House debates

Wednesday, 20 October 2021

Bills

Security Legislation Amendment (Critical Infrastructure) Bill 2020; Second Reading

1:02 pm

Matt Keogh (Burt, Australian Labor Party, Shadow Minister for Defence Industry)

[by video link] I wonder how many government members have two-factor or three-factor authentication enabled on their systems on their phones and computers. I wonder how many use the password 'password123' to get into secure networks. I wonder how many of them leave their laptops open or unattended in an office or on a plane or have TikTok on their phone. Now I ask the same of every public servant in this nation. Every public servant has access to highly privileged information—information that could be dangerous or at least embarrassing in the wrong hands. The digital literacy of this government and their departments leaves a lot to be desired. Unfortunately, the same can be said for the private sector as well. Honestly, the digital literacy of the nation concerns me.

The pervasive threat of cyber-enabled attacks on and manipulation of critical infrastructure assets is serious, considerable in scope and impact, and is increasing at an unprecedented rate. We are facing increased cybersecurity threats to essential services, businesses and all levels of government. In the past two years, cyberattacks have struck the federal parliament's network, the health sector, the media and universities. Potentially most concerning is that they struck the food and beverage sector, with Lion beer shut down for almost three weeks. Many people in Australia found that very disturbing.

More seriously, though, earlier this year we saw an attack on a critical fuel pipeline in the US. While there are different levels of concern about the things that happen and the troubling prospects they raise, if such an incident were to occur to a piece of our essential infrastructure, such as a central industry like the resources sector, by striking out ports in northern Australia, which are responsible for exporting to the world, or our oil and gas rigs in the offshore industry, our nation's economy would just about flatline. Similarly, if our southern import ports were hit, our supply chains would stop, leaving us cut off and without vital supplies, including, potentially, fuel.

In his submission on this matter to the PJCIS, retired Air Vice Marshal John Blackburn AO expressed concerns resulting from his work examining Australia's national resilience. He is particularly troubled about our lack of national liquid fuel security. The coronavirus pandemic has exposed a global lack of resilience as a result of collective failure to assess and act on national risks and vulnerabilities in the face of a rapidly changing world. Australians have also been complacent with respect to the significant exponential changes occurring in the world and our growing lack of national resilience. We've already seen supply chain disruptions due to COVID-19 and vaccine nationalism. There is no doubt that if push comes to shove other nations will restrict fuel exports to us if they need that fuel.

But it's not just about fuel supply, it's not just about jobs and it's not just about the economy. It's about our national security, our sovereign integrity and our ability to look after ourselves. As I mentioned, earlier this year we saw a damaging cyberattack in the US. The Colonial Pipeline suffered a ransomware cyberattack that took its service down for five days, causing massive fuel supply issues across the United States. The pipeline, almost 9,000 kilometres long, usually carries 2.5 million barrels of diesel, petrol and jet fuel per day. So, having it offline for five days caused huge economic damage to the nation, and many states declared a state of emergency. The organisation that attacked the pipeline operates by infiltrating an organisation's computer network and stealing sensitive data. A day or so after that they will make themselves known to that organisation and make threats about data being leaked should a ransom not be paid. Or they will seize operation of that computer network and not provide access to it until a ransom is paid.

This organisation and many across the world know that attacking critical infrastructure such as pipelines is a way of making a quick buck. We in Australia are not immune to such coercions. As an island nation reliant on our critical resources industry and ports of trade, and of course our energy networks, for everything, this is not a threat we can take lightly. The threat of cyberattack and the manipulation of critical infrastructure assets is serious, is massive in scope and is increasing at an unprecedented rate—certainly faster than this government, responsible for myriad digital disasters in recent years, can cope with.

The bill before us today was introduced in December last year. Since that time the PJCIS has been working on its inquiry. We've heard a great deal of feedback that there is a lot more work to do on this suite of legislation, with many stakeholders concerned about the lack of consultation to date. The inquiry of the Parliamentary Joint Committee on Intelligence and Security received around 100 submissions and held numerous hearings of experts and industry professionals. Many companies, industry bodies and trade unions expressed concern with the bill, its consultative development and issues with regulatory impact, particularly the concurrent rules development that occurred throughout the review.

Threats to critical infrastructure are serious. When they happen, we need to act—swiftly. The lack of action and consultation to date makes it clear that we are not at all ready for these sorts of threats. As such, I support the recommendation from the PJCIS to split this bill in order to pass its most urgent parts whilst continuing to refine more-complex elements that at this stage are not fit for purpose. Subsequently, bill No. 1 will deal with the expansion of the 11 sectors that are deemed to be systems of national significance, the additional reporting requirements for cyber incidents and the new government assistance measures. Bill No. 2 can handle the positive security obligations and sector-specific requirements following further consultation with industry.

In this complex threat environment that we currently find ourselves in it is crucial that Australia's highest authority on these issues, the Australian Signals Directorate, is empowered to assist entities in responding to significant cybersecurity incidents in order to secure our nation's critical infrastructure assets. ASD has observed that malicious cyber activity against Australia's national and economic interests is increasing in frequency, scale and sophistication. In 2019-20 there were 2,266 cyber incidents reported to the Australian Cyber Security Centre. Just over a third of all incidents reported to the centre over the past 12 months have been reported by Australia's critical infrastructure sector. This is expected to be just a fraction of the number of cybersecurity incidences affecting critical infrastructure, given the voluntary nature of the reporting.

ASD's knowledge of domestic cybersecurity threats and vulnerabilities relies on the Australian community and industry voluntarily reporting incidents. This voluntary reporting and sharing of information assists ASD with identifying threats and subsequently publishing advice to mitigate those threats to others. That's why, as important as the bill before us today is to ensuring that we have the right legislative mechanisms for action when required, our national digital literacy and institutional knowledge of cybersafety must also be significantly improved as a nation. It's up to each and every Australian, as well, to protect themselves, their families and their businesses online—and, let's face it, we can't now conduct our lives without being online.

The Australian Cyber Security Centre, working within the Australian Signals Directorate, are supporting the government with their cybersecurity strategy, but a strategy has not been released since 2016. The cyberthreat landscape, however, has shifted and evolved dramatically since that time. The magnitude of threats faced by Australian businesses and families has increased. It's up to us all, but especially the government, to be proactive in this space. I believe that kids should be learning how to stay safe online from the moment that they can work out on their own how to watch Bluey on mum and dad's iPad. It's just as important as looking both ways before crossing the road. Cybersecurity education must become the norm early on, from primary school, and in small businesses, large businesses and government departments. It's not just about cybersecurity; it's about cyberliteracy. It's about literacy in cybersecurity requirements and protecting ourselves, our privacy and our information.

A higher number of incident reports to ASD through the provisions proposed in the bill will assist in building improved national situational awareness and allow ASD to identify trends and provide targeted advice to others in order to assist entities with better preparing and protecting their networks and Australia's critical infrastructure. But, with that, each Australian must be educated on what to look for and what to report.

The expansion of the definition of 'critical sectors' in this bill to include the defence industry as one of 11 systems of national significance elevates the importance of having a sovereign, self-sufficient Australian defence industry. Indeed, it begs the question: how was this sector not included before? As retired Air Vice-Marshal John Blackburn AO says about fuel: 'If push comes to shove in a conflict situation, we must not assume that other nations will have the desire or capacity to support our defence assets. As a result, we must be able to scale up, invest in and ensure the security of our Australian defence industry and our sovereign capability to maintain, sustain, repair and upgrade our defensive capabilities and equipment.'

The powers in the bill before us today are last-resort powers, and that is the assurance that both Labor and affected entities wish to confirm. Most organisations affected by this are very willing to work with the Australian Signals Directorate, and the government assistance powers should only be needed in the case of an affected entity being either unwilling or unable to respond appropriately. One would expect that the use of such measures would be uncommon and rare. Should there be an instance where there is disagreement between the affected entity and the ASD on an appropriate course of action to combat a threat, there are safeguards in place that will involve the minister having the final say. As I have said, the initiatives put forward in this bill are important. We must get this right and we must act quickly, but, equally, we must improve the cybersecurity literacy of everyone so we remain resilient as a nation. I commend to the House the components of the bill that should now be proceeded with and I look forward to seeing the results of the work on the remainder as a separate bill.
