November 7, 2022
DANICA DE GIORGIO: Joining me now live to discuss is Shadow Minister for Cyber Security James Paterson. Thank you for joining us this morning. Should companies ever pay a ransom in these sorts of cyber attack cases?
JAMES PATERSON: Danica, thank you for having me on the program. Look, this is a very vexed issue and a difficult one for companies to decide. It is often the case that companies do pay ransoms and it is often the case that it is not successful when they do in achieving their objectives. And that's why the consistent position of the Australian government and our cyber security agencies over many years is not to pay. Paying helps resource these organisations and criminals to conduct more attacks and paying signals that the target is willing to pay and means it can be a target of future attacks. If you're going to adopt a policy as Medibank has of not paying, well, then that means it's even more important that you have the responsibility to adequately protect the data of your customers in the first place so that they are never put in this invidious position of having to choose between paying in the forlorn hope that might help protect them or not paying.
This is going to be a real wake-up call for corporate Australia. It is not acceptable to inadequately protect the data of customers and I am very concerned that this is yet another public update for Medibank in which the number of users affected has increased significantly. It was only a few weeks ago they were saying that they believed it was about 4 million users that were affected. And, of course, weeks before that they were saying it was in the many hundreds of thousands. We now have up to 9.7 million customers of Medibank affected and they will be very distressed by that news this morning.
DE GIORGIO: That is certainly a large number of customers. Medibank also confirming this morning that those who had their private health information accessed is now less than 500,000. Is that a relief, do you think, that it wasn't closer to that 9.7 million? How concerning is that?
PATERSON: I think it'll be cold comfort to those 500,000 that not more of their fellow Medibank customers are among the data breach of the full extent, which includes the private health information, that is highly sensitive private health information, of half a million Australians who now face a real risk of that being leaked online and having their privacy undermined and exposed. But the other information leaked on the 9.7 million users is quite akin to the information that was leaked on Optus users and so it puts it in the ballpark in terms of scale and severity as the Optus attack. These are now the two largest cyber attacks in Australian history, and it does require more leadership from the government and unfortunately the Minister for Home Affairs and Cyber Security was slow to respond to Optus. It took her three days before she put out any public statement on it, even though it was very clear early on it was a serious attack and it appears that the Minister also took Medibank at its word when it said it wasn't a serious hack. And it took a week before she made any public statement, and it appears also took a week before she spoke to the Medibank CEO. The government needs to be much more quick in responding to these issues, particularly when they've made such fanfare of appointing a dedicated Cyber Security Minister to their cabinet.
DE GIORGIO: Let's move on to a story in The Australian newspaper today. Researchers at the Australian Strategic Policy Institute have uncovered what they say is a campaign of abuse, disinformation and propaganda aimed at shutting down a group of outspoken women who had criticised China. Now, that actually includes a number of women living in Western democracies, even here in Australia. How can this happen? I guess, how can the CCP infiltrate even over here in Australia digitally like that?
PATERSON: This is a very disturbing new piece of research from ASPI, and it demonstrates what some have feared and suspected was the case, which is that there is a systemic, coordinated campaign that is being run from China, most likely by Chinese intelligence agencies, targeting researchers, academics, activists and journalists in the West who do work which is critical of the Chinese Communist Party or exposes their human rights abuses. One of the case studies that they feature is Vicky Xu, a young Australian woman who has done world leading research on the repression of the Uyghur people in Xinjiang, and that has deeply embarrassed the Chinese Communist Party. And for that, the price she has paid is ongoing trolling and harassment of a highly sexualised nature online, including on Western social media platforms like Twitter. This is deeply disturbing. We effectively have a nuclear superpower, sexually harassing young women online. It is totally unacceptable. It should never be allowed to happen. And there are a couple of important implications that flow from this.
Firstly, social media companies must do more to protect their users. These activities are already very clearly in violation of their own platform rules. They need to consistently and much more promptly enforce those rules to protect those women.
But secondly, there's a role for government here. Australia led the world in 2018 with our espionage and foreign interference laws, and that has gone a long way to protecting our political parties and our democratic institutions from direct interference and influence. But there is an unfinished part of that reform program, and it is cyber-enabled foreign interference, which is still rife, and it can be equally corrosive to our democratic institutions because it is designed to coerce and intimidate and silence voices within our democracy from speaking out. The government needs to step up here and introduce a package of legislative reforms which seek to address this problem.
DE GIORGIO: James Paterson, we have to leave it there. Thank you very much for joining us.
PATERSON: Thank you.
ENDS