Thursday, 10 December 2020
Page: 11262


Mr DUTTON (Dickson, Minister for Home Affairs) (09:48): I move:

That this bill be now read a second time.

The first priority of the Morrison government is the safety and security of Australians.

Millions of Australians use power, water, banking and health services on a daily basis and do not have to think about the supporting systems and infrastructure that deliver those essential services to our community and across the country.

Imagine a day without power or water because the systems that reliably deliver these services to our homes and our businesses have been attacked or deliberately disrupted.

A prolonged and widespread failure in the energy sector, for example, could have catastrophic and far-reaching consequences. Such an incident may lead to shortages or destruction of essential medical supplies; impact food, groceries, water supply and telecommunications networks; disrupt transport, traffic management systems and fuel; reduce or shut down banking, finance and retail services; and leave businesses and governments unable to function.

The introduction today of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 is a significant step in the protection of the critical infrastructure and essential services which all Australians rely upon.

Critical infrastructure underpins the delivery of goods and services that are essential to the Australian way of life, our nation's wealth and prosperity, and national security.

While Australia has not suffered a catastrophic attack on our critical infrastructure, we are not immune.

Australia is facing increasing cybersecurity threats to essential services, businesses and all levels of government. In the past two years we have seen cyberattacks on federal parliamentary networks, logistics, the medical sector and universities, just to mention a few.

Internationally, we have seen cyberattacks on critical infrastructure, including water services and airports.

COVID-19 has also strained the ability of critical infrastructure to deliver essential services. These disruptions show how quickly events can cause widespread physical, financial and indeed psychological damage.

While owners and operators of critical infrastructure are best placed to deal with such threats, it takes a team effort to bring about positive change. That is why the ongoing security and resilience of critical infrastructure must be a shared responsibility, not only by all governments and the owners and operators of the infrastructure but indeed by all Australians. The cost of inaction is far too great to ignore.

This bill signifies an enhanced effort to ensure the ongoing security and resilience of critical infrastructure and the essential services they provide for all Australians.

This bill will extend the application of the Security of Critical Infrastructure Act 2018 to additional sectors and assets within those sectors that are critical to:

maintaining basic living standards for the Australian population;

sustaining Australia's wealth and prosperity;

Australia's national security and defence; and

the security of large or sensitive data holdings.

This includes communications, transport, data and the cloud, food and grocery, defence, higher education, and research and health.

The bill will build on the regulatory regime in the existing act by introducing a new framework designed to uplift the all-hazards security and resilience of critical infrastructure assets and provide government with greater visibility of cyberattacks.

Part 2A of the bill requires entities to adopt and comply with a risk management program that ensures that critical infrastructure assets are protected and safeguarded from all hazards. This obligation is designed to uplift core security practices of critical infrastructure assets by ensuring that entities take a holistic and proactive approach to identifying, preventing and mitigating risks.

Part 2B of the bill creates a framework that requires entities to report cybersecurity incidents to the Australian Signals Directorate. The purpose of this framework is to establish a comprehensive understanding of the cybersecurity risks to critical infrastructure assets.

Through greater awareness, the government can better see malicious trends and campaigns which would not be apparent to an individual victim of an attack. This will ensure that the government can appropriately advise and assist entities across the economy to better safeguard their assets from cyberattacks.

The bill also facilitates the government to work with industry to strengthen the cyber preparedness and resilience of entities that operate assets of the highest criticality to Australia's national interests. These assets of highest criticality are defined as systems of national significance due to the role they serve in the economy and the consequences to the national interest should they be unavailable or inoperable.

The enhanced cybersecurity obligations will support a bespoke, outcomes-focused partnership between government and Australia's most critical assets and will build an aggregated threat picture and understanding of cybersecurity risks to critical infrastructure in a way that is mutually beneficial to government and industry.

These obligations will require the responsible entity for a system of national significance to undertake one or more prescribed activities requested by the Department of Home Affairs, including:

developing cybersecurity incident response plans to prepare for a serious cyber incident;

undertaking cybersecurity exercises to build cyber preparedness;

undertaking vulnerability assessments to identify vulnerabilities for remediation; and

providing system information to build Australia's situational awareness.

While private industry is best placed to protect critical infrastructure, some threats are too sophisticated or disruptive to be handled alone. That is why Part 3A of this bill provides government with last-resort powers to respond to a serious cyber incident that is having, has had or may have an impact on a critical infrastructure asset and there is a material risk to Australia's national interests. These new powers will ensure government is able to act effectively and decisively in responding to cyberattacks that go beyond the capability or capacity of industry to respond.

Under the bill, the Minister for Home Affairs will be able to authorise the Secretary of Home Affairs to:

give directions to a specified entity for the purposes of gathering information—positioning government to understand the nature of the incident and determine alongside industry any further action that might be necessary;

give directions to a specified entity requiring the entity to take certain actions or do certain things in response to the incident—limited to where the entity is unwilling or unable to resolve the incident; or

request an authorised government agency to provide assistance in responding to the incident—it may be necessary for the government to step in and take the necessary actions to defend the asset where directing an entity to take specified action would not be practical or effective.

These new powers will be subject to stringent authorisation and oversight mechanisms, including:

the Minister for Home Affairs being satisfied that there is a material risk that the incident has or will seriously prejudice:

the social or economic stability of Australia or its people; or

the defence of Australia; or

national security.

Government only being able to take action if the entity is unwilling or unable to take all reasonable steps to resolve the cybersecurity incident. This is reflective of the government's continued view that industry are primarily responsible for responding to incidents impacting their business.

Any direction or action authorised must be reasonably necessary and proportionate, and technically feasible to comply with.

Finally, before authorising a request to directly intervene, the Minister for Home Affairs must obtain the agreement of the Prime Minister and the Defence Minister.

The bill has been developed through extensive consultation with industry. This includes consulting with over 3,000 people and receiving close to 350 submissions over two separate periods of consultation on a consultation paper and exposure draft legislation. I would like to thank industry and the department for the constructive approach to the consultations and their assistance in developing the legislation with the home affairs department.

The final bill reflects the outcomes of the consultation process and ensures we have the right balance between taking effective steps to manage security of our critical infrastructure and appropriate checks and balances. This includes mandatory industry consultation periods, reporting mechanisms and oversight by IGIS.

However, this is not the end of consultation; the government is committed to continuing the conversation to ensure that the reforms are operationalised in the most appropriate and effective manner.

An enhanced partnership with industry will be key to the success of these reforms. Strengthening government's cooperation and collaboration with industry is a vital part of improving the resilience of Australia's critical infrastructure.

In 2021, the government will relaunch the Trusted Information Sharing Network (TISN) for Critical Infrastructure Resilience and a revised Critical Infrastructure Resilience Strategy to further embed the genuine industry-government partnership approach to managing the security and resilience of our critical infrastructure.

This enhanced industry engagement mechanism will be central as we commence co-design of the sector-specific requirements and best practice guidance which will underpin the Risk Management Program.

To ensure the Risk Management Program obligations are fit for purpose and drive genuine security uplift, we will work with industry to ensure the rules are proportionate to the risks impacting each sector, recognise existing approaches and impose the least regulatory burden necessary. These obligations will not commence for a given sector until we have completed this co-design work with industry.

The bill demonstrates the government's commitment to uplifting the security and resilience of Australia's critical infrastructure assets. It guarantees the continued growth of Australian industry and the ability for businesses to compete in overseas markets. It allows Australians to have uninterrupted access to essential services and ensures that our society and living standard continues to be the envy of the world. It ensures that Australia continues to be a safe, prosperous and wealthy nation.

Before concluding, I'd like to take this opportunity to thank all of the hardworking officers of the home affairs portfolio for their work during this difficult year. No-one could have anticipated the events of 2020, but it is clear your outstanding response has kept Australians safe and secure in unprecedented times. Specifically with regard to the development of these important reforms and the comprehensive consultations conducted with industry regarding the proposed regime, I would like to thank Hamish Hansford, Sam Grunhard, Andrew Kiley, Louise Bechtel, Lib Clark, Alex Sallabank and Luke Muffet for their tireless efforts. I'm very proud of the work of these officers and those across the department.

I commend this bill to the House.

Debate adjourned.