By Staff Writer
Senior Department of Home Affairs officials fronted the Australian Government’s Parliamentary Intelligence and Security Committee on Thursday, July 29. The committee is reviewing the proposed Security Legislation Amendment (Critical Infrastructure) Bill 2020.
Chaired by Senator James Paterson, the committee heard from interest groups and potentially impacted entities earlier this month. The committee has also received 85 submissions from individuals, organisations, and businesses across a wide range of industries.
On Thursday, Home Affairs officials answered questions raised in the submissions and from committee members.
Lead by Department of Home Affairs Secretary Michael Pezzullo, officials addressed concerns regarding duplication, additional safeguards to prevent government misuse, employee screening rules, and issues surrounding proposed rules that will allow the Australian Signals Directorate to compel entities to install ASD software to thwart a cyberattack.
The proposed bill will broaden critical infrastructure assets from four industry sectors to eleven. The bill will also establish positive security obligations for these critical assets, including a mandatory reporting regime.
In addition, the proposed bill will give Australian Government agencies intrusive powers when a cyberattack threatens critical infrastructure assets and the national interest. The bill will also seek to increase cooperation between private entities and the ASD.
While admitting provisions in the proposed bill could prove onerous to some entities, Mr Pezzullo strongly backed it.
“We think the bill strikes the right balance between specificity and detail on the one hand and general principles on the other hand.”
While several earlier verbal and written submissions to the committee called for a pause in the proposed legislation’s progress, the Home Affairs Secretary said there was no time to lose.
“We’re already past time,” Mr Pezzullo said, referring to the cybersecurity legislation. “The clock is ticking … the imperative is so overwhelming that we are probably past time.”
The Home Affairs Secretary pushed back against claims the proposed legislation would prove onerous, costly, and unnecessary to private entities. Michael Pezzullo says the job of government and legislation is to look past corporate self-interest to the national interest.
The Secretary also called out the reluctance of some entities to involve the ASD when a cyberattack occurs.
“Here we have one of the great institutions of Australia’s national security apparatus almost screaming into the wind – ‘we’re here to help, we’re here to help’. No, companies are saying, ‘our CIOs have got it…’”
Both Mr Pezzullo and ASD Director-General Rachel Noble told the committee that calls to push out the proposed mandatory reporting window from 12 hours to 72 hours would not wash. Ms Noble said the earlier the report, the quicker the ASD could respond and alert other potential victims.
“State-based actors and cybercriminals can exploit vulnerabilities once they become talked about – within a few hours. Twelve hours is a long time and is three times as long as some of the timeframes where we see the problem’s out there, and people are being hit as a result.”
The committee will make their recommendations regarding the proposed Critical Infrastructure Bill to Attorney General Michaelia Cash.
