Wednesday, 11 April 2018

Opening Address to the Australian Cyber Security Centre Conference, Canberra


Ladies and gentlemen, good morning and thank you very much for being here today.

Can I also say thank you very much to Alastair for his leadership in this very important space over a long period of time. His expertise is well known to all of you, he is a great asset to the Australian Government and I'm very pleased that he is heading the ACSC.

I am also very pleased to be here in the company of Mike Burgess, the Director General-Designate of ASD. Again, somebody with a very accomplished background in this space who brings a lot to the NSC and to our effort to deal with the issue of cyber and many other issues in our country.

I would also like to acknowledge the presence today of Gai Brodtmann, the Shadow Assistant Minister of Cyber Security and Defence.

And to all of the sponsors, to the people who have made this event possible – this very important event – welcome and thank you very much for taking part in what is a crucial conference in advancing our understanding of the emerging cyber security concerns, as well as the latest threat mitigation strategies.

The Australian Cyber Security Centre (ACSC) brings together capabilities from across the Australian Government into a single location to work cohesively together on cyber security – something that hasn't been done as effectively as it should have in the past. Today's conference gathers experts from our country, but also from overseas, to share their knowledge and experience as we develop and build Australia's cyber security capability.

There are some significant changes on the horizon for the ACSC. As of 1 July 2018, the ACSC will formally become a part of the Australian Signals Directorate (ASD). Mike Burgess, as I pointed out before, is the Director General-Designate and he will address the conference later on about the collaborative benefits of having the ACSC housed within ASD.

The inherently collaborative nature of the ACSC is vital to protecting the Australian people, our businesses and our institutions. We clearly face threats from cyber-crime, but also from organised crime, terrorism and child exploitation, to name just a few.

Australians interact online every day with businesses, family and friends and today we shop, bank, research, work and connect when and where we want to. Some 94 per cent of adult Australians use the web to bank, to pay bills or buy and sell goods and services. Digital systems provide us with endless opportunities to enhance just about every aspect of modern life.

These online connections have become indispensable for business and families alike, but at the same time, our increasing engagement with these systems carries risk.

This constant online exposure increases opportunities for those with nefarious intentions to exploit and target us.

Cybercriminals are mounting increasingly sophisticated and discreet attacks employing credential-harvesting, ransomware, and social engineering.

Online crime carries enormous risks for our communities, for our businesses, for our families and for our national security. On conservative estimates, cybercrime currently costs our country upwards of $1 billion per year. But the impact of cybercrime is much more than just monetary. The emotional and physical impact on children whose lives are destroyed from having been exploited and abused online is heartbreaking and immeasurable.

Finding solutions and building resilience will require us to adopt a flexible, adaptable and coordinated approach and that's why the Government has taken the decision to stand-up the Home Affairs Portfolio and it is key to this strategy.

Home Affairs – as Alastair pointed out before – was only established in December last year and it will enable better coordination and cooperation between Australia's domestic security and law enforcement agencies.

This integrated approach to Australia's security acknowledges that we are operating in a complex and challenging threat environment. We are stronger if we act collaboratively, harnessing our agencies' combined resources and expertise.

Effective online security is vital for a modern, data-driven economy. It is critical to our national prosperity and security.

The cyber environment is especially complex and rapidly evolving, with criminals and malicious state-based actors quick to adopt new technologies.

Cybercrime operates transnationally and beyond traditional borders: recent examples include the North Koreans and Russian activity as well with malicious software, both of which highlighted deficiencies in our cyber capacity.

No single agency or nation can tackle the problem alone – it requires collaboration across Government, the private sector, with our Five Eyes partners and with other international partners.

Our integrated approach to cyber, with Home Affairs working hand-in-glove with the ACSC, provides an environment to share quality intelligence between law enforcement, intelligence agencies and the private sector to better understand cybercrime.

It is the Government's intention that Home Affairs will help drive the coordination and cooperation needed to improve our cyber security arrangements, to protect Australian families, to protect Australian businesses and our critical infrastructure. This is vital to keeping our nation prosperous, safe and secure.

And to this end, Home Affairs Cyber Policy staff are co-located with the ACSC, enabling greater coordination and interaction between the Government's policy and operational functions.

They will work closely together and with critical infrastructure sectors and key industry partners to protect our most valuable networks and systems, while supporting the development of strategies to prevent cybercrime.

The Department of Home Affairs, in collaboration with the ACSC, is working toward several key priority areas to tackle the cyber security and cybercrime risks posed to Australian businesses and individuals.

The Prime Minister's 2016 Cyber Security Strategy provides the foundation for the Government's agenda, but as with all national security challenges, we aren't standing still. We will be looking to re-double efforts against priority cyber challenges and to protect our priority sectors, regardless of the threat vector.

A major priority is protecting Australia's critical infrastructure, as I say, and that is the assets and services that are essential for everyday life. These include, but are not limited to, energy, food, water, transport, communications, health and finance.

A successful attack on critical infrastructure could have a potentially catastrophic human and economic effect. The WannaCry ransomware incident demonstrated how vulnerable essential services like hospitals can be.

The ACSC, which will include the National Computer Emergency Response Team come the first of July, will work with critical infrastructure and systems of national interest owners and operators to develop exercises that identify capability gaps and strengthen cyber security response arrangements.

Owners, operators and regulators of critical infrastructure are the first line of defence. However, the ongoing stability and safety of infrastructure is a shared responsibility. For our part, the Government has taken a number of steps to ensure our critical infrastructure is as resilient as possible, including from cyber-attack.

The Government has legislated through the Telecommunications and Other Legislation Amendment Act 2017 reforms that, in effect, require telecommunications carriers to notify the Government of proposed changes to their networks to determine whether there is a risk to national security.

Further, we recently passed the Security of Critical Infrastructure Act 2018. The Act seeks to manage the complex and evolving potential national security risks posed by foreign involvement in Australia's critical infrastructure.

Protecting against the threats posed to our national security and economic interests from cyber-attacks, foreign espionage and influence is vitally important.

The Australian Government needs to protect its digital borders, just as we protect our physical borders.

As the Government moves towards more streamlined and technology-dependent systems of operation, we are ensuring adherence to high cyber security standards at all times.

While encryption is a legitimate and necessary means to secure government, personal and commercial information, the Government is deeply concerned about the use of encrypted communications by terrorist organisations, organised crime groups, child exploitation networks and others involved in serious criminal activity.

Australian law enforcement agencies recently worked with US and Canadian agencies to take down Canadian criminal enterprise Phantom Secure. It is alleged that Phantom Secure had been modifying smartphones to allow criminals to use encrypted secure communications capable of evading law enforcement interception.

The network was encrypted using sophisticated technology, including privately owned and operated network infrastructure across multiple offshore jurisdictions. International law enforcement agencies have worked together to dismantle Phantom Secure's infrastructure and disable their platforms.

Five men have been indicted in the United States on charges that they knowingly participated in a criminal enterprise that facilitated the transnational importation and distribution of narcotics through the sale and service of encrypted communication.

The adverse impact of Phantom Secure's crimes was acutely felt in Australia. In the years since its introduction to the Australian marketplace in 2009, Phantom Secure established itself as the leading supplier to organised criminal groups, including outlaw motorcycle gangs. It is estimated that Phantom Secure had more than 10,000 clients in Australia alone.

In our country, agencies worked cooperatively to help bring down Phantom Secure. They included the Australian Federal Police, the ACIC, AUSTRAC, the ATO and several state police services. This demonstrates what can be achieved and what will be achieved when our agencies work together and is an indication of the kind of benefit we can expect to see from the new Department of Home Affairs.

Phantom Secure is by no means the only demonstration of the risks of encrypted communications. Beyond modified devices, we know publicly available encrypted messaging apps have been used by terrorists to plan attacks, to fundraise and to recruit. This included the use of WhatsApp in last year's Westminster terror attack, which resulted in five people being murdered.

The Government has introduced legislation to ensure that companies providing communications services and devices in Australia have an obligation to assist agencies with decryption. We are committed to working with businesses that have developed encryption tools to assist with matters relating to national security.

Effective cyber strategies are important to more than just national security. The Government is strongly committed – as we announced by way of funding only a fortnight ago – to the effort to protect children from dangerous and criminal activities online. There is a full and terrible spectrum of nefarious online activity affecting children, from cyber-bullying through to exploitation, abuse and torture.

Protecting children requires a collaborative effort across government, law enforcement agencies and the digital industry. Technology magnifies antisocial behaviours, such as bullying and harassment. It also enables the spread of abusive materials, including pay per view pornography, sexual abuse and much worse.

The internet has provided perpetrators with a level of anonymity and unprecedented access to child exploitation material via online file storage and sharing. The scale of the problem is shocking. More than 1100 web pages appear every week showing the sexual exploitation of children – that is one every nine minutes.

The Government established the Office of the eSafety Commissioner in July 2015 to work across the spectrum of dangerous and criminal activity online. The eSafety Commissioner and her team work with social media providers to identify and remove cyberbullying material and tackle image-based abuse, while also working closely with Australian law enforcement agencies to take down instances of online child sexual abuse.

Last month Minister Angus Taylor and I announced the establishment of the Australian Centre to Counter Child Exploitation (ACCCE). The Centre will be a national hub of expertise and specialist skills to disrupt, prevent and investigate exploitation. The Centre brings together the combined resources of our Home Affairs agencies and links together with other federal departments and state agencies.

Importantly, the ACCCE will work closely with non-government organisations which have expertise in dealing with child exploitation, its victims and consequences.

The Centre will also link Australia more closely with international law enforcement and agencies such as the US National Centre for Missing and Exploited Children.

A fourth key priority for the Government is building the cyber-resilience of Australian businesses and I want small businesses across the country to hear our message very specifically. Research by Telstra indicates that nearly 60 per cent of organisations in Australia detected a security breach which disrupted regular business operations in 2016.

We are working with businesses, including through Joint Cyber Security Centres, to build cyber-resilience in the private sector. These centres are co-designed with industry and function as regional nodes of the ACSC focused on fostering partnerships across industry and government.

Centres have already opened in Brisbane, Melbourne, Sydney and Perth and an additional centre is expected to open in Adelaide very shortly.

More than just cyber-resilience, we are also focused on building Australia's cyber-security industry. Cyber security is a growth industry and Australia is emerging as a leader in the field. The Government aims to establish our nation as the Asia-Pacific hub for cyber security companies.

To this end, the Government has invested in further developing and strengthening Australia's cyber-security industry, including by providing over $30 million in funding to an industry-led Australian Cyber Security Growth Network.

Australia has much to offer in building technology that provides online protections for people and businesses. Our industry, academia and government have all increased their rate of engagement on cyber security dramatically in recent years.

We now rank fourth globally in patent filings in cyber security research and development.

We are also reaching out internationally. For example, the Government is currently leading a mission to the US with more than 50 Australian cyber security organisations. We are continuing to build on our strong strategic partnership and common online security goals, and are exploring further business, investment and strategic partnership opportunities.

The pace of change in the cyber landscape – as you know better than I – is rapid. Emerging technologies and increased malicious criminal and state-based cyber activity mean that we have no opportunity other than that to change, to change our approach and it's neither sustainable nor effective to continue to do things the same way that we have traditionally.

The expectations of industry align with the general public and they are shifting. There is a desire to see increased protections offered by government agencies, as well as leadership to drive wholesale nation-wide change.

The challenge before us is great and it is clear that the Government cannot succeed alone. Everyone needs to contribute to building Australia's cyber resilience and the private sector – in my judgement – is the most crucial partner.

Telecommunications and Internet Service Providers control many of the levers to effect change at a national and global scale and have significant resources and expertise to make an impact.

Initiatives like this conference serve to advance our knowledge and capabilities and provide a platform for ongoing partnerships between governments, business and academia to counter the threats of cybercrime.

The Government, through the Home Affairs Portfolio and the ACSC, is absolutely committed to protecting the Australian community from cybercriminals who seek to undermine our country, our economy, our national security and our privacy.

We understand the critical role a secure cyber environment plays in securing a safe and prosperous future for our country.

Once again thank you for the invitation to speak with you today. I wish you all the very best for a successful conference.

Thank you.