SUBJECTS: Cyber Security Strategy, Multi-factor Authentication, Signals Directorate
TONY BURKE: Thank you to the AFR for hosting this. I hadn't realised [indistinct] ‑ I think I've got two microphones on, that's the problem. Okay, we're back.
This is the third, it now means I've been to the majority of these gatherings which I'm really pleased about, and there's been some significant progress since I last spoke to you.
So, what Paul just said is completely right. I'd been in the Immigration portfolio previously, some 10 years earlier, and the cyber security portfolio hadn't existed at that time. And now, since the election, I have continued with the Home Affairs, Immigration, Citizenship, Cyber Security and Arts portfolios.
There's lots of times when the people in this room of different configurations gather for conferences, often to talk about efficiency, often to talk about regulation, often to talk about profit. But when you gather on cyber security, you gather for existential purposes. And in serving that challenge, there's significant progress that's happened since we last met.
We are nearly at the end of Horizon 1. The Cyber Security Strategy was established by my predecessor Clare O'Neil with three different horizons, and we start with the same six shields, the same concepts, she named them horizons. So, for Horizon 1, it then had 60 individual action items, and I've been working closely with my Department, and I acknowledge Deputy Secretary Hamish Hansford is here. We are on track to have completed all 60 of those by the end of the year, completing Horizon 1 on time as promised.
But we've immediately started a consultation on Horizon 2, to work out what the shields should be in the next layer of ambition.
The principles of those action items, the shields that they run under, are the same; strong business and citizens, safer technology, threat sharing and blocking, protecting critical infrastructure, sovereign capabilities, and having a resilient region and showing global leadership.
In pursuit of that, since we last met the amendments have happened to the SoCI legislation, making sure that critical infrastructure that was already covered with respect to a cyber threat now deals with all forms of threats, whether they be physical, whether they be espionage, whether they be sabotage.
The Cyber Security Act is now law in Australia, and it's already making a difference. The ransomware principle that is there, which is that while the Government always advises against the payment of ransoms, it is now a legal obligation to report to the Government if you have paid a ransom.
That legal obligation is being followed. What that means is we are now getting a sense of exactly what is happening out there; we are getting a sense and a much better line of sight to a range of threat actors, and by virtue of the cooperation we're getting there following the penalty being put in place, we have a situation now with ransomware where we are better placed to be able to deal with it as a country than we were 12 months ago, and with every additional report our capacity increases.
The Cyber Security Act also started the limited use provisions, and I spoke about them at this platform last year. Limited use, as those of you in the room would already know, is a government guarantee that if you provide us with information following a cyber attack, we are only going to use it for the purposes of helping you deal with that challenge. It's not going to be passed on to other agencies of government, it's not going to be used for any other purposes other than dealing with what's immediately there, and you have that guarantee in law.
That has resulted in a really significant behavioural change. So the Australian Signals Directorate, and I acknowledge Abigail Bradshaw, reaches out to companies at different points when we have reason to believe that there is an attack that is under way or has occurred.
In the 12 months before the limited use came in, the Signals Directorate reached out 620 times, 620 notifications. On 55 per cent of occasions, the business reached back. So 620 times reaching out, but only just over half reaching back.
In the 12 months following the passage of the law, the Signals Directorate's had to reach out more times; 1,700 notifications, getting close to triple, but a 75 per cent response rate. Businesses are now having the confidence of knowing that when Government reaches out, it's in your interest to reach back, and you have the guarantee that limited use is there, locked in, in Australian law.
The final area that I didn't have the power to deal with 12 months ago before the passage of the Cyber Security Act, which I have now, is what is my least favourite term, and there's someone in the world who came up with the term Internet of Things; they have no future in my Arts portfolio. But I've put forward the first instrument, which is in place now but whose impact starts in March of next year, which is the ending of default passwords.
One of the easiest pathways onto the system is if there is a device attached to the system which has a default password easily penetrable. Default passwords as of March of next year, of devices ‑ all devices will not be allowed to be sold in Australia if they have default passwords, it's as simple as that. We want to make sure that we are not providing easy automatic opening doors for some of the worst actors in the world.
So that's Government legislation. That's where Government puts down the rules, the laws, and makes a difference there, and that was what I focused on last year.
But today I want to go broader, because Government legislation is one of the tools we have, and if we're going to deal with a threat actor that is constantly evolving and is constantly attacking, we need to look at Government legislation, Government example, Government advice and cultural change.
So, I've dealt with Government legislation. Now let me go to a Government example, because this is where there are occasions where simply the behaviour of Government sends a message without any laws being passed.
The regular uplift of our own systems is of course the most obvious example, which has always been that. But over the last couple of years there have been three different occasions where we have banned particular apps on Government devices. We haven't demanded that no one use those apps in business, we haven't demanded that nobody use those apps personally, but the message that it has sent when we have made clear that those apps are not fit for Government devices, has sent a message to others to think twice before putting them on your own systems.
We've done that with respect to a social media app, we've done it with respect to an anti‑virus application and to an artificial intelligence ‑ an AI application.
The next area is Government advice. The most obvious example of this has been what we've been doing with small business for the Cyber Wardens Program, an active system in providing advice to small business around Australia. It's partnered with COSBOA, it's partnered with Telstra, with CommBank, and with the consultancy agency 89 Degrees East, helping design it.
Perhaps one of the most significant areas of Government advice, and it was mentioned in one of the previous contributions, is the Executive Cyber Council. The most significant thing about the Executive Cyber Council is you can't send your IT person. You either send your CEO, or you are not represented, and that allows around the table a couple of things to happen.
First of all, it allows CEOs who otherwise might not always be able to talk to each other or be wary of talking to each other, because of competition law, a space where within the rules and the limits of the conversation about cyber security the conversation can be free flowing.
To also be there in the circumstance where we have our intelligence and security agencies at the table able to provide significant information right to the top of organisations.
But more importantly than ever, sending the message that this is not a job that you can defer to the IT department. This is something that is about the future of a business, this is something about the existence of a business, and also about the corporate responsibility of large businesses in wanting to uplift the cyber security of the medium and small businesses and independent contractors who they do business with.
The main piece of Government advice though, for a long time, has been what the Australian Signals Directorate has provided, known as the Essential Eight. The Essential Eight runs through eight very simple high‑level principles, and then the full document runs for 21 pages. It provides a very good piece of guidance to large businesses in Australia.
But if you're a small business, the Essential Eight probably hasn't been the ideal document, and this was raised during the previous term when Andrew Charlton, before he became a member of the executive, had a role in cyber security as an envoy, and he did a lot of consultation with small and medium business, and it kept coming back to us that the Essential Eight was not fit‑for‑purpose.
I went and read some of it, and I get it. I accept for large businesses this is really helpful, but for many Australians being told application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation [indistinct] set is not that helpful.
And so the Signals Directorate, to their absolute credit, have now provided one page that's directed specifically to small and medium businesses, and rather than simply have a Microsoft product, they've got a one‑pager for Apple, a one‑pager for Google, a one‑pager for Microsoft, making sure that we're not simply saying to every size business, "You all have to do this". We are providing materials and advice that is fit‑for‑purpose to practically help these businesses uplift their cyber security.
But the final area that I want to focus on today is cultural change, because no matter how much we spend on the tech, no matter how much we spend on the rules, ultimately the culture of cyber security either exists, or we are vulnerable.
As long as we have people in a habit of having the password on the Post‑it Note behind the desk, then we don't in fact have a password in that room. And making sure that we change a culture within businesses and throughout the nation about cyber security means that we're not just relying on tech to provide a digital firewall, we are also providing the human firewall that's required to keep us safe.
The best way I can explain the vulnerabilities of the human firewall, because there are specific breaches that have happened in different parts of Australia and the world that I can't talk about, is that I can talk about me being scammed. So let me give you ‑ I stopped before we got there, but the process here is really significant for what I then want to explain, one of the threat actors around the world, how they do it.
So, I get a phone call, I'm driving a car, the first thing that I'm told is the person is helping me, because they say, "Hey, just calling from Amazon, we've had an order go through against your account for five TVs, it looked unusual, we wanted to check if that was right".
Immediately they got me on this is someone calling me to stop me from being scammed. The conversation goes on, they pretend to pause, so they're now clicking through the system to stop it. At that point they then say, "Okay, I'm just going to send you a text message. If you can then read that back to me, read the number back to me that I've sent you, and then we'll be able to close it off". The text message comes through, and of course it's from Amazon and it says, "Do not share this number with anyone". But had I continued to be in a rush, or had I not pulled over and done what you're not meant to do when you only glance at a text message while still driving a vehicle, I could have very easily, very easily been scammed.
But the principle there is not about scams, there's a cyber issue here. Scattered Spider is a criminal network run principally through English‑speaking countries, they are smart, and they use the principles that I just described to conduct cyber attacks.
They have had successful attacks against large companies, against retail, against airlines. Their method is the same as what I just described happening to me. They will often masquerade as being from the help desk. They will initially actually help, provide assistance, build the relationship, establish not over one conversation, but over a number of conversations a layer of trust. And then they will ask for something to be uploaded on to the system, at which point an entire system is compromised, and they're in.
Some of the limitations of Scattered Spider at the moment are also attached to their strength. Their strength is, because they're from English‑speaking countries, they sound very much like a fellow worker. They will know something about the business, and they will build that relationship.
That also means they are currently limited in numbers. Because it takes so much time there's a limit to how many operations they can do in their cyber attacks because of the methods that they use, but their method essentially is instead of crashing through the window, they get members of your staff to open the door.
Think how that changes with the limits, the capacity constraints that Scattered Spider have at the moment when artificial intelligence perfects, and it's getting very close, its conversation functionality, and then you add to that the layer where the conversation can be the voice of the CEO of the business or of any voice that is chosen.
At that point, this form of cyber attack becomes so much easier, and it doesn't matter how good your electronic systems are if you haven't trained your people to be part of a human firewall.
It's for this reason we, for a long time, through the work of the Coordinator ‑ and I should mention, because people might not be ‑ you all know the Coordinator, Lieutenant‑General Michelle McGuinness. She has ‑ last week when I was at Five Eyes in London, Michelle travelled over to the United States to receive the Billington international cyber award for work that's been done here in Australia being internationally recognised.
The messaging that Michelle's been providing to businesses when she's been working with you all and working on exercises has always been the same three principles: use multifactor authentication; do your updates straight away; and use pass phrases.
We are adding now a fourth. The fourth is simply the same as what's previously only been used with respect to scams but now needs to be seen as a serious link of making sure that we retain cyber security. Stop. Check. Protect. Or another way of putting it, hang up, call back.
The simple protection when somebody has a cold call they weren't expecting, of hanging up and calling back through the official line and asking for the person who just said they were talking to them, is going to become an essential layer of cyber security, an absolutely essential layer.
We are in a situation at the moment where there are not massive numbers of attacks of this nature, but their capacity to expand is about to take off, and the time to put the human firewall in is now.
So we go from three things that we tell people to four. No doubt as time goes on we'll keep getting attacked in new and different ways, but we'll keep responding and making sure that for everything that's thrown at us, we're in there together defending our cyber security.
There's a reason why we talk about horizons. The action items under the 60 get reached, but a horizon by definition is something we never reach. Cyber security will never reach the point where the job is done. We will simply be able to know, and through gatherings like this, that we are meeting the challenge, that we are dealing with a threat actor whose actions keep changing and our defences keep moving to be up‑to‑date.
But with that in mind, we are well positioned, we are doing the work, and I thank the Australian Financial Review for bringing us together today.