Monday, 18 September 2023

Speech, AFR Cyber Summit

Subjects: Development of the National Cyber Security Strategy

CLARE O’NEIL: Good morning, everyone. Can I acknowledge that we are on the traditional lands of the Gadigal people of the Eora Nation. Today our country faces a once in a generation opportunity to do more than make acknowledgements. We can recognise first Australians in our constitution and give them a voice on the 14th of October. And I acknowledge that there are many businesses in this room that have been integral to helping us build public support for this position, and I thank you for that.

I am really grateful and thrilled to be here today. I have been itching to share some thinking into Australia’s new cyber security strategy that the government will release before the end of the year, and to talk about my very genuine passion for cyber security, an issue that affects the lives of literally every single person that lives in our country.

The people who are in this room right now have the capacity and will reshape this problem for our country, and it is a huge privilege for me to be able to lead some of that work and thinking in my role as Australia’s first Cabinet Minister with responsibility for cyber security.

Today’s event could not be better timed as we have, of course, already heard from those introductory speakers that it is exactly a year ago that Optus revealed it had had the personal data of more than 9 million of its customers stolen. At the time that was easily the biggest cyber attack in Australian history, but it was superseded just three weeks later when Medibank told us that they’d had a hack which had affected fewer people, but this was particularly vicious in nature as it took deeply hurtful health information about Australian citizens and posted that on the dark web in an attempt to try to extort money from the company. And since then we have seen one or two – we’ve seen HWL Ebsworth, and these I would put as the four really acute cyber attacks that we have experienced at a national level over this last year. But, of course, there were thousands and thousands more that never penetrated the public consciousness.

I think last year we also saw really for the first time open, public reporting about the extent of cyber attacks that are successfully thwarted. We heard the National Australia Bank come out and tell us that they’d experienced 50 million attempted cyber attacks a month. The Australian Taxation Office experiences 3 million attempted cyber attacks a month. Now, when I look around the world and see what our comparator countries are doing, I observe that most of them had a particular year where their nation woke up to the enormously important threat that cyber security will mean for our citizens, and for Australia last year was it.

And I think most people in this room, too, can probably see where this problem is going. There are three really big and important shifts underway that are going to make the current cyber threat more challenging for us but I think also create new tools and opportunities to help us manage it.

The first is the growth of the internet of things. Some estimates say that by 2030 the number of devices that are connected to the internet will double to about 30 billion. And that’s in a world in which all of the devices in your home and your car, your fridge, your television, your heating and cooling systems are all online and all continuously collecting data about you. The cyber risk here is obvious and serious.

Technological change is also going to evolve the threats that we face. In particular, machine learning and AI are going to create more pervasive and complex threats, but they’re always going to build new tools to help us manage them.

And 2030 will be a world in which our geopolitical circumstances will probably look quite different. Already Australia faces the most challenging geostrategic circumstances that we’ve confronted since the Second World War. We live in a region of strategic competition, and cyber will be integral to how the events of the coming decade play out.

In short, cyber security is the fastest changing national security threat that our country faces. It is also a bloody big opportunity. The global cyber industry is massive. It is growing like topsy, and it is here to stay. If we play it right, Australia is uniquely placed to be best in the world in a number of cyber capabilities, creating well-paid jobs for Australians and products that we can export all over the world.

So when you put it together, it’s really clear: we have an urgent economic and security imperative to make a step change as a country for how we deal with cyber issues. So our government’s work on this has been driven really by two tracks: the first is that we have implemented 10 really important reforms in the last year or so that have changed how government deals with cyber security nationally. So these are those obvious and important things that we could progress really quickly.

So in August last year I declared 81 assets as systems of national significance. So these are systems which under Australian law we are declaring are those which if they fail will have broad-sweeping and serious impacts on the Australian population. In September we conducted a number of reviews into the government’s ability to handle major incident response, and we have profoundly transformed the way the government interacts with companies that are undergoing cyber attack and the consequence.

In October the Attorney-General, Mark Dreyfus and I launched Hack the Hackers, a new collaboration between the Australian Federal Police and the cyber guns in the Australian Signals Directorate, which is seeing really for the first time the Australian Government adopt an aggressive stance where we look out to the world to find cyber criminals who are seeking to harm us and we debilitate and degrade their ability to do this.

In October we reformed the Privacy Act to bring penalties up to community standards. In January Australia became the Chair of the International Counter Ransomware Taskforce. So this is a 37-country collaboration. We accept that all the countries that we are partners with around the world are dealing with the same shape of the cyber security challenge – in fact, it is often the exact same perpetrators using the exact same technologies. So we are trying to use those opportunities to fight this problem globally.

In February we delivered world-leading protection for Australia’s critical infrastructure assets by setting risk management rules for SOCI entities – that will make sense to you if you are one of them. And in the same month we established the Office of the National Cyber Coordinator, and we appointed Air Marshal Darren Goldie to that position a few months later, and he’s doing a brilliant job in his work, which we’ll get to hear a little bit more about later.

So after all this, in March last year something very positive for the country happened – that is, MIT University has established a cyber security index, and because of the policy reforms that the government had undertaken, they actually ranked Australia number one as having shown great progress in how we are managing these issues as a country, which is a really important endorsement.

In June the government announced the release of the national strategy for identity resilience. So this is a piece of work that was led by Finance Minister Katy Gallagher, and it is aiming to try to create a digital environment where we can better protect the identities of Australians when they are stolen.

Last month we declared another 87 critical infrastructure assets as systems of national significance, and in June, as I mentioned, we appointed Air Marshal Darren Goldie to his role. One of the things that Air Marshal Goldie has been conducting and leading is a series of cyber war games that we have also begun – something that I think arguably should have been happening a long time ago. But, importantly, we are bringing together sectors of Australia’s economy that we are most concerned about and we are running major systemwide cyber simulations with the main players in those industries. And one CEO told me that this was the best industry and government collaboration he’d ever been involved in. So we’ve run three of these now – one in aviation, one in telecommunications and one in financial services. And what we are trying to do is build and flex that cyber response muscle.

We know we cannot stop these cyber attacks; what we can do is prepare for them so that when they occur we can bounce back better.

So that’s some of the highlights of the first track of work over this last year, and I want to turn now to the second track. It was really clear when we arrived in office that as well as some of these practical things that I’ve already mentioned, we did not have the ambitious national plan, a national framework, which could help us knit together all of the cyber activity that’s going to occur over the coming years so we can bring the country together in our efforts to fight this incredibly important topic.

And this brings me to the national Cyber Security Strategy. The key to this strategy was always going to be around engaging in conversation and collaboration with you in this room and many others. So we started this process by bringing together leading thinkers in the communities we know are going to be our core partners in this fight into the tent to help us with our work. So a lot of the policy thinking for the strategy was actually driven by our expert advisory board. So we’ve got Andy Penn here, who is, of course, known to everyone in this room probably as a great business leader and former head of Telstra. Rachael Falk is also here. I’m just looking for Rachael to give us a wave. So Rachael is down the front here. So Rachael, of course, I think many of you would know, is a brilliant telecom lawyer and an expert in cyber innovation. And we also had Mel Hupfeld, who is a very senior leader from our defence community. So these three worked together, travelled the country and drove the thinking and discussion with a lot of communities about what we can do nationally to help improve this problem.

So Andy, in particular, I just want to point out, he was not only an absolute top shelf core partner for me in a lot of the work that we did, but he was the voice of business in the room every day, really pushing us to leverage the commitment that is already there from the people in this room and beyond to make sure that we are getting the best out of everyone.

We received 330 submissions to the consultation process. Home Affairs hosted 50 consultation events and stakeholder roundtables and spoke to over 200 businesses, community groups and individuals regarding the strategy. And I, too, engaged really, really deeply in these discussions. When I’m working to solve a problem I need to really be in the detail. I need to see it and feel it for myself. And that journey has taken me into the guts of the Australian Signals Directorate where I sat on the shoulders of some of the smartest cyber guns in the country and watched them as they hunt and track criminals who are trying to do Australia harm.

It's taken me to the security operations centre of some of the biggest Australian companies, to meetings with small business owners, universities, non-profits and community roundtables. And to genuinely thrilling conversations with technical experts about what the possibilities are for us if we can work together and coordinate our activities better as a country. And amid all of these blinking lights and flashing screens, I was allowed to sit at the coal face and observe the people who are going to lead this fight, and I watched them analyse lines of security incident notification and complex malware codes.

So what did we learn from this extensive process of consultation? We learned that there is a lot of incredible work on cyber security around the country. We have got small businesses innovating and creating world-leading products. We’ve got big companies which are striving for better protection for their customers. We are absolutely not starting from scratch here.

But I can also tell you that with a few notable exceptions, there is broad agreement that when you put the national picture together, we need to do better. And I absolutely include government in that.

I want to acknowledge, too, how far we have come in the last year. Those high-profile attacks that I mentioned off the top were deeply painful events for our country. If there’s a silver lining, it is that for every board that I talk to now cyber security is a top priority for the board and it is one they discussed in every single board meeting.

There is enormous hunger for board directors to get – to understand the problem better, and I see CEOs and other leaders who are really down in the detail, supporting their technical people and working out where they need to improve. And all of that hard work is having an impact, and I thank you for it.

One of our main assets going into this fight is the extraordinary team of technical professionals from around our country who are already on the frontline. Some of you in this room belong to this community – the infosec, cyber security and CISO communities. These people are often invisible to the public eye, but they are the gladiators of the 21st century – a community of people with incredibly unique skills that are truly critical to our country’s safety and prosperity.

And for those of you that are lucky to interact with these people every day, the culture within this community is absolutely astounding. This is a group of people who are completely solutions oriented and totally public minded in their outset, and their natural stance is sharing, pushing and doing and working and collaborating across businesses and across sectors to try to keep their country safe. And they do it every day without thinking twice. And it’s going to be a really important part of our response.

We really clearly heard from community and business that they want the government there in the fight and at the table with them. And we also heard that they want government to show some leadership. It’s not good enough for us to push and demand more of business without making sure that we have got our own house in order too.

One of the clear areas of critique we heard through the consultation for government is around our role in incident response, and there has been a lot of enthusiasm for the appointment of a National Cyber Coordinator. Yet I still meet with boards today who tell me that they have a long list sometimes of 30 or 40 people that they need to call within government when they come under cyber attack. And I want to acknowledge to you that that is not government being a good partner to a company undergoing a crisis.

We had a very lively conversation about ransomware while we were on the road. I think there’s more recognition that we cannot continue indefinitely to be a country where it is a part of business to be funnelling money into cyber criminal gangs. But we also heard that we do not have the proper supports in place today to be able to implement an outright ban on ransomware payments.

There was universal recognition of the need to do more about cyber skills and the sense that when it comes to the cyber industry, quality can be a little bit hard to discern for many Australian companies.

For citizens, what we heard is that Australians feel deeply vulnerable. They feel there is an invisible, ever-shaping, ever-shifting threat that is sitting there on their shoulder every day that they basically feel very little capacity to control and constrain. Many Australians are desperately anxious about this problem, and I hear from a lot of people, in particular seniors and those from multicultural backgrounds, that they are actually starting to scale back their use of the internet and digital products because they are so anxious about this problem.

And if there was one thing that came up no matter who we were talking to, everywhere we went in almost every consultation it was about small business. I have spoken to small business owners who are in genuine panic, who genuinely lie awake at night worried that the next day is going to bring a cyber attack that they do not have the capacity to control. And, remember, that for a large company, a big cyber attack is an enormously distressing problem to manage. For a small business, this could be an immediately fatal event.

And so we have to work together here to help small business. We heard again and again that they know they need to change things. They know they need to tackle this challenge. The big issue for them is that they just don’t know where to start.

And, finally, one more really consistent theme that we heard from business, government and the community citizens was this: we will not get out of the cyber challenge by all acting alone. This is a national challenge shared by all Australians that we will only solve if we work together. And what I hear loud and clear is to address that challenge you need something from us – and that is the government at the table as a leader and a partner in addressing this problem for the nation. You need us to build a strategy that provides a backbone to all of the good work that can and will be done over the coming years. And you want us to build a framework that will help knit all of those actions together so that when we have companies in this room that are doing really important things to protect cyber security, it’s not just providing a layer of protection for their company but in a coordinated way building better protection for our nation as a whole.

So ultimately this is the goal of our cyber strategy. Australia’s new Cyber Security Strategy will begin to build six cyber shields around our nation. So these shields will help protect our business, our organisations and our citizens, and it will mean that we won’t be alone or in our silos trying to manage this problem. It will mean a cohesive, planned national response that builds to a more protected Australia.

So let me explain a little bit more about what the cyber shields are intending to do for our citizens. So the first shield that we intend to create is strong citizens and businesses that understand that they actually do have the power to protect themselves. So by 2030 what we want is citizens and business who understand the cyber threat, understand those actions that they can take to protect themselves and have proper supports in place so that when they are the victim of cyber attack they’re able to get back up off the mat very quickly.

We want to protect our citizens and businesses with a layer of safe products, and that’s why our second shield is safe technology. Why do we continue to allow digital products for sale in our country when the makers of those products sometimes know them to be cyber insecure? We would never accept this from any other type of consumer product. So in 2030 our vision for safe technology is a world where we have clear global standards for digital safety in products that will help us drive the development of security into those products from their very inception, a world where just as you can’t go into a car yard and buy a car that will not be safe to use, when you buy a digital product on sale in our country we know that it’s safe for you to use.

Our third cyber shield is world-class threat sharing and threat blocking. And in some ways I see this as a real key to making the change that we need to make in this country. And it’s to me one of the most exciting parts of the strategy. So by 2030 we envision a world where threat intelligence can be exchanged between government and business at real-time machine speed and then threats blocked before they cause any harm to the Australian population. So there’s a lot of inspiring, interesting work to be done here and a lot of things that we can do actually in the short term about it.

Our fourth cyber shield will be protecting Australians’ access to critical infrastructure. So, remember that this world of data breaches that we have been living through over the past year is terrible, but it is actually not as bad as it can get. And one of the things as Cyber Security Minister that I’m most concerned about is attacks on infrastructure Australians rely on every day – on our water systems, on our electricity, on the provision of the internet, on our energy grid. So what we need to do is make sure that we’re addressing not only the problems of today but the problems of the future. And I include in this the critical role of government. So like many organisations in this room, we own critical infrastructure, we deliver essential services and we certainly hold a lot of very sensitive and private data about Australians. And so that’s why part of this year will be about government lifting up its own cyber defences to make sure we’re protecting our country.

Our fifth cyber shield will be sovereign capability. So by 2030 we want to be in a thriving cyber ecosystem where we have the skills we need, where cyber security is a really desirable profession for young people around the country and that we are making sure that we have the system that’s adaptable in itself. So that means that as we innovate and as we see the cyber security problem change, that Australia is at the frontier of those technologies and those changes to make sure that we’re getting the benefits out of what this problem presents to the country.

And finally our cyber challenge is truly global. So undertaking coordinated global action and pushing for a more resilient region is an absolute no-brainer for us here. My good friend Tim Watts is the Assistant Minister for Foreign Affairs, and he has been driving this part of the strategy, helping us think through how we can double down on our engagement around the globe but, in particular, how we can build these really strong and valuable partnerships within our region to assist countries which are really struggling with this problem too.

So our government will unveil the detail of the strategy a little bit later this year, but you’ll see this diagram again, and I’ll come back to explain to you what it is specifically that we will be able to do over the next period of time to build these shields for our country.

So I wanted to give you just one more sense of how we are going about this task before we get into Q&A. So cyber is one of the fastest moving national security threats we face, and sometimes, oddly enough, I feel like I can almost see the 2030 vision of what the future holds. What’s actually really hard is what does the next two or three years look like. Our government is deeply committed to delivery, and that’s why one of the core challenges that I set the team who have been working on this strategy with me is what are we actually going to do about this. We can see a world of 2030 where we’ve got AI and machine learning running, you know, real-time exchanging of threat sharing and threat blocking. That’s an exciting vision, but what I care about is my job – to protect Australians today, tomorrow and the next day in this problem. And that’s why we’ve pushed really hard to be specific.

So this is quite unique because, as you know, government strategies of this kind can sometimes be a little bit light on detail – great on vision, light on detail. Our strategy, as you will see, will be actually very different in this respect. So we’ll share a big vision, as I’ve talked about today – the six cyber shields that we will surround our citizens and small business with. But my plan for how we are going to tackle this as a country is really to do it in two-year blocks. And our first horizon, which is 2022 to 2025 is about building out strong foundations. So as the cyber challenge reshapes, we will take stock and each two years we will build out the next phase of this plan that will ultimately see the country surrounded by these six firm shields of protection that will help keep our citizens safe.

If we push as hard as we have over the last year all the way up until 2030 I truly and genuinely believe that our country will be a world-class cyber security nation by 2030. I really do believe that we can do this, but we’ve got to have a plan and we’ve got to work together.

What’s very important always to emphasise in this conversation is that success here does not mean a world without cyber attacks. No government can promise this. What it will mean is having the clear national approach that will build to more than the sum of the parts. It means a world where we’re using every piece of information that all your companies have about the cyber threat so we can build a clear national picture and respond to it as quickly as possible. It’s a world where when we do come under cyber attacks we’re able to bounce back quickly and where government is a convenor and a leader and a partner to all of you in helping tackle that challenge.

Could I just say in closing that working with some of you in this room as I’ve had the great privilege to do over the last year has been an amazing experience for me. And we’ve got a lot of work to do, but I know we’re going to get this done by working together. We’ve got this really shared clear national imperative to build a cyber safe Australia, and I’m really looking forward to working with you on this task. Thanks for having me.