September 26, 2022
Shadow Minister for Home Affairs
Shadow Minister for Child Protection and the Prevention of Family Violence
Federal Member for McPherson
Shadow Minister for Cyber Security
Shadow Minister for Countering Foreign Interference
Liberal Senator for Victoria
26 September 2022
Subjects: Ransomware, Optus cyber attack, Opposition policies
E&oe:
KAREN ANDREWS: Well, good morning. Cybersecurity is an increasing threat to our nation. When we were in government, the Coalition was very focused on a number of measures that it could put in place to protect Australia and to protect Australians. Today, I'll be introducing into the House of Representatives, a Private Members Bill that builds on the work that we had undertaken in government in relation to ransomware. So in October last year, we put out the discussion paper, the Ransomware Action Plan, we followed that with introducing legislation into the House to extend the penalties for those who are involved in cyber crime, particularly in relation to ransomware to make sure our legislation was fit for purpose and the Australian Federal Police in particular had the powers that they needed to protect Australia and Australians. So the ransomware legislation will be introduced into the House today as a Private Members Bill, what I am seeking from the Labor government is their support for this Bill. Now, recently we have seen the impact of cyber attack in relation to customers and the impact that cyber has on data. And that has been demonstrated through the recent attacks on Optus. That is a significant attack. So close to 10 million accounts, data sets have been taken. That is a huge risk to the customers. Now, unfortunately, the Labor government, the Minister in particular, has been asleep at the wheel and has certainly not done all that she could do to reassure the Australian public that the government will do what it can to protect them. Now, what we do know from these attacks, which may or may not be ransomware attack - that information has not been officially disclosed in relation to the Optus attack - what we do know is that the information relating to close to 10 million customers could already be being sold on the dark web; that puts these customers at risk, not only for weeks or months, but potentially for years, that their identities may well be stolen and they will potentially be liable for significant cost impacts over the years. Now, the Labor government needs to step up and do something, not just talk about these issues. And I would encourage them to look more fully at the work that was done by the Coalition when in government to extend that work as necessary, but certainly to support the Ransomware Bill that is going to be introduced as a Private Members Bill today. Now I'd like to invite our Shadow Minister for Cyber Security, Senator James Paterson, to speak in relation to not only that Bill, but more broadly cyber issues.
JAMES PATERSON: Thanks, Karen. Good morning. In June, the Albanese government appointed the first ever cabinet level Cyber Security Minister to much self-congratulations. And yet it took three days after the attack on Optus before the Minister Clare O'Neil had anything to say at all about what appears to be the largest ever attack on Australian users in a cyber attack. It followed criticism from the media and the Opposition. And so, at three-quarter time on Saturday afternoon, during the grand final, the Minister sent out three tweets about this massive cyber attack. Now I admit this was not the most exciting grand final in Australian history. I was a bit bored at three-quarter time as well, but I think something as serious as this demands a much more serious response from the government. There are very serious questions for the government to answer. Have they used the world-leading powers that the Coalition introduced and passed in December and early this year, our critical infrastructure reforms? This gives the Minister for Home Affairs, the power to declare a system of national significance and imposed enhanced cybersecurity obligations of them on them. Has the Minister done this? Has the Minister done it for Optus? And if so, when did she do it? And if not, what is her excuse for the inaction, which now may have resulted in up to 10 million Australians’ identity being stolen? Thank you. Happy to take some questions.
QUESTION: You've talked about, the government responses as the question for either of you, so you talk about the government responses, but what about Australian businesses? Do you think that they're taking it seriously when it comes to cyber attacks?
JAMES PATERSON: It's critically important that Australian businesses take this issue seriously because it can have profound implications not just for their business and not just for their shareholders, but for their customers and our wider economy and society. And they have very important obligations which we imposed upon them in the critical infrastructure legislation this year, which requires them to take steps to protect themselves and their users from these sorts of attacks. Now, if they're not doing so, if it emerges that in this case or in other cases, that they're not doing so, then that's very serious indeed. And there are already penalties attached to them for their failure to act in the legislation which the previous government passed.
QUESTION: You think that currently they're not taking it seriously enough?
JAMES PATERSON: Well, in the case of Optus, it remains to be seen and we don't yet have a full picture of exactly what happened. We have requested a briefing from the government on this and we look forward to receiving that. Both Karen and I have spoken to Optus and they are understandably being very reserved about what they can say so far because of the federal police investigation. But I look forward to understanding the full details of what actions Optus took and when they took it, and also what actions the government took and when they took it.
QUESTION: Ms Andrews, on your bill you were you were the Home Affairs Minister until four months ago, if these measures are so urgent, why weren't they there under the Coalition government?
KAREN ANDREWS: The legislation was introduced in February, but because the Parliament lapsed on election, they were not finally debated and passed. So, this is exactly the same legislation that was put up in February of this year. So, the then-Opposition had the opportunity to look at that legislation then, they should be well across those issues now that they are in government. So, it builds on much of the work that had been done, yes, this legislation had already been progressed. So, the Coalition has absolutely been on the front foot in relation to cyber matters. If I can pick up the comment in relation to businesses, this is a, yet another, wake up call to businesses and also consumers about the need to protect their data. We have long said that businesses need to proactively put in place steps and actions to ensure that the data of their customers is well protected. This is yet another example based on the Optus breach for our businesses to go back, reassess, test their cyber security risks, look at what they can do by way of a cyber action plan to protect their customer's data. Because not only is it a risk to them and their business, through their customers, it is huge reputational risk that they will sustain when customers data is released and potentially sold on the dark web.
QUESTION: Now we’re expecting the government to announce new measures this week, including a change that would require banks and other institutions to be informed when these sort of data breaches occur. What would you say about that? Would you be supportive of that?
KAREN ANDREWS: Well, we will proactively look at any legislation that the government puts up, but the point that Senator Paterson made is that there has been significant opportunity for the government to look proactively at what they are going to do. They are now looking at what they might do from a legislative point of view on a reactive basis, because a problem has been identified with Optus. It is just not good enough. Now I have said repeatedly that Labor had years in Opposition to start planning when they would be in government. We actually did that as a Coalition when we were in Opposition. And the classic example is Operation Sovereign Borders. So, Labor has clearly spent its time in Opposition going after cheap political attacks and not looking at what it would do, whenever it was elected. Well, Labor has now been elected and they need to stump up with some strategies pretty quickly.
JAMES PATERSON: I'll just add to that quickly. This looks like a case of the government trying to close the gate after the horse has bolted. This will do nothing to help any of the 10 million Optus users who have been affected, and even in future cyber attacks it will do nothing to prevent the cyber attack. It will only seek to mitigate the consequences of it happening. The government should be much more focused on prevention and the government should use the existing powers that they have in the law to prevent it, including the critical infrastructure reforms that we passed that require companies to uplift their cyber capability that would prevent these things from happening. And then the 10 million Optus users wouldn't be affected in this way, and they wouldn't even require a notification for the bank. So, of course we'll look at it in the spirit of bipartisanship and carefully consider any changes that are necessary. But I'd much rather see them use the powers they already have or take up the bill that Karen will introduce into the House this week, which will deter potential cyber criminals from taking these actions with very serious criminal penalties.
QUESTION: To pick up on that. Does Optus have a responsibility to front up and apologise and explain what actually happened? There are a lot of stories already coming out of people having to go through quite a rigmarole of, you know, changing documents and talking to, you know, service organisations and government departments and that sort of thing. Like, is there more of a responsibility for Optus to actually do more here?
JAMES PATERSON: Yes. Optus owes their customers a full explanation and a genuine apology for the way in which they have been exposed in this cyber attack, which has Karen pointed out would affect their users for years to come and could affect them in ways that they don't yet anticipate. So, it's critically important Optus takes responsibility, that they front up and explain things. Now it's appropriate that when there's an AFP investigation going on that they follow the AFP's advice, but that should not be used as an excuse not to be completely upfront with the public about how this happened and who's responsible for it when those facts are known.
QUESTION: Just picking up on one of your comments before, Karen, saying that Labor should have come up with policies or come up at least with a plan while they were in Opposition. One of your colleagues, Jane Hume, on Insiders yesterday said, ‘we don't have policies, we're in opposition, not in government.’ So, do you think that those kinds of comments are appropriate or should you as opposition be coming up
