James Stevens (Sturt, Liberal Party) Share this | Hansard source

I rise to support the second reading on the Security Legislation Amendment (Critical Infrastructure) Bill 2020, a very important bill introducing enhanced frameworks to make sure we are providing the kinds of protections that are necessary, in the modern era, for our critical infrastructure when it comes to the risk of cyberattack. I think about this in the context of my home state of South Australia, with the infrastructure that is now coming online in the electricity sector and the sorts of risks that we need to be wary of as new technology enters our marketplace from an electricity point of view. I think Queensland has a rate of installation of rooftop solar that's around the same or slightly higher than South Australia's. Both states lead the nation, and as a nation we lead the world when it comes to the installation of rooftop solar. It's a good example of where the future of electricity generation is going to be, particularly for household-level consumption, going forward—in my view. It's a technology that has become much more affordable. Around one-third of households already have rooftop solar, and growth figures show that's only going to increase in the future.

I believe this is a source of generation that we'll increasingly rely on, but, equally, more technology makes it more reliable. One of the challenges with solar is that it's good when the sun is shining but, if the sun's not shining and you want to turn on your television or your dishwasher or cook your evening meal, it's not very helpful if you can't capture the generated electricity and store it. Now, of course, we have the advent of home-scale battery storage systems. They've been a little expensive for the average person to afford until now, but we know where the unit price of batteries is heading—down. Hopefully, it will become a more and more affordable option for people to couple their rooftop solar panels with a home battery so they can charge up the battery when the sun is shining during the day, when they might not be at home to consume energy, and save that energy to use when they need it in the evenings.

We're going a step further again in South Australia with battery units. Household batteries are sometimes described as a distributed grid—as in distributed generation and storage of electricity—and in South Australia, on that definition, we've got the largest distributed grid in the world. We hope to continue to build on that. The Commonwealth government, through the Clean Energy Finance Corporation, is co-financing a scheme with the South Australian government to provide subsidy for home batteries, because we want to partner as much of that rooftop solar with battery storage as we can, for the reasons I've just outlined. The next step, beyond us storing our own electricity at home and using it when we need it, is being able to share that electricity. If I've got excess electricity that I'm not using stored in my battery and someone else in my neighbourhood is running low on stored electricity, or any electricity, then, through that distributed grid, we can have a transaction where some of my electricity goes, at a charge, to the person who wants to consume it. We can have what is sometimes called a virtual power plant. When you think of all these small batteries combined, they're the same size as a major electricity generator and they're holding electricity that can be dispatched on demand, and all these systems are interconnected.

What's vitally important for that kind of virtual power plant to work is all the systems being able to talk to each other on a central platform—in the cloud, no doubt—and share information: who's got what energy; what future consumption and demand is likely to be; where there is excess energy being stored in a household and where there is a deficit of energy available to a household, despite what they're expected to consume going forward; and how we trade that electricity amongst all the people in this virtual power plant. That effectively means you've got not only distributed storage but also the ability to share demand and the most efficient way of capturing, storing and providing electricity for consumption. That's an unbelievable proposition. It's something for which the technology already exists, and we're trialling it in South Australia. That is all predicated on the technology and communication of all those units, which could be hundreds if not thousands, with billions and billions of data points coming together to provide electricity for a neighbourhood. That, of course, raises the huge risk of someone being able to interfere through the cyberworld in something like a virtual power plant and, effectively, take it offline and take out a neighbourhood's electricity source because, through a cyberattack, they were able to disrupt and infect that platform and remove the ability for that platform to come together, to share that collaboration and to provide the power source for an entire neighbourhood.

That is one example among thousands—if not millions—of others that we are going to have when it comes to the future of infrastructure in this country, whether it's at the low level—in small scale, like the example I've just outlined—or, again in electricity, in the very large scale. In South Australia, we're building an interconnector now with New South Wales. It will take around 800 megawatts of electricity in either direction, which will be vital for the stability of the South Australian grid, given some of the challenges we've had with that in recent years and will also be vital to the ability to attract investment in larger-scale generation and to have markets where renewable energy generated in large solar or wind projects in South Australia can be not just used domestically in the South Australian market but also exported for sale in somewhere like New South Wales. So, at the other end of the electricity infrastructure scale, a multibillion dollar interconnector is the sort of infrastructure that already—and even more so into the future—is reliant on cybercapability and is vulnerable to cyberattack.

That is the modern world. That is the current situation and the future, as well, for infrastructure. In terms of this bill, of course, electricity is one of the easier examples to talk about, but other speakers have talked about the wide variety of infrastructure that is captured that is going to be vulnerable to cyberthreats today and into the future. That is really every single piece of infrastructure we can conceive now and some that we can't yet conceive, because, in the future, almost everything is going to be reliant on cybertechnology and at risk of cyberthreat. In a beautiful country like ours, we've not had, from a physical infrastructure risk point of view, the same kind of alarm and concern throughout our history. Obviously we're lucky enough to be one country on an entire continent. We've not had a major conflict here since the advent of what some philosophers call 'total war' or 'absolute war' where, in modern warfare, infrastructure has become a major target physically, as has happened in other parts of the world. We don't have the sort of history or the culture of having a paranoia about the protection of our infrastructure. But, of course, that is not the case when it comes to the risk of cyber because there is no tyranny of distance related to cyber. There are no proximity issues with cyber. Someone anywhere else on the planet with an internet connection can attempt to launch a cyberattack on any critical infrastructure in our country, and that's why we now have the risk and the need to respond to that risk through this legislation and the other things that this government is doing.

I've had the pleasure, a couple of times, of going to the Australian Cyber Collaboration Centre which is located just outside of my electorate in the Adelaide CBD in the Lot Fourteen Precinct, which is the heart of the city deal between the federal government, the state government and the Adelaide City Council in South Australia. It's amazing what they're doing there. It is very much in line with what this legislation is about, which is creating partnerships and support between government, the private sector and other people that have expertise in cyber and in risks of cyber. There's a cyberwarfare range at the centre, which is quite an experience to visit. It's almost a SCIF-like set-up—a room that's secure—where you can come in as a company, plug your software platforms into the mainframe and have people launch cyberattacks on the systems of your business so that you can identify what the vulnerabilities to cyberattack might be for your software platforms and other systems that you use. You can also seek to repel those attacks and can use various tools available in the marketplace to see which ones are the most effective for the systems your business operates in order to best protect your business from the risk of these cyberattacks, and you can weigh up the wide variety of costs for different levels of security.

So, what's happening there at A3C, as it's known, is assisting the private sector, particularly those that have a significant vulnerability to cyberattacks. For somewhere like Adelaide, that's obviously industries like defence, space and critical infrastructure such as the mining sector and the ag sector. Given the examples of attacks on private sector businesses around the world, no-one who operates a computer could say that their business doesn't have a vulnerability to cyber. So, A3C is an opportunity for any business to engage with that industry collaboration and assess and then address modern cyber risks to their business.

The other thing we know about cyber is that whatever you do today is the best you can do to protect yourself against what are known to be the capabilities of offensive cyber today. But, every day, new capability is developed and new risks emerge, so we need to be ever vigilant and constantly learn from the attacks undertaken on businesses, particularly those that we have the purview of learning from in our own country. That's really what the heart of this bill achieves. By creating the reporting framework that is one of the pillars of this bill, we're essentially making sure there's a requirement for high-risk targets—particularly those captured within this bill, related to critical infrastructure—to first and foremost report any cyberattack or suspected cyberattack that they receive, because it's very important that the experts—and the ASD is a world-renowned agency when it comes to this topic—know and are able to capture all the known or suspected cyberattacks launched on critical infrastructure across the board in this country.

That puts a government agency like ASD in the best possible position to be aware that something has occurred, to perhaps have an initial triage approach to considering the initial prima facie evidence of what's occurred and to decide whether they need to look more closely at that attack. We know that there are attacks constantly. We have tens if not hundreds of thousands of attacks a year, and we know there are different levels of attacks that bring different risks. But ASD are the experts and the ones in the best position to make decisions around how to respond to those threats. By having a mandatory system of reporting in place, they're going to have the awareness of all the things they can then choose to look at and prioritise.

Secondly, we're talking about government having a much more significant involvement in working with the private sector when it comes to critical infrastructure to help them, work with them and provide support for them if and when they are imminently at risk of, adjacent or either side of, or in the middle of a cyberattack. As a Liberal, I'm always a bit nervous about interfering in businesses or having additional regulation or requirements on business. But this is something that I thoroughly support. An agency like the ASD, with the expertise that they have, should be in a position to provide all the necessary support to businesses. Not only do we want to look after them and support them but also, by the very nature of the definition that they are critical infrastructure, they're doing things that are vital in our society, and they are a very high-risk target to people who may wish harm upon Australia and our interests.

For those reasons, I commend the bill to the House, and I thank all those who made contributions. I am pleased that this legislation will have bipartisan support. It's important and necessary legislation that we should pass and give this new capability and this new framework to the ASD and other government agencies so they can get on with the good work they're doing in protecting our country.

See this speech in context