House debates

Wednesday, 20 October 2021

Bills

Security Legislation Amendment (Critical Infrastructure) Bill 2020; Second Reading

11:24 am

Tim Watts (Gellibrand, Australian Labor Party, Shadow Assistant Minister for Communications and Cyber Security)

I'm pleased to have the opportunity to rise to speak on this significant bill, the Security Legislation Amendment (Critical Infrastructure) Bill 2020, designed to better protect Australia's critical infrastructure assets from a growing range of cyberthreats. Labor broadly supports the measures in this bill and will be supporting the passage of this bill through the parliament this week. For the benefit of the previous speaker, I'll point out that the process that has brought this bill to the House today has been shambolic, to say the least, and it has left the parliament with significant additional work to achieve the aims of this bill.

In recognition of the increasingly interconnected and interdependent nature of Australia's complex modern economy and society, the bill before the House does significantly expand the definition of critical infrastructure, subject to Commonwealth regulation, from the current four sectors of electricity, gas, water and ports to 11 sectors of national significance encompassing communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, water and sewerage.

The bill then introduces a series of new obligations on the owners of this critical infrastructure, designed to improve the ability of both the owner and the Australian government to protect these assets from attack. For example, the bill introduces new requirements that critical infrastructure asset owners report certain cyberincidents to the government. In addition, the bill gives the government significant powers to intervene to assist critical infrastructure asset owners responding to critical cybersecurity incidents if necessary and, as a last resort, without the consent of the asset owner.

These new obligations and government powers are needed today because the threat environment facing critical infrastructure asset owners has deteriorated significantly in recent years. There has been a rapid growth of cyberattacks targeting critical infrastructure globally and in Australia from both nation state actors and from international organised crime groups.

In May 2021 the world saw a high-profile example of the impact that a significant cyberattack could have on a piece of critical infrastructure. Affiliates of the Russian ransomware crew DarkSide, an organised crime group, targeted the US Colonial Pipeline in a ransomware attack that shut down its operations for six days. That pipeline was responsible for carrying nearly half of all the fuel supply to the east coast of the United States. The fuel shortages and the lines at the petrol stations that we saw as a result made global news headlines.

Just a month later another Russian ransomware crew, the REvil group, launched an attack on JBS Meats, the world's largest meat supplier, bringing its operations to a halt, including in Australia—an attack that had the potential to cause food shortages around the world.

In the background to these high-profile attacks there have been a series of incidents affecting utilities around the world, including water and electricity companies and the operators of ports and rail networks. The Australian Cyber Security Centre's recent annual cyberthreat report has noted:

Approximately one quarter of cyber incidents reported to the ACSC during the reporting period were associated with Australia's critical infrastructure or essential services. Significant targeting, both domestically and globally, of essential services such as the health care, food distribution and energy sectors has underscored the vulnerability of critical infrastructure to significant disruption in essential services, lost revenue and the potential of harm or loss of life.

The secretary of the Department of Home Affairs underlined the urgency of the threat environment when he told the Parliamentary Joint Committee on Intelligence and Security in July 2021 that our security agencies wanted the government assistance provisions in this bill 'on the statute books tonight'. Addressing this worsening threat environment is both an urgent and a difficult task. Cybersecurity is a whole-of-nation endeavour. It requires defending networks operated by multiple levels of government, within small and large businesses and within civil society. Indeed, the defence mobilisation review found that in the event of cyberwarfare many of the targets of state-sponsored cyberattacks will be civilian businesses or individuals. Designing policy interventions to protect this diverse and rapidly evolving attack surface is difficult, particularly when the circumstances demand rapid action.

Unfortunately, the Morrison government has not met this challenge. This bill is yet another example of the Morrison government dithering on a major challenge and then rushing once we've reached the crisis point. It has been too slow to act. Then when the threat environment reached a crisis point it has failed to give due weight to the complexity of the challenge.

The time line leading up to the introduction of this bill tells the story of the government's lack of urgency. The genesis of the bill was the Cyber Security Strategy 2020. By the time the Cyber Security Strategy 2020 was released by the Morrison government in August 2020 the government's previous Cyber Security Strategy 2016 had reached the end of its four-year life four months before. The government spent 12 months developing its new strategy. Four months after the Cyber Security Strategy 2020, the government released an exposure draft for this bill and indicated that it intended to introduce the bill to parliament just 10 days after public consultation concluded. Dither and then rush—the Morrison government's MO.

This was a crazy approach to such a consequential and complex piece of legislation. Industry was aghast and warned in the most urgent terms that the government's rushed approach could do more harm than good. Stakeholders raised numerous concerns with the exposure draft, but the government insisted on forging ahead with minor technical amendments. In response, Labor insisted that a bill of this consequence and complexity be subject to a substantive PJCIS review. Thankfully, under an avalanche of objections, the government agreed that the bill be referred to the PJCIS for inquiry in December 2020. After the madcap rush to progress the exposure draft, this inquiry then took nine months. Yet again, it was left to the PJCIS and the constructive bipartisan efforts of the Labor members of this committee to do the hard work of getting the bill into a workable shape that the government itself had neglected. In this instance, the bill required a little bit more than panelbeating. Indeed, the unanimous bipartisan report of the PJCIS recommended radical surgery.

The government's original bill was split in two. Recognising the worsening threat environment and the 14 months that had passed since the release of the 2020 cybersecurity strategy, the PJCIS ultimately recommended that only the most urgent measures in the original bill be passed, subject to amendments. As previously outlined, these provisions include the expanded definition of critical infrastructure, government assistance provisions in the event of a significant cyber incident and a mandatory reporting scheme for these incidents. However, with the PJCIS finding that critical infrastructure asset owners 'did not feel like their input or feedback had been actioned or acknowledged during the government's consultations on the original bill', the committee recommended that other measures in the bill, like the establishment of risk management programs and the declarations of systems of national significance with associated enhanced security obligations, be 'revisited and amended in a consultative and collaborative basis' in a separate bill to be considered by the parliament at a later date.

This really is an extraordinary indictment of the Morrison government's failure to work in partnership with the broader Australian cybersecurity ecosystem in our shared task of protecting the nation from cyberthreats. As the PJCIS highlighted, the government's consultation failures on the provisions—that have now been punted to bill two—created enormous uncertainty across multiple industries about unknown future regulatory burdens that this legislation would impose. My observation, speaking to people in the industry, is that this uncertainty has had the opposite effect to that desired by the government. In response to this uncertainty, many organisations have fallen into a compliance mindset and adopted a wait-and-see approach to the cybersecurity measures that they might be required to implement by regulation. Instead of driving an uplift in cyber maturity, many organisations have paused their cybersecurity investments while they wait for clarity from the government.

It's been a real failure of the government to work in partnership with the IT systems operators outside of government towards a shared goal. Cybersecurity isn't something that government can do from behind the ramparts. It requires government to come out from the Commonwealth security and law enforcement silos and work hand in hand with operators of IT systems in an extremely diverse range of organisations—large public sector companies, privately held companies, state and local governments and even civil society groups. It requires government to build trust with the operators of these networks—something that was not assisted by the process through which this bill was developed. Finally, it requires government to build understanding and expertise in the real-world challenges facing the operators of these IT systems.

The process of the development of this bill has highlighted that, while policymakers within the government are able to undertake a reasonable desktop exercise identifying the kinds of policy interventions you'd like to see in an ideal world, they have little appreciation for how private sector networks are actually developed, operated and defended in the real world. While there is significant technical expertise within Commonwealth defence, intelligence and law enforcement agencies, the government has shown at the policy level it does not have sufficient experience and understanding of the cybersecurity challenges of the private sector. This is a capability gap that the Commonwealth will need to address as the threats that this bill is designed to respond to become more acute. This is particularly notable in the context of the government assistance or step-in powers created by this bill. Anyone who has worked with large private sector IT networks understands that the risks of people who lack specific knowledge of a network interfering with it are significant. If you didn't build it, it's easy to break things. The potential for unintended harm is significant and, with critical infrastructure, the scale of unintended harms is potentially extremely significant. As a series of major technology companies, like Google, Microsoft and Amazon Web Services, highlighted in the consultation of the PJCIS on this bill, government intervention in their networks has the potential to increase the risk they face from cyberthreats. AWS told the PJCIS:

… there is a deeper underlying assumption in the entire bill here that seems to be this: if something bad happens to a critical piece of Australia's infrastructure, then the government is capable of stepping in and fixing that bad thing. In many instances, we think there's a really big risk of the government stepping in and misunderstanding how the regulated entity operates, and maybe making things worse—so creating more or new problematic security incidents than are at risk in the process.

Microsoft explained the risk of installing foreign software on a network and said:

Doing so in the context of the data storage or processing sector with hyperscale cloud providers—these are interdependent systems. They will introduce vulnerabilities. We think it's going to potentially be a source of substantial third-party risk that we may have to mitigate for from the government if there is uncertainty on how these powers may be used.

Similarly, representatives of Google said:

What we need is information and collaboration, because the only software that's safe to operate in a Google or hyperscale cloud environment is our software and our systems that have been tested and vetted.

I am sure that the technical experts at the Australian Signals Directorate understand the reality of working with networks that you don't run, much more so than the policy designers of this legislative framework. The PJCIS heard that industry would overwhelmingly without compulsion cooperate with the ASD and the ACSC in the event of a major cybersecurity incident. These compulsory powers are only intended to deal with the most extreme scenario where entities are unwilling or unable to respond. I'm confident that these powers would only be exercised as an absolute last resort, if ever, and then with extreme reticence and caution.

Importantly, the PJCIS spent significant time considering a range of safeguards that could be put in place in the exercise of these powers. I welcome the proposal that any use of the assistance powers be reported to the PJCIS after they are rendered. That said, I share the view of Labor members expressed in their additional comments to the PJCIS report that there's more to do in this space. As this bill is currently drafted, all ministerial authorisations for the use of the government's intervention powers are excluded from judicial review. The government has not adequately explained its reasons for this wholesale exclusion from judicial review. The role of judicial review on the exercise of powers like this has been a common difference of approach between Labor and coalition members on the PJCIS over a number of inquiries now.

Labor members also highlighted the Law Council of Australia's submission that consideration should be given to an independent issuing authority for authorisations to exercise these powers along the lines recommended by the third INSLM. This would be similar to the authorisation of compulsory industry assistance powers under part 15 of the Telecommunications Act. I note in this respect the committee's recommendation that the impacts of the provisions of this bill be reviewed by the PJCIS again when bill two of these reforms is introduced into the parliament. I want to highlight the additional comments of Labor members. They said:

… the Committee should take advantage of that opportunity and—in the absence of compelling evidence from the Government—recommend further improvements to Part 3A.

In my remaining time I want to deal with two matters that the PJCIS highlighted in its report that are not dealt with in this bill—largely the protection of non-governmental democratic institutions under this regime. They aren't directly covered by the regulatory framework put in place by this law. In fact, we don't have existing institutional or program responses to lift the cyber-resilience of non-governmental democratic institutions in our society. I'm talking about political parties, think tanks, universities and newspapers. These have recently all been very frequent targets of cyberenabled foreign interference around the world. A constant theme of recent elections around the world is cyberenabled foreign interference.

Chris Krebs, a former Director of the US Cybersecurity and Infrastructure Security Agency, appeared before the PJCIS and warned that Australia needs a process in place to enable non-political entities to make disclosures of any cyberenabled foreign interference during an election campaign. He told the committee:

… you never want the incumbent with the ability to put their thumb on the scale and change the outcome of the election … you would not have wanted a White House press conference for those sorts of announcements because that, in and of itself, can be politicised.

This is an important learning for Australia. The committee report makes recommendations that the government put in place a process during the caretaker period for apolitical disclosure of cyberenabled foreign interference, and the government should take that up.
