Additional Comments of the Coalition Members of the Committee

Coalition Members of the Committee (Coalition Members) support the policy intent of the Bills and the recommendations of this Report. The reforms introduced by this legislation represent a logical extension of the world-leading approach taken by the former Coalition Government which was the architect of the Security of Critical Infrastructure (SOCI) regime and successive national cyber security strategies in 2016 and 2020.

However, Coalition Members continue to hold significant concerns – as do many interested stakeholders – about the Government’s continued rushed process and limited time for parliamentary scrutiny of the Bills the subject of this Inquiry and many others before it, which increases the risk of overlooking unintended consequences and drafting errors in the legislation.

Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024

The former Coalition Government introduced the Security of Critical Infrastructure Act 2018 (SOCI Act), which outlined the legal obligations for entities that own, operate, or have direct interests in critical infrastructure assets, and included government assistance powers for serious cyber security threats or attacks. The former Coalition Government amended the SOCI Act in 2021 and again in 2022 to enhance security obligations for critical infrastructure assets and systems of national significance, including by introducing mandatory risk management programs for certain assets.

Coalition Members welcome the approach taken in the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024, which represents a modest and logical extension of the SOCI reforms introduced by the previous government.

Limited use provisions

The Coalition Members welcome the limited use provisions in the Cyber Security Bill and the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (ISA Bill), which will provide assurance to entities that the information they disclose to government about cyber incidents will not be used against entities’ interests in the future.

The former Director General of the Australian Signals Directorate, Ms Rachel Noble, publicly endorsed this concept in November 2022:

Speaking purely from ASD's perspective, I think the safe harbour concept is a most excellent idea because, to your point, where there is ambiguity—if I'm dealing with a government, do you hand that information to other government departments or don't you? How can I be sure that that won't occur without my permission and so forth? So from an operational perspective, in that heat of the incident, if you will, when we're still trying to pull people out of the water and into the lifeboats, to have that absolute confidence for the private sector, that at the very least their operational engagement with ASD would be exempted from the inquiry of others, whether they are other government agencies or other people scrutinising the process, like we've seen in class action lawsuits, for example, that is very attractive to us as well.[1]

The Coalition first called for a legislated limited use obligation on 22 March 2023, and Coalition Members note that, if the Australian Government had moved more quickly with this reform, it may have gone some way to address the declining willingness from industry to share information with ASD in a timely way that we have witnessed in the intervening years.

Security standards for smart devices

The proposed mandatory standards for smart devices in the Cyber Security Bill 2024 are welcome and long overdue. This proposal was first canvassed by the former Coalition Government in the discussion paper ‘Strengthening Australia’s cyber security regulations and incentives - An initiative of Australia’s Cyber Security Strategy 2020’ released on 13 July 2021.

The need for these reforms has become more acute in recent years as we have learned more about the national security risks of internet-connected devices through successive audits which revealed hundreds of Chinese-manufactured cameras, drones and internet-connected solar inverters in use across Commonwealth Government sites.

The Commonwealth Government has had ample time to develop and refine this proposal, and we welcome this work finally coming to fruition.

Cyber Incident Review Board

The Coalition Members welcome the introduction of a legislated Cyber Incident Review Board. The Coalition originally called for this construct on 19 October 2023, noting the need for a mechanism to conduct dispassionate, objective investigations following significant cyber incidents for the collective benefit of organisations who may be able to benefit from the lessons learned. This came after the US Government announced the establishment of a Cyber Safety Review Board in 2021. Had the Australian Government acted sooner to establish an equivalent construct here, it may have assisted post-incident investigations in significant incidents such as the MediSecure data breach and the CrowdStrike outage which occurred earlier this year.

Nevertheless, the Coalition Members welcome the establishment of the CIRB – however belated – and support the proposed recommendation to amend the Explanatory Memorandum to the Cyber Security Bill 2024 to remove the statement that standing members of the Cyber Incident Review Board will be members of the public service, to provide flexibility to include representatives external to government if the Minister deems it appropriate.

Compressed timeframe risks unintended consequences

While Coalition Members of the Committee support the policy intent of the Bills and the recommendations of this Report, we continue to hold significant concerns about the Albanese Labor government’s rushed process and limited time for parliamentary scrutiny, which increases the risk of overlooking unintended consequences and drafting errors in the legislation.

The former Minister for Home Affairs and Cyber Security, the Hon. Clare O’Neil MP, originally announced the development of the 2023-2030 Australian Cyber Security Strategy (the Cyber Strategy) on 8 December 2022. The Cyber Strategy was released on 22 November 2023, and on 19 December 2023 the Department of Home Affairs released a consultation paper on legislative reforms arising from the Cyber Strategy which informed the current bills.

The Department of Home Affairs consulted on a targeted exposure draft of the proposed legislative reform package between 4 September and 11 September 2024. The government introduced the bills into the House on 9 October 2024 and referred the package to the PJCIS on the same day, with submissions due by 25 October 2024. The PJCIS report is due to be tabled by 18 November 2024, and we understand the government intends to pass the legislation before Parliament rises for the year.

This means stakeholders had only two weeks to make a submission on the bills, and the PJCIS had just over a month to consider and report on the Bill. Given these reforms have been in train for close to two years, it is inexplicable that the government has seen fit to reduce the time for parliamentary scrutiny in its desperation to pass this legislation before the end of the year.

The Chair’s report notes these concerns, citing comments by the Law Council of Australia.

Multiple stakeholders raised similar concerns.

The Social Cyber Institute stated:

With the greatest of respect, the introduction of a mammoth undertaking of legislative amendments such as the Package – with significant implications for businesses in terms of cost and time – whilst providing only twelve business days for public consultation is simply not appropriate. No doubt the PJCIS will receive submissions only from the most dedicated and keenly eyed stakeholders, capable of digesting three complex Bills and synthesising their position in such a short timeframe.

That position is made worse by the amount of time the government has had to consider its own position. According to the Explanatory Memorandum, the Package stems from a Consultation Paper issued from December 2023 to March 2024, and ‘targeted consultation’ from 4-11 September 2024. The Albanese Government has therefore had at least 222 days – from 1 March to 4 September 2024 and again from 11 September to 9 October 2024 – to consider how it would draft this legislation. Seeking detailed industry and stakeholder feedback on this proposed legislation in only two weeks is incongruent behaviour by a government that seeks to champion its “extensive consultation” with industry over cybersecurity.[2]

.auDA shared similar concerns:

Overall, we believe the consultation process on these reforms would benefit from greater time to deepen the goodwill between industry and government in the critical area of cyber security.

The journey to a more cyber secure Australia must be a genuine partnership between government and industry and will only be achieved by taking adequate time to consult and receive input from all relevant parties.[3]

As did the Australasian Higher Education Cybersecurity Service:

However, providing only a two-week turnaround on a response to three Bills, which total over 300 pages of reading material, is insufficient for thorough review and consultation on the reform package. To ensure industry has ample opportunity for meaningful input, please consider response timeframes that enable time for relevant consultation (i.e. legal review, group consultation, submission drafting). An appropriate timeframe for this important cybersecurity legislation would be a minimum of four weeks.[4]

The Government has shown a flagrant disregard for these concerns, and it remains abundantly clear that the condensed inquiry timeframe is insufficient to properly scrutinise such highly complex and consequential legislation. The Chair’s report canvasses numerous concerns and potential issues already identified through this inquiry, and it stands to reason that a more fulsome scrutiny process would reveal even more areas that warrant further consideration.

The Coalition has repeatedly cautioned against this impetuous approach, and any unintended consequences that arise in the future as a result of this rushed process lie solely on the Government.

Mr Andrew Wallace MP
Deputy Chair

Senator the Hon Simon Birmingham

Hon Andrew Hastie MP

Ms Zoe McKenzie MP

Senator James Paterson

Footnotes

[1] Ms Rachel Noble, Director-General, Australian Signals Directorate, Foreign Affairs, Defence and Trade Legislation Committee Hansard, Senate Estimates, Canberra, 8 November 2024, p. 15.

[2] Social Cyber Institute, Submission 18, p 8-9.

[3] .au Domain Administration Ltd (auDA), Submission 18, p 7.

[4] Australasian Higher Education Cybersecurity Service (AHECS), Submission 22, p 4-5.