I rise to address the Security Legislation Amendment (Critical Infrastructure) Bill 2021, noting that the government has brought in some amendments. Like some of my colleagues, I’m a member of the Parliamentary Joint Committee on Intelligence and Security, and I have been for a number of years. This is probably one of the first times where I have seen the agencies get to the point where they haven’t done sufficient consultation with industry, but it’s an example, I think, of where this committee is very effective, in that, on a bipartisan basis, we were able to work with agencies and industries to get an understanding of where things sat—hence the recommendation to split the bill, which many of my colleagues have talked about. They have also talked about some of the particular measures in the bill, so what I plan to do with the time I have available here is to give people who may be listening to this debate a little more background on some of the emerging trends overseas and here in Australia. I will particularly look at some of the evidence that was provided to the committee by Ms Noble, who heads up ASD, because I think that really speaks to the heart of why these step-in powers are required and why we do need to get this right with industry.
The first incident I want to go to took place in Ukraine in 2015. The reason I’m talking about this particular cyberattack is experts believe it is the first time there has been a large-scale grid-level attack that has been successful on a modern nation. The control centres of three Ukrainian electricity distribution companies were remotely accessed, and the breakers at some 30 distribution substations in Kiev and a western region were opened, causing more than 200,000 consumers to lose power. In this case, the hackers gained entry through a sophisticated phishing campaign and BlackEnergy malware to cause havoc in Ukraine. Governments and cybersecurity companies have attributed the hacks to Russian groups with suspected, albeit not proven, and unclear links to the Russian government. This occurred on the back of not only the 2014 annexation of the Crimea but also the incursion by Russian forces in the eastern part of Ukraine. Many people believe that this area of Ukraine has become a bit of a playground for Russia and other actors to, essentially, test their capabilities in cyberspace. In 2017 there was a hack that broke into thousands of Ukrainian networks by sabotaging a fairly widely used piece of software, and that attack disabled around 10 per cent of computers in Ukraine and inflicted financial costs to about 0.5 per cent of Ukraine’s GDP. If you think about what 0.5 per cent of GDP would mean in Australia, it’s a significant amount of money.
A number of companies and foreign governments have looked to help Ukraine, freeing up aid and other investments to try to boost their ability for cybersecurity. Latvia has also experienced crises. The most recent attacks are probably the two in the States that have made the media. One was the SolarWinds cyberattack, which is one of the most sophisticated and large-scale cyber operations that has ever been identified. The US government stated the operation was an intelligence-gathering effort, and they’ve attributed it to an actor that is most likely Russian in origin. The President of Microsoft said it was the largest, most sophisticated attack the world has ever seen, and it affected federal agencies, courts, the private sector, and state and local governments across the US. A more recent incident, from May this year, was the attack and shutdown of one of the US’s major pipelines that supplied fuel infrastructure. The hackers stole data from the company while demanding a large ransom to get things going again.
That’s the global scene. You can see that actors are using cyber means to impact critical infrastructure for criminal intent in terms of money, for espionage in terms of stealing money, or for a grey-zone technique of undermining the community’s confidence and potentially diminishing a nation’s capacity to control its own defence when it lacks things like electricity or communications. More recently—and starting to involve Australia—in July of this year Australia, the European Union, the United Kingdom and the United States for the first time attributed publicly an attack involving ransomware and IP theft that affected some 30,000 businesses around the world to the Ministry of State Security of the Chinese Communist Party. The threshold for attribution is quite high, but what that indicates is that when the strategic update of 2021 talks about the fact that grey-zone activities are increasing, we are seeing very tangible examples of that here in Australia. The consequences of disruptions in our digital systems are quite extreme, and not only from those obvious blockages or thefts. We’ve also seen a couple of failures just in the aviation industry, not necessarily attributable to malware or cyberattack, but it gives an indication of how that could be used to significantly disrupt the normal operations of a country. Just one here in Australia: when the ticketing system for Virgin went down globally, we saw massive delays of travel around Australia due to that ticketing and freight and luggage-loading system going down. And so it doesn’t take too much to see, as you compare what happened through COVID and the impact when passenger flights weren’t flying—on trade, on services such as mail, banking et cetera and on the movement of notes and other things around the country—that those services can experience significant impacts from attacks on critical infrastructure where it fails.
At the heart of the contention in this bill were concerns by industry around the step-in powers that were proposed by the original bill. I think it’s really instructive to go to the evidence provided by Ms Noble, the head of ASD. A lot of people have indicated that industry cooperates, and that’s acknowledged and, in fact, that is the vast majority of players in Australia, whether they be state governments or the private sector. In evidence from ASD during the inquiry, Ms Noble said:
… we do have some wonderful examples of incredible cooperation. You might recall that in 2019 there was a significant impact of ransomware against the Victorian health system, and that’s a good example. We have a close relationship with the Victorian government and they also had a private incident response provider. So this was a terrific example of state government, federal government and private sector working together. ‘Good’ looks like this: they contacted us so we were able to work with them. They provided us with technical information from their network, like logs and images of discs. That happened on day one. Within 24 hours, we sent incident responders on the ground to work side by side with the Victorian government, the private entity impacted, their private service provider and our staff from the Australian Cyber Security Centre. We were able to fully map the network quickly and to identify the nature of the criminality.
That’s an example that ASD provided of how things can, often do and should work for the benefit of the Australian people. But Ms Noble went on to say:
Bad looks like this—and this is a real example, but I’m not going to name names, because that’s really important. We found out something happened because there were media reports. Then we tried to reach out to the company to clarify if the media reports were true, and they didn’t want to talk to us. We kept pushing—sometimes we have to use our own very senior-level contacts; sometimes through people … who might know members of boards or chairs of boards—to try to establish trust and build a willingness to cooperate. At times, we have spent nearly a week negotiating with lawyers about us even being able to obtain just the basic information that I described in the first scenario, asking, ‘Can we please just have some data from your network; we might be able to help by telling you quickly who it is, what they’re doing and what they might do next?’
In this case that I’m referring to, five days later we were still getting very sluggish engagement and were trying to get them to provide data to us and to deploy some of our tools so that we could work out what was happening on their networks. That goes for 13 days. This incident had a national impact on our country. On day 14 we were only able to provide them with generic protection advice, and their network was still down. Three months later they got reinfected and we started again.
So it’s important to understand that, when we talk about ‘step-in powers’, we’re talking about scenarios like that, where, with good cooperation, you see a seamless working together, side by side, with people helping each other out and you get quick resolutions of these incidents, which can be damaging to Australia’s ability to run an effective, free, First World nation and provide the services that Australians depend on. But where, for whatever reason, a commercial provider chooses not to engage with ASD and where the flow-on effects go on for days, if not weeks, and impact on Australia and Australia’s capabilities, then it’s appropriate that ASD is given the legal authority to step in to work not against but with that provider, because of the obligation for them to report and to cooperate.
It’s important to understand that the threat environment is deteriorating. There has been a 60 per cent increase in ransomware attacks against Australian entities between last year and this year. We see both state based actors and criminals acting against Australian entities. They’re motivated by a range of imperatives, from espionage to generating influence to interference to preparing to disrupt, degrade or deny services or actually disrupting, degrading or denying services. Some, as I’ve said, purely have the motivation of stealing money. There’s also a broader economic cost. Some of the evidence, again from ASD, was that AustCyber have estimated that a significant cyberattack against Australia could cost around $30 billion and 160,000 or so jobs. That’s ASD’s and industry’s assessment of what the cost could be of a significant cyberattack here in Australia that is sustained, and that’s why these measures are important.
It’s interesting that, over the past 12 months, just over one-third of all incidents that have been reported to ASD, the cybersecurity centre, were related to critical infrastructure, and the assessment is—because that reporting is currently voluntary—that that’s only a fraction of what has probably occurred, hence the requirements not only for the step-in powers but also for reporting within 12 hours, if it’s a critical and significant event. So, in the advisory report on this Security Legislation Amendment (Critical Infrastructure) Bill 2020, the committee has recommended that the emergency powers be swiftly legislated in a standalone bill with a second separate bill to be introduced after further consultation. This two-step approach, which the government has agreed to and which we’re now dealing with today, will enable the quick passage of laws to counter the looming threats against Australia’s critical infrastructure, while giving businesses and government the additional time to do the co-design work on the most effective regulatory framework to ensure the long-term security of our critical infrastructure.
As other colleagues have mentioned, our committee, the PJCIS, made 14 recommendations in relation to the bill. We received compelling evidence that the complexity and frequency of cyberattacks on critical infrastructure are increasing globally. Australia is not immune. There’s clear recognition from government and industry that we need to do more, and this first bill—bill No. 1—is to expand the critical infrastructure sectors that are covered by the act, to introduce government assistance measures to be used as a last resort in crisis scenarios, as well as mandating reporting obligations. I encourage senators to support the bill.