Standing up for Canberra

Security of Critical Infrastructure Bill

I echo the comments made by my colleague and friend, the member for Eden-Monaro, with regard to the fact we need to be ever-vigilant in this space. The technology is changing rapidly, and the threats at the non-state actor and the state actor level are changing rapidly. So we need to be constantly looking at legislation and regulation to ensure it's responding to the threat environment and the attack environment as quickly as possible.

That is challenging because the development of legislation and regulation can quite often operate at a very glacial pace—not exactly a speedy pace. That's why we do need to be ever-vigilant. We need to be constantly assessing the environment, constantly looking at what the threats are, constantly looking at anticipating possible attacks. We need to see this bill as the first step in a very long journey to ensure that we continue to protect our national security and the prosperity of our nation.

As we know, the facilities that are called critical infrastructure addressed in the Security of Critical Infrastructure Bill 2017 are the facilities, supply chains, systems and networks that keep our country operating and are amongst our most precious assets. Referred to as our critical infrastructure, these are those physical assets, supply chains, information technologies and communication networks which if destroyed, degraded or rendered unavailable for an extended period would significantly impact the social or economic wellbeing of the nation or affect Australia's ability to conduct national defence and ensure national security.

What this definition means in real terms is that these facilities and services are what keep our hospitals operating, our homes heated and our stores stocked. They're facilities that keep the lights on, our water running and clean and safe, and our economy operating. The disruption of this infrastructure—of these facilities, supply chains and technologies—either from physical or cyber-related threats can have a serious impact on our national security and our economic stability. As such, government must ensure that these assets are well protected from threats of foreign espionage, sabotage and coercion in an ever-evolving threat environment.

Currently, over 80 percent of Australia's critical infrastructure is privately owned, and therein lies a challenge: how do you get the balance right ensuring that we have economic prosperity and national security while also acknowledging the fact these are private outfits with their own imperatives?

Ensuring we have the adequate oversight of the risk exposure of these assets is vital in assessing and protecting them from interference, but the challenge is ensuring that we get the oversight and the balance right, especially given the fact that 80 percent of these are private outfits.

The committee, as we've heard, made nine recommendations in its review of this bill, and this committee, as has been acknowledged by everyone who has spoken this evening, is very bipartisan. There is largely a common sense of mission, so I'm pleased the government has indicated support for these nine recommendations. Protecting our nation's critical infrastructure is an important national security responsibility that requires the cooperation of many arms of government and the private sector, and that's why Labor supports this bill.

The Critical Infrastructure Centre, which was established in January 2017, is intended to provide a central or culminating point for cooperation. It's tasked with collaborating with asset owners, operators, and state and territory regulators to identify risks, to implement mitigation strategies and to develop sector-wide best practice guidelines. It's a big task because that centre is quite a small outfit. I went to a conference recently where one of the senior managers of the centre said one of their biggest challenges is resources. I put that out there for the government.

I've made this point on many panels before and at other conferences that this is a big job for the centre. I understand it's been absorbed into Home Affairs now, so it will be interesting to see where it finds its place there and also to find out whether it will be appropriately resourced because it's a big job. Liaising with the private sector, government, regulators—state, territory and local—is a big job.

The bill proposes the creation of a private register of critical infrastructure assets, and extends ministerial powers to give direction to individual reporting entities or operators of a critical infrastructure asset to do, or refrain from doing, a specified act or thing within a certain time frame. Such a power may be used if the minister is satisfied that there is a risk that is prejudicial to security that cannot otherwise be mitigated. Both the creation of the asset register and the extension of ministerial powers are good first steps. But as I said, and as the member for Eden-Monaro has mentioned, they are first steps. This is a journey; this is an iterative process. This bill is welcome but it is just one marker in that process. We do need to be open-minded, flexible and responsive in this environment.

There is still a need for baseline assurances that networks and systems running our critical infrastructure are adequately protected. The fact that the bill does not specifically include cyber and digital systems is, from my perspective as the Shadow Assistant Minister for Cyber Security, disappointing. But I'm acknowledging the fact that we are taking those first steps and this is an iterative process.

I will be looking to the government and to this committee to, in future, look at how we can include cybersecurity in more detail.

The Australian Cyber Security Centre's 2017 threat report noted that CERT Australia responded to 734 incidents affecting private sector systems of national critical infrastructure within the 2016-17 financial year. This equates to a significant cyber incident occurring on these networks more than twice a day.

According to the Australian Security Intelligence Organisation 2017 annual report, Australia continues to be a target of espionage through cyber means. The cyber threat is persistent, sophisticated and not limited by geography. The report also notes that the clandestine acquisition of intellectual property, science and technology, and commercially sensitive information is increasing. This highlights the need for a greater focus on the security of the cyber systems underpinning our critical infrastructure.

Given that cyber-attacks are being perpetrated against our critical infrastructure systems on a daily basis, timely action needs to be taken. Unfortunately, this bill doesn't discuss this in much detail. It doesn't go into detail about the threats that critical infrastructure operators are struggling to repel. The explanatory documents do provide an example in which the minister could issue a direction to a company, compelling them to reduce their vulnerability by implementing extra cyber security protocols, but it doesn't provide further clarity to the private sector in how to protect their systems appropriately and comprehensively.

If we are to effectively safeguard our critical infrastructure, we need to think about more than the issue of who owns what, and the issue of physical assets such as ports, poles and wires. It's vitally important we start thinking beyond just the physical. This is the first step, I appreciate that, but we do need to sit up straight and get onto this quick smart. We need to think beyond just critical infrastructure and the protection of it from a physical perspective; we also need to start thinking about it from a cyber security perspective.

As more and more essential systems are managed electronically, interdependence between physical systems and cyber networks needs to be clearly understood to ensure services continue to be provided, and our people and interests continue to be protected. This isn't adequately explained in the bill.

Another element that is not adequately explained is why the bill only applies to four out of eight currently identified critical infrastructure sectors. US CERT released a report in October 2017, which stated:

Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims' networks.

It's disappointing that this bill does not include all identified critical infrastructure sectors clearly at threat. I made submissions on this point to a number of inquiries stating this issue, because our transport, telecommunications, banking networks, healthcare providers and subcontractor entities associated with critical infrastructure are all subject to the same risks of espionage, sabotage and coercion that are outlined here.

This bill identifies electricity, water and ports as the highest risk sectors, yet there are other equally important sectors being overlooked. Eight critical infrastructure sectors are identified in the critical infrastructure resilience strategy. These are banking and finance, communication, energy, food and grocery, health, transport, water services and Commonwealth government. The Trusted Information Sharing Network, the primary national mechanism for business-to-government information sharing and resilience building initiative on critical infrastructure, states that each of these critical infrastructure sectors is 'vital to Australia's social cohesion, economic prosperity and public safety'.

If each of these sectors is vital to Australia's social cohesion, economic prosperity and public safety, why aren't all of them included in the bill?

Each of these identified critical infrastructure sectors has experienced some form of cyber threat in the past 12 months. We've only got the four here. Compared with our international partners, eight is a conservative figure. The US critical infrastructure security and resilience strategy identifies 16 sectors. The UK identifies 13 sectors. Canada has 10 and Singapore 11. The sectors recognised by these nations but not currently recognised here in Australia include emergency services, information technology infrastructure, chemicals, manufacturing and electoral systems—and that's a whole different speech on electoral systems, particularly after what we have seen in the US and what we have seen in France. Why aren't electoral systems in Australia treated as critical infrastructure? This is a big question.

To improve the security of our critical infrastructure, there needs to be a very careful evaluation of what sectors fall within our definition of 'critical infrastructure'. The bill also doesn't appear to consider supply chain security. Subcontractors and vulnerabilities in supply chain networks pose a significant threat to all forms of critical infrastructure. Last year, the then Minister Assisting the Prime Minister for Cyber Security made the announcement that a small defence contractor’s network was compromised in 2016. An unknown hacker was able to steal 30 gigabytes of sensitive defence data, including information on major, multibillion-dollar defence projects. Data relating to the JSF, P-8 surveillance craft project, C-130 transport planes and several current naval vessels were all compromised.

The revelation highlights the risk that a vulnerable supply chain can have when it comes to protecting our national critical systems. Subcontractors are low-hanging fruit when it comes to foreign influence and interference and are often seen as the easy ‘in’ to protected networks and systems. One weak link is all it takes to expose sensitive information and introduce attack vectors into larger systems.

Our US ally recognised the supply chain threat long ago and has already taken steps to rectify it. In May 2017, an executive order was passed requiring all US government agencies to comply with a national cybersecurity standards framework. This includes cybersecurity risks facing the defence industrial base, including its supply chain.

As the member for Eden-Monaro has said, this bill is the first step in many ways. I commend the bill to the House but do make a number of recommendations for improvements in the future.