Thursday, 16 December 2021

Address to the Center for Strategic and International Studies

Topics: Safeguarding our values, principles and prosperity through cyber security.

JIM LEWIS: Good morning to everyone. Welcome to CSIS. Australia is in a unique position; it’s a very close US ally with strong cybersecurity skills, but it’s the target of intense and hostile cyber activity from China and from sophisticated cybercriminals. Our speaker today is Karen Andrews – MP and Minister for Home Affairs; she began as an engineer and was elected into Parliament in 2010. She’s been an Assistant Minister and was made Minister for Industry, Science and Technology in 2018. In March 2021, she became the first female Minister for Home Affairs. Her responsibilities – and I’m going to read them because they’re such a long list – include domestic security and law enforcement; cybersecurity policy; counterterrorism; counterespionage; counter foreign interference; counter–child exploitation; and preparation for the reopening of Australia’s international borders. That’s quite a portfolio, so we’re lucky to have Minister Andrews here today. She’s going to talk about how Australia – recognising the expanding cyber threats we face – is investing in the protection and active defence of critical infrastructure. Minister Andrews: welcome.

KAREN ANDREWS: Thank you very much, and good morning ladies and gentlemen. It’s an absolute pleasure to be here at the Center for Strategic and International Studies in Washington DC, and I do thank Dr John Hamre, the CSIS president and CEO, for the very kind invitation to address you today.

It’s an honour to be the first Australian Minister to visit you following the appointment of Dr Charles Edel as the inaugural Australia chair here at CSIS.

Thank you to everyone who is joining us here today; to Mr Jim Lewis, Senior Vice President and Director of the CSIS Strategic Technologies Program, thank you very much for moderating today’s discussion. I’d also like to acknowledge the presence of the Australian Ambassador to the United States Mr Arthur Sinodinos AO, and the Commissioner of the Australian Federal Police Mr Reece Kershaw APM. Finally, while not with us today, I’d nevertheless like to welcome yesterday’s announcement of the nomination of Caroline Kennedy as the next US Ambassador to Australia.

Ladies and gentlemen – both here in Washington and watching online – Australia and the United States have been firm friends for at least 120 years. Over that time, we’ve fought alongside each other, we’ve consoled each other in loss, and we’ve celebrated together in triumph. We’ve partnered on the world stage, most recently through the new AUKUS arrangement alongside the United Kingdom, and through the Quad with India and Japan to make the world a better place: freer, more secure and more prosperous for all. The continuation of that success, however, and the fruits of that labour – namely, our shared economic prosperity, security and the ongoing relevance of the principles and values that underpin it – is not guaranteed. It is contingent on the choices we make. 

As a global community we stand at the precipice of significant technological advances that could propel our standard of living to new heights or that could be used to threaten the peace and prosperity of the international order. Not since the splitting of the atom has technological disruption created so much opportunity but also presented so many challenges.

Quantum, blockchain, algorithmic automation, 6G, artificial intelligence – of course in isolation any one of these developments would revolutionise our world, but they are not occurring in isolation. They are occurring in parallel, exponentially accelerating the pace of change and the risks that go with it. These developments are also occurring at a time in which the core tenets of the liberal rules-based geopolitical order, established in the wake of the Second World War, are being aggressively challenged by hostile states and malicious actors. It’s a sad reality that some states are already using technology for political oppression; to undermine democracy at scale; or to hold our data, our identities and our way of life to ransom. 

So too, developments in the digital economy could propel our economies to new heights. However, we know that a range of malicious actors – some of whom receive state support – are already using cyberspace to steal intellectual property; sabotage sensitive research; and disrupt legitimate businesses. Left to their own devices, these malicious actors have the potential to undermine trust in global digital markets; spread falsehoods to erode faith in democratic institutions and outcomes; and bombard our citizens with violent extremist content, hateful rhetoric, and artefacts of foreign interference.

Liberal democracies like ours must step up in response. We must create a rules-based global digital order in which critical infrastructure is supported and defended when it comes under attack; where sensible, measured regulation of social media companies breeds a healthy transparency in the digital public square; and where technology adds to, not detracts from, our shared security, prosperity and unity. 

Of course, we have already started down that path – through AUKUS; through the signing yesterday of our bilateral CLOUD Act Agreement; and through our joint attribution of state-backed cyberattacks. I’m certain that will continue, because strong action today will assure both our nations’ security. So too, it will foster a supportive economic environment for our businesses, fostering further innovation and development and securing global prosperity.

America has long been known as ‘the land of the free and the home of the brave’. In Australia we’re ‘the lucky country’ – but it’s not luck that has seen us avoid – thus far – a cataclysmic cyberattack.

It certainly hasn’t been because we’re not a target. In the past two years, we’ve seen cyberattacks on Federal Parliamentary networks, logistics companies, small businesses, hospitals, utilities, schools and universities, amongst others. Just last week we saw reporting in the Australian media about a ransomware attack on a major energy provider. Thankfully, that attack did not result in any interruption of power supply to consumers; and in recent days, we’ve seen digital infrastructure across the world come under pressure as a result of the Log4j2 vulnerability.

The exploitation of the Log4j2 vulnerability demonstrates, yet again, just how bold malicious cyber actors have become; threatening and attacking the very architecture that enables the secure, open exchange of digital ideas and information. We can’t be complacent about this threat, and we cannot act in isolation. Support from our friends and colleagues here in the United States and elsewhere has certainly played a role in keeping us safe – my presence here today and my signing of the CLOUD Act Agreement yesterday is a testament to that – but most importantly, has been Australia’s robust multi-layered approach to cybersecurity built on the three core concepts that I will address in turn today.

Firstly; support for industry. 

In Australia, as in America, the Federal Government only operates a small proportion of the nation’s critical infrastructure, which we define not only as power plants and airports but also universities, food and groceries, banks, space and logistics firms – to name just a few. Owners and operators have an important frontline role in assuring their own cybersecurity, but with the tools and resources available to the Federal Government, it makes sense for our specialists to step in and assist as a last resort when these companies come under serious attack. 

Secondly; support for security agencies and law enforcement.

We’ve given our police and law enforcement bodies important new authorities to go after cybercriminals directly, taking the fight to those who peddle in ransomware, child sexual abuse and hateful extremism. We’ve also embarked on a program of major legislative reform to ensure our laws are fit for purpose as we head towards the start of the second quarter of the twenty-first century.

Thirdly; support for citizens. 

We’re raising awareness of the cyber threat and embedding cybersecurity into the muscle memory of our society – so cybersecurity becomes as reflexive as locking the front door or putting on a seatbelt. We’re also protecting Australians online by introducing new court powers to force global social media giants to unmask anonymous online trolls.

By supporting these three pillars, we have thus far kept Australia safe from a massively disruptive cyberattack, but they are no panacea. Cybersecurity is a complex and evolving field. If left unattended, digital spaces could become an existential threat to our prosperity, sovereignty, values and principles.

No-one can afford to be complacent, least of all the owners and operators of our most critical, sensitive and relied-on technologies. In the 2020–21 financial year alone, one-quarter of cyber incidents reported to the Australian Cyber Security Centre were associated with Australia’s critical infrastructure or essential services. While Australia has not yet suffered a major cataclysmic attack on its critical infrastructure, our intelligence and cybersecurity agencies assess it is no longer a matter of “if” an attack will occur but rather “when”. That’s why Australia is urgently passing new laws to ensure we are better prepared to prevent and respond to cyberattacks, including from hostile foreign state actors.

On 22 November, the Australian Parliament passed the Security Legislation Amendment (Critical Infrastructure) Bill. This legislation expanded Australia’s definition of “critical infrastructure” to include energy, communications, financial services, defence industry, higher education and research, data storage and processing, food and grocery, health care and medical, space technology, transport and water and sewerage sectors. Importantly, the legislation allows the Australian Government to provide emergency assistance or directions to large businesses operating in these critical industries, both during or following a significant cybersecurity incident.

As an example, it’s not reasonable for a supermarket retailer to have all of the highly specialised personnel and expertise to deal with a major debilitating cyberattack that misdirects their supply chains, shuts down payment points and holds their customers’ data to ransom. This type of complex coordinated attack would – more than likely – be beyond the capabilities of any business’s IT division. When major attacks occur, we can now call upon the capabilities and expertise of the Australian Signals Directorate – the ASD – to address the problem; and in the case of state-backed cyberattacks to level the field. Of course, business owners and operators still have a vital frontline role to play; just the same as with physical security, they need to ensure their doors are locked and their alarms are set. But the fact is, the ASD has a unique capability that can support industry’s response to a major cyberattack that would impact on the entire Australian community.

Having passed these initial amendments, I’m now consulting with industry on proposed additional amendments relating to industry risk management and enhanced cyber obligations. As always, our aim is to strengthen cybersecurity settings without overly burdening our businesses. This balance – though it’s sometimes hard to strike – has never been more important as we look to our business sector to help us recover from this once-in-a-century pandemic. That’s why we’re also supporting industry by setting clear expectations about supply chain integrity. Last month, I released the Australian Government’s Critical Technology Supply Chain Principles: 10 voluntary principles – designed with and supported by industry – to give businesses and consumers the confidence to take up, invest in and further develop critical and emerging technologies.

Critical emerging technologies – such as quantum computing – will herald untold advances for humanity, but at the same time, we can’t allow our nation’s growing reliance on technologies that can be hacked, held to ransom or otherwise disrupted to become a major strategic vulnerability. Our Critical Technology Supply Chain Principles cover security by design; transparency and autonomy; and integrity. They ask businesses to have a good understanding of who their suppliers are, and whether they act with integrity and in line with Australian law and human rights responsibilities.

Taken together, the principles will improve the management of critical technology supply chains across the economy; build Australia’s resilience to future shocks; address growing risks to our national security, economic prosperity and social cohesion; and increase consumer confidence in technologies that are – or will be – fundamental to our long-term prosperity. 

But, of course, this is something that we cannot do alone. In July, I had no hesitation joining with the United States and other international partners in expressing serious concerns about the malicious cyber activities of China’s Ministry of State Security – following their exploitation of vulnerabilities in the Microsoft Exchange software to infect thousands of computers and networks worldwide including in Australia. Australia has also publicly attributed malicious cyber activity to North Korea, Russia and Iran. We call out these malicious activities to highlight the significant risk they can pose to Australia’s national security or broader international stability.

Sadly, the threat of state‑sanctioned cyberattack is real and it’s growing. In response, liberal democracies must ensure our national security, law enforcement and intelligence agencies have the resources, powers and authorities they need to keep us safe.

Many here will be familiar with Operation Trojan Shield, known in Australia as Operation Ironside. For those not aware, the operation saw the Australian Federal Police, working closely with the FBI and other international partners, successfully develop an app – ANOM – that criminals thought facilitated secure anonymous communication. Little did they know, but the ANOM app – an idea conceived over beer between colleagues – was giving police and law enforcement officers a full readout of their most sensitive discussions: where drug transactions were going to take place, how they planned to illegally import weapons, and who they planned to silence next. In Australia alone, this operation has seen more than 300 alleged offenders charged and more than $50 million in cash seized. 

I’m confident Operation Ironside was the start of a new area in digital police work, and I’m glad that the Australian Federal Police Commissioner Reece Kershaw has joined me on this trip; we both look forward to meeting with FBI Director Christopher Wray later today to discuss what more can be done in this regard. But despite the incredible success of Operation Ironside or Trojan Shield, it’s a sad fact that, in the main, the internet continues to be a frustrating place for law enforcement and intelligence agencies. Criminals’ identities, locations and activities are often concealed by encrypted communications and anonymising technologies, and our laws have not always kept pace with rapid advances in technology, making it difficult to bring criminals to justice. That’s why our second area of focus when it comes to cybersecurity has been support for law enforcement and the modernisation of our legal arrangements.

In August this year, the Parliament passed the Surveillance Legislation Amendment (Identify and Disrupt) Act. It introduced new powers that substantially boost the capacity of the Australian Federal Police and Australian Criminal Intelligence Commission to fight cyber-enabled crime. The new powers represent a three-pronged approach: disrupting data to frustrate offenders; collecting intelligence; and taking control of alleged offenders’ online accounts, for the purpose of gathering evidence. Specifically, the law gives our police and law enforcement agencies three new powers: network activity warrants – enabling the collection of intelligence on the dark web and when using anonymising technologies by permitting access to the computers used to facilitate serious criminal activity; data disruption warrants – authorising the modification of data belonging to individuals suspected of criminal activity to frustrate the commission of serious offences such as the distribution of child exploitation material; and an account takeover power – enabling law enforcement to take control of a person’s online account to gather evidence about the alleged criminal activity of an individual and their associates.

Australian law enforcement agencies have already begun using these new powers and I anticipate having more to say about how they’ve contributed to arrests and prosecutions in due course. We aren’t stopping there though. I’ve also enacted a suite of measures empowering police to combat the rise of ransomware as an extortion tactic. In October, I announced Australia’s Ransomware Action Plan, which sets out a suite of operational policy and legislative reforms that support law enforcement and protect our businesses. These include developing a specific ransomware reporting regime; the regime will ensure valuable information is flowing to the Australian Cyber Security Centre to improve law enforcement’s threat picture of ransomware attacks in Australia. The plan will also support Australian businesses to invest with confidence in digital technologies, knowing it will be harder for criminals to extort or hold them to ransom. Importantly for law enforcement, it outlines our intention to introduce a new aggravated offence for all forms of cyber extortion, to ensure cybercriminals who use ransomware face increased maximum penalties.

Next year, I plan to introduce legislation that would make targeting critical infrastructure through a cyberattack an aggravated offence, ensuring these cybercriminals seeking to do us harm face greater penalties than ever before. I will move to criminalise the buying or selling of malware for carrying out computer crimes – like hacking and ransom attacks – and criminalise the trade in stolen data. 

I’ve also supported the Australian Federal Police to strengthen Australia’s coordination and ransomware intelligence-sharing arrangements by announcing a new taskforce to hunt down anyone using ransomware to target Australians. This multi-agency taskforce has been active since July and has been harnessing the combined resources and expertise of the Australian Federal Police, the Australian Cyber Security Centre, the Australian Criminal Intelligence Commission, the Australian Transaction Reports and Analysis Centre, as well as state and territory police agencies.

In cracking down on this escalating crime, I know we’re in the company of good friends. 

In October, we supported the White House’s counter ransomware initiative, joining the International Statement that recognised the need for urgent action, common priorities and complementary efforts to reduce the risk of ransomware. Australia continues to work closely with the United States on the actions agreed at that meeting, and I do commend the United States for leading the global community on this front and for leading other global efforts in the fight against cybercrime, most notably through the passage of your CLOUD Act. Of course, yesterday I joined with Attorney General Garland to sign the Australia–United States CLOUD Act Agreement.

Until now, Australian agencies have relied on complex and time-consuming mechanisms, such as mutual legal assistance agreements, to access crucial evidence from other countries. Investigations and prosecutions have stalled and even derailed as a result of these arrangements. Earlier this year, Australia passed a new international production order framework, paving the way for a more efficient and modernised approach to international data access and trusted foreign partners. This legal framework provides Australian law enforcement agencies, and the Australian Security Intelligence Organisation, with access to the vital data they need from foreign communications service providers, subject of course to appropriate safeguards and oversight. 

Today I’m proud to say the first agreement to be designated under this framework is the CLOUD Act Agreement, and the signing of this agreement is of tremendous significance for our two nations and our law enforcement agencies. The agreement further supports our police, giving them timely access to the evidence they need to uphold our laws and to protect our communities. As is right and proper, important safeguards in the agreement reflect our two countries’ respect for the rule of law and for human rights. The Australian Government will always balance the need for agencies to have the powers they require to protect Australians while ensuring these powers are subject to robust controls, safeguards and oversight.

Of course, legislative amendments and international agreements are important, but these must translate into direct benefit for our citizens who are the final pillar in our approach to cybersecurity.

Perhaps the most tangible cybersecurity breach that many of us will have experienced at one point or another is on our mobile phones. In fact, in Australia this year SMS and phone scams and related financial losses have doubled those reported in 2020. Almost 200,000 reports of scam texts were received this year with more than $87 million lost by victims. That’s why I recently provided our telecommunications sector with the authority they needed to block malicious text messages at scale. Stopping scam text messages might not seem as important as safeguarding critical infrastructure, but such actions give us the social capital to start a wider conversation about how citizens can improve their own online safety. We can’t be – and don’t want to be – in the business of securing the devices of each and every citizen, but we can empower each and every citizen to take their own cybersecurity seriously. 

In October this year, I launched a public information campaign asking Australians to ‘beat cybercrime in their downtime’. The campaign encourages Australians to consider their cyber vulnerabilities and then take tangible action to improve their security. Simple things like increasing the complexity of passwords by using passphrases, turning on multi-factor authentication and software updates, can have an outsized impact when they prevent identity theft or save a business from a ransomware attack. Supporting citizens to engage safely and transparently in the digital public square is also a priority for the Australian Government; that’s why – in a world-leading move – Australia will shortly introduce new court powers to force global social media giants to unmask anonymous online trolls. 

The reforms will be some of the strongest powers in the world when it comes to tackling damaging anonymous comments and holding global social media giants to account. The reforms will ensure social media companies are considered publishers and can be held liable for defamatory comments posted on their platforms. They can avoid this liability if they provide information that ensures a victim can identify and commence defamation proceedings against the offender. Our approach is simple: the same rules that apply offline, should apply online as well.

As our Prime Minister, Scott Morrison, has said, and I quote: “social media can too often be a coward’s palace where the anonymous can bully, harass and ruin lives without consequence. We cannot allow social media platforms to take no responsibility for the content on their platforms. They cannot enable it, disseminate it and wash their hands of it; this has to stop.”

The reforms will give victims of defamatory online comments two ways to unmask trolls and resolve disputes. First, global social media platforms will be required to establish a quick, simple and standardised complaint system that ensures defamatory remarks can be removed and trolls identified with their consent. This recognises that Australians often just want harmful comments removed. Second, a new Federal Court order will be established that requires social media giants to disclose identifying details of trolls to victims without consent, which will then enable a defamation case to be lodged. Importantly, the reforms will ensure everyday Australians and Australian organisations with a social media page are not legally considered publishers and cannot be held liable for any defamatory comments posted on their page, providing them with certainty. The Australian Parliament will also shortly put big tech under the microscope and convene a bipartisan inquiry into the toxic material that is all too common on social media platforms. These new powers and this inquiry build on our other world-leading reforms to support ordinary Australians to use digital spaces safely and securely, such as establishing an e-safety Commissioner and legislating an Online Safety Act.

Australians can be assured – as can the global community – that the Australian Government will continue to prioritise the online safety and security of our citizens; and, thankfully, we’re not alone. Against hostile states and a range of malicious actors we must continue working together, both with each other and with other likeminded nations. Of course, there is no better example than the invitation extended to me today. Yesterday’s signing of the CLOUD Act Agreement also continues our long tradition of working in lockstep to secure the rules-based international order and assure global peace and prosperity. We know that Australia’s prosperity and security and the prosperity and security of the United States depend on our ability to securely harness the opportunities created by digital technologies and connectivity. That’s why we must continue to work with each other – and with other likeminded liberal democratic nations – to support industry, national security and law enforcement agencies, and citizens. Taken together, I have confidence we will continue to make sure that advances in communications and online connectivity are a force for good. But this isn’t ‘set and forget’; just as cyber threats continue to evolve, so too must our responses, and as they do, we must ensure that technology continues to support our shared security, prosperity and unity.

Thank you very much. 

JIM LEWIS: Well, thank you, Minister. You’ve been quite busy, so we have a lot of ground to cover with the questions we are getting in. I’ll start with my own questions, then we’ll do the online. What’s your biggest challenge? What do you think your biggest challenges are in moving the agenda here forward?

KAREN ANDREWS: Look, there’s a range of challenges and I think we have to be realistic that not only does Australia face these but the world faces these. On one level, we need to make sure we are bringing the population with us, that they understand what the threat to their way of life is through cybersecurity threats and challenges. Now that’s a multi-layered issue that we need to be dealing with, whether that’s government with businesses or dealing with our citizens. So, I think if we look at what the biggest challenges are, it’s to make sure that there is a broad understanding of the threat that cyberattacks present to us – both in our personal lives and through our businesses – and making sure everyone has in place the proper defences they need.

JIM LEWIS: Where do you put the Australian public in terms of their reaction? One thing that was a bit surprising with the Colonial Pipeline incident here was the kind of panicky response in some way. So where would you put Australia?

KAREN ANDREWS: Well, I think that if we talk about the pipeline attack – what that really did was have an impact on many individuals; it heightened people’s understanding of what the impacts could be of a cyberattack on their way of life and the way it could impact them. So, I think that was actually important – in terms of people starting to understand what the clear implications were of a cyberattack. To many people, understandably perhaps, cybersecurity is something they don’t necessarily understand or accept the need for, and they don’t understand what the extent of the damage could be to them. Now, increasingly people are starting to understand that on an individual basis. Particularly where they’re being faced with identity theft; they understand what the implications are of keeping their personal information and their data secure. Businesses are starting to understand. I’m not sure that overall – globally – businesses are as aware as they need to be of the implications of cyber threats and what they need to do. Importantly, I think businesses have some way to go to understand what they need to do to protect themselves and what the implications will be of a significant attack on them.

JIM LEWIS: So, I read the legislation on critical infrastructure passed in November. I was a bit envious I have to say. Why is Australia doing so much on critical infrastructure? And you have this new expansive definition, so what’s your thinking on cybersecurity and critical infrastructure?

KAREN ANDREWS: Well, fundamentally, when we looked at what we needed to do with critical infrastructure it was making sure that we could maintain the Australian way of life, and we understood that with critical infrastructure if any of the sectors that we identified as being critical to Australia had a significant disruption, it would fundamentally change the way that businesses operated and how Australians live their lives. That’s why we included sectors such as health, but also importantly, food and grocery; so we had a wide range of sectors, simply because we understood the significance of those sectors to our security.

JIM LEWIS: What are the politics of cybersecurity in Australia? Here it remains pretty much a bipartisan issue so there’s a lot of support for doing things. What’s it like in Australia? 

KAREN ANDREWS: National security is something the Government of the day, led by our Prime Minister Scott Morrison, is certainly well recognised for. We have been very forward-leaning on those issues. I think there’s a level of understanding across all of the political parties or players that national security is important, but our government has been certainly very forward-leaning in making sure that we are taking the appropriate action to ensure Australia’s national security, and of course our economic recovery post-pandemic and our economic security for the future. So that’s front of mind for us. But I think that there’s an awareness, there’s an acceptance of the need to make sure that we have strong cyber defences in place. 

JIM LEWIS: I occasionally get notes from members of the Australian privacy community who perhaps are upset with some of the things you’re thinking about, and I was interested to hear you talk about bringing the tech giants in and making them accountable. It seems to be a global phenomenon, but Australia’s taken some big steps in this area. The publishing one is a big one too, so tell us about that.

KAREN ANDREWS: Very simply, our Government had a very strong view that you shouldn’t be able to hide; there should be not a level of any anonymity online; if you’re going to put comments online, then you need to be able to be held to account for them. I mean, some of the things that people think it is okay to say online are just appalling and they hide behind anonymity to say those things. Well, why should you be able to hide online? If you can’t say that offline, why is it okay to say it online? The social media giants, the big tech companies, do have a role to play – in that they cannot facilitate that sort of behaviour. So we’ve actually seriously considered the legislation, the ways to make sure that they’re accountable for that. Now, if they’re not prepared to disclose or they won’t disclose, then they will be held liable themselves.

JIM LEWIS: What’s their reaction been – we all know who they are. How have they reacted?

KAREN ANDREWS: Well I think there’s been a range of responses to much of-

JIM LEWIS: That’s very polite of you.

KAREN ANDREWS: But can I also say that our Government is very strong and very determined that we’re here to look after the interests of the Australian people, and there does need to be some accountability online. So, look, I think the tech giants would understand why we’re doing this. We know they have the technology and the capability to deal with what we’re asking them to do, and for those that say they can’t, they can develop that very quickly to make sure they can take the action that is appropriate.

JIM LEWIS: How will you implement? You said you were criminalising some of the data sales and malware sales. How are you going to implement that?

KAREN ANDREWS: We’re going through the processes of making sure we can put in place the appropriate criminal penalties for a range of matters and range of issues. We will be working through that process. We’ll be working closely with the Australian Federal Police. In Australia, our Attorney General has carriage of many of those matters. We’ll be looking to implement as soon as we possibly can. But what we wanted to do by even making the announcement was to send a very clear message that Australia does not take these matters lightly and we are prepared to legislate, we are prepared to criminalise these activities.

JIM LEWIS: It sounds like Australia’s decided to take a position on extraterritorial application because a lot of these networks are global. A lot of the companies are located outside your territorial jurisdiction, but it sounds like you’ve decided to take action anyhow. How do you intend to deal with extraterritoriality?

KAREN ANDREWS: I think it was important Australia took the steps it did and that it has, but if I go back to what I’ve said earlier, we can’t act alone in this. So, we will be looking at cooperation. We’ll be looking to continue our close cooperation with the United States, amongst others. We know there is significant interest from other countries in the legislation we have passed, and so we will be working to look at what we can do in conjunction with other nations to make sure those that have conducted themselves in a manner we don’t find acceptable – and many people don’t find acceptable – are held accountable. So, we all continue to work together – but we did have to make a very strong statement and we did have to put in place some things that were necessary to protect Australians. 

JIM LEWIS: Usually every year I predict that next year we’ll get some kind of legislation on privacy and accountability and usually every year I’m wrong… but maybe next year. You never know! What would your advice be in terms of thinking about legislation? There were, I think, 160 bills on cybersecurity including content in the Congress this year which a little more shows a high level of interest and that generally means eventually we’ll get there. What would you advise them to look for? What would you say the pitfalls are in designing both cybersecurity and maybe content control?

KAREN ANDREWS: We know the environment is changing and it’s changing quickly, so that gives a very strong need for us and for other nations to act as quickly as they possibly can. Now because things are changing so rapidly and the need is so strong to move quickly, it ultimately comes down to priorities. So, in Australia what we did was prioritise our critical infrastructure and protecting that because of the impact it would have on the Australian people. The other part we’ve focused on is making sure that we’re putting in place the protections for individuals, and that’s why we’ve looked at the scam messaging, amongst other things, as well to support them. So, front of mind for the Australian Government has always been what is in the best interests for the Australian people, and that’s why when we started prioritising our own work, we looked at critical infrastructure and we’ve looked at what we can do as protections for our citizens. 

JIM LEWIS: You knew this was coming and we got a couple questions from the audience on AUKUS. Do you think that since the establishment of AUKUS, attacks towards Australia will increase?

KAREN ANDREWS: I don’t think anyone should underestimate what Australia’s cyber capability is would be my starting point. The AUKUS agreement is very important to us. It’s clearly important to the United States and it’s clearly important to the United Kingdom. AUKUS, whilst in Australia at least, much of the headline has been about nuclear submarines, there’s also other key parts to it which goes to AI, quantum computing. I’d also like to make it very clear that from a Home Affairs perspective, AUKUS to me means great cooperation between Australia, the United States and the United Kingdom. So, it is strengthening what is, quite frankly, an already strong relationship between those three nations. Now, obviously, because of the AUKUS arrangements that have been put in place it has focused the attention of other players around the world on the very close relationship between Australia, the United States and the United Kingdom. We were clearly prepared for what the responses may be to that, but we make no apology for acting in the best interests of Australia.

JIM LEWIS: A follow-on question was – and Australia has been more open than most in this – but what is the reality of Australia’s offensive and defensive capabilities? You’ve touched on that, but I know it’s something Australian diplomats are always proud about – how open they’ve been. In the rankings in the football league – where do you put Australia?

KAREN ANDREWS: Well, I’m not going to be quite so open about what our capability is I would have to say, but what I will say is that I have been particularly impressed by both our defensive and offensive capability, and I’m not easily impressed, I’ve got to tell you.

JIM LEWIS: Okay. That’s a good sign so we’ll read between the lines. You were the Minister for Industry, Science and Technology. One of the questions is about what is the Australian Government doing when it comes to emerging technologies? This is sort of your old portfolio but since it came in let’s ask it.

KAREN ANDREWS: Yes. So, critical and emerging technologies are clearly very important for us, so when I was in the role as Minister for Industry, Science and Technology, we started seriously looking at what that actually meant to us and starting to look at the definitions of critical and emerging technologies; we looked at international examples; just recently, we released a paper that actually goes through 63 critical emerging technologies that are significant to us in Australia. Now, I don’t want to just call it a starting point, even though it is to a point because it is meant to be and always will be a very fluid document. The 63 technologies we’ve looked at and we’ve specified as critical as we sit here now – those will obviously change over time to adapt to the environment in which we work. But I think it’s a very good document, clearly setting out the technologies that are important. It’s important for a couple of reasons; one, it focuses Australia and Australians, particularly our businesses, on where there might be opportunities where the government is clearly defining areas of need, but potential growth as well. I think we’ve also shown and been able to demonstrate globally that critical emerging technology is something that Australia has considered and has done a significant amount of work on already.

JIM LEWIS: Just to push on that a little bit what’s the best way for the US and Australia to partner? This has come up in AUKUS, in the Quad, in the Five Eyes context. What would you recommend for us to build a better partnership on science and technology with Australia?

KAREN ANDREWS: Well, if we talk broadly about science and technology, Australia recognised some time ago we couldn’t continue to be – or try to be – all things to everyone. So, we have been very strategic about the work that we have been doing; we’ve looked at what our capabilities are. A good example of that was the manufacturing policy that we announced and have already been implementing probably for over 12 months now. That actually set out some key sectors for us, so instead of trying to be, for example, a manufacturer of all goods in Australia, we looked at where our strategic areas were going to be. Now, I think the opportunity is there for Australia and the United States to work closely together to look at how we can partner, whether it be in manufacturing, whether it be in resources, you know, to make sure that we’re not necessarily duplicating effort, but we’re working to support each other.

JIM LEWIS: There’s a follow-on question that gets back to the topic which is ‘how can Australia better partner with the US and use bodies like AUKUS or the Quad in cybersecurity?’ What’s the way to partner there?

KAREN ANDREWS: Well, I think it’s to look at what the individual strengths of the two nations are and to work cooperatively together. I will actually use an example of the space sector where Australia and the United States have worked very closely together and that is with the Artemis program that NASA is in the process of implementing. When we worked with NASA, we initially talked to them about the technologies that we believe we had expertise in, and there’s a couple of areas that we are pursuing with NASA. Now, we can’t be part of the entire space program, but there are strategic parts for us to work with NASA. So I think when we look at cybersecurity, we’ve got already models and templates in place that we can start to look at and say, “well, here are the strengths for Australia and here are the strengths for the United States and let’s actually work cooperatively together.”

JIM LEWIS: What would you focus on when you work cooperatively? Would it be threat assessment? Would it be developing countermeasures? I mean, what would be some of the crunchy details of cooperation?

KAREN ANDREWS: It is looking at what cyber defences we should have, but we should also be working and continuing to work cooperatively on intelligence sharing to make sure that there is a level of cooperation between Australia and the United States. That already exists, but we should always continue to work towards building on that, particularly with sharing of intelligence. So those are probably the priorities for us but developing the capability to deal with attacks is very important to us, and with our Australian Signals Directorate we believe that is right up there with the absolute best in the world. There’s information we are able to share to assist capability development here in the United States and undoubtedly there are many things that the United States could share with us in terms of developing that capability.

JIM LEWIS: I put ASD at the top of the league too, but you’ve got a lot of practice unsurprisingly. We got a couple more questions about the social media and content control, so we’ll just go ahead and do them here. Are there different standards for removing content for public and private individuals?

KAREN ANDREWS: Let me start by saying that we’re in the very early stages of this. I think what we have done so far has absolutely set the groundwork for it. Now, there will need to be consideration given to how this unfolds for individuals as compared to businesses, what happens with their social media. But overall, you will see a consistency in the response from Australia. I mean, we would not expect, for example, a business to be making defamatory remarks about another business or an individual and being able to do that online. If you’re actually talking about businesses though, they don’t tend to hide often, but we’ll be doing all we can to draw out those businesses as well and not allow them to hide behind anonymity; because it does happen. For individuals, we are very conscious of the impact where people’s lives can and have been ruined by what has been said and done online.

JIM LEWIS: A follow-up: how do you define defamation? Do you take an action before defamation is proved? What’s the process here? I think that’s sort of an interesting one, I mean who makes the decision that there’s defamation? Normally, it would be a court, but is that what you’re going to – how will this work?

KAREN ANDREWS: If an individual has a claim that they have been defamed online, then through the complaints process that the social media giants have to put in place, there will be a resolution of that. The identity of the individual who has made those comments can and should be disclosed. It may well be, as I indicated when I was speaking, that just the removal of those comments will be sufficient to resolve the issue. But should an individual choose to pursue action then that will go to the courts, and there will be a determination made by the courts just as there would be in any defamation action offline as well. So, we’re trying to make sure that any actions that are available offline will be available for online claims of defamation.

JIM LEWIS: What’s your role in the decision-making on this? Do you make a decision that something’s defamatory? Do you ensure that the companies take action? 

KAREN ANDREWS: That’s not the role of the government. That will be up to the individual to determine. Our legislation is to enable disclosure of someone who is hiding behind anonymity and to have them drawn out or disclosed, and then it will be up to the individual who believes they have been defamed to take action should they choose to do so.

JIM LEWIS: Tell us a little bit about the CLOUD Act. It’s not popular in Europe. I just came from a conference there. Why did you decide to sign? What are the benefits for you? You’re the second, aren’t you?

KAREN ANDREWS: Well, we’re certainly one of the very first to enter into that arrangement, so I was delighted to be in the United States to sign that. In terms of access to information that is going to be needed by our law enforcement agencies, it has historically been quite difficult to access that information. So, what this will do is enable our law enforcement agencies to access the information that they need in a timely manner for their prosecutions. I think it’s actually a very important agreement and the legislation that has been passed in Australia is also very important. 

JIM LEWIS: One last question. You mentioned principles for managing supply chain risk. Can you tell us a little bit more about that?

KAREN ANDREWS: We understand the significance of supply chain risks and probably those risks have been heightened through the COVID pandemic as well. We’ve been particularly minded in Australia about the risks that we have through supply chain. Specifically, what we’re talking about when we’re talking about cyber and other digital issues is making sure, for example, that where we have large businesses they are working with who their suppliers are to make sure that they have in place the appropriate cybersecurity measures so that there’s integrity in their systems, and just to make sure that we’re also using the pull factor of the large businesses, working with the smaller to medium enterprises that are in their supply chains, to make sure that they are supporting them to put in place the proper measures to ensure the integrity, for example, of the data that they hold. So those principles are very important to us. As we start to continue to work with rolling out of our cybersecurity strategy and working with our businesses on cybersecurity and what they need to do, we wanted to make sure that there were some foundation principles that would guide them in the development of their relationships with their supply chains.

JIM LEWIS: Great. Well, we’ve reached the end of our allotted time and I want to say that I have tracked Australia for a while in this space and the agenda you’ve laid out is expansive and I’d say even bold, so there’s some lessons here that the US could take in a couple of areas. It’s a close partnership and we’re all grateful for that. So, Karen Andrews, thank you for speaking with us. 

KAREN ANDREWS: It’s a pleasure. Thank you.