Level 4, 10 Moore St, Canberra ACT 2601
+61 2 5123 6700

Parliamentary Joint Committee on Intelligence and Security, Review of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018 – Appearance by Dr Matthew Brown Deputy CE of Group of Eight Universities (Go8)

Canberra 9 July

Thank you for the opportunity to appear today to discuss the Group of Eight’s submission on the review of the Security Legislation Amendment Bill dealing with Critical Infrastructure.

The Committee has the Go8 submission and recommendations, so I will keep this opening statement to detail that the Go8 wishes to stress in addition.

I would also like to use this opportunity to acknowledge the ongoing and detailed engagement the Go8 has had with the Department of Home Affairs on this Bill.

Go8 members account for approximately 70 per cent of Australia’s university research effort undertaking $6.4 billion of research annually and teaching 400,000 students. We are critical to Australia’s national interests.

As such, the Go8 believes it is important to highlight our commitment to aligning with Government and the Parliament to protect Australia’s national security and critical infrastructure. This must be done in a collaborative way that ensures that we can do so effectively, efficiently and proportionate to the risks we face.

This approach is vital given the fast-changing threat landscape critical infrastructure faces. For instance, since the Security of Critical Infrastructure (SOCI) legislation was first passed in 2018 we have seen a summer of extreme bushfires and an ongoing global pandemic.

Also, as it relates to national security – there has been a significant altering in the geopolitical landscape, the national security threat level and, as a result, the response of Government. This response has importantly included collaboration with stakeholders – including the Go8.

This committee has previously heard much on this – including the effectiveness of the University Foreign Interference Taskforce – UFIT.

In the current context of critical infrastructure, the Go8 believes it is worth repeating an example from a previous submission to this committee that indicates just how much the world has changed.

With the University of Melbourne as the lead, between 2005 and 2010, the ARC funded a joint project with all Go8 members who joined international collaborators in Canada, China, New Zealand, Singapore, the UK and the US in what was termed as an ARC Research Network for a secure Australia (RNSA), designed to protect vital infrastructure.

This partnership would be unimaginable today.

As the threat landscape has evolved, so have our responses as a nation into dealing with this new landscape.

The Go8 supports that the Government is refreshing the 2015 Critical Infrastructure Resilience Strategy, notwithstanding that this refresh has yet to be completed and yet we find the strategy referenced prominently in the discussion of the Bill under review.

Further, and as it applies specifically to Higher Education, the Go8 believes that the Bill currently lacks sufficient detail to make either a compelling or functional case for Higher Education as a distinct critical infrastructure sector.

The Bill’s explanatory memorandum does establish the broad value of the higher education sector to Australia by noting that the Go8 universities contributed $66.4 billion to the Australian economy in 2016 and that Australian universities will be key contributors to continued prosperity in Australia. That is not in question.

However, the Bill doesn’t specify how this value is linked to, and dependent on, critical infrastructure.

Indeed, the definition of a critical education asset is at the level of a whole university with no further specification of what constitutes a critical infrastructure asset provided.  

Of course, Go8 members have many potential critical infrastructure assets amongst their research and education operations. However, each is also an organisation with many tens of thousands of both staff and students as well as cafes, gyms, swimming pools … none of which is differentiated or prioritised in the Bill from a critical infrastructure perspective.

Australia is not alone in struggling with this issue.

Amongst our five eyes security partners only the United States includes higher education institutions as critical infrastructure – although only as a limited part of the broader Government sector.

There has not been a clearly articulated and detailed rationale developed internationally for why and how higher education should be a standalone critical infrastructure sector.

However, what we do know is that Australia is a world-leader in addressing security issues in higher education.

The Foreign Interference guidelines drafted by UFIT are a world first. From our ongoing engagement with our research-intensive university equivalent networks in five eyes countries and beyond, we know that many countries are looking to emulate the guidelines model.

Importantly, what they see as ground-breaking is not the content of the guidelines themselves – although they are considered an exemplar – but the process by which they were drafted. Government, security agencies and the university sector in the one (virtual) room, identifying specific threats to higher education and targeted measures to address the threats.

The UFIT model also offers an important nimbleness to adjust to an evolving threat landscape in a proportionate way.  

The guidelines currently are undergoing an extensive refresh by UFIT. This refresh is taking place just 18 months after initial publication.

The refresh will also likely strongly reflect the report of this committee – when released – from its inquiry into national security and the higher education and research sector. This is the definition of nimbleness.

In the context of critical infrastructure, the Bill under review offers us the exact opposite of all of this.

The Bill provides no articulation of what constitutes critical infrastructure in higher education, nor the nature of the specific all-hazard threats faced by higher education, and it offers only generic mechanisms to address any threats.

For this reason, the Go8 has recommended that forums such as UFIT be used wherever practicable to assist in achieving the aims of the Bill. For instance, UFIT does offer a potential mechanism for addressing elements of the working of the Bill, such as meeting any Positive Security Obligation that may be required.

As noted, the generic nature of the measures in the Bill also are cause for concern in the higher education context.

For instance, in detailed ongoing Go8 consultation with the Department of Home Affairs there has been no determination on what is intended by a System of National Significance (SoNS) for higher education.

The Go8 does, however, note that it has been advised that it will be recommended to the Minister for Home Affairs that the application of the legislation be confined to enhanced cyber security obligations and the requirement to report cyber security incidents.

The Go8 is hopeful that this recommendation will be adopted. That is the sensible and logical outcome.

Also, and as noted earlier, currently the definition of a generic critical education asset applies to a university as a whole.

There has been no resolution as to what the Minister may or may not consider a critical infrastructure asset in higher education.

There is also no indication of how to disentangle the use of universities’ facilities in supporting other critical infrastructure sectors identified by the Bill, or vice versa.

This might include how possibly relevant data intensive facilities at the Go8 support the data storage or processing sector or undertake complex weather modelling to inform the food production sector.

Nor do we know how the $3 billion of annual research undertaken in medical, health and biological sciences in facilities across the Go8 is to be considered in its contribution to critical infrastructure in the health care and medical sector.

The Go8 believes that there is a significant piece of collaborative work between the university sector and Government that should be undertaken to resolve such issues.

While this cannot be entirely captured in the Bill under review, the Bill does need to be less generic, less catch-all in nature.

It needs to establish a framework under which effective, proportionate and efficient measures to protect Australia’s national interests in the higher education sector are set out as they relate to critical infrastructure.

In the current resource constrained environment for universities and government the opportunity cost of not doing so is high.

In closing, I would reiterate that the Go8 commitment to the safety and security of Australia is absolute and we will continue to work collaboratively and in good faith with the Government and the Parliament as part of this commitment.

Thank you.