March 22, 2023
Good afternoon.
It is an honour to be here today speaking at the Australian Cyber Conference 2023 alongside some of Australia’s most knowledgeable and respected cyber security experts.
Thank you to the Australian Information Security Association for bringing us together for this important conversation, and your leadership in the cyber security industry.
We all need to work better together than ever before, because the threats we face are more serious than ever before.
A number of trends are driving this.
The first is the strategic environment. From Russia’s war in Ukraine, to China’s rapid military modernisation, we are living in a more contested global and regional security environment.
With that comes increased risks not just in the physical world but the digital world too.
As Ukraine has rightly identified, they are fighting a hybrid war against Russia – one on the ground, and one in the cyber realm.
Wiper malware, DDoS attacks, cyber-enabled disinformation and attempted sabotage of critical infrastructure have all been weapons in Russia’s digital arsenal against Ukraine.
The war in Ukraine has also underscored the centrality of public-private cooperation in defending a nation against cyber campaigns in a time of conflict.
For example, Microsoft helped Ukraine track and eradicate dangerous malware, and migrate critical Ukraine Government data to the cloud to keep it safe.
We would be naïve to think our region will always be free from this sort of conflict, or that Australia could never find itself in a similar position.
Already, foreign authoritarian states are testing and probing our critical infrastructure networks for vulnerabilities, and scanning our government networks for secrets.
Experts testifying before the Parliamentary Joint Committee on Intelligence and Security in 2021 said it was likely that our adversaries were already pre-positioned on critical networks so that they could disrupt or disable them as a prelude to regional conflict.
In their Annual Threat Assessment, released this month, the US intelligence community observed:
"If Beijing feared that a major conflict with the United States were imminent, it almost certainly would consider undertaking aggressive cyber operations against U.S. homeland critical infrastructure and military assets worldwide. Such a strike would be designed to deter U.S. military action by impeding U.S. decisionmaking, inducing societal panic, and interfering with the deployment of U.S. forces."
Last week’s AUKUS announcement is not just evidence of how seriously both sides of politics regard this threat, but an attractive cyber target itself.
There will be few items higher on the tasking lists of foreign signals intelligence agencies than the technology which underpins the US nuclear powered submarines.
And that’s before we contemplate the strategically and commercially valuable pillar two of AUKUS which includes cyber capabilities, artificial intelligence, quantum computing, hypersonics and unmanned vehicles.
The second trend relates to the double-edged sword of Australia’s digital evolution.
We are a rich country with among the highest rates of digital adoption on the planet.
That’s brought wonderful technologies which have enriched our lives. It’s changed the way we live and work, largely for the better.
But at the same time it has increased the attack surface for the criminally motivated. And they are only getting more sophisticated in the way they conduct their business.
Some criminal syndicates look more like multinational corporations in their structure with elaborate supply chains and modern business models.
Ransomware as a service operators even use marketing tools borrowed from legitimate companies like subscription models, affiliates, licence fees and profit-sharing.
According to the Australian Cyber Security Centre, 76,000 cybercrime incidents were reported in the last financial year, up 13 per cent from the previous year.
Medium-sized businesses experienced the highest average financial loss, at approximately $88,000 per attack.
Small businesses suffer approximately $39,000 in average financial losses and large businesses approximately $62,000. At all levels of Australian society, we are vulnerable to cyber intrusion and attacks.
It’s in this context that I will address the topic today: Better Together: Building Strong Partnerships to Beat the Evolving Cyber Threat.
And that’s because the first step to a successful cyber security strategy is recognising that we will fall behind our adversaries if we do not work together to defeat them.
To combat the serious challenges our nation faces, there must be a strong partnership between government and industry.
In government, the Liberal and National parties recognised these challenges and acted on them.
We made tough but necessary decisions to secure our digital sovereignty, equip our intelligence and security agencies with appropriate tools and harden the private sector from attacks.
We established the Australian Cyber Security Centre within the Australian Signals Directorate in 2014, to help drive a partnership between industry and government.
We released the first ever national cyber security strategy and appointed the first ever cyber security minister in 2016.
We appointed the first ever cyber ambassador in 2017.
We made ASD a statutory agency, and legislated the first ever security of critical infrastructure act in 2018.
In that year we also led the world by banning Huawei and other high-risk vendors with close connections to the Chinese Communist Party from providing 5G mobile technology in Australia.
A host of other countries including the United States, the United Kingdom, Japan, India, New Zealand and others have since followed our lead, recognising the security risk posed by companies like Huawei is too great to overcome.
In 2020 we updated our Cyber Security Strategy and backed it with $1.67 billion of investment.
In 2021 we legislated a new legal framework for the Australian Federal Police to take the fight up to criminals on the dark web, drawing on the assistance of ASD.
We significantly enhanced our Critical Infrastructure Act in 2021 and 2022, expanded the sectors covered from four to eleven, placed requirements on critical infrastructure providers to have risk management plans in place, and gave emergency powers to ASD to step in in the event of a catastrophic attack on our most systemically important networks.
When I meet with our friends and allies around the world, their jaws drop when they hear about these reforms – an experience I know the current Minister for Home Affairs and Cyber Security has had as well.
And of course, last year we unveiled the largest ever investment in ASD’s history through project REDSPICE – $10 billion over 10 years to effectively double their size with 1,900 new personnel and the acquisition of new platforms, technologies and capabilities.
The fruits of this approach were evident in the Cyber Defense Index, released by MIT in November 2022, just six months after the May election.
Australia’s overall strong performance in the index was underpinned by our first place on the critical infrastructure pillar, no doubt the result of the reforms enacted by the previous government which Home Affairs Secretary Michael Pezzullo has rightly called “world-leading.”
I hope the new government can build on the success of the previous government, including through its new cyber security strategy.
I admire Minister O’Neil’s ambition for Australia to be the most cyber-secure country in the world by 2030.
Despite these achievements, we all know that the cyber threat landscape is constantly evolving, and with it our responses must evolve too.
The Optus and Medibank data breaches are proof of that.
There are lessons to be learned from every successful cyber attack.
We must ensure we learn the right lessons from Optus and Medibank, and apply these lessons across industry and government to make sure they are never repeated on this scale in Australia.
In the wake of the Optus attack, I met with a number of CISOs. What you told me loud and clear was that you were alarmed by the public attacks by the government on Optus in the middle of the crisis.
Many told me it raised doubts in your mind about whether it was safe, or in the best interests of your company, to share information with the government about an evolving cyber crisis, because you feared it might be used against you while you were busy trying to put the fire out.
Instead of picking up the phone to the ACSC in the first instance, you would call the lawyers.
One cyber lawyer told me in good conscience they could not advise their clients there was no legal risk sharing information with government about a cyber attack.
Let’s be clear – this is not good.
We need to move beyond finger-pointing and blame shifting during every cyber crisis, and recognise this is a national challenge that can only be addressed through genuine partnership between industry and government.
If the flow of information to government about cyber attacks slowed down because of a lack of trust, it would be a disaster.
It was also clear during Optus and Medibank that Australians were crying out for calm, informed, factual information about what had happened, how it affected them and any steps they could take to protect themselves.
I know this because I was in high demand personally from radio and television producers, who wanted me to come on as Shadow Cyber Security Minister and do my best to answer the questions from their listeners and viewers.
They came to me because they couldn’t get anyone from the government to come on their programs.
This isn’t good either. While I was happy to help, in Opposition I don’t have a Department or an agency at my disposal to provide the information I would need to be an authoritative source on these complex and fast moving crises.
So in the spirit of bipartisanship I want to put two constructive policy reform ideas on the table to make sure that if, or sadly when, the next Optus or Medibank comes along, we are all better placed to deal with it.
We need seamless, time sensitive sharing of information between government and business when there is a cyber attack. We can’t afford for any CISO or their CEO to hesitate to pick up the phone to the ACSC and share what they know.
That’s why I am proposing a mechanism where companies can securely and with confidence share with ASD what they know as soon as they know it, without the fear that it could be used against them by regulators. It’s sometimes been called a “safe harbour”, but is really just a protected and confidential process to share information that won’t be used for any other purpose.
It is an idea I put to ASD director-general Rachel Noble in Senate Estimates last year.
Ms Noble responded:
"I think the safe harbour concept is a most excellent idea… from an operational perspective, in that heat of the incident, if you will, when we're still trying to pull people out of the water and into the lifeboats, to have that absolute confidence for the private sector, that at the very least their operational engagement with ASD would be exempted from the inquiry of others, whether they are other government agencies or other people scrutinising the process, like we've seen in class action lawsuits, for example, that is very attractive to us as well."
By removing the fear of vilification and litigation, a safe harbour would encourage the private sector to work cooperatively with federal agencies like the ASD in times of crisis.
That doesn’t mean companies can’t or shouldn’t be held accountable for negligent handling of customer information or poor cyber security. They absolutely should.
But that can come after the crisis has subsided, and shouldn’t rely on information voluntarily shared by companies with ASD when trying to solve the crisis.
We must also ensure that the flow of information to affected customers and the public is prompt, credible and informed.
When there is a bushfire or a flood, we are all used to tuning in to broadcasts fronted by Rural Fire Services or SES officials who update communities about the path of the fire or flood and when to evacuate.
With cyber attacks affecting millions of Australians, there’s no less need for this sort of timely information sharing to reassure people and provide advice about any necessary steps they should take to protect themselves.
The government should designate an official to perform this public education function. One logical person to perform this role would be the recently announced Coordinator for Cyber Security within the Department of Home Affairs, or alternatively the head of the ACSC.
By design, the intent of each of these proposals – a safe harbour and an authoritative voice – is to ensure a strong, productive, working partnership between government and the private sector to harden our cyber defences.
We are better when we work together, and any government reforms should be targeted at securing this relationship into the future.
Our world is changing. We are living in the most dangerous period since the Second World War, and increasingly competition, coercion, conflict and crime are being orchestrated in the digital realm.
Australia’s cyber security cannot be viewed in isolation from our strategic circumstances.
To beat the constant cyber evolution and to overcome the very serious challenges our nation faces, we need a strong and enduring partnership between government and the private sector.
Failure to do so will only weaken Australia at the very time we most need her to be strong.