February 27, 2023
TOM CONNELL: Joining me now is live now is Shadow Cyber Security Minister James Paterson. Thanks very much for your time. So, we've heard earlier today from the Minister, she said that there weren't laws in place to actually grant guaranteed access to authorities when these hacks happen to make sure Australians' data was was managed properly at that point. Is it fair enough for the government to change these laws?
JAMES PATERSON: Well, Tom, certainly we learn something new from every cyber incident. And definitely the government's approach in the wake of Optus and Medibank needs to change. Let's remember that the Minister waited three days before making any public statement about the Optus attack and a week before making any public statement about the Medibank attack - two of the largest cyber attacks in Australian history.
The gap in that instance was political leadership. The Minister, appointed to much fanfare by Anthony Albanese as the first ever Cyber Security Minister in the Cabinet, was missing in action when Australians were looking for information about what they needed to do to protect themselves and protect their private information which had
been breached onto the internet. Now, if additional legislative change is also necessary, if bureaucratic changes are necessary, the Opposition will of course be constructive and bipartisan about any sensible proposals the government makes. But as we stand today, there is no concrete proposal on the table. The Minister scrapped the cyber security strategy in August last year, only got around to appointing a panel to review it in December last year. And today we only have a discussion paper, not a cyber security strategy. We might have one in the second half of this year if we're lucky.
CONNELL: Okay. So, I understand we don't know a concrete proposal, but given what was outlined, that at that point after the hacks, because the actual hack itself was over, there was no way for the government to guarantee access or demand access, I guess, from police agencies to what was happening. Should that be changed? That's intervention. You know, you're from the Liberal Party, but do you understand the need for the government to be able to access companies at that point?
PATERSON: Well, it's not clear to me what the Minister is proposing, Tom. Is the Minister saying that the critical infrastructure laws that passed through the Parliament in 2021 and 2022 and gave the Australian Signals Directorate the power for the first time to step in to a critical infrastructure operator in the event of a cyber crisis should be widened to cover every Australian business? Now if that's the case, that is a very radical departure from the law as it stands. The law is designed to target very high risk entities, ones which are systemically important to Australia because as serious as a data breach is and as serious as the privacy implications of that are for millions of Australians, what those laws were designed to prevent and ameliorate was an even more serious cyber incident where, for example, a nation state actor tried to attack Australia by destabilising our telecommunications network or our electricity network or our payment systems network and ASD needed the powers in the event of a national crisis to step in. Now, if the Minister is proposing to extend that to data breaches of all companies that store information on Australians, that's a very radical departure and she needs to outline what the rationale for that is, and...
CONNELL: She wasn't saying that, we pressed her on that, how broad the definition would be. Just to stick to this part, but she said the issue with those laws was that as it stands, they only apply when the actual hack or attack is happening. That isn't actually fit for purpose because then you get the situation after the attack where you've still got to figure out what's happening with the data. Is that fair enough to broaden not when, you know, what level of attack it is, but how long the government can be involved in?
PATERSON: Well, if the Minister has now clarified what was attributed to her in the papers this morning, which was that this should be widened to cover all Australian businesses, then I welcome that. But this does show that this is policy making on the run and not being approached in a dispassionate, calm manner. You can't float radical options like that out in the media without proposing a very clear rationale and explanation as to how this would work, how our agencies would be resourced to implement it, and who it would apply to, because there are businesses out there today, Tom, who are still working out how to comply with those critical infrastructure reforms from last year because the Minister only issued last week the regulations to put the final piece of that puzzle in place. And you're now telling those businesses that they may be subject to an entirely new law that might have different obligations and different powers without providing them any information or detail about what is going on. This is really quite a chaotic policy making process from the government. I think they need to be clear about what it is that they're proposing.
CONNELL: Couple of other ones I've got to quickly whip through. The Chinese made cameras that you essentially triggered this audit over them. We revealed nearly, well you revealed in nearly 1,000 Commonwealth buildings. There were in, 1,000 of them in Commonwealth buildings. I'm just curious, though, you ask these questions of the departments recently, obviously, now that you're in Opposition. Why were you not asking these questions when the Liberal Party was in power?
PATERSON: I was aware of the kind of human rights concerns associated with Hikvision and Dahua last year, and I was tipped off shortly after I became Shadow Cyber Security Minister that they might be in Commonwealth government entities and they might be more widespread. And so that's why I was the first person to ask this question, to launch this audit. No one had thought to do this before. It was open to the Opposition, as they then were before May, to do so if they were concerned about it. But I was the first one to do it because I became aware that they were possibly rife within Commonwealth government agencies. And that's why I started asking those questions in September last year. It was a six month process with a frankly pretty shocking finding. I thought, Tom, we might find these in some peripheral agencies that aren't core to national security, like the Environment Department. Sorry to pick on them. And I thought there might be a few dozen. I didn't think there'd be nearly 1,000 and that they'd be the Department of Defence, the Attorney-General's Department and Home Affairs, where they never should have been.
CONNELL: Okay. And just finally, reports that Abdul Benbrika might be released soon. And this could all stem from the terror assessment tool that's used by Home Affairs, that the accuracy of that, is being questioned. What did you make of this story today?
PATERSON: This is obviously a live legal matter, so I won't comment on the specifics of the Benbrika case. But speaking generally, people who are sentenced to very serious terrorism offences, there are a range of options available to the Commonwealth to protect the public after their sentence expires. One is a Continuing Detention Order and Mr Benbrika has been subject to three years of that, and there is an option for the Commonwealth to seek approval from a court to renew that and extend that. But if the Commonwealth doesn't believe that that's the right course of action or believe it's not likely to be granted, under the Intelligence Committee, which I led in the previous Parliament, we ticked off on a series of laws called Extended Supervision Orders, which provide for the courts an opportunity to apply a bespoke arrangement for these people when they're released into the community with strenuous reporting obligations and oversight. Now only the government is in possession of the information necessary to decide what is appropriate in this particular case. I'm not privy to the information about Mr Benbrika and the risk that he may pose, and I hope the government is very seriously looking at both of those options.
CONNELL: James Paterson, appreciate your time today. Thank you.
ENDS
