February 27, 2023
JAMES PATERSON: I note the expected release today of a discussion paper towards a new cyber security strategy, and of course, the Opposition will be constructive and bipartisan about any sensible changes that the government brings forward for a new cyber security strategy.
But having said that, I am concerned with the way in which the government is handling this issue. It's now more than six months in August last year that the Cyber Security Minister, Minister O'Neil, announced that she was scrapping the 2020 Cyber Security Strategy backed by $1.7 billion of investment. It wasn't until December that the Minister got around to appointing a panel to review it, and the panel is now only finalising and releasing a discussion paper towards a possible new cyber security strategy in the second half of this year.
Some very radical options have been floated in the media today, including the Australian Signals Directorate being given the power to take over any business's network in the event of a cyber attack, a power which had previously only been granted to the ASD in very narrow circumstances for critically important networks that are systemically important to Australia. The Government has provided no detail and no explanation and no justification as to how these powers would work and why they are necessary.
At this moment, many businesses are trying to comply with the new obligations that were imposed on them in the critical infrastructure reforms enacted by the previous government, and they're now being hit with the possibility of new, vague, ill-defined powers that will apply to them.
I certainly agree with the implied criticism of the reviewers of the government's handling of the Optus and Medibank attacks. Let's remember that the Minister O'Neil took more than three days before she made any public statement about the Optus attack. At the time it was the largest cyber attack in Australian history, and it took the Minister a week before she then made any public comments about the Medibank attack, which is the other biggest cyber attack ever in Australian history. Now the government is out there today talking about potentially appointing a bureaucrat to coordinate, but no bureaucrat, no matter how many you appoint, can make up for the lack of political leadership that we've seen from the government in response to cyber attacks. In the end it is the Minister who is responsible, who has to stand up and front up and explain to the Australian people when these things happen.
QUESTION: So just to this co-ordinator. Do you think there's any merit in this role or what do you make of the claim to have this national cyber security co-ordinator?
PATERSON: Well, it was certainly clear in the wake of Optus and Medibank that this government's response to those attacks was incoherent and uncoordinated. But it is not clear to me why the Minister couldn't have taken that responsibility for co-ordinating. After all, the Albanese government made a lot of fanfare about appointing the first ever Cyber Security Minister to the Cabinet. It really should fall on the Minister's shoulders to take on that role of leading the response to those things. But if the Minister's not capable of doing it, if a bureaucrat needs to be appointed to do that, we'll look at it very carefully.
QUESTION: You mentioned the ASD, if there was more information regarding the laws would you support allowing the ASD to take control of ICT systems?
PATERSON: I led the Intelligence Committee inquiry into the critical infrastructure reforms that passed in 2021 and 2022, and the expansion of the ASD's powers to cover the most systemically important businesses to Australia, the largest critical infrastructure providers, was highly contentious. Even those businesses were reluctant to accept that oversight, but in the national interest, we proceeded because we thought that was necessary. If the government now believes that these extreme emergency powers are now necessary to apply to every other business, it has to provide a rationale and a justification for why that's necessary and to explain how that would work. Let's remember that although the previous government invested $10 billion in the Signals Directorate to significantly expand its operations, this would be an extraordinary obligation it would be placing on our ASD to protect every business in Australia from cyber attacks. I think we need to make sure ASD is focussed on the highest risk events and if the government believes it needs resources to do every single business in Australia well then it needs to explain that.
QUESTION: Cyber security is currently overseen by four government departments. Does it need to be streamlined?
PATERSON: Well, it was streamlined under the previous government, where Home Affairs was clearly the lead agency for cyber security. But unfortunately, the government has made it much worse by dividing that responsibility between Home Affairs and the Attorney-General's Department. In fact, the government forgot to move responsibility for cybercrime to the Attorney-General's portfolio and after having that identified months later had to embarrassingly shift that over. And so really it is the government's responsibility to make sure this is coordinated and coherent and in one place. And if they keep moving it around, they're making things harder for everyone.
QUESTION: The government says it's the cyber security laws that the Coalition put in place don't go far enough. Do you concede that in a constantly changing tech environment that we do need tougher laws?
PATERSON: Certainly, we always learn new things from cyber incidents and if changes are necessary in the wake of Optus and Medibank, we're very open to considering that. But the laws that we pushed through at the time, the critical infrastructure reforms were world leading and the government has conceded, even the Minister has conceded they were world leading reforms. Many of our partners and allies are still trying to catch up to those reforms which we enacted and are jealous of the powers that we have. If the government wants to extend that even further, we're very open to looking at that. But it is incumbent on the government to justify and explain why, and they haven't done so yet.
QUESTION: How much power do you think the government should have when private companies such as Optus or Medibank are hacked?
PATERSON: Well, the reason of the critical infrastructure reforms were passed was not because of a risk of a data breach, as serious as that is, they were in fact targeted at much higher risk activities like a possible cyber attack from a nation state adversary that was seeking to internally weaken, destabilise and distract Australia and prevent us from projecting our power into the region in the event of a military or other crisis. That's the kind of scenario that was in mind when the Parliament agreed to those critical infrastructure reforms. So, data breaches certainly are serious and certainly do warrant a strong response. But let's remember that these powers were passed for emergency case scenarios.
QUESTION: Just another matter. What do you make of a Federal Police issuing factsheets that outline what foreign interference is and where [indistinct]?
PATERSON: I really welcome this action from the Federal Police today. It is critically important that we remain on top of the threat of foreign interference, particularly the way in which it affects diaspora communities, many of whom are under very serious and sustained harassment and coercion from foreign authoritarian governments. That is utterly unacceptable, and it is the obligation of Australia and the Australian Federal Police to protect them. So, I'm very pleased to see this awareness raising exercise from the AFP today. It is right that they tell communities that they are available to act to protect them from these threats. What also needs to come with that, though, is much more active enforcement of these laws by the federal police. Since these reforms passed in 2018, only one person has been charged with an offence of foreign interference. That is difficult to reconcile with the observation of the ASIO Director-General, Mike Burgess, that espionage and foreign interference is our principal security concern and is at higher levels than it was at even the height of the Cold War. So, we need to match this welcome awareness raising activity by the AFP, by more active enforcement of these laws by the AFP.
QUESTION: Can I just go back to the discussion paper. Do you think it should be illegal for companies to pay ransoms?
PATERSON: Certainly, the very consistent advice from the Australian government is not to pay ransom. The reason for that is that it equips those attackers with greater resources for which they can attack again. It sends the message that you are willing to pay, and you could very much be targeted again even after you pay. And there's no guarantee at all, even if you do pay that your data which has been stolen or secured will actually be released and returned to you. And that copy isn't being kept by those hackers. So, we urge real caution with that. We also have to think carefully about whether or not it should be legally banned. No country in the world has banned it. And if we go down that path we need to think carefully about the implications of that, particularly in the scenarios, where, for example, a hospital is under attack and it can't get its emergency operating systems back online without paying a ransom, we have to think about those extreme scenarios. Thank you.
ENDS