House debates

Wednesday, 20 October 2021

Bills

Security Legislation Amendment (Critical Infrastructure) Bill 2020; Second Reading

12:09 pm

Pat Conaghan (Cowper, National Party)

I'm pleased to rise to speak on the second reading of the Security Legislation Amendment (Critical Infrastructure) Bill 2020. In my view, what makes Australia probably the best country in the world is the ease of access to critical services. Every Australian has learnt through experience to have high expectations when it comes to accessing those services, and rightly so. We have an expectation because, on the whole, things just work. We expect our lights to go on. We expect our water to run. We expect our kids to have easy access to education. We expect to have access to our own money, our own bank accounts—and it goes on and on and on. Unfortunately, recent events have posed a threat to this access and, in very real terms, to what makes this country what it is and how it works. We take for granted that our services will just simply work, that the security of these services is assured and that we maintain sovereignty of those services, but increasingly we are faced with the sad fact that this may not be and is not the case. In reality, our critical services are so interconnected in nature that if the cybersecurity of one of them is breached the domino effect could result in significant consequences to not only our national security but our economy and our sovereignty, and that is completely unacceptable for a country as free as ours.

When our essential services are faced with a physical threat, such as fires or floods, it's a given that government agencies and the wider Australian public will do whatever they can to preserve the critical running of those services. I know that in 2019 when bushfires engulfed my own electorate of Cowper and then again in 2021 when we had the devastating floods we made sure the access way to our hospitals and fire services were maintained. We prioritised the protection of phone towers and electricity poles. We set up perimeters. We called for reinforcements. Once a catastrophic physical event occurs, we reassess our situation and form plans as to how best to protect ourselves from that disruption ever happening again. We look at the experiences and best practices from around the world. We learn and evolve. We adjust and change our safeguards accordingly. When it comes to a physical threat, this type of response is a given, but the fact remains that what you can't see can hurt you. In fact, the threats posed by cyberattacks on our essential service networks are more catastrophic than any individual physical threat could ever be, and the response to safeguard these services from such attacks needs to be appropriately significant.

We've seen from overseas the extreme impact of cyberincidents such as the ransomware attack on the Colonial Pipeline in the US, which affected the distribution of fuel throughout the country. On home soil, in the past couple of years, we've seen cyberattacks on this place, the federal parliament, on logistics in the medical sector and on universities—and these are only the ones that were publicised in the media. In fact, in the 2021 financial year, the Australian Cyber Security Centre, or the ACSC, received over 67,500 cybercrime reports. That's an average of one every eight minutes. Concerningly, this represents an increase of 13 per cent from the previous financial year. I don't know what's more concerning about those figures—the 13 per cent increase or the fact that the ACSC received close to 60,000 cybercrime reports even before the true impact of COVID hit us.

Since COVID, there has been an increasing trend towards ransomware related activities, with demands ranging from thousands to millions of dollars, and, increasingly, cybercriminals are moving away from low-level attacks on individuals in our community to the larger, more profitable, high-end organisations. In short, they're essentially going for the big fish, and the big fish tend to be our critical services. To increase the likelihood of ransoms actually being paid, cybercriminals are encrypting networks, exfiltrating data and then threatening to publish the stolen information online for all to see. The risk that this poses is not just to Australians but to our national security, and it grows more menacing as the shifts in targeting and tactics intensify.

The reforms outlined in the amendment bill will strengthen Australia's ability to effectively respond to serious cyberattacks on critical infrastructure. Pleasingly, as a first step, the bill expands the definition of 'critical infrastructure' in response to society's evolving modern needs. The government will continue to review these definitions to ensure they remain current, given the changing technologies and threats. Fundamentally, a service is deemed critical when it's considered to be the case that, if the asset were destroyed, there would be a significant detrimental impact to our basic standard of living, to Australia's wealth and prosperity or to the security of large or sensitive data holdings. Taking this into account, critical infrastructure will now include energy, communications, financial services, defence industry, higher education and research, data storage and processing, food and grocery, health care and medical, space technology, transport, and water and sewerage.

The bill looks to introduce a cyberincident reporting regime for critical infrastructure assets. To effectively protect our critical infrastructure, we need to truly understand the threat, and no-one and no group can do that without the proper data and the proper information. If incidents aren't reported, we can't be expected to learn from them and stop them from happening again or from escalating in the future. The reporting regime will require entities to report cybersecurity incidents to the Australian Cyber Security Centre through the ReportCyber portal and provide ownership and operator information for the Register of Critical Infrastructure Assets. Critical infrastructure entities will have up to 12 hours to report a critical cybersecurity incident, once they become aware of it, and up to 72 hours to report other cybersecurity incidents, the timing of which aligns with other existing reporting regimes, both nationally and globally.

The next step of the bill relates to making government assistance available to industry, as a last resort and subject to appropriate limitations. There may be situations where there is an imminent cybersecurity threat or an incident that poses a risk of negatively impacting Australia's national interest. Where responding to such a situation is beyond the capability of the asset's owners or operators, the reforms will provide government with the ability to provide reasonable and proportionate directions or assistance to those entities to resolve the incidents. These actions will focus exclusively on protecting and defending the asset, noting its importance to the economy, to society or to defence, and it will be a criminal offence not to comply with the directions made under the government's assistance regime. It is important to note that intervention on this scale may be authorised only once the Minister for Home Affairs has sought agreement from the Prime Minister and the Minister for Defence. It should be noted that these powers are clearly defined and confined, proportionate and appropriate, and subject to a range of safeguards.

The reporting regime and government assistance powers recognise that industry has a role to play too, and this imposition of obligations on business is an important part of a comprehensive response to the serious challenges we face.

In conclusion: we, as Australians, have a right to assume that our critical services will continue to work now and into the future; we, as Australians, have a right to assume that our sovereignty is secure when it comes to accessing what we have come to expect are basic services to the modern world and a right to assume that our government is doing everything within its power to preserve the security of our essential services and our economy. I note—and it's pleasing to see—that both sides of the House have approached this in a bipartisan way. This bill is a critical step towards facilitating the government's and the private sector's ability to meet those fundamental assumptions. As the type and scale of the threat to Australians' way of life continues to evolve, so too must the legislation in place evolve to counteract those threats, and I'm proud to be part of a government that is proactively doing so.
