November 22, 2021
I rise to speak to the Security Legislation Amendment (Critical Infrastructure) Bill 2021. I am pleased to have the opportunity to do so having chaired the inquiry into the legislation. The Parliamentary Joint Committee on Intelligence and Security tabled its report out of session so I will speak to our recommendations as well as this bill.
At the outset I thank my fellow members of the PJCIS, in particular the former Deputy Chair, Anthony Byrne and the Shadow Minister for Home Affairs, Senator Keneally, for the constructive and bipartisan way they worked with me and Liberal colleagues on our report and recommendations.
Mr President, every 32 minutes infrastructure critical to Australia’s interests and security is targeted in a cyber-attack by both state and non-state actors. COVID-19 has seen us shift even more of our lives online, deepening our reliance on digital systems to navigate life and business like never before. Throughout the pandemic, the total reported cyber-attacks in Australia increased by 13 per cent.
Many Australians are familiar with the criminal ransomware gangs and their for-profit motives in launching cyber attacks to extort economic advantage for themselves personally. These are serious and ever-present threats to the cyber security of our businesses large and small as well as individual Australians. Recent high-profile attacks against JBS Foods, the Nine Network and the Colonial Pipeline powerfully illustrate the broader cost to our economy of these tactics.
However, the trend which focused the mind of the PJCIS on the urgent challenge facing us is the involvement of nation-states who use the cyber-realm as a new frontier to threaten our security, sovereignty and freedom.
Our cyber challenges are increasing in complexity as a result of the evolving security environment in the Indo-Pacific region. Grey-zone tactics, which lie between peace and war and in which foreign states use cyber intrusion and digital espionage among other tools to threaten our interests, are increasingly being relied upon by authoritarian states.
Independent experts told the PJCIS that it is likely that foreign state actors are already pre-positioned on sensitive networks that could be activated against our interests in the prelude to a regional crisis.
ASIO Director General Mike Burgess recently confirmed this fear as part of his annual report to the parliament, reaffirming the very real and serious risk we face as a nation, and the urgent need to respond decisively.
Given how interconnected our digital systems are, it is not difficult to imagine the society-wide consequences if our financial system was shut down or if our food supply chains were suddenly disrupted. This would be debilitating not just for individual Australian citizens, but for our country and our ability to project power in the region. With the evolving cyber threat, it is clear the digital world is the new battlefield, and Australia, along with our critical infrastructure service providers, needs to be armed to respond.
The recent public attribution by Australia and our allies of the Microsoft Exchange attack to the Chinese government and its agents is a concrete example of this danger.
It also highlights how there is not always a clear distinction between state and non-state actors when it comes to cyber threats, with the Australian Signals Directorate’s Rachel Noble telling the PJCIS the Chinese government effectively propped open the doors of businesses around the world to enable cyber-theft and extortion to take place by criminal actors.
It is worth noting in passing that there is a very high technical and political threshold for attributing cyber attacks, so the decision to do so by so many countries – including the EU, NATO, all Five Eyes members and Japan – is a significant one.
There have of course been other high profile attempted and successful cyber intrusions which have not been publicly attributed including against this parliament, our political parties and the Australian National University.
There is clear recognition from government and industry that we need to do more to protect our nation against sophisticated cyber threats. Our security agencies urgently need emergency powers to defend us from these threats. Of equal importance, however, is the need for critical infrastructure providers to harden their own defences against an attack and protect the essential services that we all rely upon.
They have an obligation to do so not just to protect their employees, shareholders and customers, but also the national interest.
The PJCIS considered this bill over the past year over four public hearings and 88 submissions, supplemented by classified briefings from security agencies on the threat environment.
The challenge we faced in this inquiry was to find an appropriate balance between the urgent need for emergency intervention powers and the legitimate concern from industry that additional regulation could impose a financial burden at a sensitive time for the economy as we recover from the impact of the pandemic.
In 14 recommendations the Committee advised the government to adopt a two-step approach towards strengthening Australia’s critical infrastructure from cyber-attack. This two-step approach would give our security agencies the emergency tools they need to counter urgent cyber threats in one Bill, while giving industry additional time to finalise the co-design process of additional security obligations.
The Committee recommended that the government legislate in this first Bill the last-resort intervention powers for the Australian Signals Directorate, the expansion of the number of sectors captured by this legislation from four to eleven and enhanced cyber incident reporting obligations. The proposed government amendments to the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the SOCI Bill) do just that.
The committee proposed immediate passage for these three key provisions and associated enabling clauses because they were the most urgent and essential, and because the other clauses of the bill, while still important, attracted the most concern during the inquiry process.
I do acknowledge that, while the broadest concern aired in the inquiry related to the positive security obligations recommended to proceed after further consultation in a second bill, there was opposition to the emergency assistance powers, particularly from the tech sector.
These are extraordinary powers, and while the committee did understand the desire on the part of the tech sector for their use to be judicially reviewable, given the clearly stated intention for them to only be used in crisis scenarios, we did not think it was workable or desirable for these issues to be litigated in the courts in the event of a major national emergency.
Instead, the PJCIS has recommended that it is notified of any use of these powers and that we be briefed on the circumstances of their use. This will allow the committee, on behalf of the parliament, to ensure they are genuinely only used as a last resort as the government has outlined.
The Government is carefully considering the rest of the Committee’s recommendations. I thank the government, in particular the Minister for Home Affairs, Karen Andrews, for its engagement with the Committee and for the implementation of our recommendations, which is reflected in this amended bill that we are debating today. I’d also like to thank the Director General of the Australian Signals Directorate, Rachel Noble, and the Head of the Australian Cyber Security Centre, Abigail Bradshaw, for their candid engagement with the committee and the vitally important work they do combating these serious threats to our country.
The emergency reforms outlined in the amended Bill will strengthen Australia’s ability to respond to serious cyber-attacks on critical infrastructure by:
o expanding the definition of critical infrastructure to include energy, communications, financial services, defence industry, higher education and research, data storage or processing, food and grocery, healthcare and medical, space technology, transport, and water and sewerage sectors;
o introducing a cyber incident reporting regime for critical infrastructure assets; and
o making Government assistance available to industry as a last resort and subject to appropriate limitations.
Recent cyber-attacks and security threats to Australian critical infrastructure make these reforms critically important to deliver. While most companies willingly cooperate with the Australian Signals Directorate when they suffer an attack, the government assistance mechanisms are an important tool of last resort to assist companies that are unable or unwilling to respond to a serious cyber incident. During our inquiry, the Committee heard an example of at least one systemically important business that failed to cooperate with authorities in a timely way, leading to a nation-wide disruption of its services. This business was then re-infected in a second attack. In the event of a crisis, our security agencies must have last-resort powers to avoid a situation like this, and to keep critical infrastructure up and running if providers are unwilling or unable to do so themselves. These are world-leading powers which are vital for the task at hand and will be subject to strong safeguards and the appropriate oversights.
There may also be other businesses who never reported they were under attack. While the volume of cyber crime reporting has increased, the Australian Cyber Security Centre stated in its latest annual threat report that reported cyber security incidents “may not reflect all cyber threats and trends in Australia’s cyber security environment.” Mandatory cyber incident reporting for critical infrastructure assets will give the Government a clear picture of the cyber threat environment. This will ensure that our cyber security policies, and the significant powers that we entrust to security agencies, accurately reflect and are proportionate to the threats and trends in Australia’s cyber security environment.
Of course, cyber security is not just the government’s job. Industry has a vital role to play too and the passage of a subsequent bill after further consultation and co-design is essential to ensure a comprehensive response for the long-term security of our critical infrastructure. The second phase of these reforms will be implemented by further amending the Security of Critical Infrastructure Act 2018 - capturing the remaining elements from the SOCI Bill - the risk management program, systems of national significance and enhanced cyber security obligations.
I encourage industry and the Department of Home Affairs to continue to work productively together through the co-design process to refine the proposed regulations to strike the right balance to deliver the additional protections we all agree are necessary. It is my hope that by the time any revised second bill is referred to the PJCIS the major concerns industry raised through the first inquiry will have been resolved, so that we can quickly deal with it and it can be expeditiously legislated.
While Australia has not suffered a catastrophic attack on critical infrastructure, we are not immune, and the increasingly interconnected nature of critical infrastructure exposes vulnerabilities that could result in significant consequences to our security, economy and sovereignty. This demands both a swift and comprehensive response. I am confident that the two-step approach adopted by the Government to urgently expedite emergency powers for our security agencies to protect Australia’s critical infrastructure does just that. I commend this Bill to the Senate.