Subjects: cyber security
BRAN BLACK, BUSINESS COUNCIL OF AUSTRALIA CEO: Well, good morning, everybody. For those that don't know me, my name's Bran Black. I'm the chief executive of the Business Council of Australia. It is an absolute delight to be here with you all today and to have the chance to help launch Horizon 2 of the government's national Cyber Security Strategy. Just before we kick off, I've got a few acknowledgements. So if you could just bear with me, that would be terrific. Firstly, can I acknowledge the traditional owners of the land, on which we're meeting, the Gadigal people of the Eora Nation, and pay respects to elders past and present. Can I acknowledge Matt and the CBA. Thank you so very much for hosting us. We very much appreciate it. Can I acknowledge all of the members of the ECC, and particularly the expanded ECC. It is excellent to have the chance to work with you in the years ahead, in the same way that it has been excellent to work with you over the last couple of years. Can I acknowledge the minister. Minister Burke, you have been absolutely terrific in your support for this initiative, and I can't thank you enough. We were remarking just before that it's a little bit different from the Tom and Jerry-esque relationship that we have in the context of industrial relations. But this is a relationship that is built on shared purpose, and we are extremely appreciative of that. And I think it's also important just to call out Clare O'Neil and acknowledge her as the minister that got this initiative up and running. We are appreciative of her efforts. They have come a long way. Now, as I mentioned before, we are here to launch Horizon 2, and that is an achievement in and of itself. I think what that acknowledges is that we have already come through Horizon 1. 
We have achieved everything that we set out to achieve, or we have underway and ongoing so many different initiatives that are making a difference day to day with respect to our country's national cyber security resilience, and that's an important thing. When you consider Horizon 1, it had a number of key elements, including legislative reform and, of course, enhanced protection for critical infrastructure assets. But if I can cut to the chase with respect to why we're here today, I think that the most important thing that Horizon 1 did was deliver a reset as between the relationship of government and business in terms of cyber resilience. And that was absolutely needed. Before we had Horizon 1, I think it's fair to say, and I don't imagine there would be too many people in this room who would disagree with me on this, government saw cyber security as a thing that it did, and business saw cyber security as a thing that it did. And never the twain would meet, unless, of course, there was a major incident, a disaster, if you will, and that necessarily brought everybody together. But what Horizon 1 recognised was that the better approach is to see cybersecurity as a problem that requires a shared approach and a shared solution at every stage throughout the journey. And that's why we have this ECC, and that's why it is so very important. And we've already seen its success. A couple of examples, if I can. We've already, as an Executive Cyber Council, showcased sovereign capability. We delivered practical guidance for industry on emerging technologies and the threats and the opportunities that they entail. We've established the Stop The Hack campaign, to strengthen cyber resilience across small and medium enterprises, recognising that cyber security can never simply be something that an organisation does, but it has to be something that is reflected throughout supply chains.
And we prepared the Australian cyber workforce playbook, which highlights the skills that we need, and most importantly, the pathways that are required in order to deliver those skills so that Australia can be at the forefront of global cybersecurity resilience. Now, none of that means we are safe, of course. None of that means we are safe. I think that many practitioners in this space would recognise and say more loudly than I ever can, and more eloquently than I ever can, that the job is truly never done. We see frontier models that are presenting new challenges. We see the emergence of quantum computing, presenting extraordinary challenges, and we, of course, know that the fraudsters and the scammers will become increasingly sophisticated, as they always do, and, as always, we need to be increasingly sophisticated, to counter whatever it is that they do. And so, in light of that, Horizon 2 becomes more and more important. And if I can make one final observation, it is that if we have learned anything from Horizon 1 and from our experiences before Horizon 1, it is that we will always be stronger, we'll always be more resilient, and far more effectual, if we are working together as business, and as government. And it's in that spirit that we're coming together today. So it's my great pleasure to welcome you all, to welcome the minister, and to have the chance to be with you. And on that note, can I pass over to Matt to say a few words before we introduce the minister? Thank you so very much.
MATT COMYN, COMMONWEALTH BANK OF AUSTRALIA CEO: Good morning, all, and welcome. We're obviously delighted to be hosting the Executive Cyber Council here this morning. It is, it's been a critical issue for some time, of course, rightly so. It's a very topical issue at the moment. I think it's central to both economic as well as national resilience. And hence today's forum is just a great opportunity to bring together industry, government, cyber security professionals, share practical information, experience, and how we can work together, to effectively protect our customers, the community, and the broader country. And on that note, we're very fortunate to have the minister, the honourable Tony Burke, leading and chairing the forum today. And, of course, to have him speaking this morning. The minister is, of course, responsible for a very broad portfolio. We were just talking about that, Home Affairs, Cyber, Arts, Immigration, quite a diverse portfolio, but an extremely important one. And thank you, Minister, for coming along this morning. I look forward to your remarks now, and of course, the meeting later today. Welcome.
TONY BURKE: Thanks very much, Matt. And thank you to Bran, as well. Can I acknowledge we have the Director General of Australian Signals Directorate, Abigail Bradshaw here. We have the deputy secretary of my department, Ciara Spencer. We also have the Cyber Security Coordinator, Lieutenant General Michelle McGuinness. I acknowledge all the business leaders who are here. And want to thank everybody for the cooperation that meant that for Horizon 1, we had 60 action items, and every one of those 60 action items was completed at the end of last year on time. That means we are now at the stage of looking at Horizon 2. And can I also, I'll say more about this later in the speech, but acknowledge my parliamentary colleague, the member for Reid, Sally Sitou. There is a new House of Reps committee that has just been established, that will be looking at cyber security for small and medium businesses. It was only established last week, so I'm very glad that Sally's been able to join us today. Thank you for that.
If I start with the threat, when I deal with my counterterrorism role, Australia regularly reassesses the threat level. You'll remember the Director General of ASIO standing up some time ago now, raising the threat level from possible to probable. With cyber effectively, the threat level is always certain. Always certain. That's what we are dealing with. We are constantly under various forms of cyber attack, some of them from criminal gangs, some of them are straight opportunistic, and some of them from nation states. But it is certain that the attacks are always happening. Which means that threats that were always thought to only come over the border now come over the browser. The latest one that would have received a whole lot of publicity was an attack on a piece of software that is used by educational services throughout the world, Instructure. A simple example of that particular one, and that was a ransomware attack: there were 8800 institutions globally affected by that single attack. Twenty-nine institutions in Australia, three government entities. But when I say 29 institutions in Australia, one of them was the entire Catholic school system. So the breadth of that single attack from one place in the world is extraordinarily significant. The current estimates on the impact of the Australian economy each year of cyber attacks amount to $25 billion each year. $12 billion of that is levelled at small business, $2.4 billion at government. The average cost of cybercrime in the last 12 months has increased by 50 per cent to $80,000. We are always being warned what would happen if there were a single catastrophic cyber attack. If there were a single catastrophic cyber attack that lasted for four weeks, the impact on the Australian economy would be $35 billion.
For small business, when we talk about how much and -- when people wonder why is it small and medium businesses that we've set up the parliamentary committee for, of our total proportion of cyber incidents, 64 and a half per cent of them are a small business. And 60 per cent of our total number of data breaches are because of human error. So, effectively, no matter how much you invest, as major businesses, in establishing the firewall, the human firewall, and the supply chain that plugs into your system, remain the key vulnerabilities, and that's very much what I'll be talking about with respect to what we are doing with Horizon 2.
No matter what sort of cyber attack we are talking about, there are responses to the threat that the Signals Directorate are always recommending that we take, that are consistent as threats change. The first is to implement logging and detection capabilities. The second is to replace legacy IT. The next is to prepare for post-quantum cryptography. The fourth is to deal, as I said a moment ago, with the third party supply chain. And finally, to be improving our workforce. Overarching all of these attacks is the fact that there is a single capability that means that those who want to attack are getting new tools. It doesn't change the nature of vulnerability, but it changes their capacity to exploit vulnerabilities, and that's frontier artificial intelligence. I want to pay tribute to Clare O'Neil. Today, it is no surprise that we're launching the Horizon 2 initiatives on the same day that the Executive Cyber Council meets. The Executive Cyber Council has been one of the great reforms in cybersecurity of the Albanese Labor government. Effectively, it guarantees that we have the most senior business people who are relevant to cyber around the same table. You need to remember, that's not just a random meeting. Many of these people, because of competition law, have to actually avoid being around the same table. But it is also the case that, as someone said, and I'm not going to attribute it, because I'm going to claim the line as my own forevermore. But it was someone else's line a moment ago. That cyber security is a team sport. And so effectively, while competition law quite properly wants to keep people apart, unless we can get people to the same table, we cannot effectively deal with this. And so that is an essential, an absolutely essential aspect of being able to deal with cyber security, and that Executive Cyber Council was one of the many initiatives from Clare O'Neil.
Similarly establishing the role of a Cyber Coordinator, and I acknowledged at the start, Lieutenant General Michelle McGuinness. Having somebody who is constantly engaging with business for exercises, dealing with incidents, and building that relationship, makes sure that when a cyber attack occurs, the trust has already been established, and whoever is dealing with the cyber attack, the exercises mean that you have the very beginnings of muscle memory in terms of each of the concepts and processes you need to deal with, is something that a business has thought through beforehand. The cyber strategy with Horizon 1 means that we now have cyber health checks, the Act Now, Stay Secure campaign, Australian Federal Police disruption capability, the technology vendor review, and the Systems of Government Significance. It also means importantly, we have the Cyber Security Act. As a result of that, we have mandatory ransomware reporting requirements. As a result of that, we have the limited use provisions, which have made a fundamental difference to people's willingness to share information, because they know whatever they share will only be used by government for the purposes of assisting them with the attack they are currently dealing with. And finally, the regulation on what, I don't like acronyms generally, but I think IoT, internet of things, is one of the silliest terms of art I've heard in my life. But effectively internet connected devices, to be able to regulate those as well. So all of that having been established, it now means there are processes which did not exist four years ago which have now simply become part of what happens when a cyber attack occurs. Whether people already know this, or whether they Google in the event of a cyberattack, to try to work out, who do I call, straight away, they start with the Cyber Security Hotline. They start by calling 1300 292 371.
And then they are in touch with both the Australian Signals Directorate and with the Coordinator. The Australian Signals Directorate dealing with the technical assistance that they need, the coordinator helping them with the response they need to undertake. As different issues escalate, the Coordinator reports to me, always at least weekly, regularly, daily. And in providing that information as things escalate, I'm then regularly talking to the relevant CEO, sometimes in the event of major disruptions, we are on daily phone calls during various crises, some of which hit the media, some of which never do. It means, thanks to the Executive Cyber Council, that for each of those CEOs, if we do get to the unfortunate situation, which neither of us looks forward to, notwithstanding that they're pleasant calls, but no one wants to be in that situation, we are, at that moment in time, dealing, we're not establishing a new relationship. We know each other. We have been meeting together, and the trust and professional relationship has already been well established.
So against all that, we now go to Horizon 2. And let me put it in these terms. Effectively in Horizon 1, we looked at government and Critical Infrastructure as the areas that were the most significant, and we did everything we could to uplift capability for government and for Critical Infrastructure. Effectively, what we were seeking to do was to lock the front door. The challenge is the front door is not the only vulnerability. In Horizon 2, we start locking the windows. And with Horizon 2, effectively, no matter how good someone's firewall is, no matter how good the cyber security systems that a major business has built in a technical sense, there are key vulnerabilities which remain. The key vulnerabilities are, as I said, 60 per cent human error. 60 per cent human error. So we need to build the human firewall. We also need to make sure that every small and medium sized business that plugs into someone's system, that of itself can be the key vulnerability, and we need to be locking that down as well. Beyond that, anything in the supply chain on which you are dependent as Critical Infrastructure, even if not, they're not plugging into their system, into your cyber system, if they go down, you might not be facing a cyber attack, but effectively your business is under attack because of someone else's cyber attack. And finally, devices. Small devices, the number of times when the Coordinator is contacting me about a cyber attack, and it is an old piece of legacy IT, and each device connected to the internet, connected through to the system, which has then provided the easy pathway through, becomes the other layer of vulnerability. So effectively, in Horizon 2, we say, OK, even if it's a major business, even if it's part of government and Critical Infrastructure, you've done the full uplift. Where do the remaining vulnerabilities lie? And so in Horizon 2, we look at three main areas of uplift.
We look at infrastructure, we look at devices, and we look at people. And in each of those three areas, I'll now go through, basically gives you the architecture of Horizon 2. Infrastructure, devices, and people.
For infrastructure, and when I talk about infrastructure with cyber, let me say this. With cyber, people's minds always immediately go to the intangible. They always go to the concept of data. The concept of the cloud. But we need to remember that all of that intangible ones and zeros live somewhere. We call it the cloud, it lives in a physical data centre. We call it traffic on the internet, but 99 per cent of it travels through subsea cables. Some of it goes through satellite, but 99 per cent through subsea cables. So in dealing with infrastructure, we need to deal both with the physical infrastructure, and we also need to be dealing with the intangible nature of cyber as well. With respect to subsea cables, there is a mixture of government responsibility across various departments that we need to do the work to start to narrow this down. On subsea cables, we need to classify and secure. We cannot continue to have a situation where there is a mixture between Infrastructure, between the Communications portfolio, between Home Affairs, with a clear interest from Defence as well, without starting to streamline far more effectively how we deal with the regulation and protection of our subsea cables. Similarly, we need to classify and secure data sets of national significance and have a risk-based framework to deal with those data sets. Those two areas of assessment become the first part of what we do under infrastructure. The next thing that we do under infrastructure goes with respect to standards. We need to strengthen our logging and monitoring standards. Now, when I talk about logging and monitoring standards and why does this matter, let me give a simple example. In March of this year, a major transport company has a breach. Now, they had really good logging and monitoring standards. So the first thing that happens when there's a breach, the question is asked, how long have they been on? And how far have they got?
Effectively, logging and monitoring standards means you've got CCTV over the top of your data sets, over the top of your system. And by having that logging and monitoring, this particular transport company was able to go backwards and work out very quickly, this is when they got in, this is how far they've got. And to know that from the start. If you don't know how far they've got, you need to presume they've got everything. And it means a much more extreme response becomes the only option. But for this transport company, because they had the logging and monitoring, they were able to specifically target what needed to be isolated, and how they could rebuild, and knew that very quickly. So we want to be able to strengthen the standards on logging and monitoring. Next, under infrastructure, is our partnerships. The work of the Coordinator will now have a very significant expansion of the exercise program. The exercise program is something which guarantees that people have thought through, even though you will never get an exact match to the exercise and the attack. It does mean that people have thought through their systems and started to identify weaknesses well in advance of an attack. But effectively to date those exercises have been for the principal business, and we haven't been extending them through the supply chain. We now start extending them through the supply chain. I'll say more about this when I get to the section about people. But effectively, in working out how to do the massive outreach for small and medium business and people, you weigh up: do you do an advertising campaign? Yes, that matters. Do you have other methods of outreach? Yes, they matter. But effectively, if we are really going to target where is the greatest risk, the greatest risk works on the basis of connection to government systems of significance and Critical Infrastructure.
And so the smaller medium businesses that are part of those supply chains or plug into those systems are the smaller medium businesses which we have to prioritise. In terms of what's the greatest lever, to get that uplift… one of the things with the Executive Council on Cybersecurity, it's no one gets to send a rep. It's either the CEO is able to make it or the organisations aren't represented. And that's for the very simple reason we do not want this to become something that chief officers in IT become the people, because cyber is not simply an IT issue. It is existential for every business. And we wanted to make sure that we had it at that level. In the same way, for small and medium businesses, we could run whatever advertising campaigns we wanted. There is no lever that is stronger than making sure that whoever is the head contractor sees the need for the companies they are engaging with to have solid cyber security. And that's where the exercise program starting to bring in the full supply chain with those exercises allows us to have a far more effective way of getting outreach right through to the most at risk sections of the Australian economy than we would otherwise have.
So that's the infrastructure part. I then go to devices. So for devices, there are the devices that you physically bring into your business, and then now the external devices that carry risk. In terms of the internal devices, the first thing is with respect to government will be embarking on specific government policies and design to be able to reduce legacy IT within government, to be able to improve our procurement standards to specifically deal with the risks of legacy IT, and to have standards and requirements for devices available for the economy generally, whether they be routers, operational technology, consumer energy, smart devices, and connected vehicles. Making sure that standards are available, that businesses can then apply for how to deal with these various emerging forms of technology. Obviously, there are levels as well, of regulation now available under the Cyber Security Act, where I am able to put in specific regulations, the first of those that we've done has been with respect to making sure that the era of default passwords comes to an end. It will no longer be possible to import material where the default password is password on devices. People have often thought of that as simply being a risk to that particular product, be it a robotic vacuum cleaner or fridge or router, where in fact, it is a risk to everything that is connected to the same system. We then go to the external risk, and this is where for telcos and the cloud, we are wanting to be able to establish upstream blocking to be able to deal with threats. Effectively to be able to, in the same way as your email server these days, those of us, early enough adopters of email, will remember where you had to search desperately through to find the spam, and now the spam's excluded before it gets to your inbox. Effectively, we want to be able to work with the telcos and clouds upstream so that we start to intervene at the very start of those sorts of threats being able to come in.
And then we're also wanting to have a whole of government framework, with respect to the misuse of drone technology.
But I then get to people. There are a series of operatives now in the English speaking world, which have new methods of effectively what we call vishing – or voice phishing. There has been one example of a company in Australia, where the upload… if I put it in these terms, we've got used to now you get one of those text messages with a link, it doesn't look quite right, you know not to click the link. But would you click the link if you had a call from your help desk saying I'm going to send something through now, I need you to click on it. Or if you had a call from the CEO of your company saying I'm about to send you an email, I need you to upload it quickly. It's urgent. And it was clearly the voice of your CEO. These things are now possible to be faked. It is possible that what sounds like the voice of the helpdesk or the voice of your CEO, is in fact someone with a completely different voice using artificial intelligence technology to use the same sort of phishing as those emails or text messages you should never click on, so that the upload and vulnerability was able to completely circumvent everything that a business had invested in their firewall, because a worker thought they were doing what they were told to do. Simple example. An Australian energy supplier on the first of July last year received a call. The caller was saying that they needed to know what version of remote access software was being used. Now, this particular energy supplier had already put in place upstream cyber security tools, which were able to intervene and terminate the call. To intervene and terminate that call. The call having been recorded, they were then able to go back and work out whether this was the first call. It wasn't. There'd been a previous one a week earlier on the 26th of June. Two further calls came through in July and August. The particular setup of that business meant that they did not fall for the voice phishing.
But we need to remember, these systems are getting more sophisticated, and we should not simply view the cyber attack as being data sets that flow through and that try to get through with false passwords. Or trying to undo encryption. We need to recognise the weakest link may well be the people who are not the bad employee, not the trusted insider who behaves the wrong way, but somebody who thinks they are doing what they are told. And to be able to improve that human firewall, as artificial intelligence ramps up its impersonation capacity, is going to be absolutely essential. Now, to be able to deal with that, this is where with respect to the House of Reps committee, the work and why it was so important for Sally Sitou to be able to be here today to be able to meet with you all as well. Why their work is going to be so important… because we need to be able to do this uplift. Major businesses and critical infrastructure will be able to do it because the employee employer relationship will be able to make sure that this uplift continuously occurs. We need to be able to reach small and medium business, to be able to get this uplift because they, as I gave in those statistics right at the start of this presentation, are disproportionately where the attacks come in, and it is not simply a risk to themselves. It becomes a cyber risk to anyone they're in the supply chain with, or any major piece of Critical Infrastructure that they plug into. We will still be doing the Act Now, Stay Secure campaign. It's been tremendously successful. It's taken 850,000 Australians out of the high risk category, with respect to cyber attacks. So the advertising campaigns have mattered, and we will continue with our Act Now, Stay Secure. But we have an urgency in the areas of the economy that are most vulnerable for our national security.
And that's where we need to be able to use the full supply chain, with the Critical Infrastructure businesses themselves, to be able to help them ensure that the uplift of their own personnel and the personnel and businesses that they deal with is something that is guaranteed. Because the weakest link is enough to break an entire chain. So effectively though, it's enough for me to say that, but how do you do it? The challenge for small and medium business has been that the Essential Eight, and I acknowledge the agreement that I signed earlier this week with Microsoft, and effectively, the Essential Eight, designed very much for Microsoft products, effectively gives us a principles-based process that works for government, that is quite easily transferable to large businesses and to Critical Infrastructure, to be able to do that cyber security uplift. But I have to say, the Essential Eight is not terribly helpful if you're a small or medium business. It's not designed for you. It's principles-based in a way that small and medium business will often not function in the same way. That's why we need to be able to establish a standards-based process as well. We'll be developing CyberSmart, modelled in part on what the UK have with their Cyber Essentials kit, which effectively gives a simpler standards-based process for smaller medium business so that we have something that is easily accessible, that is transferable, but also gives major businesses something by which they can measure the contractors who can't come to them. So everyone's functioning from the same piece of information, and the uplift and tangibly what is required for the uplift is made clear to all.
Infrastructure, devices, and people. All of this, artificial intelligence accelerates the need. All of this, artificial intelligence means that those who want to attack have new tools. But effectively, the methods by which they attack are all the same vulnerabilities that we've been dealing with the whole way through. The need to be logging and retaining, to have effectively, the CCTV of data remains. To make sure that we are preparing for post-quantum cryptography. To make sure that we're replacing legacy IT. To make sure that we are dealing with the third-party supply chain, and to make sure that we are uplifting the people who work in our organisations to establish the human firewall.
I have no doubt, by the time we get to Horizon 3, there will be another part of the house that needs locking up. I have no doubt that for everything we do, those who want to cause us harm will uplift as well. But be no doubt, we are a more secure nation because of the changes that have been made in Horizon 1. We are a more secure nation, because government and business have gone to a cooperative model. And we are working together to protect the security of Australia. And be in no doubt, that the next layer of making sure that security is real is to deal with the devices, to deal with the full length of the supply chain, and to establish the human firewall. Nothing will stop those who want to attack us. But we can make them as frustrated as possible, and Horizon 2 will do exactly that.
[END]