Tuesday, 20 July 2021

Press Conference - Attribution of malicious cyber activity to China's Ministry of State Security

KAREN ANDREWS: The Australian Government overnight has joined international partners in expressing serious concerns about malicious cyber activities by China's Ministry of State Security. 

In consultation with our partners – and that includes the United States, the United Kingdom, and Japan – the Government has determined that China's Ministry of State Security exploited vulnerabilities in the Microsoft Exchange software. 

This exploitation targeted thousands of computers and networks worldwide, including in Australia. It opened the door for cyber-criminals to exploit the private sector for illicit gain. All countries – including China – should act responsibly in cyberspace. 

In the past, Australia has publicly attributed malicious cyber-activity to Iran, China, North Korea, and Russia. Australia publicly attributes cyber-incidents when it is in our interests to do so, especially those with the potential to undermine global economic growth, national security, and international stability. 

The Australian Cyber Security Centre identified targeting and compromises of Australian organisations as part of this malicious activity. This compromise primarily affected businesses and organisations, rather than individuals. 

If you are affected, we would encourage you to contact the Australian Cyber Security Centre – go to cyber.gov.au – and they will be able to provide you with the practical support that you need to deal with this and other cyber-related matters. 

Now, the Government continues to take action to mitigate the real and present danger that cybercrime presents to Australians and to our economy. We can't allow this criminal activity to become a significant handbrake on our economic growth and our digital security. We continue as a Government to deliver on our $1.67 billion Cyber Security Strategy – the single largest investment in cybersecurity in this nation's history.

Just last week, I announced that the Government is considering reforms, including stronger cybersecurity standards for the digital economy, more transparent information about cybersecurity, and stronger legal remedies for consumers. And the Government continues to progress our reforms to protect our critical infrastructure – with legislation in the Parliament right now to secure the essential services all Australians rely on, including everything from electricity through to water, to healthcare, and even to groceries. 

I do encourage businesses and consumers to go online themselves to cyber.gov.au to look at the support that can be provided through the Australian Cyber Security Centre. What I would say is that this is a timely reminder to businesses and individuals to make sure that they have in place appropriate levels of cyber security. We know in particular for businesses that they are very much aware of what they have to do for their physical security. They know to lock their doors, they know to lock their windows, they know how to put security systems in place. What those businesses and consumers need to do now is to make sure that they have in place the appropriate cyber security measures. There are real implications for businesses who don't have that in place, because they will be more greatly subject to potential cyberattacks, not just this one in respect of Microsoft Exchange, but in respect of many other attacks. 

We know that these attacks are increasing, and that's why I have made it very clear that cybersecurity is my number one priority as the Home Affairs Minister. We are doing all that we can to protect Australians and Australian businesses, but understand that this is a twoway street and that businesses need to make sure that they have in place the appropriate measures to keep themselves and their data – which is critically important – cyber secure. Businesses need to start understanding how significant these data breaches can be, not just in terms of their reputational damage, but in terms of the long-term viability of their business. So, again, this is a timely reminder to make sure that you have your cyber security in place. I'm happy to take questions. 

QUESTION: Minister, you said that Australian businesses are among those that have been affected in this particular incident. Can you give us any more information about the number of companies or organisations that were targeted, the nature of them, what sector they work in, any more details along those lines? 

KAREN ANDREWS: There were certainly a wide range of businesses worldwide that were affected, and my understanding is that there was about 30,000 businesses and organisations that were affected globally by this particular attack. If you go to the Australian Cyber Security Centre, they will be able to provide you with some additional information rather than me going through a list of names. 

QUESTION: When did the attacks occur, and did the businesses who were impacted realise that they were being hacked? And what sort of adverse events resulted from it? 

KAREN ANDREWS: Look, there were a range of activities that were undertaken. So, these attacks primarily took place in January of this year. So the Australian Cyber Security Centre was very quick to provide practical support to those businesses that had been affected in terms of what they needed to do to provide or install the appropriate patches, et cetera.

QUESTION: But did they lose information? Did they lose work? And did they know? 

KAREN ANDREWS: There were a range of things that happened. It was a significant data breach and access was enabled to these systems so that they could be commandeered and controlled from outside the organisation. 

QUESTION: Some American analysts believe that China's capabilities in cyber space have increased significantly in the last couple of years. Is that a view shared by you? 

KAREN ANDREWS: We are very much aware that many nations – including China – have significantly increased their cyber capability. Australia is also increasing its legitimate and lawful cyber activity as well. And we are making sure that we are well placed to protect our business interests and our consumer interests and our government interests here in Australia. 

QUESTION: You said you would attribute when it's in our interests to do so. Can you tell us why it's in our interests in this case to name and shame China when you haven't in the past? Because, for example, the attack against ANU in late 2019. Mike Burgess has publicly said we know who did that, but we haven't named China. Sources tell me that we know it is China and declined to do that. So why is it not in our interest there, but is in this case? 

KAREN ANDREWS: Well, many of our partner nations have worked together to make sure that we have very high levels of confidence that this was the Chinese Ministry of State Security that was behind this attack. So, our level of confidence is very high. We're also working and supporting our partner nations as well. So, what you will see is that this has been a global response. This is just not Australia on its own. This is Australia working with many other nations, including the United Kingdom, New Zealand, the United States, and Japan. 

QUESTION: Would you be willing to make an attribution if other nations weren't joining us in doing so? 

KAREN ANDREWS: Absolutely, if that's what we needed to do and it was in our national interests to do so. 

QUESTION: Are you concerned that China will react to your decision to call this out today by imposing further trade tariffs or measures of that nature? 

KAREN ANDREWS: We are aware that there are serious implications for any attribution that is made to any nation. But we also will not compromise our position on sovereignty and national security. And in this instance, along with our partner nations, we needed to call out this malicious cyberattack. 

QUESTION: What are the consequences, though, for China? I mean, their Foreign Ministry will do their press conference later today and say ‘it wasn't us’. The Global Times is saying ‘everyone in the West is smearing China again’. You've got Rex Patrick saying we should start expelling Chinese diplomats. Are sanctions under consideration? If not, why not? Or is it just name and shame and we just all continue on?

KAREN ANDREWS: I think it's important that we don't conflate this issue of a malicious cyberattack with any of the other issues that are bubbling around at the moment, quite frankly. Now, in respect to this particular attack, we have been very clear. We have done the work that we needed here in Australia to make sure that we had a very high level of confidence that this was China's Ministry of State Security. So we're confident with what we're saying here. I do think, and the Government thinks, that we need to call out these malicious cyberattacks. Part of this is also educating the Australian public about what the extent of some of these attacks are, and the need to make sure that they are secure. So, yes, we are looking at publicly naming and attributing where we need to, but this is also a strong message to Australians to ensure that they are cyber secure. 

QUESTION: So China will get away with this scot-free? 

KAREN ANDREWS: They won't get away with it scot-free. They have many nations that have come out and publicly attributed this attack to them. So, there is significant reputational damage to China. They have been called out, and we will continue to call out, not only China, but other nations, if they do launch and undertake significant attacks here on Australians and Australian businesses. 

QUESTION: Do you believe the information of everyday Australians has been stolen in these attacks? 

KAREN ANDREWS: What we're doing is making sure that we keep Australians as safe as is possible, but that is a journey that we have to undertake with the Australian people. It is up to individuals to make sure they are keeping their data safe. It's up to businesses to make sure they are keeping the data of their consumers safe as well. We do know that data theft happens in Australia, we do know that identity theft happens here in Australia, so it is up to individuals and businesses to make sure that they have in place the appropriate cyber security measures that they need to keep themselves safe. From the Government's point of view, we will call out malicious attacks where we have a high level of confidence that it can be attributed to a particular nation. 

QUESTION: Did some companies pay ransoms under these attacks? 

KAREN ANDREWS: I'm not aware of any ransom being paid in relation to this particular attack. But having said that, we are very conscious that there are an increasing number of ransomware attacks happening globally, and also here in Australia. The strong advice from Government is: do not pay the ransom; report any ransomware attack, any claims for a ransom, directly to the Australian Cyber Security Centre. Assistance can be provided by them that may assist in the resolution of that. But our very strong advice is do not pay the ransom. 

QUESTION: On the critical infrastructure legislation, we've had some of the biggest tech companies in the world running cloud and data management servers, saying that they're opposed to the legislation because they don't think that Australian officials really have the technical expertise that they do – given they manage global systems, and they want becarved out from that. Is that an amendment you'd be willing to make to get that legislation through? 

KAREN ANDREWS: Well, currently, it is before the Joint Committee on Intelligence and Security here in Australia. I will wait for the report to come through. There are, and there have been, a number of hearings already held. I do encourage people to put their hand up now and provide a submission to the Committee, because that's what the Committee will take into account when it determines and makes its recommendations to me. I will look at those. I do have a very open mind. It is important that we work with industry because ultimately it is industry that will need to take a lot of the responsibility for keeping those systems safe and secure. And I think that we've got to make a distinction about Government having to step in and solve problems when industry needs to make sure that it is putting in place the appropriate measures with government to support 

QUESTION: How willing is the Australian Government to help bankroll Telstra to buy Digicel in Papua New Guinea? There are concerns there about Chinese telcos possibly owning that telco in Papua New Guinea? 

KAREN ANDREWS: Look that is an entirely different issue than the matter that I'm dealing with here this morning. And whilst I understand your question, I'm not prepared to make a comment on any of those matters, particularly because they relate to our national security. Thank you very much. ​