HOUSE OF REPRESENTATIVES, CANBERRA
THURSDAY, 24 NOVEMBER 2016
***CHECK AGAINST DELIVERY***
The Minister Assisting the Prime Minister said in an address yesterday that, “we need to accelerate the implementation of our Cyber Security Strategy.”
Truer words have never been spoken, Deputy Speaker.
Because the pace of implementation has been a crawl.
We were supposed to have mandatory data breach notification laws in place, which Labor supports, by the end of 2015 – and we still don’t have them.
It took nearly seven months from when Malcolm Turnbull announced he’d pick a Cyber Ambassador for him to actually pick one.
The recent Australian Cyber Security Centre Threat Report 2016 made clear that malicious non-state actors could develop the means for a serious cyber attack on Australia within the life of this Parliament.
Australia cannot wait for the Turnbull Government to get its act together.
Australia deserves better than a Government that spends 18 months developing a strategy and six months ignoring it.
Australia’s cyber security needs protecting today.
Deputy Speaker, on average across the developed world, online commerce accounts for 6 per cent of GDP per year – and growing.
We live our lives online, and the migration of global trade and communication from the physical to the digital is irreversible.
We can’t just pull the plug out from the wall.
We must focus on managing the risks of the online world.
Some of the sounds the Government has made on cyber security are promising.
Some of the sounds we would like to hear aren’t being made.
It is this silence that is concerning.
Deputy Speaker –
Emergency planners in and out of government use the term “critical infrastructure” to refer to infrastructure that is essential to the ongoing functioning of the state.
These are sectors such as communications, energy, water, transportation and information technology.
Or at least, these are what we suppose them to be, because the Government has not outlined what it does and does not consider to be critical at a level of detail and specificity even approaching what is necessary.
This is a serious concern, Deputy Speaker, because policymakers and security agencies need to be aware of what is and is not considered critical infrastructure.
Because the term comes with expectations.
For security to prevent a disruption, and for resilience when a disruption occurs.
The Government has apparently been working on a definition for two years now and yet we seem no closer to the level of granularity and detail that other nations have managed.
The latest we have heard on the matter is that states might have more of a role than the Federal Government on the issue.
It is true there is a role for the states.
It is also true that there is a role for uniformity across the nation.
Electricity isn’t just important in Queensland, Deputy Speaker.
Water isn’t just important in South Australia.
The Government needs to accept it has a role in this process and stop shifting the responsibility to anybody and everybody else.
That means working with the states and territories to develop a definition and develop a standard to expect from those assets that fall under the definition.
Deputy Speaker –
Australia is experiencing a cyber skills shortage.
With employment of ICT security specialists growing by 40 per cent in the last five years, we have set a pace that has put enormous strain on Australia’s stock of qualified professionals.
Universities and businesses are frustrated by the lack of graduates coming through with requisite skills for cyber security.
Graduates are needing years of on-the-job training following their undergraduate studies to simply bring them up to speed.
The Government talks about investing in education as a priority and this is an important long-term step.
But these investments will start bearing fruit ten years from now.
Until then we need a strategy to bridge our skills shortage and on this issue the Government is entirely silent.
More than 90 per cent of all data created in human history has been created since 2014.
We produce data with everything we do online. When we trade, when we communicate, when we upload or download anything, when we do our jobs.
This data is collected and analysed to produce an impression of the person who left it. On their own they are often insignificant, but the more we do online the more data about us is left to be collected and considered.
Each single piece of data is like a pinprick in a blindfold. The more pinpricks in the fabric, the clearer the vision of what’s behind it.
So as we add ever more data to the digital impression of ourselves, the approximation of who is creating it gets closer and closer to the truth.
And the nearer the approximation, the more valuable the data.
To advertisers, to governments, to cyber criminals.
Deputy Speaker, by some estimates, more personal private data records were stolen in a single data breach in 2016 than were stolen in every data breach, everywhere in the world in 2015.
Just as the amount of data we produce is growing at an exponential rate, so too is the threat to its security.
Australian government services and agencies collect an enormous amount of data.
Australians trust that when they enter their personal information online, and submit it to the ATO or Centrelink or the Census, they trust that data will be kept secure.
The Minister Assisting the Prime Minister seems to be of the belief that the job of keeping that data secure is somebody’s, but it’s not his.
Earlier this month he is quoted to have said, of his Government’s attitude towards public sector cyber security standards,
“we want each individual department and agency to take responsibility themselves, and the best way we can do that is just remind them of the need for them to take this issue incredibly seriously.”
The Turnbull Government does not support mandating standards for cyber security.
This, despite a 2013 audit report finding that of the seven agencies it examined, none were fully secure to cyber threats.
This, despite 15 percent of agencies having no person responsible for cybersecurity.
This, despite the Department of Industry and the AFP declaring themselves fully compliant with the standards of central government agencies only for a subsequent audit to find they were not.
It is startling that the Turnbull Government would not see a need to mandate baseline levels of safety.
We see wild variation in the level of security from within government and it will take more than a sternly-worded letter to bring everybody up to the same level.
Deputy Speaker, on October 25 2016, hundreds of Centrelink customers had their emails disclosed.
Not by a hacker - by someone using the CC instead of the BCC field on their email.
Centrelink then compounded the error by attempting to "recall" the email. That meant that every email address that was sent out by mistake the first time was sent out again.
So Centrelink, which the Turnbull Government does not think should face mandated data security standards, has a password-reset process that relies on emails being sent manually.
As has been mentioned, the country is currently without data breach notification laws.
This is despite the Joint Parliamentary Committee on Intelligence and Security recommending in February 2015 that Australia have breach notification laws in place before the end of 2015.
Data breach notifications have bipartisan support so the excuse cannot be the one we often hear from the Government, that it is facing too much opposition to be able to implement its own priorities.
It is not in law today because it is not a priority to the Turnbull Government.
The digital economy hinges on trust, Deputy Speaker, and trust cannot develop without disclosure.
The Turnbull Government speaks valiantly of its commitment to transparency then fails to actually transparently reveal anything.
The internet offers enormous productivity benefits to the economy and we have much to gain from embracing its potential.
And yet, there are risks.
It was recently reported that the Reserve Bank of Australia experiences an attempted cyber incident every two seconds.
We cannot expect to never be attacked. We must be confident that when we are, we will withstand it.
And if we lose the confidence that the online environment is safe and worthy of trust, we will scare ourselves out of maximising the opportunities that the internet provides.
As Bill Shorten noted in his address to the parliament yesterday, millions of small and medium sized businesses around the country need Government to stay safe in the digital world.
They need safety to be available in a way that's simple enough for them to incorporate into their business and that they can afford.
There is a role for government to play, in collaborating to deliver standards of cyber safety that are robust and stress-tested.
Deputy Speaker –
There remains a lack of international consensus on what constitutes a “proportionate” response to offensive cyber activity.
Yesterday saw the Prime Minister confirm Australia is using its offensive cyber capability in support of military operations against Daesh in Iraq and Syria.
Now that it is active, we must determine when it should be used and when it should not be.
We would not invade a nation for an offensive slight by a foreign leader because we know what a proportionate response looks like to a diplomatic incident.
But we do not know what it looks like for a cyber threat.
So long as we are not clear on the threshold for response, we face a serious risk of miscalculation.
Australia needs to engage with the international community to set and sustain appropriate thresholds of engagement.
We are not hearing anything about this engagement from this Government. We are hearing silence.
A successful cyber attack could scale similar levels of destruction to a conventional attack, and we should treat the threat accordingly.
Cyber security cannot be a priority on paper and an afterthought in practice.