Australian Information Security Association’s (AISA) Australian Cyber Conference 2023


22 March 2023

Let me begin by honouring the enduring custodianship of the Ngunnawal and Ngambri people of Canberra. I acknowledge the Indigenous Australians who are here with us today.

I would also like to acknowledge my parliamentary colleagues present in the audience today, other distinguished guests, and in particular Australia’s 25th Prime Minister, John Howard.

I also want to thank everyone who is here today for the passion and energy shown by organisations like the Australian Information Security Association in stepping up to challenges presented by cyber security.

Now the Government has not been short in ambition in this area.

I want Australia to be the most cyber secure nation – a cyber-security superpower – by 2030.

And we’ve started on that journey.

This month, Australia has been ranked number 1 – by MIT no less – on the Cyber Defence Index among countries showing the greatest progress and commitment to enhancing cyber security.

In fact, it put Australia first in three of four assessment criteria – critical infrastructure, organisational capacity and, importantly, policy commitment.

That is a credit to everyone in this room and everyone in the sector.

But I’ve no plans on resting on our laurels – because there is much to do.

Four months into the role, we faced the Optus data breach, followed closely by the Medibank Private incident – the two biggest cyber incidents in Australian history.

Terrible as they were, the Optus and Medibank breaches woke the country up from the cyber slumber.

No matter what we do, no country can reduce cyber risk to zero. Part of being a strong Australia is getting up off the mat quickly when we’ve experienced an attack.

Our Government has made changes in the wake of Medibank and Optus, and I’d like to spend some time this morning taking you through what they are.

Last month Prime Minister Albanese announced the creation of a new National Coordinator for Cyber Security, supported by a National Office for Cyber Security.

The Coordinator will lead on developing and maintaining a capability that is not only looking outwards to promote cyber resilience across business, critical infrastructure, and civil society, but also looking inwards to protect and secure the cyber infrastructure underpinning the successful delivery of government services and programs.

In a cyber incident, they will coordinate work across government, to support a streamlined response and help manage the consequences for everyday Australians, like what we saw last week with Latitude Financial.

The Coordinator will be supported by the National Office for Cyber Security, a function housed in my Department. The Office will work closely with other arms of the Home Affairs Portfolio and the National Security Community.

Later this year, the Australian Government will release our new national cyber security strategy out to 2030.

We’ll set out what we need to do – in government, in business, in the community – both to bring the security of our digital economy up to where it needs to be, and position Australia as a global leader ready to securely maximise all of the opportunities that new technologies and the exponential growth in internet connectivity of millions of devices can bring to our everyday lives.

Helping the government to develop the new Cyber Security Strategy is an Expert Advisory Board led by former Telstra CEO Andy Penn, and including one of Australia's foremost cybersecurity and telco experts, Rachael Falk, and former Chief of Air Force Mel Hupfeld.

Since their appointment, Andy, Rachael and Mel, along with officers from my Department of Home Affairs, have conducted 11 roundtables with industry partners across multiple sectors including small and medium business, legal, technology, domestic industry, insurance, and transport.

We have also released a Discussion Paper calling for views on the key initiatives we should include in our new Cyber Security Strategy, while my colleague Tim Watts, the Assistant Foreign Minister, has engaged with a range of our international partners to understand how we best support the ongoing security and prosperity of the region and consolidate our position among leading cyber nations globally.

In stakeholder consultation to date, we have heard a few things:

  • Government needs to lead by example on cyber security and there is more we can do with information sharing on cyber security threats and incidents.
  • Businesses do not feel that their cyber security obligations are clear or easy enough to follow.
  • The development of Australia’s cyber capabilities relies on meeting our needs for skilled cyber professionals.
  • There is an opportunity to better align responsibilities across industry so that cyber risks are managed by those best-placed to do so.

If we get this right, Australia can capitalise on the economic and social dividends of the digital age.

The Prime Minister’s Cyber Security Roundtable last month further reinforced that the initiatives I intend to explore and pursue through the Strategy are necessary if we are going to address the concerns of industry partners, and the Australian community.

The range of measures which I am considering, with the support of the Expert Advisory Board, for the new Cyber Security Strategy include:

  • creating a legislative framework to shift cyber security risks away from our most vulnerable members of the community towards those who are best placed to manage it, including software and cyber security service providers, telecommunications firms and technology developers;
  • supporting Australian businesses, including small business, to enhance their cyber security and remain resilient to cyber threats which can be existential for many of our most important businesses;
  • driving our businesses to understand that cyber security and trust is a competitive advantage – so we see a race to the top for cyber excellence, enabled by Australian cyber security firms;
  • ensuring that Australia is building a future workforce of skilled cyber security professionals to contribute to our national cyber security, both in the private sector and in government; and
  • raising the costs of the cyber crime business model and supporting Australians facing complex cyber threats.

We also know critical infrastructure networks are being targeted by a range of malicious cyber actors, including criminal and state-backed actors in some instances. The types of cyber threats and consequences from attacks are rapidly changing the risk environment.

We are demonstrating our commitment to working with industry to address cyber threats through continued investment in a dedicated Cyber and Infrastructure Security Centre and application of the Security of Critical Infrastructure Act.

Mandatory cyber incident reporting obligations now require all entities to report cyber-attacks to Government, ensuring that we have a much better understanding of what attacks are coming down the pipeline and impacting our critical infrastructure, and by extension, more widely across our economy. 

Importantly, we are also collecting this information so we can also share it with industry to help them be better prepared, and break that cycle of threat.

We’ve set minimum standards for cyber security for a whole range of Australian businesses and companies – especially in critical sectors such as energy, food, fuel and water.

As a Government, we appreciate that risk management in some sectors is relatively mature.

Nevertheless, a cybersecurity incident affecting our critical infrastructure has the potential to be devastating – for the victims of the attack, for trust in Australia’s digital economy, and for the reputation of the company involved.

In February, I announced new rules to ‘switch on’ the Critical Infrastructure Risk Management Program obligation – or the ‘RMP’.

The RMP is the third and final positive security obligation within the Act, alongside mandatory cyber incident reporting and the requirement to report certain information to the Critical Infrastructure Asset Register.

Now the RMP is in effect, existing critical infrastructure assets will have six months to comply with the new obligations.

What this means is that within six months, entities must have a system or process in place to identify hazards and, where there is a material risk of a relevant impact occurring, implement accompanying processes to – so far as is reasonably practical – minimise or eliminate that risk.

The Government is committed to assisting entities to understand the new rules – and we have more information about the new requirements and obligations on the CISC’s website.

In June last year, I declared 82 assets, relating to 38 entities, as Systems of National Significance from the gas, financial services and markets, transport, and communications sectors.

And in December 2022, I commenced consultation on an additional 90 proposed Systems of National Significance, relating to 34 entities, from the data storage, domain name systems, telecommunications, gas and electricity sectors.

While consultation closed in February 2023, I am currently considering industry feedback ahead of making further declarations.

These obligations are important and we expect owners and operators to take them seriously, as befits their companies’ contribution to Australia’s economic success and social and national security.

Equally important, the Australian Government can now also help our Critical Infrastructure assets if they are struck by a nationally significant cyberattack that they are unable – or in some cases unwilling – to deal with on their own.

These are powers of last resort, we won’t be using them lightly, but they are part of our response toolkit to ensure Government is able to render assistance that could very well stave off a national emergency.

The Security of Critical Infrastructure Act – like all of our legislative arrangements – requires constant review to ensure it is keeping our critical infrastructure resilient and secure.

As I have said previously, when we look to 2030 and see the growing and relentless nature of the threat that we confront, one question that comes up is: how can we equip Government to be better able to support businesses and organisations when they are facing serious cyber risk?

This is why it is essential that Government has the powers it needs to engage with businesses experiencing a cyber incident and to work in partnership with them to manage the incident and its ongoing consequences.

As we continue to pursue sensible regulation, our approach is not intended to increase the burden on owners and operators, which is why we will continue to balance industry obligations with a genuine partnership between the public and private sectors.

But regulation won’t be enough. The best results will come from real cooperation between business and government. We’re working with businesses across the economy to encourage them to share information, help them understand the risks they face, and make sure they meet their obligations.

Although these changes represent a significant step forward in Australia’s cyber security landscape, there is a lot more to do.

The threat – from nation states, from criminal gangs, from petty thieves – is constantly evolving. That’s why we established the Hack the Hackers initiative, a partnership between Australia’s best cyber experts, and the Australian Federal Police to hunt criminals around the world, and disrupt their activities.

It’s about putting the same fear into hackers as they try to put into their victims.

Cybercrime is the break-and-enter of the digital age, and protecting Australians will mean constant vigilance. I want Australia to be the most cyber-secure country in the world by 2030, and I believe we can get there. As long as we stay focused, and work together as a nation. 

At the moment, I’m working with experts from Australia and around the world to make sure we understand the cyber threat out to 2030.

Many of those experts are here in this room today, and I am grateful for the advice you are providing the government to help us work out the big moves Australia can make to ensure we’re not just safer today, but prepared for an uncertain future.

The threat we face is real and significant. Optus and Medibank made that clear.

The Albanese Labor Government and I will not settle for the complacency and neglect of the past. We are building a more resilient Australia, so that our country isn’t seen as a soft target. Because we’re not.

We are building a strong cyber defence around our country.

We are punching back where necessary. And we are fighting to protect our citizens, every day.

I look forward to hearing more from all of you as we continue our journey to make Australia the most cyber secure nation in the world by 2030.