March 27, 2024
Good morning and thank you for hosting me here at the Australian Cyber Conference.
It is an honour to be speaking here again in 2024 alongside some of the best and brightest in the industry.
I would also like to thank the Australian Information Security Association for organising this event, and for your continued leadership in the cyber security industry.
A lot has happened since I spoke at this event a year ago.
Russia’s devastating war in Ukraine has dragged on for another year, and Ukraine’s incredible resilience in fighting a hybrid war has been instructive on the importance of public-private partnership for national security and the nature of cyber warfare in the modern era.
There were multiple high profile cyber incidents in Australia, including the Latitude Financial cyberattack that affected 7.9 million Australians, a data breach that forced DP World to shut down ports around the country, and a cyber incident targeting St Vincent’s Health.
We also saw the release of the Government’s new Cyber Security Strategy – which I will return to later – and the appointment of Australia’s first (and second) National Cyber Security Coordinator.
These were all significant events in Australia’s cyber landscape, and have no doubt shaped much of the conversation over the last couple of days.
But there were two developments that stood out to me above the rest.
On the 8th of February, the Australian Signals Directorate issued a joint advisory with its Five Eyes counterparts which assessed that:
“People’s Republic of China (PRC) state sponsored cyber actors are seeking to preposition themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”
This came after a Five Eyes joint attribution issued in May last year, which shed light on Volt Typhoon’s targeting of US critical infrastructure and the group’s use of ‘living off the land’ techniques, which use built-in network administration tools to evade detection.
By contrast, the latest attribution is quite explicit in describing the threat actor’s intent and the risk that it poses to US critical infrastructure.
Governments do not take the decision to make these attributions lightly, and this significant escalation in language likely reflects a commensurate escalation in the cyber threat environment.
Concerningly, the statement also says Australian critical infrastructure could be vulnerable to similar activity from PRC state-sponsored actors.
ASIO Director-General Mike Burgess said in the annual threat assessment last month:
“The most immediate, low cost and potentially high-impact vector for sabotage is cyber. Our critical infrastructure networks are interconnected and interdependent, which increases the vulnerabilities and potential access points.
ASIO is aware of one nation state conducting multiple attempts to scan critical infrastructure in Australia and other countries, targeting water, transport and energy networks.”
The Director-General also pointed out that we have already seen what the consequences of this kind of sabotage could look like in Australia through our experience of the Optus outage last year.
A routing error caused widespread interruption across the Optus network, disrupting the lives of millions of Australians and impacting everything from hairdressers, banks, hospitals and even train services.
The outage directly affected more than 10 million people and 400,000 businesses across Australia.
While this disruption was not caused by malicious activity, it’s not hard to imagine how a well-resourced state-based actor could initiate something similar.
And I’m sure it’s not just our national security agencies who have realised this.
So, I have a sobering message for our colleagues here from industry, particularly those who manage our critical infrastructure and systems of national significance: if you haven’t found any evidence of these kinds of intrusions, you haven’t looked hard enough.
Public attributions are crucial for shaping norms in the cyber domain, and Australia should never be afraid to call out bad behaviour.
Doing so may cause our adversaries to think twice about targeting us next time.
This brings me to the other, more positive development that stood out to me this year: Australia’s first use of our thematic cyber sanctions regime.
On 23 January 2024, the Australian Government announced it had imposed a targeted financial sanction and travel ban on Aleksandr Ermakov for his role in the Medibank breach of 2022.
The next day our allies in US and UK announced they were jointly sanctioning Mr Ermakov for his role in the Medibank hack.
It was in November 2022 that I first called on the Government to use these powers in relation to Medibank after the Australian Federal Police had publicly attributed the incident to Russian hackers.
I welcome the Government’s decision to finally do so, however belatedly, but I note that some have questioned the effectiveness of these kinds of sanctions.
The reality is that cyber deterrence is a very hard task, particularly when the perpetrators can be any combination of sophisticated state-backed actors, organised cybercrime groups, and lone actors.
We have to be honest with the Australian people about what we can realistically achieve, and what we are trying to do through these sanctions is shape international norms by putting a cost on this malicious behaviour.
We should be doing that with offensive cyber operations against cybercriminals, and we should be doing it by sanctioning not just these gangs, but the governments that harbour them.
The Russian government knows very well that this activity takes place on their soil.
These sanctions will by no means guarantee that this type of malicious behaviour will stop, but it does make it less likely than if we do nothing.
These sanctions are particularly powerful when done in concert with our allies, and I welcome the decision of the US and UK Governments in participating in the joint sanctioning of Mr Ermakov.
The more likeminded countries that join in, the more powerful the effect of the sanctions.
Just yesterday we saw the New Zealand and UK Governments publicly call out China for malicious cyber activity attributed to groups sponsored by the Chinese Government. These attacks targeted both countries’ parliamentary institutions and, in the case of the United Kingdom, its electoral commission as well.
The UK and the US sanctioned a front company and two individuals who were complicit in this shocking conduct, and I have called upon the Australian Government to use our own Magnitsky-style thematic sanctions regime to stand with our allies in sanctioning the individuals responsible.
If we can prevent these people from being able to travel or transact anywhere in the world – not just Australia – the world starts to get a lot smaller and a lot less friendly, which might lead others to think twice before engaging in this activity.
We are at a crucial juncture for how we conceptualise national security risks in what is a rapidly evolving digital threat environment, and we need to think carefully about the international norms we are seeking to promote and what we are willing to do to enforce them.
This is true not just for cyber, but for other cyber-enabled ‘grey zone’ threats.
Many were shocked by the revelations last month that an elected politician was prepared to betray our country.
But this really shouldn’t come as a surprise.
Director-General Burgess has been saying for years now that foreign interference and espionage is Australia’s number one security threat, and I welcome his disclosure because it has shaken Australia out of its complacency towards this subtle but pervasive threat.
You may have heard the refrain “threat is equal to capability plus intent.”
The episode discussed by Mr Burgess unambiguously demonstrates that at least one foreign country has the intent to undermine Australia’s sovereignty in pursuit of their own national interests and has the time and resources to do so.
I fear that the advent of generative AI will serve to enhance this capability.
Many of you would have seen the recent examples of realistic video footage produced by AI models that have radically improved in the last 12 months alone.
It is possible right now to create ‘fake’ video and images almost indistinguishable from the real thing with relatively nascent technology.
We don’t need to speculate about the ways that this technology can be misused.
Two days before Slovakia’s elections last year, an audio recording began circulating appearing to depict one of the party leaders and a journalist discussing how to rig the election.
It quickly became apparent that the recording was fake, having been crudely synthesised by AI.
But the audio was posted during the two-day media blackout, making it difficult to debunk the deepfake.
It is impossible to say how much this incident impacted the election, if at all.
But it is worth noting the individual targeted represented was pro-NATO and aligned with Western interests, while the pro-Russian opponent who ultimately won was advocating for an end to military aid to Ukraine.
More recently, voters in the US state of New Hampshire received robocalls from an AI-generated Joe Biden ahead of the presidential primary urging them not to vote.
Many are rightly concerned that there will be many more instances like this in the lead up to the US presidential election, as low-cost generative AI tools are used to create and disseminate deepfakes and disinformation at a scale we have never seen before.
The 2024 Annual Threat Assessment of the US Intelligence Community released last month highlighted that “China is demonstrating a higher degree of sophistication in its influence activity, including experimenting with generative AI”, and notes China may attempt to influence US election in 2024 to further its interests.
I’m sure our policymakers and national security agencies will be watching closely to see what lessons can be gleaned for Australia heading into our next federal election shortly after.
AI will also modulate more familiar cyber threats.
The UK’s National Cyber Security Centre assessed in a report released in January that AI will heighten the global ransomware threat and increase the volume and impact of cyberattacks in the next two years.
The report suggests that by lowering the barrier to entry for novice cyber criminals, hackers-for-hire and hacktivists, AI enables relatively unskilled threat actors to carry out more effective access and information-gathering operations. This access, combined with new tools to improve targeting of victims, will contribute to the global ransomware threat in the next two years.
Meanwhile, Microsoft published research last month which revealed that Iran, North Korea, Russia and China are already using large language models to assist with reconnaissance, social engineering, and offensive cyber operations.
I realise I have painted a fairly grim picture, but there have also been more positive developments in the face of this new wave of threats.
Ukraine’s incredible resistance in the face of the Russian invasion has driven the adoption of AI technologies in unprecedented ways.
Time Magazine has reported the Ukrainian Government is using AI for battlefield intelligence, strike targeting, gathering evidence of war crimes, clearing land mines, resettling displaced refugees, and fighting corruption.
This underscores that, in the right hands, these new technologies can provide an asymmetrical advantage against those who would seek to do us harm.
This is a crucial point for a country like Australia.
FBI Director Christopher Wray told the US Congress in January that “The PRC has a bigger hacking program than every other major nation combined. In fact, if each one of the FBI’s cyber agents and intelligence analysts focused exclusively on the China threat, China’s hackers would still outnumber FBI cyber personnel by at least 50 to 1.”
If that is true of a country like the United States, it’s fair to say Australia isn’t going to win a numbers game.
This is why we need to work with our allies to accelerate technological innovation and embrace new technologies that can give us an edge in the cyber domain.
This is also why the previous government invested 9.9 billion dollars over ten years through project REDSPICE.
This was the single largest investment in ASD’s history, and will enable the acquisition of new platforms, technologies, and capabilities.
This is also the logic that underpins pillar two of AUKUS, which will see Australia work with the US and the UK to improve our collective capabilities relating to cyber, artificial intelligence, quantum computing, hypersonics and unmanned vehicles.
Both REDSPICE and AUKUS will be transformative for Australia’s sovereign capability in the technological arms race we find ourselves in.
And both decisions required clear-eyed national leadership backed by significant investment.
The Cyber Security Strategy released by the Government last year is undoubtedly ambitious.
It aspires to see Australia become a world leader in cyber security by 2030 and commits to a long list of actions.
But I fear it aspires to do too much, too soon, with too little.
At Senate Estimates last month the Department of Home Affairs the Strategy only commits $192 million over the next four years.
The Strategy also fails to prioritise within its lengthy list of objectives.
There is real risk that when a government tries to do everything, it ends up doing nothing, and I worry that will be the case here unless we see some ruthless prioritisation from the Minister ahead of the next election.
I am also concerned the Government may be tempted to rush decisions that will have significant implications for industry.
Most of you would be aware that the Government is currently consulting on proposed legislative reforms floated as part of the Strategy.
These reforms – particularly to the Security of Critical Infrastructure Act – are incredibly consequential for how government and industry manage cyber risk, and I know many people in
industry are concerned that these reforms have been poorly explained in what has been a rushed consultation process.
I am also concerned that the Strategy does not go far enough in addressing some of the threats I discussed earlier.
Last year I chaired the Senate Select Committee on Foreign Interference through Social Media.
The Committee Report made a number of recommendations, but chief among them was a requirement for all large social media platforms operating in Australia to meet a minimum set of transparency requirements, enforceable with fines or, ultimately, a ban.
Some private companies are already moving in this direction.
Last month Meta announced it will begin detecting and labelling images generated by other companies’ AI services. Meta also announced it plans to set up a special team in Europe tasked with identifying and mitigating election-related threats on its platforms in real time.
While I welcome these efforts, we cannot leave companies to their own devices to address these systemic risks.
Earlie this month, this realisation prompted the United States House of Representatives to vote overwhelmingly in support of a Bill which would force TikTok’s parent company ByteDance to divest or see the social media application TikTok banned in the US.
For those who don’t know, ByteDance is a Beijing-headquartered company that can be compelled to cooperate with Chinese intelligence services – and keep that cooperation a secret – under China’s 2017 National Intelligence Law.
This means the CCP can use TikTok to access the data of millions of Australians, and can put its thumb on the scale of the TikTok algorithm to push China’s preferred narratives to actively influence its users.
The US legislation severs the relationship between TikTok and ByteDance, thereby removing the ability for the Chinese Government to compel access to user data.
Countries have the right to set the terms by which foreign companies operate on their shores, and this is particularly relevant for companies headquartered in authoritarian countries that could pose a domestic national security risk.
This is why I have encouraged the Government to consider similar legislation here in Australia to make sure that Australia is not left behind.
It is also why the Senate Committee Report also recommended the Government designate a lead for whole-of-government efforts to counter cyber-enabled foreign interference, and recommended the Government address countering cyber-enabled foreign interference as part of the Cyber Security Strategy.
The intent of this proposal was to elevate national leadership on foreign interference, and to reframe our thinking to recognise that cybersecurity and other threats such as foreign interference and espionage are inextricably linked in the digital era.
Australia needs to have a difficult conversation about what sovereignty looks like as new technologies and evolving threats continue to intersect in unprecedented ways.
This conversation should be led by a government with a clear vision for what this future should look like, and that is willing to make some difficult decisions to realise this vision.
Fundamentally, we need to move towards a more holistic national security strategy that takes a first-principles approach to defining Australia’s core strategic interests and articulates how we will seek to defend these from the most significant threats – regardless of the vector.
We have a real opportunity right now to collectively agree what we want the Australia of the future to look like, and to make clear to those who would seek to undermine this vision what the consequences of that behaviour will be.
Public-private partnership must be at the centre of this approach, and we need strong leadership from the Commonwealth Government to ensure these risks are managed by those best-placed to do so – be it private companies such as critical infrastructure providers, social media companies, or government itself.
Failure will see us drift passively into an uncertain future, and I fear we will not truly understand the costs of this complacency until it is too late.
I look forward to discussing these issues in further detail with you this morning.
ENDS
