they can safeguard critical infrastructure. The public expects the Australian government will protect the nation if a cyberincident affects Australia's critical infrastructure and results in serious threats to Australia's interests. Even if a critical infrastructure entity is doing all it can to protect itself and the services that it provides, we recognise that there are some threats that are beyond the capabilities of critical infrastructure operators themselves to mitigate. That is why this bill also contains what I call 'last-resort powers', which can only be used in situations where an entity is unable or unwilling to respond to an incident. I note that this legislation has been developed through extensive consultation with industry, which is very welcome and will absolutely be continuing.

As I conclude, I'll lean on the words the Prime Minister used when he launched the 2020 Defence Strategic Update. He said:

The enduring responsibility of Government … is timeless—to protect Australia's national interest, our sovereignty, our values and the security of the Australian people.

This bill does exactly that, and I commend it to the House.
