KAREN ANDREWS: The Australian Government overnight has joined international partners
in expressing serious concerns about malicious cyber activities by China's Ministry of State
Security.
In consultation with our partners – and that includes the United States, the United Kingdom,
and Japan – the Government has determined that China's Ministry of State Security
exploited vulnerabilities in the Microsoft Exchange software.
This exploitation targeted thousands of computers and networks worldwide, including in
Australia. It opened the door for cyber-criminals to exploit the private sector for illicit gain.
All countries – including China – should act responsibly in cyberspace.
In the past, Australia has publicly attributed malicious cyber-activity to Iran, China, North
Korea, and Russia. Australia publicly attributes cyber-incidents when it is in our interests to
do so, especially those with the potential to undermine global economic growth, national
security, and international stability.
The Australian Cyber Security Centre identified targeting and compromises of Australian
organisations as part of this malicious activity. This compromise primarily affected
businesses and organisations, rather than individuals.
If you are affected, we would encourage you to contact the Australian Cyber Security Centre
– go to cyber.gov.au – and they will be able to provide you with the practical support that
you need to deal with this and other cyber-related matters.
Now, the Government continues to take action to mitigate the real and present danger that
cybercrime presents to Australians and to our economy. We can't allow this criminal activity
to become a significant handbrake on our economic growth and our digital security. We
continue as a Government to deliver on our $1.67 billion Cyber Security Strategy – the single
largest investment in cybersecurity in this nation's history.
Just last week, I announced that the Government is considering reforms, including stronger
cybersecurity standards for the digital economy, more transparent information about
cybersecurity, and stronger legal remedies for consumers. And the Government continues
to progress our reforms to protect our critical infrastructure – with legislation in the
Parliament right now to secure the essential services all Australians rely on, including
everything from electricity through to water, to healthcare, and even to groceries.
I do encourage businesses and consumers to go online themselves to cyber.gov.au to look at
the support that can be provided through the Australian Cyber Security Centre. What I
would say is that this is a timely reminder to businesses and individuals to make sure that
they have in place appropriate levels of cyber security. We know in particular for businesses
that they are very much aware of what they have to do for their physical security. They
know to lock their doors, they know to lock their windows, they know how to put security
systems in place. What those businesses and consumers need to do now is to make sure
that they have in place the appropriate cyber security measures. There are real implications
for businesses who don't have that in place, because they will be more greatly subject to
potential cyberattacks, not just this one in respect of Microsoft Exchange, but in respect of
many other attacks.
We know that these attacks are increasing, and that's why I have made it very clear that
cybersecurity is my number one priority as the Home Affairs Minister. We are doing all that
we can to protect Australians and Australian businesses, but understand that this is a two-way
street and that businesses need to make sure that they have in place the appropriate
measures to keep themselves and their data – which is critically important – cyber secure.
Businesses need to start understanding how significant these data breaches can be, not just
in terms of their reputational damage, but in terms of the long-term viability of their
business. So, again, this is a timely reminder to make sure that you have your cyber security
in place. I'm happy to take questions.
QUESTION: Minister, you said that Australian businesses are among those that have been
affected in this particular incident. Can you give us any more information about the number
of companies or organisations that were targeted, the nature of them, what sector they
work in, any more details along those lines?
KAREN ANDREWS: There were certainly a wide range of businesses worldwide that were
affected, and my understanding is that there was about 30,000 businesses and
organisations that were affected globally by this particular attack. If you go to the Australian
Cyber Security Centre, they will be able to provide you with some additional information
rather than me going through a list of names.
QUESTION: When did the attacks occur, and did the businesses who were impacted realise
that they were being hacked? And what sort of adverse events resulted from it?
KAREN ANDREWS: Look, there were a range of activities that were undertaken. So, these
attacks primarily took place in January of this year. So the Australian Cyber Security Centre
was very quick to provide practical support to those businesses that had been affected in
terms of what they needed to do to provide or install the appropriate patches, et cetera.
QUESTION: But did they lose information? Did they lose work? And did they know?
KAREN ANDREWS: There were a range of things that happened. It was a significant data
breach and access was enabled to these systems so that they could be commandeered and
controlled from outside the organisation.
QUESTION: Some American analysts believe that China's capabilities in cyber space have
increased significantly in the last couple of years. Is that a view shared by you?
KAREN ANDREWS: We are very much aware that many nations – including China – have
significantly increased their cyber capability. Australia is also increasing its legitimate and
lawful cyber activity as well. And we are making sure that we are well placed to protect our
business interests and our consumer interests and our government interests here in
Australia.
QUESTION: You said you would attribute when it's in our interests to do so. Can you tell us
why it's in our interests in this case to name and shame China when you haven't in the past?
Because, for example, the attack against ANU in late 2019. Mike Burgess has publicly said
we know who did that, but we haven't named China. Sources tell me that we know it is
China and declined to do that. So why is it not in our interest there, but is in this case?
KAREN ANDREWS: Well, many of our partner nations have worked together to make sure
that we have very high levels of confidence that this was the Chinese Ministry of State
Security that was behind this attack. So, our level of confidence is very high. We're also
working and supporting our partner nations as well. So, what you will see is that this has
been a global response. This is just not Australia on its own. This is Australia working with
many other nations, including the United Kingdom, New Zealand, the United States, and
Japan.
QUESTION: Would you be willing to make an attribution if other nations weren't joining us
in doing so?
KAREN ANDREWS: Absolutely, if that's what we needed to do and it was in our national
interests to do so.
QUESTION: Are you concerned that China will react to your decision to call this out today by
imposing further trade tariffs or measures of that nature?
KAREN ANDREWS: We are aware that there are serious implications for any attribution that
is made to any nation. But we also will not compromise our position on sovereignty and
national security. And in this instance, along with our partner nations, we needed to call out
this malicious cyberattack.
QUESTION: What are the consequences, though, for China? I mean, their Foreign Ministry
will do their press conference later today and say ‘it wasn't us’. The Global Times is saying
‘everyone in the West is smearing China again’. You've got Rex Patrick saying we should
start expelling Chinese diplomats. Are sanctions under consideration? If not, why not? Or is
it just name and shame and we just all continue on?
KAREN ANDREWS: I think it's important that we don't conflate this issue of a malicious
cyberattack with any of the other issues that are bubbling around at the moment, quite
frankly. Now, in respect to this particular attack, we have been very clear. We have done the
work that we needed here in Australia to make sure that we had a very high level of
confidence that this was China's Ministry of State Security. So we're confident with what
we're saying here. I do think, and the Government thinks, that we need to call out these
malicious cyberattacks. Part of this is also educating the Australian public about what the
extent of some of these attacks are, and the need to make sure that they are secure. So,
yes, we are looking at publicly naming and attributing where we need to, but this is also a
strong message to Australians to ensure that they are cyber secure.
QUESTION: So China will get away with this scot-free?
KAREN ANDREWS: They won't get away with it scot-free. They have many nations that have
come out and publicly attributed this attack to them. So, there is significant reputational
damage to China. They have been called out, and we will continue to call out, not only
China, but other nations, if they do launch and undertake significant attacks here on
Australians and Australian businesses.
QUESTION: Do you believe the information of everyday Australians has been stolen in these
attacks?
KAREN ANDREWS: What we're doing is making sure that we keep Australians as safe as is
possible, but that is a journey that we have to undertake with the Australian people. It is up
to individuals to make sure they are keeping their data safe. It's up to businesses to make
sure they are keeping the data of their consumers safe as well. We do know that data theft
happens in Australia, we do know that identity theft happens here in Australia, so it is up to
individuals and businesses to make sure that they have in place the appropriate cyber
security measures that they need to keep themselves safe. From the Government's point of
view, we will call out malicious attacks where we have a high level of confidence that it can
be attributed to a particular nation.
QUESTION: Did some companies pay ransoms under these attacks?
KAREN ANDREWS: I'm not aware of any ransom being paid in relation to this particular
attack. But having said that, we are very conscious that there are an increasing number of
ransomware attacks happening globally, and also here in Australia. The strong advice from
Government is: do not pay the ransom; report any ransomware attack, any claims for a
ransom, directly to the Australian Cyber Security Centre. Assistance can be provided by
them that may assist in the resolution of that. But our very strong advice is do not pay the
ransom.
QUESTION: On the critical infrastructure legislation, we've had some of the biggest tech
companies in the world running cloud and data management servers, saying that they're
opposed to the legislation because they don't think that Australian officials really have the
technical expertise that they do – given they manage global systems, and they want be
carved out from that. Is that an amendment you'd be willing to make to get that legislation
through?
KAREN ANDREWS: Well, currently, it is before the Joint Committee on Intelligence and
Security here in Australia. I will wait for the report to come through. There are, and there
have been, a number of hearings already held. I do encourage people to put their hand up
now and provide a submission to the Committee, because that's what the Committee will
take into account when it determines and makes its recommendations to me. I will look at
those. I do have a very open mind. It is important that we work with industry because
ultimately it is industry that will need to take a lot of the responsibility for keeping those
systems safe and secure. And I think that we've got to make a distinction about Government
having to step in and solve problems when industry needs to make sure that it is putting in
place the appropriate measures with government to support
QUESTION: How willing is the Australian Government to help bankroll Telstra to buy Digicel
in Papua New Guinea? There are concerns there about Chinese telcos possibly owning that
telco in Papua New Guinea?
KAREN ANDREWS: Look, that is an entirely different issue than the matter that I'm dealing
with here this morning. And whilst I understand your question, I'm not prepared to make a
comment on any of those matters, particularly because they relate to our national security.
Thank you very much.