September 30, 2021
Every eight minutes a cyber attack is reported in Australia, a 13 per cent increase on pre-pandemic levels. Covid-19 has seen us move even more of our lives online, relying on the interconnectedness of our digital systems to navigate life and business like never before.
It is made more complex by the evolving security environment in the Indo-Pacific region and emerging theatres of grey-zone tactics where foreign states use cyber intrusion and digital espionage to threaten the security and freedom of our country.
There is clear recognition from government and industry we need to do more to protect our nation against sophisticated cyber threats, particularly against our critical infrastructure. Any facility, supply chain or communication network that, if destroyed or compromised, would significantly harm our way of life is considered critical infrastructure to Australia.
These assets often operate within a web of networks. Therefore, a compromise of one essential function could have a domino effect that disrupts others. A sewerage facility that stops working could prevent safe management of waste and supply of clean water, which could affect irrigation and food supply. Independent experts have indicated it is likely foreign state actors are already pre-positioned on sensitive networks that could be activated against our interests in a regional crisis. It’s not hard to imagine the implications of such a scenario to our ability to project power into our region.
With one in every four reported cyber attacks – one every 32 minutes – being targeted at our critical infrastructure, it’s clear cyberspace is the rapidly evolving battlefield that demands a swift and comprehensive response. Given the complexity of the challenge we face, achieving both a swift and comprehensive response that works for government and industry alike is not a simple task.
This is the difficult reality federal parliament’s intelligence and security committee has grappled with in its inquiry into proposed laws to protect our critical infrastructure from cyber intrusion.
The legislation, as proposed, creates enhanced regulatory obligations across 11 sectors identified as having critical significance to Australia’s interests. This includes water, energy, food, healthcare, data storage and financial services.
Critical industries would be required to adopt risk-management programs and mitigation strategies and, in the event of a serious cyber attack, would need to report the incident to the Australian Signals Directorate. As a tool of last resort, the government would be granted power to direct companies unwilling or unable to respond to a serious cyber attack.
While submitters to the inquiry overwhelmingly support the broad intentions of the bill, there were divergent views on the best way to secure our most vital assets. Significant elements of the bill remain subject to ongoing co-design with industries, a process that will not be complete for any of the 11 sectors before the likely passage of the bill.
In an already fragile economy beset by lockdowns and the pandemic, many businesses are concerned about this uncertain regulatory impost and have called for the bill to be shelved until the framework is finalised. While sympathetic to these concerns, the committee does not believe pausing the entire bill is in our national interest given our reliance on the digital world and the immediate cyber threats our nation faces.
Our security agencies need urgent access to additional tools that will help protect critical assets and our country from serious attacks. That’s why the committee has backed the urgent passage of last-resort government assistance mechanisms and mandatory notification requirements.
To do this, the committee has recommended these measures be urgently implemented in a stand-alone bill, with a second, separate bill to be introduced later that would allow further consultation and co-design on the regulatory framework. This does not mean cyber security is just the government’s job. Industry has a vital role to play and the passage of a subsequent bill after further consultation is essential to ensure a comprehensive response.
This two-step approach will enable the swift passage of laws to counter urgent threats against Australia’s critical infrastructure while giving businesses and government additional time to co-design and implement the most effective regulatory framework to ensure long-term security of our critical infrastructure.
James Paterson is a Liberal senator for Victoria and chairman of the Parliamentary Joint Committee on Intelligence and Security
