Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Economics Legislation Committee

JENNINGS, Mr Peter, Executive Director, Australian Strategic Policy Institute

Committee met at 09:18

ACTING CHAIR ( Senator O'Neill ): I declare open this hearing of the Senate Economics Legislation Committee for the inquiry into the Foreign Investment Reform (Protecting Australia’s National Security) Bill 2020 and the Foreign Acquisitions and Takeovers Fees Imposition Amendment Bill 2020. The Senate referred this inquiry to the committee on 29 October 2020 for report by 26 November 2020. This is a public hearing, and a Hansard transcript of the proceedings is being made. Information on procedural rules governing public hearings and claims of public interest immunity has been provided to witnesses and is available from the secretariat. I would like to advise witnesses that answers to any questions on notice are to be sent to the secretariat by midday Friday 20 November.

I now welcome the Australian Strategic Policy Institute, which is represented today by Mr Jennings. Thank you for appearing before the committee. I invite you to make a brief opening statement, should you wish to do so.

Mr Jennings : I thank the committee for the opportunity to speak with you today about the foreign investment reform bills for 2020. I would like to strongly endorse the five key measures of the bills—new national security test; new national last resort power; stronger compliance and enforcement powers; amendments to close gaps in the screening regime; and a new design to the register of foreign-owned assets. These are welcome and necessary measures, reflecting a significant amount of thinking and policy reform which has been applied to the foreign investment sector since 2015. As is said in the explanatory memorandum to the bills, rapid technological change and changes in the international security environment have shaped the need to rethink our approach to national security and foreign investment.

A key message that I would like to leave with you is that these challenges are only going to get more pervasive, more serious and harder to deal with, so I would fully expect that we'll continue to see legislative changes in the future. These bills don't end a process; they just help us to continue strengthening our arrangements against increasing threats to national security. So, while I have a positive assessment of these bills, I would like to set out for the committee some thoughts about problems that still need to be addressed. Some may be addressed in the way the bills' powers are managed; others may need new legislative measures.

There are six areas that I would very quickly like to mention to the committee. The first one is dealing with past FIRB approvals. The bills are very clearly shaped to only address matters after 1 January 2021. The problem this presents is the potential national security risk to critical infrastructure arising from past foreign investment decisions. The technological changes, which are so often referred to, create the potential for cyberdamage to be done to vast areas of critical infrastructure. Senior government ministers have said that some previous decisions—for example, the port of Darwin lease is one—would not have gone ahead, had the current legislative measures been in place. This may be true, but it does nothing to mitigate existing risks. So how past decisions are addressed will be a critical task for government and the parliament going forward.

The second area I'd like to mention is sovereignty risk. I understand that a reason that's put forward for not seeking to deal with past foreign investment decisions, or non-decisions in some cases, is sovereign risk, which is where the rules can be changed after material decisions which may discourage foreign investment into Australia. Some threats to critical infrastructure may emerge not from past investment decisions but from current and future decisions by hostile powers to use cybermeans to attack us through this infrastructure. If government seeks to prevent this from happening, I do not see how this gives rise to sovereign risk. On the contrary, investors from many countries will see this as a necessary way to maintain the investment conditions which makes Australia attractive.

Thirdly, I would urge the committee to resist calls to try to narrow the scope of what critical infrastructure should be captured by the bills. Anything that can be run through the Internet of Things is a potential attack vector for malign cyberoperators. This problem is ubiquitous, with increased applications of 5G and its successors, and also for artificial intelligence. As these fields become larger parts of our economy and society, governments will need to have powers of the kind anticipated in these bills to address security in many areas.

My fourth point goes to how advice will be shaped for the Treasurer. I suggest that the committee should satisfy itself that the wider national security system has the resources and necessary guidance to shape the consolidated advice that will go to the Treasurer. In my time as a senior official in Defence, the defence department resisted making national security judgements and preferred to confine its advice to potential foreign investment impacts on defence facilities and operations. The need is for broad judgements about the national security impact, not simply the impact on agencies.

My fifth point is about the dollar thresholds. In my view, government made the right call during the pandemic to bring the dollar threshold to zero for FIRB consideration. Previous FIRB dollar thresholds would in fact have excluded most of defence industry from being considered by the FIRB. The zero-dollar threshold should remain in place permanently, mindful that much intellectual property being produced by many startups and SMEs has potentially substantial defence and security value.

Finally, while the government and Public Service maintain that their security approach is largely country agnostic, the reality is that only a small group of countries potentially threaten Australia's national security. This is a group that includes Russia and North Korea, but the People's Republic of China presents the biggest set of challenges. It's noteworthy in this context that the Chinese Communist Party is substantially reasserting its control over Chinese so-called private businesses. Beijing's national intelligence laws compel businesses and individuals to cooperate with the Chinese intelligence apparatus and to hide the fact of that cooperation should it be demanded. I mention this to the committee to make the point that risks to Australia's national security can emerge as a matter of changed political intent on the part of a foreign power, with little or nothing to do with the entities that engage the FIRB. Those that might seek to do Australia harm have no intention for their activities to be publicly discoverable.

Those are my prepared comments, Chair. Over to you.

CHAIR ( Senator Brockman ): Thank you very much for that. Thanks for kicking things off, Senator O'Neill. I will throw straight back to you, Senator O'Neill, to start the questions.

Senator O'NEILL: Can I go to your last point about the discoverability? One of the serious concerns that I have in this area, which we've been prosecuting in another committee inquiry into the FIRB, is the lack of resource allocation to the part of Treasury that advises the Treasurer. A lot of people don't understand that the FIRB isn't a separate thing; it's simply an advisory body of people gathered by the government, but the decision-maker is the Treasurer himself in this case—or perhaps in future herself. Nonetheless the capacity to actually detect and to know about what's going on in this space has been compromised for quite some time with a failure to invest in IT and in staff to monitor compliance. There are protections still built into this current piece of legislation that prevent Australians from seeing things on a public register. There is a proposal for it to be kept private. So, in the context of what I've just said, how important is it that changes be made to the legislation as it's proposed at this point in time with regard to the nature of public registration or any other matters that you wish to address?

Mr Jennings : Thank you, Senator. On the public registration point, I think there's long been a difference of views between the FIRB and the business community on how the FIRB is able to explain the criteria by which it shapes advice to go to the Treasurer. The FIRB position has been, 'We need to be flexible in how we do this and it has to be treated case by case.'

Senator O'NEILL: We also hear, 'We talk to each other a lot,' when I ask about the agencies having conversations.

Mr Jennings : Yes.

Senator O'NEILL: It doesn't seem to me a particularly robust framework.

Mr Jennings : Yes. The business view is that this is impenetrable. I think more could be done, frankly, to set out appropriate guidance for business to shape and explain how it is that the FIRB comes to its decisions. To go to, I think, the heart of your question, Senator: the point is that Treasury is not designed to shape national security advice to government. That's not the competence of Treasury officials. So inevitably what FIRB does is that it sort of casts a net around the wider national security community—the defence department and the intelligence agencies—to get their advice on national security issues. Certainly in past years that has been, I think, a poorly resourced, ad hoc process that has not developed timely, well-considered whole-of-government advice for the Treasurer. In the past I've argued that what should happen with the FIRB is to be taken out of Treasury, made a statutory authority and given the capacity to shape national security advice itself by having the right people put into the organisation.

Senator O'NEILL: But that's not proposed in this legislation, is it?

Mr Jennings : That is not proposed. That has never been an argument that I've succeeded with, so we fall back on the essentiality for the whole-of-government process to work. In the explanatory memorandum to the legislation, it does say, 'Yes, there are resource implications that are attached to this.' I don't know that anyone really has their mind around quite how serious those resource implications are, because the nature of the national security threats has become so much greater in the foreign investment area.

Senator O'NEILL: Mr Jennings, I don't want to put you on the spot, and perhaps you want to take this on notice, but, if you were to design an adequately resourced element within the Treasury department that did the job that you believe FIRB needs to do, where consultation is on more than an ad hoc basis and is not of the kind that you described here, where Defence was requested for advice but resisted making advice with regard to anything other than Defence facilities and operations, what would it need to look like in terms of resourcing to actually do the job you believe it needs to do? Could I ask you to give some thought to that and write to us about that?

Mr Jennings : I'll do that. It probably does need a bit of careful thinking, but you would need to be talking about seconding significant numbers of officials into this area. I imagine you could probably design an organisation of somewhere from 60 to 80 people that might be able to perform that function, which I believe would be significantly larger than that part of Treasury which is currently concerned with FIRB matters.

Senator O'NEILL: You talked about sovereign risk, but you used 'Sovereignty' as your header for that section of your opening remarks. I think you make a very good point about sovereign risk. It's something that a lot of the public hear and they respond to. I invite you to maybe fill out a little more why the arguments that you know will be coming today, about sovereign risk, should be treated with some professional scepticism, as an auditor would apply, given that we're basically auditing this legislation on behalf of the Australian people. Claims about sovereign risk do matter, but why should our views be tempered when we're hearing what we will hear today?

Mr Jennings : I think the flaw in the sovereign risk case is that it argues that, once a decision has been taken—and certainly everything that applied before 1 January 2021 cannot be changed. My concern about that is from a national security point of view. Unfortunately, facts can change. It might have been perfectly reasonable for a particular decision to have been taken 10 years or five years ago, but, if the technology has changed in ways which now make those investments vulnerable to cyberattack, then it seems to me government has to be able to make decisions that might force a reconsideration of past foreign investment decisions. The claim is: if you do that, that is going to undermine confidence that foreign investors might have in Australia. My view would be: I don't think that's right. I think many foreign investors from like-minded democracies would look at that and say, 'This is an example of Australia taking necessary steps to look after its national security.' For that reason, I think there has to be some capacity for a retrospective look to past decisions.

Senator O'NEILL: When you were talking about a retrospective look, I suppose it is the whole of business back to 1970 or 1960 that we could go to, but certainly, in recent times, the 2015 Landbridge purchase in the Northern Territory is something that's very much in the minds of Australians. There is a lot of resistance to retrospectivity in lawmaking. I note that there is a proposal in this legislation to limit the call-in power to 10 years, and there are some submissions that say it should only be three. Could you expand on what needs to happen to capture things like the Port of Darwin, and what do you think about the 10-year rule?

Mr Jennings : I don't think there can be a sort of statute of limitations on Australia's national security interests. I don't imagine for a minute that this would require reconsideration of investments going back to the seventies, but if we look at the last decade that is the decade where we see changes happening to cyber-enabled critical infrastructure—indeed, a lot of critical infrastructure being retrofitted with industrial control systems which make it possible for that infrastructure to be run over the internet. Now, in effect, that's where the risk comes in. We know that countries are developing capability to attack critical infrastructure in other countries. We have seen real examples of that—for example, Russia attacking elements of the Ukrainian grid in December 2015. So we know that a risk is there.

The challenge is: what do you do about that now? I think that does at some point force a requirement to look at a number of the high-profile critical infrastructure investment decisions that have been taken over the last decade or so; I am thinking of the electricity grid, gas infrastructure, ports, airports and perhaps some medical areas. I don't necessarily know what comes as a result of that look, but everyone is aware of the cybervulnerability to those entities and I think we now have to account for the fact that we have here technological developments that have the potential to change decisions that were taken at an earlier time by the FIRB.

Senator O'NEILL: I've got so many more questions I'd like to ask. You stated in your opening remarks to the committee that it is noteworthy that the Chinese Communist Party is substantially reasserting its control over so-called Chinese private businesses. I'm not familiar with all of the businesses operating that are Chinese private businesses owned and operating here in Australia, but I am familiar with Alinta and I have asked a number of questions around that. One of the practices, it seems to me, is that a foreign company might have some restrictions placed on it; we will leave aside the management of that, because that's being inquired into in another inquiry. If Chow Tai Fook, the owner of Alinta Energy, is operating as a so-called private or family business, what is really happening there, Mr Jennings? Can you put that on the public record for us, given your insights from ASPI?

Mr Jennings : I'll talk in the broad about what we have seen around Chinese government moves to reassert greater control over Chinese business. There are several streams worth paying attention to. One is the modernisation of China's espionage laws, from 2014 to 2017, which publicly state that Chinese intelligence services can direct individuals and businesses to assist those intelligence services in the gathering of information and to then deny the fact that they have provided that type of assistance. That has been enshrined in Chinese law.

More generally, as recently as August and September this year we have seen statements coming from the Central Committee of the Chinese Communist Party that business needs to be more attentive to the requirements of the Communist Party to achieve its international goals through the Belt and Road strategy and the China 2025 strategy of achieving scientific and technological dominance in a number of key industries. We have also seen China's assertion of greater control over Hong Kong and Hong Kong companies.

The position that I would put is simply to say that capitalism with Chinese characteristics operates very differently to capitalism in a democracy, where there are very real constraints on how governments can interact with private sector companies. Private sector companies in China—large ones, at least—will have inside them a Chinese Communist Party committee, which is there to act as shadow oversight of the management of those companies. All of this is done in opaque ways which are designed to obscure and make those types of connections less obvious, but nevertheless they are there. So I think the key point to make, without drawing references to any individual companies, is that that is the structure that the Communist Party operates through to manage the Chinese economy and to manage Chinese businesses, and that makes China different from pretty much any other potential investor in Australia.

Senator O'NEILL: We need to be prepared to interact with all foreign entities across the entire globe, so we need to develop legislation that helps us meet those varied realities across that context. One of the protections that is embedded at the moment when such a foreign company purchases in Australia, such as in the case of Alinta Energy, is that there is an Australian quota demanded on the board; that is one of the conditions. Is that sufficient to make sure that board is not controlled from outside the country, in your view?

Mr Jennings : No. It certainly doesn't address the practical requirements of security, and I very much doubt that the Chinese Ministry of State Security is going to be talking to local Australian boards of Chinese entities to seek permission for them to do what they want to do. It really comes down to much grittier control mechanisms, which go to questions like who has physical and virtual access to the industrial control devices that run critical infrastructure.

Senator O'NEILL: Like our electricity grid?

Mr Jennings : Exactly.

Senator O'NEILL: Or our telecommunications networks?

Mr Jennings : Yes, what are the practical steps that would be taken to control those systems, just as we might look to practical steps to control the IT network in Parliament House or a government department. Really, that is not addressed, I don't think, by board membership.

Senator O'NEILL: One of the things that is unclear in this legislation is how the Treasurer will come to know about an action that poses a national security risk that needs to be called in for assessment. We talked about the sort of ad hoc nature of consultation with the nation's highest national security agencies. I also note that, as designed, this legislation will not have a public register so that parties who are interested in a civic field could keep a watch on things. So given that reality of where we are—the potential limits that look like they are embedded in the legislation—how will the Treasurer, how will the Foreign Investment Review Board, how will Treasury officials know what is reviewable in terms of national security action without a full and historically accurate register that is easily accessed and used?

Mr Jennings : That is a great question. It seems to many that, however this happens, it has to be surfaced by the national security community, which really means the intelligence agencies and the Defence department.

Senator O'NEILL: Could you name them for the public record today? You are more of an expert in this area than I am.

Mr Jennings : The Office of National Intelligence, which is really the peak body that attempts to be the community manager across all of our intelligence agencies. I would say probably the two most significant agencies that will be affected by this are ASIO, our internal security organisation, and the Australian Signals Directorate, which is really also responsible for cybersecurity across the Commonwealth. They are the most relevant. And then not entirely inside the intelligence community, it is important to bring in the Department of Home Affairs, which has its Critical Infrastructure Centre, which has been doing a lot of really good work in the last couple of years to develop a granular understanding of the risks to critical infrastructure from cyber means. Then the Defence department, which arguably needs to concern itself, not simply with the security of bases and exercise areas but actually to voice views about national security risk.

It is interesting that, in describing all of these entities, I don't think any one of them could be said to have explicitly charged with responsibility to talk to government about overall national security risk and that goes to your point about, so who surfaces these problems that ultimately go to the Treasurer? I think this can be addressed if the mechanisms that are designed to implement this are designed appropriately, but the implication is that a lot of effort is going to be needed, a lot more distinct focus on this, so that it can no longer be a sort of a part-time concern of someone in the Defence department, but actually a larger number of people will be looking at this pretty much full time.

Senator O'NEILL: I note that, under the proposed section—

CHAIR: Senator O'Neill, this will have to be the last question.

Senator O'NEILL: I will have further questions on notice. I did want to ask questions about Mr Dutton's responsibilities that are brought in by this legislation, so there's one coming on that for sure. Continuing my line of questioning about what will be opaque and what will remain opaque, it concerns me that, under subsections (8) to (10) of the proposed section 130G, the Treasurer is able to issue a national security certificate to allow for the non-disclosure of evidence that would be contrary to the national security. Does this legislation clearly identify what national security is, what national risk is, and are the processes and proposed configurations of consultation sufficient to actually deliver what the big promise of this legislation is? It's a great announcement: 'We're going to be out there looking after the country. Your safe in our hands'—despite the fact that the Port of Darwin was handed over in 2015. I'm concerned that, with this piece of legislation, the gap between the announcement and the delivery is very big.

Mr Jennings : I think all legislation ultimately has to be implemented—and it's in the fire of that experience that you discover the adequacy of implementation. I think this can be done as long as there is a strong whole-of-government emphasis to make it happen. But I agree: definitions around what national security means, what a national security company is and what national security land is seem to have been left to be determined by regulation rather than actually being expressed in the act itself.

Senator O'NEILL: What would be the reason for that and what is the risk in that?

Mr Jennings : There is probably going to be a bit of toing and froing over how far you extend that circle. Indeed, you'll have seen it in at least one of the submissions, from the Business Council, that came to the committee. It said: 'We think you should narrow your definition of national security to essentially the industries and areas that are now looked at in a separate act, the critical infrastructure act.'

Senator O'NEILL: But this proposes additional industries and entities, doesn't it?

Mr Jennings : As I think it should. Really what we are dealing with here is the ubiquity of cyber-risk across pretty much all of the economy. As we have now seen with COVID, there are many areas—for example, medical supply and food supply—that we mightn't have thought about as being a sharp national security risk until such time as we lived through 2020. So I don't know that it's necessarily right to draw boundaries around this and say 'this is in and that's out'. In a sense, all that does is create a whole bunch of areas in which other hostile agencies might conclude that it is simpler for them to try and gain an entry point that way. I think we've got to be allowed to the fact that the Internet of Things and artificial intelligence and 5G and its successors create risk in many areas that hadn't been there before probably half a decade ago.

CHAIR: Senator O'Neill, we will have to keep moving. Mr Jennings, have you ever given any thought to whether, or if, and how we could triage based on the origin of investment loans? Should we have favoured-nation status for long-term Western democratic nations and investment flows from those regions?

Mr Jennings : I think what this really comes down to is the realisation in Australia now that 'oils ain't oils', that quite different problems emerge. Canada, for example, does not present the range of national security risks that China does. This has been a challenging line for government and the Public Service apparatus to deal with because they don't want to be seen to be singling China out. But, increasingly, that's the nature of the problem—along with a small number of other authoritarian systems that use hostile cybermeasures to attack Australia and other countries. For the other 180 countries that we might potentially have to deal with as investors, I think there could be considered a fast-track process that says we're unlikely to see risk coming from liberal democracies in the same way that we do from authoritarian systems. That is obvious. Really, the question is: how can that be described in ways which don't give clear offence to some of those authoritarian systems? That seems to be the policy consideration at the moment.

CHAIR: I'm sorry, but we are out of time. We thank you for your input this morning.