Wednesday, 22 November 2023

Interview with Patricia Karvelas

Subjects: Cyber Strategy to 2023, Ransomware payments, High Court ruling on immigration detention.

PATRICIA KARVELAS: The Federal Government will invest more than half a billion dollars towards six national cyber shields as part of its cyber strategy to 2030. In the last financial year almost 94,000 reports of cybercrime were made to law enforcement agencies by people and businesses, and the cost of those cyber-attacks are getting more expensive.

The Minister for Cyber Security says the plan will make Australia a world leader in cyber security, and the Minister, Clare O'Neil, joins us this morning. Minister, welcome back to Breakfast.

CLARE O'NEIL: Good morning, PK. Thanks for having me on the show.

PATRICIA KARVELAS: The strategy talks about cyber shield and Horizons. For everyone listening, what will the strategy practically do, what are the actual changes that will be implemented to stop these cybercrimes?

CLARE O'NEIL: Yep. Thanks, PK, and great to have the opportunity to get into a bit of the detail. Just high level, this is going to be a game‑changing strategy for cyber security in Australia, which is without question our fastest growing national security challenge, and I think for all of your listeners who have experienced the last 18 months of life in our country, there would be uniform agreement that we just cannot continue as we are.

We've got data flying around the country, we've got cyber-attacks on major pieces of infrastructure, and we've got citizen businesses who keep saying to me that they feel really alone in this challenge and unnecessarily vulnerable.

So the cyber strategy that the Government is releasing today is not just a big vision document about what the world might look like in 2030, it is a very specific set of tangible things the Government will do to change the game for our country.

PATRICIA KARVELAS: The Government will create a cyber health check program under the strategy. When will that be formed and what sort of support will it provide?

CLARE O'NEIL: So this is really a really important part of the measures that we're providing for small business, PK, and we worked a lot with small business in the development of the strategy.

We spend a lot of time in politics talking about these huge cyber incidents that bring huge companies to their knees. Think about how this feels for a small business owner who really, realistically has no capability to do much about cyber security within their own firm.

So we have a really specific set of measures for small business, including things like a cyber health check, which will be available for small businesses to go online and actually get practical advice for their business about things they can do to help themselves.

We've also got, for the first time, a commitment to provide support to small business when they're under cyber-attack. So you would observe the Australian Government, if we have an attack on Optus, an attack on Medibank, huge resources flock to that company to support them while they recover, yet up till now small business have had actually genuinely nothing from government.

Now we recognise that can't continue for small business. A cyber event can be fatal to a small business; a big deal for a big company, but fatal to small business, and that's why we've focused so much of our efforts on this really important community of Australians.

PATRICIA KARVELAS: And there will be mandatory reporting for business. Can you explain that to me?

CLARE O'NEIL: So this is about ransom payments. So one of the fastest growing types of cybercrime is that ransomware, which your listeners would hear a lot in the news.

This is a really big problem for the country, and we do need to move towards a position where we think about implementing a complete ban on paying ransoms. That is not the position the country's in at the moment, and in all the consultation I did about the strategy, the really clear message that I got is that people understand we are ultimately going to need to ban ransom payments in this country, but we don't ‑ we haven't done the hard work to prepare the country to manage the impacts of that.

So the starting point for us is build a clear picture of the problem. Right now while you and I are talking, there are probably lots of businesses around the country who are under cyber-attack and contemplating paying a ransom, yet the Australian Government has no visibility of the problem.

So we need to build that clear picture of what's going on, do everything we can to support businesses when they're under ransomware attack, and I think then we'll be in a position to consider that step, that next step of making ransomware payments illegal.

PATRICIA KARVELAS: When you announced this, you didn't ban companies from paying a ransom, even though the Cyber Security Coordinator, Darren Goldie, has previously called it a mistake to do so. Why didn't you ban it?

CLARE O'NEIL: So, again, PK, the reason that we haven't gone ahead with a ban is because I think everyone who I work with accepts that a ban at some stage is inevitable. The problem is that we just haven't done the hard work to prepare the country to manage what a ransomware ban would do.

So what we need to do, is we've got a very ‑‑

PATRICIA KARVELAS: So you want to get to a ban situation?

CLARE O'NEIL: I do, I do, because the payment ‑‑

PATRICIA KARVELAS: What would happen if we moved to it now then?

CLARE O'NEIL: So let me just explain why it's so important. The payment of ransoms at the moment is effectively businesses around the world funnelling millions and millions and hundreds of millions, probably billions of dollars into criminal gangs who reinvest that money back in their capability.

So every time a ransom is paid, we are feeding the cybercrime problem. Now, we are in a situation in our country where it is clearly not the right time at this moment to ban ransoms, and that's because we haven't done the hard work, PK.

We don't have, for example, a Federal Police force that's properly resourced and properly equipped to deal with this problem, and we solve part of that problem in the strategy. We don't have a proper system of supports for companies that are undergoing cyber-attack, and we solve that problem in the strategy.

So my plan for the country on ransoms is that we undertake what is the first two years of this strategy, and then we revisit where we are then and contemplate what I think is inevitable for countries around the world, and that is one day a ban on making ransomware payments. We just can't feed cybercrime like this.

PATRICIA KARVELAS: The safety of personal information and business information relies on businesses to actually comply with best practice. How will you get them to do it? I mean you say all this information will be available, but what kind of coercive, if I can, you know, like mandatory part of this are you going to have?

CLARE O'NEIL: Really important question, PK, and don't think we're leaving it up to business to set the rules and enforce them on their own, that's not at all the plan here.

In fact one of the underlying ideas in the cyber strategy is to stop leaving small business and citizens on their own and to force the big players in our economy to take responsibility for this problem and oblige them to protect their customers.

So if I can just give you the example of telecommunications companies, there's probably no part of the private sector that is more equipped to help us nationally deal with the problem of cybercrime, and yet we have paltry requirements on telcos at the moment to care for cyber security, and we will change that, we will change that through the strategy, we will place stringent regulations on them. 

And not just that, PK, we are building a world‑leading partnership with our telco companies, with Telstra, Optus and others in the sector, to make sure that we are pushing and working with them to provide protections for the whole nation.

So just if I can break it down just one more step for you, what we're talking about here is telcos can see all the traffic coming in and out of the country, they can see everything. What we are talking about is helping them identify the indicators of compromise, the cybercrime clues that we can see and actually stop those things from entering the country to begin with.

So this is going to be part of the game‑changing approach that the Government's taking. Enforcing proper obligations on business is a core part of our approach.

PATRICIA KARVELAS: I want to change the conversation, if I can, Minister, to talk about that landmark High Court ruling. There's been subsequent legislation and a lot of discussion about even more legislation to come.

There is a specific story today in The Guardian in relation to the man who started this whole court case. Did you consider releasing the man whose case sparked the ruling to try to avoid losing the case and having indefinite detention overturned?

CLARE O'NEIL: Yep. So let me just say, before I get into the detail of this, to be absolutely abundantly clear for your listeners, if it were up to me, all of these people would still be in immigration detention today.

There are people in this cohort who the Australian Government has been forced to release, who have committed horrendous crimes, and if I had any legal power to keep them in detention, I would be using it right now to do so.

We had a High Court decision two weeks ago today which told us that the Commonwealth must release these people into the community, and since that decision has been made, we have constructed a new way of protecting the community while these people live outside of detention.

PATRICIA KARVELAS: With respect, I know all that ‑‑

CLARE O'NEIL: Yeah, yeah. Yep, yep. 

PATRICIA KARVELAS: But did you consider releasing that man?

CLARE O'NEIL: Understand, yes. So we looked at every possible option in order to improve our chances of winning this High Court challenge, and I worked through very carefully with my department operational and policy moves that we could make to improve our chances of winning the case, and I would say, I think that the record will show, he was not released from detention, and we did not go down that pathway.

But I'm not going to apologise for doing everything I could within my power to make sure that we didn't end up where we are, frankly, which is a High Court decision which tells us that the kind of detention we were using is actually illegal.

PATRICIA KARVELAS: So it was considered, but you decided not to do it.

CLARE O'NEIL: Look, it was considered, and we decided not to do it, that's right.

PATRICIA KARVELAS: Okay. Now, there's an email chain, and it does actually, I think it's been described by The Guardian as calling into question a claim that you made that the Government was advised it was likely to win the case.

So I'm going to put it to you really bluntly, right; if you were even looking at this option, you clearly knew you could lose.

CLARE O'NEIL: PK, I'm really glad to have the opportunity to just refer to those comments that I made in an interview on the weekend. I was not referring to legal advice when I made comments about the Commonwealth's prospects in that case.

I do not, will not, will not ever talk about the legal advice that is provided to the Commonwealth. What I was referring to was operational and policy conversations that were happening with my department that we felt might change, potentially change the outcome of the case. Specifically, could we remove the complainant from the country and end the High Court decision.

Now our government, our department has been working very hard on this. I'm not going to talk about the legal advice in the case, and I ‑‑

PATRICIA KARVELAS: But you obviously knew ‑ look, obviously, you know, the best case scenario was that you wouldn't have lost it on your reckoning. But it's a High Court challenge. You always knew you could.


PATRICIA KARVELAS: It seemed you were flat‑footed; you weren't ready.

CLARE O'NEIL: Okay. So I vehemently disagree with your analysis of that and let me just share some thinking with you. So I'm not referring now to legal advice, but I just can lay out the facts, that we had a 20‑year established precedent that was being tested in the High Court. It is just as a matter of fact unusual for the High Court to overturn a decision such as that.

However, it was absolutely contemplated, and it was absolutely planned for that we would not win the case in the High Court, absolutely. And I can show you that by the fact of the speed at which the Government has moved to address this issue.

So what you saw was a High Court decision on a Wednesday, by Thursday the following week we had put the people into the community we were legally obliged to release on special visas, we had put together a police and Border Force operation that was case‑managing these people in the community, and we had passed a completely new regime in the Parliament to manage community safety for this particular cohort of people.

And, PK, you've been watching politics a long time, as I have, I've been in Parliament for a decade, I have never seen an Australian Government more at this speed to manage a High Court decision of this size.

PATRICIA KARVELAS: There are reports the Government is looking at preventative detention style laws. Why wasn't that in the legislation last week, if you're looking at it then?

CLARE O'NEIL: Yep, yep. So really important question. If I could just quickly explain to your listeners. So the High Court has done something that is a bit unusual here, they have given us a clear decision on the case of NZYQ, and the decision was that this person and others like him must be immediately released from detention.

What the High Court has not done yet is give us the detailed reasons for their decision. Now the High Court is interpreting the Australian Constitution in a different way than was interpreted in 2004, they are effectively creating a new line between the role of the executive and the role of the judiciary, and we need to design laws that are going to be legal under the new test that they will set out for us in the reasons.

So the reason that we can't just launch forth and design a completely new regime to manage all of this is because it needs to be durable. The thing that we don't want, PK, is for the Commonwealth to design laws that don't stand up in front of the High Court, because a broken law doesn't make a single Australian safer.

So what we need to do, we've set up a Phase 1 approach which manages these people in the community in a way that is safe. What we now need to do is get the reasons for decision and design a longer‑term durable constitutional solution that will make sure that we manage community safety while we follow the law.

PATRICIA KARVELAS: If you could have your time again, would you have changed anything about the way the Government went about last week?

CLARE O'NEIL: I don't think about the world that way, PK. I am not into the gory analysis of politics. I have one consideration in the work that I do, and that is managing the safety of the Australian community, and that is the only thing that guides me in how I manage this issue within the Government.

PATRICIA KARVELAS: Thanks for joining us.


PATRICIA KARVELAS: Minister For Home Affairs and Cyber Security, Clare O'Neil. You're listening to RN Breakfast.