Australian Strategic Policy Institute
TUESDAY 4 APRIL 2023
I’m really pleased to be addressing the Sydney Dialogue this year. I’m sorry I can’t be there in person.
But I couldn’t pass up the chance to speak with you about how far we’ve come in cybersecurity since our government was elected in May 2023, and share a picture of where we are taking this incredibly important part of protecting Australia’s national security.
As you know, last year Australia experience the Optus and Medibank attacks – the two biggest attacks in Australian history – with three weeks of each other.
For a lot of you in this room, the big challenge before this was getting cyber security to be taken seriously.
But now, it’s at the top of the agenda, at the boardroom table and at the kitchen table.
One of the first decisions of Prime Minister Albanese was to appoint me as the first Cabinet Minister with responsibility for cyber security.
I can’t emphasise how important having a standalone Cabinet Minister with responsibility for Cyber Security is.
You see it in your own organisations – when cyber is competing with other risks and priorities it can be the ninth or tenth thing on the to do list.
For me, this is top of mind every single day. And that’s allowed us to move really quickly.
A big part of the Australian Government’s approach is punching back at cyber attackers for the first time. We’re doing that through our Hack the Hackers Taskforce. A 100-strong force of ASD and AFP officers who are hacking back at criminals who would seek to do Australia harm.
Australia is also working closely with our international partners under the Counter Ransomware Initiative, with Australia leading that initiative to get global cooperation in how we tackle ransomware.
In February this year the Prime Minister announced the establishment of a National Cyber Security Coordinator role to bring a renewed focus to the way we manage cyber security incidents across Australia.
In August 2022, I announced that Australia would develop a new cyber security strategy, with the aspiration to make us the most cyber secure nation in the world by 2030.
We will ensure we are working to protect our people and economy, leading by example with our Government’s cyber security, supporting our region and building our cyber security ecosystem.
And we can’t do this without your input on how we can best achieve this together. Our discussion paper on the strategy is out now – make a submission and get your voice heard.
Our government is committed at every level.
And that commitment was recognised last month when the Massachusetts Institute of Technology ranked Australia Number 1 in the world among countries showing the greatest progress and commitment to enhancing cyber security.
To get that endorsement from MIT - that we are going in the right direction – is really good news.
But really, we’re only just getting started.
Threat and Tech
Today I want to offer a frank assessment of the threat landscape – the actors, and the technology.
Let me also say that despite the threats we face, I am convinced that as a nation we are up to the challenge. You only have to talk to brilliant, passionate Australians at the Australian Signals Directorate or in the security operations centres of corporate Australia to feel confident in this.
The apex predators are the Advanced Persistent Threats or APTs, traditionally directed to use cyber means to fulfil the strategic intent of state based actors.
Their technical capability and targeting intent are in varying forms directed, enabled and supported by state sponsors.
We’ve seen examples where APTs infiltrate and infest critical infrastructure systems or attempt to take them over in order to exert leverage.
APTs can be the hardest threat to tackle, demanding the full spectrum of our brightest minds and deepest technical knowledge to detect and deter, because of the sophistication of their tools, techniques and procedures, hacking back and the scale of deployment that can usually only be generated with the resources of a nation state behind them.
Australia and other like-minded nations will of course call out and attribute these threats where it is in our national interest to do so.
But today I want to make the case that the global gang of bad cyber actors and those operating in the grey zone between nation state intent and financially-motivated criminal conduct are also just as important when considering cyber security as national security.
Part of waking up from the cyber slumber is waking up to this reality: the harm and inconvenience wrought by huge data leaks through the exploitation of basic vulnerabilities from actors ranging from the proverbial teenager in a faded black hoodie in mum and dad’s basement to high end threats is a big national problem. But the truth is, we face a scale and intensity in the threat landscape that far outstrips the recent cases we have seen.
Optus and Medibank are the tip of the iceberg.
Financially-motivated cyber actors and extortionists are public enemy number one.
These groups subvert legitimate business models for financial gain, creating online portals for ‘hacking as a service’ where anyone can purchase the tools and support necessary to conduct a cyber incident or data, especially in the form of a ransomware attack.
In Australia, the Australian Cyber Security Centre has seen Ransomware-as-a-service products – most recently LockBit3.0 – deployed at wide scale and opportunistically against businesses. That’s included a logistics firm and a charity delivering vital services in the remote Outback.
The group behind the attacks then offered this stolen data in the dark corners of the internet.
Some of the groups posing the greatest threat operate with the sanction and wilful blindness of nation states in which they physically work and operate. In this way they can be thought of as an adjunct or overlap with the APTs, as they contribute to the wider interests of that sponsor.
These criminal groups are fully vertically integrated throughout their business model, with parts of their business ranging from the cyber arm to illicit financial services, partner relationships, customer – read extortion – facing systems and research and development.
This drives aggressive product strategy, both competing and collaborating in their product offerings on access and exploitation tools, lease agreements for their use and numerous means to on-sell and exploit compromised data.
Fuelled by the dark web and crypto, their business models scale because of the digitisation of our economic life. As we introduce more tech into our systems, these actors see new markets to enter and for all aspects of their businesses to proliferate.
While APTs might be deep and narrow, the global ransomware actor threat is prolific and increasingly capable because of their networks and relationships.
In terms of intent, while their motivation is profit, their target set is where they can fuse vulnerability with extortion.
While an APT might spend months or years working on a single critical target, these groups represent a threat to our national economic life because every sector, every business that can pay, is a target.
Just like how critical infrastructure is critical because of how it interacts with the wider economy, these attacks are rarely isolated.
Given the combined breaches of Optus, Medibank and now Latitude, there probably is not an Australian who either has not been impacted personally or does not have a close family member that has.
Last week, Latitude advised that a forensic review of the incident uncovered the fact that a total of 14 million records, encompassing 7.9 million Australian and New Zealand drivers licence numbers, 53,000 passport numbers, and 100 monthly financial statement records had been exposed.
It is understood that the personal information accessed for impacted individuals also includes name, address, telephone, and date of birth.
When you add the three major incidents together – Optus, Medibank and Latitude – probably almost every Australian family – has had their data privacy breached in some way.
That means almost every Australian has in some way also felt compromised or plain straight out angry about what’s happened.
Recall how these breaches occupied national news for weeks on end and consumed significant resources of the Commonwealth - the ASD, the Australian Federal Police and numerous other federal and state agencies.
So if every business is a target, every Australian is at risk. And the Government response needs to be significant. That means our national choices, our economy prosperity, our peace of mind as citizens and as a nation, are directly threatened by these groups.
This impact to our sovereignty and way of life is why ransomware threat actors are a core national security challenge for Australia.
One of the reasons I am pushing government hard on the creation of a 2030 Cyber Strategy is because the conversation about cyber threats is too much in the here and now.
And those of you here know that we are facing is changing and growing by the day.
Why do I say this? One reason is how technology is reshaping cybercrime.
There is a paradigm shift occurring in the intersection of humans, technology and cyber security.
Today’s cyber challenge has at its heart a simple fact: at present, a clear majority of data breaches can be traced to human error. It’s the theft of credentials, the accidental clicking in a viral link in an email, which lets an attacker effectively in the front door. And from there, they can wreak havoc.
On the defence, ultimately a failure to patch is not usually an IT failure – it’s often a failure of system design, organisational culture, unwillingness to invest or other human factors.
As technology becomes more advanced, this will change. There will be more attacks that are purely technological, and that makes them harder to defend against.
A second major change is that we are all seeing more and more aspects of our life move online. The Internet of Things will see billions more devices connected to the internet – from our baby monitors to our toasters. And, we’ll have more digitised cities.
These two technological trends will combine to produce a new kind of cyber threat by 2030.
Now of course, technology advantage flows in both directions. Technology will enhance the opportunities for cyber crime, it will also enhance the opportunities for cyber defence.
If anything, today I would say the initiative is with cyber defence – because automation is still favouring detection and blocking rather than penetration and movement, as well as detecting attempts at credential harvesting.
What I am concerned about in 2030 – the endpoint timeline our Cyber Security Strategy is focused on – is keeping governments and police and the good guys ahead of the game.
I do not want to be alarmist, because ultimately technological shifts are at their core neutral – it is all about how you harness them.
Let me be clear, I’m not saying the following dystopian future will happen, but if there is one thing I’ve learnt in the cyber security portfolio is that you need to plan for the most consequential scenario and work to stop it.
So consider a world where:
• AI-driven lateral movement outpaces internal cyber defences;
• Quantum decrypts allow for previously “secure” highly sensitive data sets to be compromised;
• Instead of data breaches, we could have data integrity attacks – where small errors are induced in compromised sets with outsize implications – such as financial records, and
• Our interconnected cities are held hostage through interference in everything from traffic lights to surgery schedules.
It is however also important to also remember that all of these technologies present new opportunities for collaboration. Our Government is working hard to balance the risks against the many opportunities presented by an increasingly online world.
I raise these issues not to scare people, but to help people understand why it is so important to prioritise not just the current challenge, but also the future challenge.
We are trying to answer the question in the strategy, of how Australia can be the most cyber secure country in the world by 2030. Well, this is the context.
To this end, there are four big themes of the cyber strategy as it is shaping up.
• We’ve got to be a hard target
· We’ve got to fight back against the threat;
• We’ve got to bounce back quickly when we get hit, and
• To do all this, we need a really strong, powerful cyber-security eco-system for Australia.
Last year Australia put hackers on notice – we are hacking back.
Our objective is to put the same type of fear into hackers and ransomware groups as they try to exert on their victims.
The Hack the Hackers joint standing operation leverages our most advanced capabilities and smartest and toughest cyber operators to strike back.
And this important work in making hackers think twice about targeting Australian interests is being conducted with some of our closest allies and partners to impose costs, shatter technical capabilities and undermine the cohesion of these threats by targeting all aspects of their business model such as Ransomware-as-a-Service earlier.
The Australian Signals Directorate’s ACSC has also seen non-state actors such as cyber gangs working alongside states, amplifying the potential for damaging cyberattacks.
Our concern is that these non state actors are ungoverned and their impacts unpredictable, which may then have flow on effects for Australia and the supply chains we rely on.
Until now there have been few cases where these actors have injected their influence into international affairs in such a prominent and direct way.
Non-state actors’ intervention in the Russia-Ukraine conflict has significantly expanded combat into the digital space.
Hacking back can also play a role in mitigating the consequences of an attack, in some cases by taking down stolen data from the dark web so it cannot be weaponised against citizens, businesses or the nation.
It is also provides confidence and assurance that Australia is not going to be a soft touch when it comes to cyber threats and is an important demonstration of the national resolve the Government is bringing to the cyber security mission.
How Australia – government, business and citizens – make themselves secure from cyber attacks is of course the central challenge of the Cyber Security Strategy.
Today I wanted to give an insight into some – not all – of the questions we are exploring through the discussion paper and I encourage you to make a submission to contribute to the development of the strategy.
First, we’ve heard loud and clear of the need for Government to lead by example on the cyber security of our own systems and services – something that the former government failed to do.
Despite multiple ANAO reports on cyber security underperformance, the former government relied on voluntary measures and failed to make the sort of meaningful progress that would have set us up to keep pace with the evolving threat landscape I have described.
The 2022 Commonwealth Cyber Posture report found that most government entities did not meet the minimum requirements for cyber security, there was incredibly low uptake of the comprehensive cyber defence services ASD offers, and less than half of the entities were regularly exercising their incident response plans.
I also want to explore how Government can be the purchaser of our own innovation, to create that sovereign cyber security ecosystem that will be so fundamental to our national security in 2030.
Second, we know that it’s got to be a mix of incentives and regulation – especially ensuring that where there is a case for regulation, it is sensible, streamlined and can be complied with in the midst of a cyber-attack on a business.
Third, given the type of threats I’ve identified above are proliferating, fuelled by technical advancement and impacting the nation as a whole, what does threat sharing and blocking look like in 2030?
What success may look like is where, although every single one of us can and should be part of the solution to harden our digital lives to cyber threats, the core responsibility for managing cyber risks rests with those who have the scale and reach to achieve it. This is especially true in the corporate and big tech sectors who know their networks, their data and critically, their vulnerabilities, and must take responsibility for securing them to protect our population.
For corporates and especially technology and service providers, this might look like:
• The right investment to uplift and build-in security to their systems and services
• Strong relationships with regulators including rigorous application of co-designed Risk Management Programs
• Machine-to-machine threat sharing and blocking in partnership with the Australian Cyber Security Centre in ASD.
Now because you can’t surge trust in a crisis, today I am announcing the rollout of a national cyber exercise series, where we will systematically and frequently exercise with entities covered under SOCI on a sectoral and cross-sectoral basis supported by the Cyber and Infrastructure Security Group in my Department and led by the National Cyber Coordinator and in partnership with critical infrastructure.
I’ve said Australia is waking up from the cyber slumber, but now we need to hit the gym.
This exercise series will build muscle memory in how to deal with a cyber attack – and importantly cover the types of incidents we have not yet experienced on a national scale – such as a lock-up of critical infrastructure or integrity attacks on critical data. Critically it will look at how to work with governments including dealing with the consequences of a crisis that inevitably will not impact just one company but potentially millions of Australians.
I have no doubt we will discover some areas where we need to train harder on incident response ensuring plans don’t just sit on the shelf or finding where vulnerabilities exist Being forewarned is forearmed.
This initiative is something that has been raised with me in a number of cyber security consultations and, while there have been some great examples of targeted exercising, we need to move faster and in a more integrated way. This is something that should not wait for the Strategy to be completed to get started.
When it comes to resilience from cyber attacks, there are two things we need to do; first-class consequence management and building agility into the system so shocks are absorbed.
The first thing I’d like to say is how steadfast Australians have been despite their data – in some cases their most sensitive information – being needlessly compromised.
First of all, ordinary Australians and the media didn’t even think of playing the voyeur in seeing what data they could access on the dark web.
In the national mind, diving into stolen data, people’s personal data, was a red line that very few actors had crossed.
Second, business footed the bill in offering identity theft protection and covering the costs of issuing new credentials.
And of course government rallied through the National Coordination Mechanism to ensure every agency was brought into the response and every harm was mitigated where possible.
Now I do want to emphasise that data breaches are only one type of cyber incident, despite being the one we have unfortunately been most familiar with.
Only this morning I was discussing with my colleagues the urgent need to refresh our national strategy for identity resilience, together with our state and territory counterparts.
Under the leadership of my colleague the Minister for Finance, Katy Gallagher, this government is moving forward on a new national Digital ID system.
This will streamline transactions and reduce the need for companies to hold unnecessary data, and where they do hold personal data, ensure it has the highest level of protection. Ultimately, this is all about making Australian identities hard to steal and, if compromised, easy to restore.
We are also looking very closely at the Australian Governments cyber coordination arrangements – through steps including the establishment of a Coordinator for Cyber Security, supported by a National Office for Cyber Security within the Department of Home Affairs, and updates to our national crisis management frameworks.
The forthcoming appointment of the Coordinator demonstrates our commitment to respond to the inevitable cyber incidents of the future, and their consequences, in a coordinated way across Government and with industry, with the needs of our community at the forefront.
It comes with the territory as the Minister for Home Affairs and Cyber Security that the issues you deal with can be perceived as quite dark.
But I want to say when it comes to cyber security it’s a case for optimism not pessimism.
We’ve come a long way as a nation in less than a year.
If this is what we can do in a year, think about where we could be in five years.
There is a real chance for Australia to be a leader when it comes to cyber security and the jobs, industries and growth that comes from that.
We’ve got amazing national competitive advantages to build on:
• A robust Parliament and a tradition of world first and world class legislative responses;
• Nation building investments like the National Reconstruction Fund in Ed Husic’s portfolio, the huge role that Jobs and Skills Australia will play with Brendan O’Connor and our envy of the world education system under Jason Clare;
• Australia back in the global commons with credible foreign policy led by Penny Wong and Tim Watts;
• And real commitment to the challenge shown by the leadership of both the Prime Minister and Deputy Prime Minister in responding to the cyber challenges of our times.
First, I want to leave you with a challenge.
If you have not yet read the discussion paper on the Cyber strategy, please do.
If you have read the strategy, have some ideas and have not made a submission, jump on the keyboard.
Second, I want to leave you with some thanks:
If you work for the national security of Australia, our allies and partners – thank you for your determination, resolve and work every day.
To ASPI, thank you for this opportunity to address this important dialogue