Opening statement – PJCIS review of critical infrastructure bill
9 July 2021
The Australian Technology Network of Universities (ATN), in collaboration with The University of Newcastle, is pleased to appear before this inquiry.
ATN is the peak body representing Australia’s five most innovative and enterprising universities: Curtin University, Deakin University, RMIT University, University of South Australia, and University of Technology Sydney. The University of Newcastle is an important research-intensive anchor institution in the regional gateways of the Hunter and Central Coast. Together, we are home to over 300,000 university students.
Our universities have a deep understanding that the security of critical infrastructure is vitally important in the face of current and emerging sophisticated threats to Australia. We value the security of institutions and have been developing an agile and proactive culture around these growing risks. Universities have long understood and accepted it is the responsibility of the Government to set and enforce the standard.
Universities, in close partnership with the Government, have demonstrated that we are willing and able to take on proportionate responsibility and protective measures. Over the last couple of decades, we have adapted to and met the rising challenges faced by Australia in an interconnected and interdependent world. ATN recognises that a safe and secure Australia is important for our collective prosperity.
We have welcomed the opportunities to work with the Department of Home Affairs on the design and implementation of these reforms so far. The Department’s comprehensive, measured and staged approach to these consultations is greatly appreciated and we look forward to participating in the sector-specific co-design for higher education and research.
The best outcome for Australia’s prosperity and security will be a risk-based and proportionate system, adequately supported by the Government, that builds on the risk management and protections universities already have in place.
As public institutions, our universities have a strong and enduring commitment to remaining open and accountable. We welcome opportunities on consult with and working collaboratively with Government security agencies to assist in developing our protective measures and advise on our incident responses. Where it is possible to do so, transparency should be maintained so that all parties responsible for protecting critical infrastructure can consult with each other, share best practice and build a network of protections.
ATN has robust research partnerships with the Government, with a particular strength in defence research. This research work is already subject to comprehensive and effective security protections and we should collectively learn from this existing experience when seeking to improve protections of other critical infrastructure. We value our role in safely and securely developing Australia’s strategic and sovereign capabilities.
We should also take advantage of the significant cyber security expertise and capability within Australia’s higher education sector – we have some of the world’s leading researchers and they are already working with the Government and businesses both large and small. Additional resources and support could turn these world leading insights into practical protections that have an impact beyond just the higher education and research sector. The sharing of expertise and capability across key sectors is a vital component in ensuring that Australia is in the best position to stay ahead of the everchanging threats we face.
Designated critical infrastructure entities are just one part of the supply and value chains that involve a range of organisations with varying levels of cyber security maturity and flexibility. This illustrates the reality that protecting critical infrastructure extends far beyond the designated institutions and sectors – it extends to their partners, suppliers and end-users.
As such, critical infrastructure protections must be implemented and built up in a carefully planned and stepped approach. Our approach must be one in partnership with the Government and must be sustainable, well resourced, and allowed to adapt and mature as it progresses. Further, it must recognise the inherently open nature of much of the work universities do and support us in implementing segmented and sustainable approaches that protect our institutional and national assets.
The Committee may also be interested in further details about the February 2021 cyberattack on RMIT University or the May 2021 cyberattack on University of South Australia, as a case study on the preparedness and resilience of our universities. We would be pleased to provide the Committee with an in-camera briefing on request.
I am happy to answer any questions Committee members may have.