The Home Affairs secretary has demanded sweeping powers for spy agencies, claiming "the clock is ticking" on a cyber attack on Australian infrastructure.
Subscribe now for unlimited access.
$0/
(min cost $0)
or signup to continue reading
Mike Pezzullo has also warned foreign powers were using crime gangs as proxies to carry out online attacks, creating a "hybrid conflict" in a new cyberspace "grey-zone".
The Parliamentary Joint Committee on Intelligence and Security is reviewing a proposal to broaden the definition of "critical infrastructure", allowing federal agencies to commandeer companies' security systems during cyber attacks.
The bill has drawn fire from the Commonwealth Ombudsman, the union movement, and several business groups on oversight and privacy grounds.
READ MORE:
But appearing before the committee on Thursday, Mr Pezzullo warned a growing number of Australian entities were under threat of a "catastrophic" cyber attack, potentially targeting the nation's electricity grid or water supplies.
"We're already past time. The clock is ticking. The possibility of us waking up tomorrow and being in the grip of such an attack was already last year, [or] the year before. The urgency of this legislation, frankly, is self-evident," he said.
Mr Pezzullo insisted the powers could only be used as "a last resort" when no other legislation applied, and when entities were "unable or unwilling" to cooperate.
"The safeguards are set out in the legislation. The decision makers have to be satisfied that the tests have been met, the thresholds have been met ... They can't do it on a whim," he said.
The Commonwealth has argued its interconnected systems meant a broader range of sectors - including transport, telecommunications, energy, and food distribution - should be defined as "critical infrastructure".
Companies in those categories would be required to report details of cyber attacks they suffered to the federal government, and take direction from cyber agencies.
Australia joined an international cadre last week blaming Beijing for a massive strike on Microsoft's servers, which Chinese non-state hackers were suspected of carrying out.
Australian Signals Directorate director-general Rachel Noble said the Chinese government had "propped all those doors open" and allowed cyber criminal groups to "pour in", exposing the 70,000 Australian entities which used the Microsoft Server Exchange.
"It's that action, from a technical point of view, which crossed a line in the judgment of policy agencies and governments around the world," she said.
"It's an attack at a scale that is extremely large and significant."
Ms Noble warned the response was complicated by the fact state actors and online criminals "look awfully similar" in cyberspace.
That made distinguishing between a criminal attack or an act of war increasingly difficult, Mr Pezzullo warned.
"These are very fraught questions. They're complicated and complex questions ... [They need a response] which doesn't have to be invented or scrambled on the day," he said.
Home Affairs modelling showed a cyber attack causing a 10 per cent disruption - a "worst case scenario" - would cost the financial sector $3b per week, the energy sector $2.4b, and $1.6b to higher education and research.
But ACTU Secretary Sally McManus blasted the bill as an "attack [on] the basic rights of working people" which would do "nothing" to strengthen national security.
"Potentially forcing food and distribution centre workers, apprentice electricians and nurses - the workers who have carried us through the pandemic - to comply with lengthy security checks is a massive drain on the economy and an assault on the right to privacy that every Australian should be able to enjoy," she said.
Mr Pezzullo insisted background checks would only apply to the "very small subset" of workers with access to sensitive assets.
The Commonwealth Ombudsman Michael Manthorpe had earlier warned the bill would hamper his ability to watch over Home Affairs or ASD.
Because the agencies using the powers would rely on "protected information", which was illegal to disclose, Mr Manthorpe said companies effected would have a "limited" ability to complain to the Ombudsman.
"I am concerned these proposed amendments will have the effect of limiting the ability of an entity that is subject to a direction, or its staff, to make complaints to my office about the secretary's use of the direction power or the conduct of [Home Affairs and ASD]," he wrote in a submission.
"This would undermine the capacity of my office to provide the level of oversight anticipated."
The bill would therefore create an imbalance, with the Inspector General of Intelligence and Security and the Ombudsman able to communicate protected information, he said.
Our journalists work hard to provide local, up-to-date news to the community. This is how you can continue to access our trusted content:
- Bookmark canberratimes.com.au
- Download our app
- Make sure you are signed up for our breaking and regular headlines newsletters
- Follow us on Twitter
- Follow us on Instagram