House debates

Wednesday, 20 October 2021

Bills

Security Legislation Amendment (Critical Infrastructure) Bill 2020; Second Reading

12:36 pm

Celia Hammond (Curtin, Liberal Party)

I'm pleased to have the opportunity to speak on the Security Legislation Amendment (Critical Infrastructure) Bill 2020. The expanding threat of cybersecurity vulnerability and malicious cyberactivity has become increasingly evident in recent years. While Australia has enjoyed relative security in this regard, the incidence of cyberattacks, ransomware and the exploitation of system vulnerabilities has been increasing in frequency, scale and sophistication in recent years. In Australia, recent high-profile cybersecurity incidents affecting government departments, including parliamentary networks, major logistics and transport companies, the health sector, education providers and media companies have brought public attention to this issue. Internationally, there have been cyberattacks on critical infrastructure, including water services and airports. In the year 2019-20, the Australian Cyber Security Centre reported 2,266 cybersecurity incidents with just over one-third of those incidents coming from critical infrastructure companies and assets. However, the ASD has said that this is expected to be just a fraction of the number of cyber incidents affecting critical infrastructure, given the voluntary nature of reporting.

The Australian Cyber Security Centre notes that phishing and spear phishing remain the most common methods used by cyberadversaries to gain access to networks or to distribute malicious content. Typically, this involves an unsuspecting user executing or opening a file that they received via email as part of a spear-phishing campaign. The ASD has also publicly noted that, alongside the increasing sophistication of cybercriminals, the likelihood and severity of cyberattacks is also increasing due to our growing dependence on new information technology platforms and interconnected devices and systems. While the 5G mobile network will underpin Australia's transition to a more digital economy and the internet and internet connected devices will enable a greater flow of information and efficiencies than ever before, it also makes us more vulnerable to significant threats to our infrastructure, our information and systems more broadly. It's against this background that the SOCI bill was first introduced late last year and, indeed, the explanatory memorandum to this bill makes the point very clearly:

Critical infrastructure is increasingly interconnected and interdependent, delivering efficiencies and economic benefits to operations. However, connectivity without proper safeguards creates vulnerabilities that can deliberately or inadvertently cause disruption and result in cascading consequences across our economy, security and sovereignty.

…   …   …

… the interconnected nature of our critical infrastructure means that compromise of one essential function can have a domino effect that degrades or disrupts others.

Because of these factors, the amendments in this bill were designed to enhance the obligations in the SOCI act and expand its coverage to sectors including communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, water and sewerage.

Following its introduction in December 2020, the bill was referred to the Parliamentary Joint Committee on Intelligence and Security later that month. The committee received over 80 submissions to this inquiry and held a number of private and public hearings. As is noted in the advisory report that the PJCIS tabled on 29 September 2021, while there was general acknowledgement from all submitters of the level of the threat and the need to do more, there were a number of conflicting views and opinions over elements of the bill. Before coming to those conflicting views or issues, and the government's response to the PJCIS advisory report, it is worth noting some of the evidence presented to the committee regarding the level of the threat.

When outlining these threats and the increasing challenge of preparing, hardening and countering assets, the secretary of the Department of Home Affairs said this to the committee:

Cyberattacks will soon reach global pandemic proportions. This has been building for about five years but has accelerated over the course of the COVID pandemic.

…   …   …

Basic cybersecurity protections will always help, but malicious actors, such as cybercriminals, state sponsored actors and state actors themselves will defeat the best defences that firms, families and individuals can buy. We have to do what we can, of course, to defend our own networks and devices against known vulnerabilities. However, just as we do not rely on home security alarms and door locks to deal with serious and organised crime, we cannot leave firms, families and individuals on the field on their own.

Evidence at the committee was also received from a panel of experts, and one of those experts in the public hearing on 9 July highlighted the shift in the cyberthreat environment. Mr Chris Krebs noted:

… there have been three strategic shifts over the last several years in the threat actor landscape. First … was ransomware and criminal actors.

…   …   …

I think the second strategic shift that we've seen was probably over the last two to three years, where, rather than go after their primary targets through the front door, the intelligence apparatus of our adversaries—traditionally, from the US perspective at least, we call that Russia, China, Iran and North Korea, but obviously there are others—have sought to effectively use the global ICT ecosystem, the systems we use on a daily basis, as a real-time collection apparatus.

…   …   …

The third and final strategic shift that I'd suggest we really prioritise is a shifting to functional disruptions and moving away from purely reconnaissance and intelligence collection.

The committee also heard evidence that the rise of cyber-enabled crime and security threats has not been counted evenly by entities and that there has been an uneven investment in cybersecurity. There are companies out there who have been spending almost a billion dollars a year on cybersecurity programs, which is clearly a significant investment, but it's also true that that is not consistent across any industry anywhere.

As noted earlier, while the need for reforms was not contested in evidence to the inquiry, a number of significant concerns were expressed about aspects of the bill and the process taken to develop it. The detail on these is found in the PJCIS advisory report, and I will outline a number of them. The first of those regards the timeline for the co-design of rules and economic modelling. There was concern that there was insufficient time for that to be done. A second concern that was raised by a number of submitters was around the variation in the breadth and specificity in the definitions of what would be included and what a critical infrastructure asset is. That caused concern in various sectors that the definitions were either too specific or too broad. Another concern was the unknown regulatory burden of positive security obligations. Then there was a concern about the time frames outlined in the bill for the notification of cybersecurity incidents to ASD under proposed part 2B. The final concern raised was that the potential reach of the powers in the bill was not being accompanied by appropriate authorisation or oversight mechanisms in the eyes of some.

Ultimately, as noted in the advisory report, the PJCIS, a bipartisan committee, whilst strongly supporting the aims of the bill, came to the conclusion that it would need a significant amount of redrafting to pass in its entirety in a way that was going to ensure maximum buy-in and maximum understanding. The committee reached the conclusion that that would be required to be able to respond to the level of concerns that had been raised in an appropriate fashion. The committee's concern was that doing so would significantly delay the time-critical elements of the bill. As a result of that, the PJCIS made 14 recommendations in the advisory report, including splitting the bill into two separate bills with a first bill to incorporate the measures to respond to cyberincidents and cyberincident reporting as well as associated definitions and powers. What we are discussing today is actually the government's response to the PJCIS report and, in particular, the recommendation to split the bill into two separate bills.

The amendments in what we're discussing today are effectively creating the first of those bills. The key measures retained in this particular bill include: first, government assistance to relevant entities for critical infrastructure sector assets in response to serious cybersecurity incidents that impact on Australia's critical infrastructure assets. Second is the mechanism by which cyberincident reporting to the ASD may be required by responsible entities for critical infrastructure assets that are subject to cybersecurity incidents. Thirdly, it has expanded the definition of 'critical infrastructure assets' to include assets across the 11 industry sectors, so increasing them from four to 11. Importantly, this bill also extends—this concern was raised, and so has been actively addressed—the period for making a written cybersecurity incident report to the ASD. It also addresses another concern that had been raised by increasing the level of consultation and oversight which is going to be carried out as the next bill is developed.

By way of finishing, there is no doubt that cybersecurity threats are very real and potentially very significant, and doing something as soon as possible is imperative. The bipartisan committee, the PJCIS, acknowledges this very real threat but also identifies significant concerns with the draft bill which could potentially undermine it achieving its aims and goals. On this point I note the criticism from earlier opposition speakers, although I note that none of them actually sat on the committee. They criticised the government's approach on this bill and the failure to get the legislation perfect the first time. If only it were remotely possible to draft perfect legislation for anything or to have a perfect process for anything. I also dismiss those criticisms because this legislation concerns an area that involves many different sectors facing many different threats, and they are evolving in a very fast-changing landscape. We heard in the evidence that was given to the committee and which I cited earlier that some of these threats are only just emerging. The third wave of what we are now concerned about is actually just emerging. It's not that we've been sitting back and watching all this happen before responding. A lot of these threats, and their increase and their severity, have been within the last three to five years, if not in the last 12 to 18 months. The fact that the PJCIS works in the way that it does—that it gets the opportunity to have inquiries into bills and to hear from experts and then to effectively give recommendations to the government in a bipartisan way, pointing out issues that have emerged through that process—is to me a sign that democracy is working and that there are good checks and balances. I believe that the fact that the minister and the government responded to the recommendations of the committee reflects responsible and sound governance by this government. I commend this bill to the House.
