ASD reform welcome, but still a long way to go

Reveal their secrets, protect our own: that's the mission of our Australian Signals Directorate. And given the nature of the agency, not many people know its mission or the work it has done for the Australian community.

So today as I speak to this bill I want to share with Australians who are listening the history of our Australian Signals Directorate. It was formerly the Defence Signals Directorate but changed its name a number of years ago. Prior to the Second World War the Navy, Army and Air Force had independent wireless units and intercept stations that operated and mainly conducted direction-finding activities. There was no central coordination point for those activities. But during the Second World War these independent units were brought together to support the campaign in the Pacific by intercepting and decoding Japanese radio signals. From there the ASD was born. But it took a while before the ASD became the ASD we know today. After the war, the war-time signals intelligence units were wound down, but government approval was given for a peace-time signals intelligence organisation in 1946. Its role was to exploit foreign communications and be responsible for communications security in the armed services and government departments. This is a role that ASD has maintained to this day, and it's an enduring history.

While ASD operated out of Melbourne after the Second World War, its functions only moved to Canberra in the late 1990s. From memory I think the ASD, or DSD as it was then, was the last Commonwealth government department to move to Canberra as part of the Menzies vision to have federal government agencies serving the federal government here in the nation's capital. I remind those opposite that this was the Menzies vision, the Menzies legacy: to consolidate federal government agencies here in the nation's capital to serve the government of the day. That was the whole idea about Canberra. It took a very long time for all those government agencies to arrive here. ASD, DSD as it was at that point, didn't move here until the 1990s. I remember when I was working in the Department of Foreign Affairs and Trade, working on the Iran and Middle East desk and working on Iran and Iraq. I met a number of those DSDers who had moved up here from Melbourne in the 1990s. It was quite a shock for them to move to our nation's capital, but I'm sure, because the nation's capital is just so wonderful, that they now embrace the Canberra way of life. They embrace those beautiful big skies. They embrace the fact that we have the most altruistic community in the country. They embrace the fact that we have the most highly educated community in the country. They embrace all that is wonderful about our wonderful nation's capital.

ASD has seen a dramatic expansion of its information security role as a result of the growth of the internet and online activities undertaken by individuals, groups and the government. This saw the creation of one of the first cybersecurity operations centres in 2010. It was an attempt to understand ICT security threats to Australian systems and to coordinate a response to those threats across government and industry. From there the Australian Cyber Security Centre evolved, bringing together a number of government agencies and cybersecurity functions and capabilities under the one roof in 2014.

In 2017, the Independent Intelligence Review made a number of recommendations for ASD, including establishing ASD as a statutory authority within the Defence portfolio and bringing the ACSC into ASD. I had a read of the independent review today, and again I just want to share these facts about the intelligence community with all Australians listening. As the report points out, with an annual budget approaching $2 billion and about 7,000 staff spread across 10 agencies, it's clear to us that, on size alone, the Australian government's intelligence activities supporting national security are now a major enterprise—and they are, just from those figures—and would benefit from being managed as such. The report, as I said, talks about the ASD. It talks about the fact that, if these recommendations are followed, the ASD will ensure that its capabilities are strengthened in new legislation. The report also recommends that ASD's legislative mandate be amended to explicitly recognise its national responsibilities for cybersecurity, including the provision of advice to the private sector, and that it take formal responsibility for the Australian Cyber Security Centre. This bill is the beginning of the significant reform for ASD based on that review.

As the shadow assistant minister for cybersecurity and defence, I welcome the reform and the progress being made on the outcomes of the intelligence review as outlined in the bill. The review recognised that the ASD is now a genuinely national asset. As I said before, it plays a much broader role than that defined by its previously exclusive defence focus. This is highlighted in its current additional responsibilities as a national source of information, assurance and cybersecurity. Cybersecurity has become one of the major security issues facing Australia at this time. Throughout the world, this is a significant issue. It comes up as the No. 1 or No. 2 challenge for nations throughout the world, in economic forums, security discussions and intelligence discussions. Between 2015 and 2016, five cyber incidents were reported every hour in Australia, at all levels of society from government to business, large and small, and individual citizens are affected.

So this review recommended new functions for the ASD to help combat cybercrime. These new functions are aimed at preventing and disrupting cybercrime by people and organisations outside Australia, and that in itself is the key point. The new function to proactively identify, disrupt and/or prevent cybercrime is limited to those criminal activities committed by people or organisations outside Australia. It's anticipated that the types of crimes that would be disrupted or prevented could include child exploitation and illicit narcotics.

For example, late last year, I met with a group who brought to my attention an issue that sickens me to my core, and that is cyber sex trafficking. It's a form of cyberabuse which involves offenders commissioning the abuse of children in developing countries on a pay-per-view basis. Just talking about it is quite sickening, really, and I'm warning anyone who's listening. For example, somebody jumps on a social media platform like Skype and pays a trafficker, via a wire transfer, to view, via webcam footage transmitted over the internet, a child engaging in sexually explicit acts or posing for sexually explicit photos or videos. The cost of the show to the viewer increases with the level of abuse directed by the viewer. It's just sickening, and most of the victims in this type of cyberabuse are under the age of 12. This is absolutely appalling. It's sickening to talk about it and to hear of the horror faced every day by these children who are under 12 in developing countries as a result of these sickos—and that's all you can call them—getting on these social media platforms and paying per view to watch a child engaging in sexually explicit acts or posing for sexually explicit photos or videos.

This is not something happening in a faraway land that we can put to the back of our minds and forget about. Australians are making the wire transfers. This is happening in our community today, every day. These are the types of child exploitation activities ASD's new functions will be able to detect, disrupt and prevent—and hooray! Providing the ASD with functions to prevent and disrupt cybercrime beyond Australia's borders will help bolster efforts to reduce the impact of what is currently called a wild west. Cybercriminals repeatedly go unpunished for their crimes, and prosecution statistics for cybercrime remain dismally low. The new functions given to the ASD under this bill will help lay the groundwork for a more active approach to protecting the Australian cybersphere and for going after those sickos who engage in that disgusting behaviour.

At a more local level, bringing the Australian Cyber Security Centre into ASD will mean it is able to communicate more widely with stakeholders at all levels, from small business to critical infrastructure to government agencies. Since gaining the cybersecurity portfolio at the last election, I've had extensive consultation with industry, with think tanks and with academics here and overseas. One of the major issues that keep coming up, particularly for industry here in Australia, is the fact that we need to better connect the engagement between industry and government and, through that, we need to better share information and intelligence gained by the private sector with the government sector. At the moment, industry is telling me that it is sharing some highly sensitive information with the government sector, but unfortunately that isn't being reciprocated by the government sector. It's either too classified or too sensitive, despite the fact that industry is sharing highly classified and highly sensitive information with government agencies. So I'm looking forward to this new arrangement. The ACSC moved from ASIO to a site that is more penetrable, more accessible, for the private sector, at Brindabella Park. I'm looking forward to seeing the new location and I'm looking forward to seeing the ACSC, in its new guise under this new legislative arrangement, actually fulfil its mission to actively engage in an open, transparent, constructive and trusting way with the private sector, small business, medium business, large business—critical infrastructure.

This bill also provides for ASD to regularly brief the Leader of the Opposition on Australia's cybersecurity posture, which is a welcome initiative. It enhances transparency and provides an opportunity for clear communication around what is a rapidly changing environment. This bill is currently before a committee, which is due to report back on 21 March, and I'm looking forward to hearing what the committee has to say in terms of the transparency arrangements contained in the bill. I'll also be taking a close look at annual reporting and other arrangements through which we can get a greater understanding of what's actually happening in ASD. ASIO releases an annual report, so it will be interesting to see what transparency mechanisms we have to get an understanding of what's happening in ASD without in any way breaching issues of national security. This is an issue we grapple with in Defence in gaining an understanding of what's happening on the acquisition front and also on the sustainment front without breaching national security. It's a fine balance, but one to which we should aspire. We need greater accountability and greater transparency around government in general, and I think that applies equally to Defence and ASD.

One thing this bill does not immediately address, although it goes some way towards it, is what I call the spaghetti junction of overlapping and poorly defined cybersecurity responsibilities. Instead of taking a holistic view of cybersecurity and drawing a thread through all the various government agencies, removing duplication where possible, this government continues the trend of having various agencies responsible for different bits of cybersecurity and operations. We've got the ACMA, the eSafety Commissioner, the Department of Communications and the Arts, the Attorney-General's Department, the Australian Signals Directorate, the Department of Defence, the Australian Federal Police, the Cyber Security Centre, the Department of Finance. This gives you an idea of the spaghetti junction of responsibilities when it comes to cybersecurity.

The transfer of the computer emergency response team, CERT, and its functions relating to cyberpolicy and cybersecurity from the Attorney-General's Department to the ASD will help improve capability and information sharing, and I welcome that initiative. But this consolidation is greatly overshadowed by the continued separation of cybersecurity operations and policy following the formation of the Department of Home Affairs. I remind those listening that CERT develops policy—that is acknowledged—but for some reason the government has put cybersecurity policy in Home Affairs, and it's got the operational and the interface elements in ASD, Defence or the ACSC.

Then you have the Special Adviser to the Prime Minister on Cybersecurity, Alastair Macgibbon. Poor Alastair! He seems to be responsible to multiple masters. At estimates this week, he said he is now wearing three hats: he is a special adviser to the Prime Minister, so he reports to the Prime Minister on cybersecurity matters; he's also responsible for cybersecurity policy, so he reports to the Minister for Home Affairs on cybersecurity policies; and he's also responsible for the ACSC, so he's involved there. From what I can gather, Alastair Macgibbon spends half his time in the ACSC and half his time in Home Affairs, reporting to the Minister for Defence, reporting to the Minister for Home Affairs and also reporting to the Prime Minister. He's a busy man. I hope he's not expecting to get any sleep for the duration of his contract, because, with those sorts of responsibilities and being pushed and pulled in all those different directions, it's going to be quite exhausting. I don't think the man is going to get any sleep.

What we need is as much streamlining as possible for cybersecurity, communication and also governance, along the lines of the UK. The view amongst some in the intelligence community is that we can't have operations and policy in the same location. For some reason there seems to be this view, which seems to have been around for 30, 40 years in the intelligence community, that we can't have them all under the one roof. I don't know where that view comes from. I don't know from what experience that comes from. But what I have been hearing from others in the intelligence community is that that is oldthink. It is oldthink to separate policy and operations in the intelligence environment.

I think the government should be considering putting policy into the ACSC, ensuring that Alastair Macgibbon will at least get some sleep as a result of this position rather than being torn between the two agencies and the Prime Minister as well. Who is Alastair Macgibbon reporting to, and who provides the ultimate tick off on cybersecurity policy? Is it the Minister for Law Enforcement and Cybersecurity? Is it the Minister for Home Affairs? Is it Alastair Macgibbon? Is it the director-general of ASD? There are so many cooks in this area, particularly in cybersecurity policy, that it's going to be a real challenge.

I encourage the government to take a close look at the arrangement we've got now. They still have not eliminated the spaghetti junction when it comes to cybersecurity policy, operations, engagement with the community, communication and coordination. There are still way too many players in this space—and just think about poor Alastair, being torn in all those different directions! That said, Labor welcomes the consolidation presented in this bill and hopes it will not stop here. I commend the bill to the House.
