June 1, 2023
Good morning and thank you for hosting me here at the Cyber Security Connect Summit.
I am pleased to be speaking today on Australia’s cyber security posture amid global threats.
This topic is timely given that over the past week we have been scrutinising the performance of the Government in this area through the Senate Estimates process.
I regret to report there is much work to be done.
A particular concern of mine is our exposure to high-risk authoritarian technology, particularly from China.
In a more benign security environment perhaps this would not be such a problem.
But the Defence Strategic Review tells us the ten-year warning time for conflict in our region has evaporated.
The Director-General of ASIO tells us that espionage and foreign interference is higher than at any point in our history and has now supplanted terrorism as our principal security concern.
The Australian Signals Directorate has warned of near constant cyber attacks on our government networks and critical infrastructure operators.
The dominant source of all of the threats in these domains is the People’s Republic of China.
Unfortunately, it is also a dominant source of much of the software and hardware Australians rely on – including in the federal government.
And the ostensibly ‘private’ companies based in China who produce and sell these products are not really private companies at all.
They are effectively arms of the Chinese state, and subject to the extra judicial direction of the Chinese Communist Party through many levers, including strategic ownership stakes, internal CCP cells, national security legislation and the ever-present threat of arbitrary detention and arrest for their senior management if they fail to uphold the Party’s wishes.
So, we can’t treat these products like just another piece of software or hardware. Our friends and allies around the world are certainly not.
I am unashamedly waging a campaign to rid the Commonwealth Government of as much high-risk authoritarian tech as quickly as possible.
Because I fear that if the worst eventuates, and conflict eventuates in our region in the future we will look back with regret that we had not acted to address these vulnerabilities sooner.
Competition – and potentially conflict – in the digital realm will be just as consequential as that in the physical domain.
We need only to look to Ukraine to see how this is already playing out in the real world, where Ukrainian authorities acknowledge they are fighting a hybrid war against Russia: one on the ground, and one in cyber space.
We need to be clear-eyed about Australia’s own cyber posture, and diligent in ensuring we aren’t unwittingly leaving a back door open for foreign adversaries to infiltrate our systems.
Doing so exposes us to the risk of cyber disruptions, surveillance, and large-scale foreign interference.
I’m pleased with the progress we’ve made so far.
In the last year, the Government has banned TikTok from government-issued devices.
They’ve committed to removing more than 1,000 cameras made by Hikvision and Dahua from Commonwealth sites.
And they’ve grounded their fleet of drones made by DJI.
But every one of those actions only came after I first revealed the vulnerability through audits of our exposure, after I called for them to address it and after our allies had already done so.
To put it mildly, it’s not a robust approach to national security to wait until an Opposition Senator lodges questions on notice through the Parliament before we act.
We need a much more proactive approach to the risks to cyber security posed by these high-risk vendors.
We need to get on the front foot and start anticipating these threats, dealing with them before someone like me thinks that it might be a problem and starts asking questions.
Ripping out cameras or uninstalling apps after the fact is time consuming, expensive, and leaves us wondering how much damage has already been done before we recognised the risks we were exposed to.
We need to move beyond this whack-a-mole approach towards something more systemic and forward-leaning.
In November last year, I questioned the Department of Home Affairs at Senate Estimates on whether it assesses, provides advice or even has visibility of the suite of technologies embedded in government systems. The answer was no.
Home Affairs told me that, “Ultimately, it would be up to governments to make a decision about how they require individual portfolios, departments or agencies to make choices.... As for the choices that each individual agency makes about what it bans or accepts on its networks, some are based on judgements about the degree of risk involved and some are made on pure value-for-money bases. There isn't a central controlling department or agency that is responsible for providing that sort of advice.”
In today’s spirit of constructive discussion, I would like to propose a practical solution to assist the Government to address this obvious gap and get ahead of the curve on threats presented by new and existing technologies.
The Government should establish a new office within the Department of Home Affairs to assess the security risks presented by software and hardware used by the Commonwealth Government.
A National Technology Security Office should bring together the policy nous of departments like Home Affairs and the Attorney-General’s Department with the technical expertise and intelligence access of agencies like the Australian Signals Directorate and the Office of National Intelligence.
In the first instance, the Office should map the Commonwealth Government’s current exposure to technologies that could pose a national security risk, with a particular focus on technologies owned by companies subject to extra judicial directions from a foreign government that could jeopardise our national interests.
What other drones, cameras or other devices are embedded in our networks right now? What other applications are interfacing with our IT and leaving government information open to compromise?
This is no easy task. I imagine the findings will be dire, and expensive to remedy through what could be a years-long process.
But it is important and necessary work.
Building on this first phase, the new Office could move toward a more proactive stance, identifying and assessing emerging technologies before they are deployed to ensure appropriate mitigations are in place.
Recognising that there is no ‘one size fits all’ approach, the Office will need to evaluate technologies according to the level of risk they present and the utility they provide, applying commensurate controls to eliminate or manage this risk.
As Secretary of Home Affairs Mike Pezzullo said last week: “All apps carry data risks. The question is, does the benefit outweigh the risks? And, if the benefit is still material enough, can the risks be managed in such a way that the application can be safely used?”.
If the answer is no, we should be forthright in banning Commonwealth use of the technology, as was the case with TikTok.
Once mature, the advice provided by this construct could be made binding, and expanded to capture government contractors as well as the operators of critical infrastructure, especially systems of national significance.
This work could also ultimately be used as the basis for a high-risk vendor framework to assist entities outside of government in managing risks throughout their supply chains.
The intent of this proposal is to take Government out of a purely reactive mindset when it comes to the security risks presented by different technologies, and put us back on the front foot as we navigate the next wave of challenges.
Failure to do so will see Australia stuck in a perpetual game of catch-up, forever two steps behind our adversaries as technology continues to evolve at breakneck speed.
Conversely, if we get this right, Government can show real leadership in uplifting Australia’s cyber security.
Australia can again lead the world in taking the tough but necessary decisions to secure our digital sovereignty, as we did in 2018 when we banned Huawei and other high-risk vendors from our 5G networks.
I look forward to discussing these issues with the panel this morning
