Monday, 27 February 2023

Cyber Security Roundtable press conference

​JOURNALIST: We're taking you live now to Sydney where Cyber Security Minister Clare O'Neil is speaking. 

CLARE O'NEIL: Announced a significant change within the Australian Government about how cyber security will be managed. This will have two impacts. It will make sure that all of that great work that's happening in Government and out in the community will be properly strategically managed to make sure that we're cyber safe as a country, and the second is to make sure that when cyber incidents do occur, as they will continue to occur, we can quickly get back up off the mat and make sure we’re cyber resilient.

Now, these are important changes, they've been very welcomed by business, who are absolutely thrilled that for the first time in a long time, they've got a Government that is actually caring and actually doing something about this incredibly important national security problem that faces our country. 

Today the Prime Minister hosted a round table. What we saw today was that the last Prime Minister was the one who got rid of the Cyber Security Minister, and let the country go on continental drift with regard to cyber for too long. We're five years behind where we need to be, and the PM has made it absolutely clear that he expects me to make sure that we're cyber‑fit for today and for the future. 

JOURNALIST: When will the Cyber Security Coordinator start their job?  

CLARE O'NEIL: So we are advertising for the Cyber Security Coordinator at the moment, and we expect to have them in place within the next month. 

JOURNALIST: And how many staff will be in the National Office for Cyber Security?  

CLARE O'NEIL: So the National Office for Cyber Security will be staffed as it's needed, we'll work that out with my department, but we're not putting a number on it just at the moment. 

JOURNALIST: And why is a coordinator necessary when you already have the Australian Cyber Security ?

CLARE O'NEIL: Yep. So it's absolutely essentially that we better coordinate the work that is happening within Government. We have a whole range of Government departments that are doing really important work, and indeed lots of people in the community who are doing great things for cyber security. The problem is that at the moment they're all rolling in different directions. We need a coordinator within Government to make sure that all of that good work adds up to a more cyber secure Australia, and to make sure that when businesses and organisations and citizens are under cyber-attack that they have one point of entry for the Australian Government to come and help them. 

JOURNALIST: And what extent is this announcement today about the coordinator the result of the review in the Optus and Medibank attacks?  

CLARE O'NEIL: So, I think what Optus and Medibank really showed the Government was that unbelievably, there was no functional cyber incident response mechanism within the Australian Government. So when Optus occurred, it had been completely unforeseen by the previous Government that a cyber-attack of this scale could happen in Australia. 

Now, it should have been foreseen, and we should have been better prepared. But what the Australian Government has done now is made sure that next time this happens, we've got proper incident response functions at the ready, so when we have a scale of attack of that nature, we're able to respond to it well. 

JOURNALIST: And why does the ASD need greater access to private companies in the event of a cyber-attack?  

CLARE O'NEIL: One of the really important things about cyber security is that this is not just about individuals and businesses and organisations. Sometimes cyber security threats are so significant that they actually represent a national security risk for our country. 

Now, in those limited circumstances, it will sometimes be necessary for Government to come in and assist an Australian company or organisation to help manage a cyber security incident, and that's what those powers currently allow the Australian Government to do. 

The question for us is, are they fit for purpose for 2030, when we know by then, the cyber security threat, which is already huge and relentless and growing, is going to be a significantly greater risk to the country. 

JOURNALIST: Are you able to give me more detail on exactly how the ASD, like what they would do step by step in the case there was a cyber-attack like that; how they would sort of enter into a private company and  

CLARE O'NEIL: Yep, okay. So the Australian Signals Directorate is the centre hub of cyber technical skills in the Australian Government. The smartest people in our country, who understand cyber tech work for the Australian Signals Directorate. This is a resource for businesses when they are under that significant pressure and strain, and what we are saying to businesses is that in some circumstances it will be necessary for the ASD to come in and actually help you fight off what might be a very professional, very well‑organised, very skilled cyber attacker who is trying to hurt, not just your business, not just your company, but Australians themselves. 

SPEAKER: Any questions on the phone?  

JOURNALIST: Minister, do you think that it is necessary for the ASD to get those greater powers? 

CLARE O'NEIL: The Australian Signals Directorate already has the power to come in and assist companies and organisations that are under cyber threat. The problem today is that those powers are very, very narrowly defined, and the questions Australians need to ask is when we look to 2030 and understand the growing relentless, huge nature of the threat that we confront, do we want to equip Government to be better able to be support businesses and organisations when they are under that really serious cyber risk that we face. 

JOURNALIST: Is the Government going to prohibit companies from paying ransom to hackers? 

CLARE O'NEIL: So, ransomware is one of the biggest cyber threats that we face as a country, and we've seen this on a very much a national scale with what happened at Medibank. What the Australian Government is thinking about is how do we reduce the fruits of ransomware for cyber criminals. When we have an ecosystem where people are constantly paying ransoms, then it makes it look like Australia is a soft target, and we are not a soft target. 

There are many Australian companies that do not pay ransom, and certainly the advice of the Australian Government is that we would ask you not to do that. There is a separate question here about whether ransomware payments should be made illegal, and that is a question that is being examined under the cyber strategy that's in development today. 

JOURNALIST: An option on the table?  

CLARE O'NEIL: Yes, it's an option on table, yep. 

SPEAKER: Thanks everybody. 

CLARE O'NEIL: Okay, thank you, guys. 

JOURNALIST: Okay. That was Cyber Security Minister, Clare O'Neil speaking in Sydney there. The Government is advertising for this new position of Cyber Security Coordinator, and that comes after the large‑scale hacks of Optus and Medibank, and we will have more on this story shortly.