October 20, 2022
MATTHEW DORAN: Well, the Shadow Cyber Security Minister James Paterson joins us now live from our Melbourne studios. Senator, welcome to Afternoon Briefing. Do you think this is a situation where there are more cyber attacks happening and we're just hearing more about them than we have done in the past?
JAMES PATERSON: Thanks for having me on. It certainly is the case that we are on an exponential increase of cyber attacks and it's possible we're also hearing more about them as companies understand their obligations to inform the public and their customers of the impact. I've also had a briefing from the Medibank CEO this afternoon and I do congratulate them on sharing as much information as they're able to publicly at this time. But I am also concerned that there are some questions that they are not yet able to answer. They're not yet able to say how many customers have been affected. They're not yet able to say whether or not it is just current customers or also former customers. And they don't know the proportion of which have been affected by just their personal information, for example, their name and address and date of birth, which has been released, and the proportion of which have been affected by the potentially highly personal medical information which has been leaked. And I know that will be of great concern to Medibank customers who are wondering how this impacts them.
DORAN: How quickly do you think that sort of information would be forthcoming?
PATERSON: Well, I hope it is very promptly forthcoming. It is a bit concerning to me that it was over a week ago now that this attack was first disclosed, and that Medibank said that at the time that it did not believe that personal information of customers had been leaked. Now, these are complex, fast-moving issues, they are technically difficult, and I don't want to be too critical of the company here. But it is also of concern that the Minister for Cyber Security has waited a full week after this attack was disclosed before she made any public statement about it. And unfortunately, that is consistent with the way the government has approached these issues. It was reminiscent of the response to Optus which was also very slow, and I am concerned that we're not seeing the political leadership we need here from the government. Anthony Albanese made much fanfare of appointing a dedicated Cyber Security Minister in his Cabinet, but so far, I think Clare O'Neil has been missing in action.
DORAN: How much of that comes down to the sort of information that the company is giving the government, whether it's the political side of the government or indeed the security agencies who were brought in to try to secure the situation?
PATERSON: Companies like Medibank have important moral but also legal obligations to share as much as they know as promptly as they can with organisations within the government like the Australian Cyber Security Centre. And I hope that that has occurred in this instance. I don't have any reason to believe that it hasn't, but it's also very dangerous for the government and for the Minister to assume that if the company believes it is a relatively low risk attack, that's not disclosed personal information, that they should just accept that. The Minister's now said that officials from the AFP and the Australian Signals Directorate will be deployed to Medibank. But why didn't she propose that a week ago when she first learned of this, when this was first disclosed publicly and to the government? And maybe if she had done so, we would have got to the bottom of this much more quickly than we have and we wouldn't have lost a week of time in responding to this. I mean, time is of the essence when it comes to cyber attacks, because individuals can take steps to secure their personal information to protect themselves from potential exploit. But if we're assuming that this is not of consequence and that no special action is required, as the minister appears to have done in this instance, then we can lose a lot of time. And I'm worried on behalf of Medibank customers about what that means.
DORAN: James Paterson, this is the second high profile cyber attack to hit a large Australian company within the course of about a month or so. Do you think that there are concerns with how Australian companies are preparing their cyber defences?
PATERSON: Self-evidently, yes. Australians trust these companies with their personal information and when they hand it over, they have a reasonable expectation, as does the government and the parliament, that companies will take sufficient steps to protect that data and make sure that it is not lost and also that they won't unnecessarily store the data beyond what they need it for, for legitimate business purposes. It's in fact, an already requirement of our privacy law that companies cease holding any data any longer than they need it for. And it'll be very important to understand in both the Optus breach and this Medibank attack, whether or not each company has been holding data for any longer than it needed to and potentially in contravention of the law. It will be appropriate, as the government has flagged, to look at potential legislative reforms if it is necessary to make sure companies are complying with their existing legal obligations.
DORAN: There was a PWC survey released earlier this week which showed that 90 per cent of Australian executives are somewhat wary about actually revealing when they've been hit by cyber attacks. Is that a concerning statistic?
PATERSON: It is a concerning statistic, but I have to say it's not something that I'm very surprised to hear given the feedback that I'm receiving from industry over the last few weeks. In fact, just today, I met with senior cyber security leaders in a range of private and public facing companies, and they told me that in the wake of the Optus attack where the Minister and the CEO very publicly fell out and attacked each other, that they have become more wary than they otherwise would have been previously at sharing information with the government because they fear that that might be used against them in a political context. That is extremely concerning information that I heard today. That's the last thing we want. We need a very trusted sharing relationship between cybersecurity professionals in government and those in the private sector. Otherwise, we're exposing ourselves to more risk. And if they're holding back because they fear that Clare O'Neil or Bill Shorten will do a press conference and attack them for it, then that does not make Australia safer.
DORAN: Is there an argument, though, that if the company is publicly saying one thing and then telling the government of the day whatever political persuasion they are, another, that there is a responsibility on the behalf of ministers to bridge that credibility gap, I guess?
PATERSON: Well, if that is true and if that has happened, then yes, I think it is important for governments to share what they know and to be upfront and honest with customers about the information that they have. But it's not yet clear whether or not that's the case in this instance. For example, with Optus, the company continues to assert that this was a sophisticated attack, and the Minister continues to assert that this was a basic attack. Those two competing storylines have not been reconciled and I think Optus customers are entitled to know who is right. And if someone has been misleading the public, whether it is the company or the Minister, then they need to fess up on that. Unfortunately, because we don't have the final results of the investigation, we don't yet know that. And perhaps that is a lesson that rather than having a public debate about what the nature of this leak has been, we should instead just focus on dealing with the problem and wait until we have full information before we have accountability.
DORAN: I want to ask you a question about another story today, the breaking news about Greens Senator Lidia Thorpe not declaring a relationship with a former bikie while she was on the law enforcement committee. You have been on a number of committees in your time in Parliament and currently on the Joint Committee on Intelligence and Security, so a different committee to the law enforcement one, but how concerning is it? Regardless of the fact that Senator Thorpe says she never shared any confidential information with her then partner, how concerning is it that there is this at least perception of a conflict existing?
PATERSON: This is a very important story by your ABC colleagues. It is of grave concern to me that a person who is serving on a parliamentary committee that has access to sensitive law enforcement information because the Australian Federal Police and other law enforcement agencies trust parliamentary committees and disclose to them important information about the way in which they operate and the priority targets which they pursue and the technology which they use. That a person who sat on that committee was having a relationship with someone who potentially would have fallen into the purview of the law enforcement agencies that she had the task of overseeing and didn't disclose that either to the AFP or to the committee it appears. That's a very serious conflict of interest. It should not have happened. It's disappointing that the Greens were not more on top of this issue and from time to time people suggest that a member of the Greens should be allowed to serve on the Parliamentary Joint Committee on Intelligence and Security. Well, can I say this is exactly why they have never been allowed to and, in my view, should never be allowed to serve on that committee. They simply cannot be trusted with sensitive national security information, as they've demonstrated.
DORAN: James Paterson, thank you for joining us.
ENDS