House debates

Wednesday, 20 October 2021

Bills

Security Legislation Amendment (Critical Infrastructure) Bill 2020; Second Reading

12:21 pm

Julian Hill (Bruce, Australian Labor Party)

I echo a lot of the previous speakers in saying the Security Legislation Amendment (Critical Infrastructure) Bill 2020 is an important bill. Australia is facing increasing cybersecurity threats, which underscores the need for this legislation. Those threats are not just to the private sector but to government, essential services and the stuff that sits in the middle, if you like, between the public and private sectors—critical infrastructure which is regulated in various ways by government but may be provided in the private sector and, of course, by individuals.

These are crimes and scams which concern so many in the community, from the proverbial little old lady being scammed out of small amounts of money, as has been said, to crimes that increasingly are rising up the value chain—the modern equivalents of the bank heist. But even more serious are the threats to essential services and critical infrastructure which this bill primarily concerns itself with. We have already seen, in the United States, examples of fuel and water infrastructure being disrupted by cybercriminals and cyberattacks. In this bill the government, for once—to their credit—are focused on an important issue, but typically, as the Parliamentary Joint Committee on Intelligence and Security found, they've mucked up their legislation quite profoundly. So I'm pleased that the minister—and it's good that we've actually got someone in the Home Affairs ministry at least impersonating an adult, after the obstinacy of the previous incumbent, who liked to say no just for the fun of it—has listened to the PJCIS, a government controlled committee, and the opposition and agreed to split the bill in half. With the half bill going forward we will of course vote for it.

The half of the bill that was retained and will go forward with everyone's support includes expanding the definition of critical infrastructure beyond the four sectors that were already covered—electricity, gas, water and ports—to incorporate seven new systems of national significance. The list will now be: communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and groceries, health care and medical, space technology, transport, and water and sewerage.

The second thing the bill, or half bill, will take forward is the introduction of additional reporting requirements for cyberincidents that affect critical infrastructure assets, which, of course, are the critical intelligence-collecting tools for the responsible agencies.

The parts of the bill that the PJCIS said, in essence, were half-baked, would do more harm than good if they proceeded and needed a further reworking include the requirement to introduce 'government assistance to relevant entities for critical infrastructure sector assets in response to significant cyberattacks' and the introduction of 'additional positive security obligations for critical infrastructure assets, including a risk management program, to be delivered through sector-specific requirements'. In essence, these things need more consultation with industry.

Just about everyone out in the real world—experts and people who actually run this critical infrastructure—who examined the government's proposals had reservations and said that the process was flawed, that the consultation process leading up to the drafting of the legislation was inadequate, that there was an unknown and totally unquantifiable regulatory impact of much of it because of the ham-fisted way the government had brought the legislation in and that there was far too much detail unknown left to the regulations. It makes sense in this kind of stuff that not everything is codified in the legislation and that many decision points would be left in the regulations. But, when you are introducing an entirely new regime with potentially enormous compliance costs and regulatory burden on industry, the regulations should be developed and consulted with alongside the legislation. Sure, they can be amended down the track by the responsible minister, but it's not an adequate way of actually bringing in a whole new regime, imposing costs on whole sectors of the economy, to not be able to tell them what they're actually up for instead of, 'Oh, don't worry. Trust us; we're the government.'

An aspect of the legislation which has received significant media attention is, if you like, the big stick intervention power. Obviously the home affairs minister wanted a big stick after the Minister for Industry, Energy and Emissions Reduction got himself a big stick. It gives the ASD the power to assist entities—'assist' is a very polite government word, but I think it means to intervene and take control—whether they like it or not in responding to significant cybersecurity incidents to secure critical infrastructure assets. We take the government's assurances that these extreme powers would be used only in emergency events, and quite rightly there's a reporting regime through the PJCIS.

That kind of wraps up my comments on the bill itself. But I do want to note that the government, through this, is imposing a lot on the private sector—new standards, new accountability and a pretty heavy-duty intervention power. The government, though, are in no position, really, to lecture anyone on cybersecurity or cyber-resilience. They're in their ninth year and their record on cybersecurity—and that of their own government departments and agencies—is abysmal. The government need to get their own house in order, really, before they can with credibility tell the private sector that they're going to put all these compliance costs on them. Indeed, as we've just discussed, they can't even quantify what the costs might be.

In my just over five years in the parliament, I've sat on the Public Accounts and Audit Committee. It's not for everyone—it can be pretty dry—but it's a really important and fascinating committee, because you constantly rove across every part of government, working closely with the Auditor-General. I read and look at all the audit reports that come through. One of the most common themes of the Auditor-General, who I think is now six years into his 10-year term, is noncompliance by the government year after year. We in this committee feel like goldfish, going round and round in the bowl seeing the same thing—government departments not complying with the cybersecurity standards. For my sins, last year when I was stuck in Canberra for long slabs—six weeks or eight weeks—I decided one Sunday to sit down and read a whole bunch of stuff, including the Auditor-General's mid-term report. He did a report, five years through his 10-year term. I know, I know—it's fascinating! It is actually a great report. The Auditor-General is a really clever, thoughtful man who's got a view across government. I would recommend that nerdy members—I know there are a few more out there—actually take the time to have a look at this stuff on occasion. It's five years of reflections. He said:

… the category which consistently has the most number of financial audit findings raised relates to the information technology control environment, with the most common area relating to weaknesses in security management. These findings are consistent with the conclusions in performance audits of cyber security, which have also consistently identified non-compliance.

With cyber security being an area of government priority—

or so they say; they say it is a priority but they don't do much—

for many years, these findings are disappointing.

The Auditor-General is, of course, prone to understatement and measured language. 'Disappointing' is pretty high up in his lexicon of 'no good', 'not good enough', 'got to do something' and 'got to improve things'. He went on to document:

Cyber resilience and compliance with mandatory IT security policies has been a key program of audit in recent years.

In other words, 'I do this year after year.'

This government spent eight years cutting the Auditor-General's budget, year after year, to reduce scrutiny—an effective cut of over 22 per cent by the time the government was finally shamed this year into starting to reverse that trajectory. Even with that cut of 22 per cent to reduce scrutiny of this government's performance, rorts, waste and mismanagement, the Auditor-General has found space and resources every year to keep looking at cybersecurity and cyber-resilience, and every year this government fails its own tests. Since 2013-14, when the government came to office, the ANAO conducted five performance audits—this was a couple of years ago, they have done a couple more—looking at 17 different government entities. The audits found:

… compliance with mandatory requirements of information security continued to be low.

These are not 'nice to do'. They're not, 'This would be a good idea.' These are the mandatory requirements the government puts on itself, which they continue to fail. Let's be really clear: this bill is putting massive new requirements on the real economy out there, and the government, for eight years, has failed to get its own house in order.

The 2018 Cyber Resilience audit found that low levels of compliance were driven by entities not adopting a risk-based approach to prioritise improvements to cyber security, and cyber security investments being focused on short-term operational needs rather than long-term strategic objectives.

That's a bit like the government really.

The government should be an exemplar in these things. The private sector should be able to look to the government and see the best practice in cybersecurity on behalf of Australians, given the critical data and critical essential services which the government operates, at least those which they haven't managed to privatise yet.

I'll read a few examples to keep making the point. In a recent audit report looking at the cybersecurity strategies of non-corporate Commonwealth entities—that's Public Service speak for 'departments that aren't corporatised'—the Auditor-General looked at the Attorney-General's Department; the Australian Signals Directorate; the Department of Home Affairs—they're the big three, aren't they? They're responsible for cybersecurity policy—the Department of the Prime Minister and Cabinet; the Future Fund Management Agency—there's just a few billion going on there—the Australian Trade and Investment Commission, Austrade; the Department of Education, Skills and Employment; the Department of Health—there's a little bit of secret data there, maybe—and IP Australia. Guess what he found?

None of the seven selected entities examined have fully implemented all the mandatory Top Four mitigation strategies.

The top four are the mandatory four that have been mandatory for years. So none of those seven agencies last year had even got the top four. The government now—finally, after years of being poked by the Public Accounts and Audit Committee—have said, 'Yes, you're right; we should mandate the essential eight.' The government have just put new standards on, and they haven't even met the four that we've been pushing for for the last few years.

Even worse, perhaps, than the noncompliance is that the agencies, year after year, are still deluding themselves, the government, the parliament and, therefore, the public about how they're actually going. This is the key point I want to make, and it does relate to the bill: we really need to think about, as we're putting these requirements on the private sector, how we are working in the public sector to get cybersecurity and cyber-resilience standards up. The current system relies on self-assessment. I'll just go back to the Auditor-General's mid-term report. It's a great summary. He said:

The public sector operates largely under a self-regulatory approach.

Policy owners—the Department of Finance, for some things; the Attorney-General's Department; the Home Affairs Department; and the Public Service Commission—establish rules of operation and then largely leave it to the head of each department or agency to be responsible for the compliance, reporting to the minister.

There are almost no formal mechanisms in these frameworks to provide assurance on compliance. Often the ANAO—

when they randomly come in, every 20 years, in some cases, to smaller agencies—

is the only source of compliance reporting and our resources mean that coverage is quite limited.

That's very polite code for, 'The government doesn't give us enough money, because they keep cutting our budget,' just to remind people again.

That's the Auditor-General pointing out that, in cybersecurity, the government sets a bunch of standards and then says, 'It's up to the departments.' There's supposed to be an audit framework around that, where departments assess themselves every year against a checklist and report that in. What the Auditor-General consistently finds is that they delude themselves. They just tick the boxes and go: 'Yes, we're going well. It's all good; it's tickety-boo. We've got four out of four here with the big four.' I have read so many of these audits. To quote again from the same audit report, No. 32 of 2021, which looked at those seven departments:

For the three entities that had self-assessed full implementation for one or more of the Top Four mitigation strategies … two had not done so accurately. None of these three entities were cyber resilient.

Even worse than the fact that there are still problems in compliance—no doubt because of resources, culture or whatever—is the fact that the reports which come into the parliament and the government aren't even right. That's an issue I believe we seriously need to look at.

We can't just let this roll on. It has gone on for the six years I've been on the committee. Gai Brodtmann, the former member for Canberra, went round and round in circles on this for years. It's basically been the entire term of this government's office. It's their ninth year, and they have not taken their own responsibilities seriously. Of the three entities, only Treasury was compliant with the top four mitigation strategies—a tick to Treasury. National Archives was not compliant. Geoscience Australia wasn't compliant, and they've got critical national security data. Audit reports for years found that, with Services Australia and their system redevelopment, the cybersecurity risk framework was not appropriately managed and operating costs were not monitored. In relation to the My Health Record system, the ANAO found that 'management of shared cybersecurity risks was not appropriate and should be improved'. In planning for the 2021 census, the ANAO found 'the ABS has not fully implemented all the lessons from the 2016 census, particularly in relation to developing its cybersecurity'.

I will spare the House my reading the rest of them, given that I have only one minute left, but you get the point. This has gone on for years. For the government to say, 'We're going to put these standards on the private sector,' while they don't have their own house in order shows that the system isn't working. That's the point. It's a systemic problem now. We actually need to change the way we do this assurance process. I'll draw a parallel with financial accounts. Government departments don't just take their financial accounts and dump them into parliament and say, 'Here are our accounts.' There's a robust and rigorous system of independent audit and assurance over those accounts. We've just completed a 10-year reform program, so the performance statements of government departments in the corporate plans are now going to get a mandatory robust independent audit and assurance system over them. That's my point and that's what I'm calling for. We need a similarly robust, independent assurance because we can no longer trust what the government agencies are telling the government.

I commend half of the bill—not the dud half that the government mucked up. I commend half of the bill and I call on the government to get their own house in order.
