Tabled document
18 November 2024
On behalf of the Parliamentary Joint Committee on Intelligence and Security, I want to make a brief contribution on the report that has now been tabled in relation to the Cyber Security Legislative Package 2024. Cyber security incidents have the potential to compromise the privacy and security of millions of our citizens here in Australia, enabling fraud and extortion on a scale that was not previously possible. Even more seriously, hostile nation-states are increasingly seeing cyber vulnerabilities as a possible means to sabotage critical infrastructure and damage Australia’s interests in a time of conflict. Hardening Australia’s cyber security against these threats is essential to our ongoing security and prosperity.
The Cyber Security Legislation Package consists of three bills: the Cyber Security Bill 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024. Collectively these bills provide a suite of measures intended to uplift Australia’s cyber security, including through mandated minimum security standards for smart devices, mandatory reporting of ransomware payments made by businesses, establishing a cyber incident review board, limited use provisions to encourage private-public cooperation on cyber incidents and reforms to the Security of Critical Infrastructure Act 2018, including to bolster the protection of business critical data and to simplify information-sharing across industry and government.
The Minister for Home Affairs and the Minister for Cyber Security referred the package to the committee on 9 October this year, requesting a report by 19 November to enable timely passage of the legislation before the end of the year. The committee received more than 60 very high quality, I must say, written submissions and heard public hearings over two days late last month. There was near universal support for the bills amongst most contributors to the inquiry, many of whom had been involved in a very extensive and rigorous consultation process prior to the bills being introduced by the government in connection with the 2023-2030 Australian Cyber Security Strategy. This meant there were few, if any, surprises in the bills and fewer issues to be resolved by the committee than otherwise would have been the case. The majority of the matters brought to the committee’s attention concerned implementational matters of detail.
In response to the matters raised, the committee has made a total of 12 recommendations, and these include recommendations for the government to ensure that businesses are educated about the new ransomware reporting obligations and provided with clear administrative guidance on how the various aspects of the new legislation are intended to be interpreted and applied in practice. The committee has recommended a small number of technical amendments aimed at clarifying the operation of the ransomware reporting obligations in relation to the incidents that do not affect a business’s operations in Australia, clarifying the protection of material that is subject to legal professional privilege and ensuring the package’s limited-use provisions are clearly expressed. The committee has also recommended that the Cyber Security Bill be subject to a statutory review by this committee after three years and that an existing statutory review of the Security of Critical Infrastructure Act 2018 be deferred by two years.
The committee recognises that hardening Australia’s cyber-resilience and implementing the 2023-2030 Australian Cyber Security Strategy is an urgent priority that the government and this parliament need to look at and need to consider on a much more routine basis. Noting the extensive consultation process that has already been undertaken in this place and subject to the recommendations in the report, the committee supports the urgent passage of these three bills.
On behalf of the committee, I’d like to extend my sincere thanks to the range of organisations and individuals who contributed to the inquiry and helped inform the committee’s report. I’d also like to thank my fellow committee members for their constructive and bipartisan approach, particularly the deputy chair, Mr Wallace, in the other place. I’d also like to note the outstanding work that the secretariat did in making sure that we were able to turn this report around, and I’d like to thank the secretary and all the members of the secretariat for their outstanding work on this report.
On that note, I commend the report to the Senate. I seek leave to continue my remarks later.