Good morning ladies and gents.
I’ll start by thanking the Australian Financial Review for putting this together and in advance thanking Paul for the very soft questions he’s going to ask me on stage after I finish, and also the sponsors in the white box over there without whose support we wouldn’t be able to have times like this.
For me, there are few more important things than listening, learning and planning as a group.
Let me start with a slightly self-indulgent story.
When I was around eight years old, I remember coming from school and seeing a large white book sitting on the front verandah of my parents’ house on the Gold Coast. The book was the White Pages and included most of my community’s personal information, conveniently in alphabetical order for ease of reference. Names, addresses and phone numbers for everyone.
My dad had a corner store where I saw people signing cheques – a promise on paper, with a signature unique to the customer. Society functioned on trust. But our horizons have expanded. We are fearful of our information being public – and perhaps so we should be given the risks it inspires.
This is the great irony of the Information Age – the very technologies that empower us to create incredible things also benefit those who seek to disrupt and destroy. One of our benefits – our ability to communicate through the internet – is also one of our greatest vulnerabilities. It’s this vulnerability I have been asked to work to mitigate.
I’ve been in the role of National Cyber Security Coordinator for a little under three months. Today I want to convey my initial perspectives and update you on what I have been doing since the Prime Minister announced my appointment on 23 June this year.
This morning the Minister the Honourable Clare O’Neil, outlined her broad vision for the National Cyber Security Strategy, giving you an initial glimpse into the Shields we will seek to erect on the path towards 2030.
The desired end state is clear: in just seven years, we will be a world leading cyber secure nation. But it won’t be easy. When things are changing – like they are in cyber security – you need to think big, pull lead, take measured risk and keep your eye on the end game. Getting collectively caught in the now will see us fall hopelessly short.
But as much as I like helping with strategies and talking about the future, my priority as Coordinator is grounded in what has been happening in our systems recently, and what is occurring literally as I speak as threat actors crawl through as-yet-undiscovered vulnerabilities across the nation. And, of course, what trends will emerge that we need to be prepared for.
My first months in this role have largely been focused on listening and learning, tapping into the network of cyber professionals across a range of sectors, including federal, state, territory and local government, academia, industry big and small and, of course, everyday Australians. Everybody has a part to play.
In October, I will commence devoting some of my time towards engaging our international partners, ensuring we are learning cyber lessons in parallel and sharing best practice. From our strongest bilateral partnerships to our multilateral groupings such as the Five Eyes, Quad and of course our Pacific family, we will work wherever we have common interests and can deliver common benefits.
Countries in our region look to Australia as a leader in cyber security and resilience, and want to hear how we have protected our critical infrastructure and responded to major cyber incidents. The lessons we learn are also equipping our partners to be better prepared and better positioned to bounce back.
In this, I highlight the excellent work being done by our Ambassador for Cyber Affairs and Critical Technology, Mr Brendan Dowling. Brendan works at our Department of Foreign Affairs and Trade and is getting through a force of work each week in our nation’s interest. Cyber knows no borders, and Brendan is crossing the physical ones every day seeking to build capacity and promote cyber norms and standards around the world. Whether it’s cybercrime or hostile nation state activity, we are stronger when we stand and respond with our partners, and they are stronger when Australia plays a confident and assertive role in standing up for a safe and secure global cyberspace.
Part of my focus has also been our process of “incident management”, as we’ve mentioned a few times today.
This aspect of the role is relatively familiar for me, with strong parallels with the processes for preparedness undertaken by the Australian Defence Force and in our emergency management agencies and services around the nation. We should rehearse and practise, sharing lessons and improving our readiness for the modern cyber threat landscape. If we don’t, we are doomed to a never-ending spiral of consequence when we inevitably encounter our cyber-foes, who are plying their trade on equally unprepared victims around the world. Nicholas Taleb would call this ‘anti-fragile.’ He posits that anti-fragile means that when something hurts you, it makes you stronger than before. In other words, we are strengthened by disorder. Cyber is ground zero when it comes to disorder in modern society – full of inequalities and power imbalances. Through our response to cyber incidents, I suggest we will become stronger as a nation and as a society.
I will now run you through how the Australian Government is currently supporting Australians in cyber security.
The Commonwealth’s response to a cyber-incident involves the coordination of a number of agencies, who each play their part:
The Australian Signals Directorate’s Australian Cyber Security Centre provides the technical cyber incident response and assistance as most of us well know.
The Australian Federal Police, through their Cyber Command, seeks to identify, disrupt and prosecute cybercriminals both domestically, and abroad through international law enforcement partnerships.
Collaboration between these two, the AFP and ASD through Joint Standing Operation AQUILA, seeks to investigate, target and disrupt priority cybercriminal syndicates which cause high harm and threaten our national interests – bringing the complementary powers and capabilities of the ASD and AFP.
The AFP-led Joint Policing Cybercrime Coordination Centre brings together the legislative powers, experience, and investigative and intelligence capabilities of all Australian policing jurisdictions, private industry and other partnerships to achieve maximum impact on high volume, harmful cybercrime affecting the Australian community.
Home Affairs’ consequence management unit is maturing and focuses on the broader consequence of a cyber-incident which may impact communities and organisations across the nation. Its role is to support impacted organisations to connect and engage with the array of Government agencies who have a role to play in responding to the incident.
As we all know, recovery is not simply a point in time. Impacts can be technical, but also threaten the physical operation of essential services in the community and nationally. Or they can be intensely personal, with the publication of sensitive or personally identifiable information.
This leads me to the important work of our regulators. Be they privacy, through the OAIC, banking and health through APRA and AHPRA respectively, or Home Affairs looking at critical infrastructure through the Security of Critical Infrastructure Act. We rely on regulators to ensure our big companies play their part and shoulder the load when it comes to protecting our key assets.
While the management of each individual incident may differ, planning for and mitigating the consequences requires a coordinated response to ensure harm is minimised. Effective cyber security is the antithesis of a solo sport.
Collaboration, coordination and partnerships are key to advancing and protecting our cyber security and our national interests.
Breaches we’ve already talked about today have seen the private data of millions of Australians exposed to cybercriminals, potentially to fall prey to those who would seek to do them harm. These events caused enormous distress and highlighted deficiencies in cyber defence in both private and public sectors.
The breaches also highlighted that our national response could have been better coordinated. I’ve been looking at how we can streamline the incident management process and how we can better position our nation’s cyber preparedness. Of course, we need to identify gaps, but we also need to understand our overlap and our seams and work hard to fix them – despite the friction it will cause to many of us. We also need to look at legislative impost or red tape and determine if it is unnecessarily holding us back.
One of the biggest observations I’ve had since coming into the role is the rapid change of mindset over the last 12 months that has been mentioned quite a few times today. Cyber security is an immense operational challenge at every level of society but also one of diffused, yet genuine responsibility, not just for the target of the attack, but for the nation. Cyber security is a whole-of-nation conversation, but it is also a fundamental and underpinning part of our national security.
Australia has some of the best cyber practitioners in the world across industry and government. I will serve as the focal point to ensure a centrally-coordinated approach in preparing for and managing the consequences of cyber security incidents.
I’d like to now take you inside a case study that looks closely at one of the most recent high-profile breaches, one that impacted HWL Ebsworth, a legal firm with many government and industry clients in Australia and across the ditch in New Zealand. I stress that I do this with the support and knowledge of the Managing Partners of Ebsworth, who have been immensely cooperative since I assumed the role.
They were hit by a ransomware attack in late April. The breach has been claimed by a Russian-based cybercrime gang, who I won’t name because I don’t think they deserve the fame.
In all, some 2.5 million documents were exfiltrated and about a million of these were included in a dataset that was published on the dark web on 9 June, three weeks before I commenced my role.
Ebsworth has been consumed since that time advising its clients and meeting its obligations under the Privacy Act, but is now at the stage where it can manage its commitments without Commonwealth support. I have thus asked my team to pivot from immediate assistance towards assessing our lessons learned across the very wide stakeholder group. A key element of any sort of preparedness is working out what happened and how to do it better the next time.
The role I chose to play when joining this incident mid-stream was to start with a light touch and ask relevant questions, not just to address the HWL Ebsworth incident per se but to build a picture, an understanding of what may help guide our future approach. I asked for an incident briefing on day one and within a week had met the partners and commenced whole-of-government coordination through the National Coordination Mechanism, managed by the National Emergency Management Agency, or NEMA.
I’ll give you my top three take-outs from this experience.
Firstly, we’d been able to deploy into the HWL Ebsworth response lessons learned from earlier responses, particularly in relationships. In addition to my time working with Ebsworth, I have spent time with each of the other companies, including with Latitude, only ten days ago in Melbourne. There the Chief Operating Officer and their cyber leads gave me their reflections on their cyber incident six months on. Additionally, through industry groupings like CISO Lens, I have been invited to a number of cyber incident back briefs which have greatly assisted me in understanding the challenges a company goes through when they suffer a breach.
One of the positives being reflected to me is how Home Affairs has convened thematic working groups, which sit underneath the broader Commonwealth management architecture. For Ebsworth, these were sensitive issues and legal services working groups. In total they met 29 times, seeking shared understanding and response in terms of timelines and the facts.
For the Latitude response they were financial sector working groups, getting all the right people into a room to ensure our response was joined up and informed by best practice. For future incidents, the working groups will be very different – with differing needs for different responses requiring bespoke approaches.
The second thing I have learnt through the response to Ebsworth is that transparency can be very challenging. While information continued to develop, I was presented with decision points where I needed to balance releasing information in the interest of transparency or the public interest, while not compounding the harms or building concern or anxiety in potentially affected individuals.
In all, 65 Government agencies were involved in the breach, which exposed substantial sensitive information. For instance, these included the AFP and Department of Home Affairs – two lead agencies central to the cyber incident response, who were concurrently having to deal with their own data being exposed.
A good example of the transparency challenge would be information relating to claims for recipients under the NDIS. While there is some benefit in getting that information into the public domain early on, I made the decision to allow HWL Ebsworth to notify individuals through NDIS providers and caregivers first before making the information public. In my view, this is the right decision, noting the central role the Information Commissioner inside the Attorney-General’s portfolio has when it comes to Australian citizens’ personal information.
Those notifications are now substantially complete, but I stress that there are still some affected people who have not been informed. Cyber incidents take significant time to work through. Our coordinated response with the Australian Government, states and territories with HWL Ebsworth lasted over 16 weeks.
The third thing I have learned is that you have to build a relationship with affected entities, at multiple levels… quickly. I’d prefer my first contact with CEOs not to be in the middle of an incident, but in this case my dealings with the leadership and incident response team at Ebsworth were excellent – built solely on trust and transparency.
In the future, having working relationships – especially with big companies and sectoral groupings – will be possible through the way we have prepared together, particularly through the national exercise program, which I will cover briefly now.
One of the ways we prepare to manage and mitigate future attacks is through “tabletop” – or sometimes even “cyber range” – scenarios that allow us and industry to test plans and processes, and understand organisational and operational priorities.
Exercises also help identify areas for improvement or additional investment, developing relationships between organisations and individuals that will pay off during an actual incident.
While the Australian Cyber Security Centre has been running technical exercises for some time, holistic national exercises are now running in critical infrastructure sectors, concentrating on the management of consequences. They are designed to test processes in the event of industry cyber-incidents that require government engagement to manage flow-on consequences.
The Minister and I recently had the opportunity to attend and participate in a telco sector exercise in Melbourne, hosted by Telstra. An impressive number of industry stakeholders, regulators, and government agencies took part in this nationally-coordinated exercise. This program will enhance preparedness and incident response capabilities nationwide. We are learning lessons every time we exercise. We must continue to practise, learn and practise again.
Before I wrap up, a quick word on culture.
I’ve spoken much about my role and the need for a coordinated response to cyber incidents. But implicit in that approach and within the Cyber Security Strategy is the shift we need in our national culture.
We need to evolve our thinking and our practices around cyber security. We all need to take responsibility and we all need to play our part.
The Government can do a certain amount of the heavy lifting: regulatory frameworks; cyber security policies; bringing cybercriminals to justice; awareness and education; public-private partnerships; and the promotion of course of a culture of cyber security.
But the private sector needs to improve its governance, including audits and risk assessments, and the development of its own policies, training, practices and its own cyber security education and culture.
I was warmed to hear Richard’s reflections earlier on the approach Westpac is taking with its own staff when it comes to social engineering.
This mindset needs to flow down to individuals in their uptake of simple home defences. We talk about it all the time, but we still need better take-up for us to succeed collectively going forward. Topics like multi-factor authentication, software updates, patching and security subscriptions. And understanding how to protect ourselves against the most prevalent of online scams and phishing intrusions. You can expect to hear more from me and others following release of the strategy in this area.
The path forward necessitates everyone lifting their level of self-sufficiency. That’s not to say that government will be vacating the field — far from it. But it will allow us to equally address the big picture, which is the goal of the Cyber Security Strategy 2023-2030 — to create a cyber-resilient nation.
In conclusion, I offer that in industry and government we have expertise that embraces world’s best practice. We have some very tough, very clever cyber professionals who are taking the fight to those that would seek to do us harm.
But make no mistake, by 2030, the global cyber threat environment is going to look very different to how it looks today. As we heard earlier, AI and Quantum are coming like a freight train, presenting legislative and security challenges we are seeing play out around the world.
The strategy will put us in the best position to make the most of the opportunities that the next period will have to offer, and that’s good news for every Australian.
But like all nation-changing pieces of work, we can’t do it alone. We are dependent on individuals, on all levels of government, business and industry to make their own contributions in keeping us safe, protecting our economy and preserving our uniquely Australian character.
And I don’t think anyone would disagree that working together, united in a common cause, all driven by a great strategy is the way forward.