
Transcript | Speech to the Australian Cyber Conference | 19 October 2023


Thursday 19 October 2023
Speech to the Australian Cyber Conference - Extraordinary Times Call for Extraordinary Action
Subjects: Cyber security, Australian national security, Policy

Good morning and thank you for hosting me here at the Australian Cyber Conference.

I am pleased to be speaking today about opportunities to uplift Australia’s cyber resilience, and the role of the Commonwealth Government in this project.

This topic is front of mind for many of us as we await the release of the Government’s new Cyber Security Strategy, which will set out how the Government will deliver its laudable ambition of making Australia the world’s most cyber secure country by 2030.

In the spirit of constructive discussion, I would like to set out what I believe a successful national cyber security strategy must address, and the most critical areas where the Government should focus its energy and investment.

The suggestions draw from my own engagements with industry, academia, and other sectors, as well as the considered and comprehensive submissions that stakeholders provided to inform the Cyber Security Strategy.

Strategic context

Before I get to specific themes or ideas, I want to touch on Australia’s strategic environment which serves as the backdrop for the Cyber Strategy.

The Director-General of ASIO warns us that espionage and foreign interference has supplanted terrorism as Australia’s principal security concern.

The Australian Signals Directorate has spoken of near constant cyberattacks on our government networks and critical infrastructure operators.

And the Defence Strategic Review tells us the ten-year warning time for conflict in our region has evaporated.

It feels like every other day we hear about another cyber incident impacting Australia.

Last year we saw two of the largest data breaches in Australia’s history through the Optus and Medibank incidents, and more recently the incident impacting Latitude Financial and others.

As a result, much of the commentary surrounding the cyber strategy has focused on the harms suffered by individuals whose data was stolen due to the inadequacy of the cyber security practices of companies who failed to protect their customers.

I do not want to minimise the very real impacts these data breaches can have on an individual, and I think that it's only fair that companies foot the bill for things like the reissuing of identity documents or credit monitoring services for customers affected by these events.

But it is misguided to think that further data breaches are the most serious cyber security threats that we face.

I am even more concerned by the prospect of a large-scale cyberattack on our critical infrastructure by a well-resourced state actor, possibly as a precursor to a regional conflict.

Something like a blackout across the entire east coast as the energy grid is taken offline.

Or the national distribution networks that serve the grocery stores that Australians rely on suddenly grinding to a halt.

Or millions of Australians having their internet and communications cut off for days at a time.

Or all of these events happening at the same time.

These threats are more than just irritating, embarrassing, uncomfortable and stressful – they are existential.

A new security paradigm

What, then, can a national strategy do to prepare us against these threats?

First and foremost it needs to redefine what public-private partnership on cyber resilience means in an era of increasing technological acceleration and interconnectedness.

We need to move toward a new paradigm which recognises cyber security as a truly national issue where cyber risks are managed by those best-placed to do so, accepting responsibility as government and industry, and away from end users and small businesses.

Industry needs to be brought into the tent as a genuine partner, working closely under the leadership of the Commonwealth for the collective benefit of Australia in a way that is dynamic and responsive to changes in the threat environment.

A system works best when roles and responsibilities are clearly defined and everyone is shouldering their fair share.

States and territories, academia, civil society, as well as communities and individuals all have a role to play in Australia’s cyber security.

Regulation is one lever through which we can articulate these roles and expectations, and it is vital that the Strategy gets this right.

Streamlining regulation for greatest effect

Any new legislation must be proportional to the problems we face, consistent with our values as market-based liberal democracies and cognisant of the bigger strategic picture.

A new ‘cyber security act’, or a variant thereof, should seek to address gaps in the regulatory framework while streamlining and deconflicting existing regulation. Industry has been crystal clear on this point.

So where could such legislative reform add value?

Safe harbour mechanism

Firstly, as I have called for before, the Government should introduce a mechanism where companies can securely and confidently share with ASD what they know as soon as they know it, without the fear that it could be used against them by regulators.

Sometimes called a ‘safe harbour’, this provision is a protected and confidential process to share information that won’t be used for any other purpose.

I want the first instinct of any company faced with a cyber crisis to be to call ASD for assistance, not their lawyers.

Addressing systemic cyber risks

Secondly, we need to get serious about addressing systemic cyber risk caused by technologies owned by companies subject to extra-judicial directions from a foreign government that could jeopardise our national interests.

The Minister for Home Affairs has mentioned baseline cyber standards for internet of things devices, which is a sensible place to start.

But we need to go further.

The Government should establish a framework, administered by a National Technology Security Office, to evaluate technologies according to the level of risk they present and the utility they provide, recommending commensurate controls to eliminate or manage this risk as required.

Once mature, such a framework could be made binding across government, and expanded to capture government contractors as well as the operators of critical infrastructure, especially systems of national significance.

This work could also ultimately be used as the basis for a high-risk vendor framework to assist entities outside of government in managing risks throughout their supply chains.

The Government needs to move out of a purely reactive mindset when it comes to the security risks presented by different technologies, and put us back on the front foot as we look out to 2030.

Ensuring balance

What I don’t want to see is the Government leaning on heavy-handed regulation as its primary lever for change because it can’t find the money in the coffers for substantive capability uplift.

The 2020 Cyber Security Strategy was accompanied by a $1.67 billion investment, and the cyber security landscape has only gotten worse since then.

The last budget of the previous government allocated $9.9 billion to ASD as part of the REDSPICE program.

Every dollar of the REDSPICE investment must be safeguarded, and the new strategy must at least match the $1.67 billion of new funds from the last strategy, otherwise we are moving backwards in real terms.

Avoiding overreach

On the topic of regulation, I would like to take this opportunity to encourage the Government to dispense with some unhelpful ideas that have been floated as part of the development of the Cyber Security Strategy.

Ransomware

The first is the proposal to introduce an outright ban on ransomware payments.

I want to be clear that I fully endorse the Australian Cyber Security Centre’s advice that victims absolutely should not pay a ransom.

There is no guarantee you will regain access to your information, nor will paying a ransom prevent it from being sold or leaked online. You may also find yourself targeted by another attack shortly after the first.

I recognise the intent of this proposal in providing clarity to the victims of ransomware attacks, and to send a signal to the perpetrators of these attacks that Australia is not a lucrative target.

But an outright ban could have significant unintended consequences.

I am very worried that a ban on ransomware payments wouldn’t end ransomware attacks – it would just end the reporting of them to ACSC or ASD as the practice is driven underground.

That’s because while a ransomware attack on a large corporation can be damaging, for small businesses it can be existential. Paying a ransom could be the difference between survival and bankruptcy. We know that many businesses do pay ransoms, despite the advice not to.

Similarly, you can imagine a scenario involving a hospital or our critical infrastructure where there is a threat to life which means paying a ransom could be the least-worst option.

I believe there are better ways to address this issue than a blanket ban.

For example, there is broad support for the concept of a mandatory reporting regime for ransomware incidents, which would assist government and industry to get a fuller sense of the scale of the problem so that our cyber defences are tuned appropriately.

Extending the Security of Critical Infrastructure Act

Increasing levels of foreign ownership and a more challenging strategic environment means Australia's critical infrastructure is more exposed than ever to sabotage, espionage and coercion.

Addressing this risk was the rationale behind the Coalition’s introduction of the Security of Critical Infrastructure Act and subsequent reforms.

Quite rightly, it does not try to solve every cyber or national security challenge our country faces – just the serious and systemic ones.

I share the concerns of many stakeholders at the suggestion that SOCI should be significantly extended to capture many more industries and businesses, or larger components of those businesses.

These proposals indicate a misunderstanding of the intention of the SOCI Act, which seeks to strengthen the security and resilience of critical infrastructure by regulating sectors and asset classes that are essential to Australia.

SOCI was designed to protect our most valuable assets which underpin the Australian way of life, and the disruption of which could have catastrophic and far-reaching consequences.

These are the ‘crown jewels’ of our national cyber security.

If everything is critical, nothing is.

Demonstrating national leadership

Uplifting Australia’s cyber resilience will require concerted effort across all sectors of the economy. A project of this scale can only be achieved with a unified vision and leadership from the Commonwealth Government, and it is difficult to be a credible leader in this space if you don’t have your own house in order.

Hardening Government IT

As of July 2022, it is a core requirement of the Protective Security Policy Framework that Australian Government entities implement the Essential Eight strategies to at least Maturity Level 2.

The Australian Signals Directorate’s 2022 Commonwealth Cyber Security Posture Report revealed that the proportion of entities that have reached Maturity Level 2 through implementation of Essential Eight controls alone increased from 4% in 2021 to 11% in 2022, or 19% when compensating controls were taken into account.

Sarah Sloan from Palo Alto pointed out last week that, at this rate, it is projected that all federal government entities will achieve overall maturity level 2 by the year 2035.

On this trajectory we will fall well short of the Government goal of making Australia the most cyber secure country by 2030.

There is clearly much more work that needs to be done.

Government should be held to at least the same standard expected of industry, and we will never get there without a clear-eyed assessment of the barriers to cyber security uplift and the steps government must take to improve.

This needs to be married with significant investment in capability uplift.

The Government recently announced that it had terminated the cyber hubs program – which aimed to centralise a number of federal government networks to uplift cyber resilience across the public sector – at the same time the Department of Home Affairs is taking over responsibility for the hardening of government IT.

Given this, I expect government uplift to feature heavily in the new Cyber Security Strategy being developed by Home Affairs.

Government as a procurer

Government is also uniquely placed to shepherd whole-of-economy cyber uplift. Through the sheer scale of its procurement power, the Government can incentivise a culture of cyber best practice amongst vendors by setting baseline expectations for cybersecurity for anyone looking to sell to Government.

In this way, Government can play an instrumental role in promoting uptake of innovative cyber practices such as attack surface management, zero trust security, and machine learning-enabled cyber defence.

Information sharing and national coordination

Government must also serve as the national coordinator on cyber security. This entails setting national cyber security policy, coordinating responses to major cyber incidents, and sharing information for the collective benefit of all sectors of the Australian economy.

This last point is crucial. Our Australian Signals Directorate has access to powerful insights – both specific threat intelligence and broader trends – that industry can leverage to improve their cyber defences.

Conversely, the vast scale of the attack surface collectively managed by private industry provides a level of visibility far beyond any single government agency.

Through the Cyber Security Strategy, we need to work towards a model that brings these comparative advantages together to enable uplift across the entire Australian economy.

This means sanitising and sharing threat intelligence with industry stakeholders in time for it to be actionable, and when that information cannot be sanitised, ensuring we have appropriately cleared staff in private companies who can work with government on sensitive matters as needed.

We also need to build mechanisms for seamless two-way information flows between the public and private sector.

The Cyber and Infrastructure Security Centre’s Trusted Information Sharing Network and ASD’s Cyber Threat Intelligence Shared (CTIS) platform are important early steps toward this goal.

But there is room to further scale up and streamline these mechanisms – and explore new industry-led mechanisms – to structurally embed systemic information sharing in support of a shared goal of uplifting national cyber resilience.

Post-incident review

Cyber security is a shared challenge – no one is immune from cyberattacks.

That’s why it is important that we learn the right lessons from every major cyber incident, and apply these lessons across industry and government to make sure we’re better equipped next time we face something similar.

A year on from the data breaches suffered by Optus and Medibank, we’re still in the dark about the specifics on what led to these incidents, how they were managed, and what companies can learn from the incidents to avoid or mitigate future cyberattacks of a similar nature.

I am disappointed that Optus has walked back its commitment to release at least some of the Deloitte review into its attack.

We have also not seen the government issue a comprehensive advisory about the Optus breach that other critical infrastructure owners and operators could leverage to improve their own security.

That’s why it’s important that the Cyber Security Strategy explore the creation of a mechanism to conduct dispassionate, objective investigations following significant cyber incidents, and commit to publicly sharing the findings of these investigations for the collective benefit of organisations who may be able to benefit from the lessons learned.

This is not a novel idea.

The US Government announced the establishment of a Cyber Safety Review Board in 2021, which brings together cybersecurity leaders from government and the private sector to review major cyber events and make concrete recommendations to drive continuous improvement.

The Australian Government should move quickly to establish an equivalent function here.

We can’t afford to sit on our hands waiting for the next major cyber incident, and then wonder if it could have been avoided if only we’d been more proactive when we had the chance.

Helping small business

I have talked a lot about the role of government and industry as the biggest players in this space, but it is absolutely crucial that we bring small and medium-sized enterprises along on this journey too.

Earlier this year, the Australian Small Business and Family Enterprise Ombudsman reported that almost 98% of businesses in Australia are small businesses, employing more than 5.1 million people and accounting for one-third of Australia’s GDP.

The Australian Cyber Security Centre’s 2020 Small Business Survey reported that 62 per cent of respondents had experienced a cyber security incident.

In the 2021-2022 financial year, the average cost per cybercrime reported to the ACSC rose to over $39,000 for small businesses.

In aggregate, this amounts to an incredibly large cyber attack surface that poses risks to the livelihood of small business owners, the security of their customers, and the Australian economy overall.

Our national approach needs to recognise that while businesses are ultimately responsible for protecting themselves and their customers, Government and industry have a responsibility to support smaller enterprises to uplift their cyber security.

We need to ensure we have the appropriate mechanisms in place to pool our collective knowledge and resources for the benefit of small businesses, sharing the burden across the economy for the benefit of regular Australians, who typically bear the consequences for things like data breaches, fraud and scams.

While regulation is important, it is only one piece of the puzzle. We need to strike an appropriate balance to protect businesses and consumers without overburdening small businesses with unnecessary compliance frameworks.

Small businesses need to manage competing business priorities with fewer resources and staff than their larger peers. While there are effective and inexpensive practices available to protect them against cyber incidents, many businesses are unaware these practices exist.

Part of the solution is to make this information readily available to smaller businesses so they are empowered to take their security into their own hands.

Small businesses regularly interface with a whole range of service providers, many of which are very experienced in dealing with cybersecurity, scams and fraud.

I would like to see these businesses – such as banks, insurance companies, telcos and internet service providers – play a greater role in supporting small businesses by complementing the work the government is already doing.

Stronger together

A truly national cyber security strategy must serve as an enabler that produces whole-of-economy uplift greater than the sum of its parts.

This means ensuring the regulatory environment is tuned correctly to effect change at scale, and taking targeted action – backed by sufficient investment – in areas where intervention can deliver the greatest impact.

This could involve joint partnerships on automated threat blocking at scale, helping to protect businesses and end-users by stopping threats at the gate.

It could involve improving the pipeline between education and employment in cyber-related fields, or better integrating cyber knowledge into school curriculum and tertiary education programs.

It could involve working with like-minded international partners to position Australia as a regional hub of cyber excellence, capable of assisting our Pacific neighbours to improve their own cyber resilience.

Stakeholders have offered a range of great ideas towards these goals, and the Government will need to make some difficult decisions in determining the best path forward.

Conclusion

While much has changed since the last national cyber security strategy was released in 2020, I think history will show it correctly identified many of the risks our country faces today and took steps to mitigate them.

A refresh of that strategy is entirely reasonable.

But it should seek to build on its strengths, not trash it for purely partisan political gain.

We are living in the most dangerous period since the Second World War.

Every single day malicious cyber actors test and probe our critical infrastructure networks for vulnerabilities, scan our government networks for secrets, and opportunistically target businesses and individuals to perpetrate cybercrime.

Australia’s cyber security cannot be viewed in isolation from this threat environment.

We need a truly national cyber security strategy which defines the roles and responsibilities across the digital economy, from government and large corporations, all the way down to small businesses, communities and individuals.

This must be matched by significant investment to continue the trajectory of cyber uplift enabled by the 2016 and 2020 strategies.

Failure to do so will see Australia go backwards in relative terms. This would be disappointing at the best of times. But in the current circumstances it would be downright irresponsible.

The Cyber Security Strategy’s goal of making Australia the most cyber-secure country in the world by 2030 presents an important opportunity for Australia, but extraordinary ambition will require extraordinary action.

I look forward to seeing what the Government announces in this space.

Thank you for hosting me here this morning, and I look forward to discussing these ideas with you in further detail.

ENDS
