AFR Government Services Summit
28 April 2021
Michael Pezzullo AO
Secretary, Department of Home Affairs
Thank you everyone. I'm conscious that I'm following a Cabinet Minister responsible for Government Services. And he is very committed, passionate, and drives us very hard on Government Services. I'm also just following a panel of colleagues, including the Secretary of Prime Minister and Cabinet at the head of the public service, as well as my good friend and colleague, Rebecca Skinner from Services Australia.
Given that we are a little bit hard on time, we’ve done a bit of adaptive, agile, disrupted activity, we've turned this address into a very brief set of remarks, and that will get us back on track for the most important bit of the morning, which will be your morning tea. So I won't let you be too fatigued waiting to hang out for that cup of tea or bit of pastry. A couple of key points, Tom, then we might revert to our discussion.
Point one: all of the issues that you canvass here today, including those which Minister Robert spoke about, and that my colleagues, Phil Gaetjens and Rebecca Skinner spoke about, need to be made by a secured digital environment that has got trust as a social compact with citizenry. That their data is being well-stewarded and protected. Not the subject of loose controls that sees critical personal information leaked out. And everyone here in this audience knows that we can always try harder or do better. And nonetheless, the adversary of—and I'll refer to the adversary—be they transnational state actors or transnational criminal actors, or sometimes those actors acting in concert, will always be trying to defeat or best our defences. Let me assure you.
So the key take outs that I have derived over three-and-a-half years of being the Secretary of Home Affairs, with policy and regulatory responsibility of cyber security, is that cyber security is very important. I would say that it is not an extension of your ICT function, as important as your ICT shop is. And your cyber security vendor is typically—no matter how good they are—likely to be seeing more than half of the picture. And all the colleagues in the room, who are in cyber security companies - thank you for the great work that you do - are the equivalent in our houses of locks, burglar alarms, fire alarms and the like, you're doing really important work. But if you think running a government agency or running a private company that delivers services, that you've acquitted your responsibility to your shareholders, to your citizens, to your board, by ensuring that you've got fire alarms, smoke alarms, padlocks, motion detectors, CCTV cameras, and there's not someone out there fighting crime, then you've only done half the job. But of course, in your business and in your home, you shouldn’t have your own private way of fighting crime. You shouldn’t, because we consolidate those functions in the state.
We have the police force. We have security intelligence. We have signals intelligence services. We have cyber security agencies. It's a deeply important partnership between our government agencies and service providers in the private sector—particularly cyber security companies and those who provide an increasingly bundled and integrated service. Together, government agencies and the private sector are increasingly being brought into this domain more directly, rather than from the distant abstracted heights of national security; signals intelligence; and covert activity. It's a very difficult balance to achieve, dealing with highly sensitive information and having it redacted or declassified to a point where it is actionable information that companies, state and territory governments, local councils, hospital networks, and not-for-profit providers can deploy onto their networks. This is being addressed through a number of initiatives in the cyber security strategy announced last year, that Mr Robert I'm sure touched on earlier, specifically the critical infrastructure initiatives that sit within that strategy. Further, the data sovereignty and hosting strategy that both in the cyber security strategy, and work that the DTA is doing in relation to Australian Government data hosting, and especially, the Trusted Identity framework that we now have with the states and territories, shows that partnership with the private sector in an increasingly interoperable fashion will continue, with the DTA leading initiatives across the economy.
Can I conclude, just these initial remarks on top, just to—they actually said tap dance, but that would be a waste of your time, both for me—just so that Tom can recompose into a conversation so hopefully, that fits the bill of tap dancing. Just a couple of observations and then I'm keen to have that discussion with Tom.
One, in the Commonwealth Government, and Phil as Secretary of Prime Minister and Cabinet, has been driving this very hard. And were it not for his passion and determination, we would not have gotten to the position we're in now. But the DTA has been positioned, some would say restored, to its rightful place in the Prime Minister's portfolio as a central agency with a Cabinet Minister sworn to the portfolio, and the former government services sworn into Defence portfolios for the purpose of oversight, overseeing digital transformation. Now the initiative that Randall and his team is leading, along with their colleagues in the Department of Finance under Rosemary Huxtable to take a genuinely and truly integrated view of the almost $8 billion worth of digital ICT investment, of getting value out of that at scale and link into the cyber security, data security, and identity security issues that I've just touched on. We've now organised government. Tom mentioned the bringing together Home Affairs. If we didn't organise the domestic security, law enforcement and all the other functions that we perform, you wouldn't have the effects. And so having now organised for digital in the way that we have, and thanks to Phil and his leadership, I should briefly mention the leadership of Kathryn Campbell, who will stay on as the Chair of the Secretaries Digital Committee. I've been on the Secretaries Board for seven years. We've never had the depth of conversation - partly driven by COVID, no doubt, as you would have heard in the previous sessions. I've never had the depth of conversation at a very, both strategic, but also fine grain and tactical level amongst secretaries that I've witnessed in the last two and a half years, in particular the last year and a half, and I've been on the Secretaries Board for seven years. 
That's a real testament to Phil's leadership, to Kathryn driving from her full portfolio vantage point, and Randall you and your team, thank you for all the great work that you and your team do to get us to this point.
My final comment, and perhaps because I’m very rarely given to making provocative comments I'll just make one. I see digital and IT vendors here. We really value the work we do with you. But we're scaling. We're consolidating. And the edict that is coming from Government is that we will engage in fewer procurements at larger scale and will reuse each other's capability.
So a lot of you have to rethink your business plans, because you'll be losing your margins that are being typically built into your forward revenue estimates. I'm just looking at some of the colleagues I know from the private sector and you're quickly redoing the numbers. Your margins will shrink because you'll win bigger contracts, but fewer of you will win them. You need to get ready for that fight, that private-commercial fight, and you can't say that you haven't been warned. Thank you very much.
COMPERE: Thanks very much, Michael.
TOM BURTON: Tap dance is probably the best way to describe that. So thank you very much. The discussion about cyber. Are we just doing an endless game of whack-a-mole, from your perspective? Watching it now for a number of years in Home Affairs, is it just going to be endless breaches here, fixes, mitigation, et cetera, whack-a-mole? When do we get it? What's our end-game here?
MICHAEL PEZZULLO: The best analogy I can give is one that I've used previously, but I'd ask Tom he not read too much into it. And it relates to the onset of aviation. You go back to the very late 19th century, but particularly the early 20th century, and finally heavier than air aviation started to become a thing. People say: oh, this is interesting. This will get humans from point A to point B. And then someone else came along and said: oh, you could get mail and cargo from point A to point B. And someone came along and said: actually, if you knew where you're going between point A to point B, but on the way through you could fly over an enemy military position, you could drop a bomb on them. First occurred in 1911 in Northern Africa. But hang on, if they're going to start dropping bombs, we might have to figure out a way to disrupt that bombing and either intercept that aircraft to make—prevent it from taking off—and you can see how it evolves. And so then you get biplanes, you get propeller aircrafts, you then get turbo jets and it goes on and on.
There's no point saying that there's a terminal point on cyber because it's like saying, we're finished with aviation. It's a domain, it's a domain that humans took a while to get to—it's like space, it's another domain. And it's now just going to be an endless cycle of positivity, of connection, of benefit but also malice, evil, it's a place where paedophiles lurk, it's a place where some criminal groups are saying, you know, the cost-benefit of moving drugs versus simply ripping off credentials or engaging in ransomware, I might change my business model. It's a domain and there's no point getting too anxious about it because it's better to embrace that as a reality and then think about this constant action and reaction cycle.
TOM BURTON: And in that reaction cycle, what's the balance between, if you like, offensive and sort of defensive cyber?
MICHAEL PEZZULLO: Well, the Australian Government under Mr Turnbull announced an offensive cyber capability in 2016. We've not discussed it much since then and I don't propose to give, we've done enough focusing on key strategic issues this week, Tom.
So, we've declared the capability, it's a known capability. Mr Turnbull announced it. It was repeated and not further amplified quite deliberately in the 2020 strategy. It goes without saying that your defensive measures. So, whether it's the analogy of the household burglar alarm, the locks and the rest of it, that is absolutely the base for all capabilities.
You then have a police force chasing criminals within your domestic jurisdiction and then you engage in international efforts to push back against the most dangerous criminal groups. Cyber's another domain. We employ the same layers of strategic effects as the incentive for cyber activity often is economic - criminals wanting to make use of data.
TOM BURTON: How do we change the big picture drivers of cyber, the economic proposition? We've got, obviously, state actors as well. But within the broad criminality piece, how do we start changing those infrastructures?
MICHAEL PEZZULLO: Well, it's an extension really, less of the aviation metaphor and more of the household security metaphor. If you have no police force and if you had, in any given suburb, an ability for local street criminals to literally be able to say, I know every house is unlocked, most people leave their wallet or their personal credentials in their letter box, most people don't have alarms, most people don't have CCTV. The costs of crime would so reduce that you would have people just roaming around our houses and just lifting stuff.
What have we done over time? We've hardened our own personal perimeters, you know, with varying levels of sophistication. And it's no different in cyber. There's a responsibility that starts at each device, each terminal point of a network and then, of course, you get to the network and so on and so forth.
So, it seems to me that the balance of, if you like, you call it offence and defence, is one thing, but the other factor to have regard to here is that cost of crime is a business factor for the criminals. The lower you make your cost, the easier you make it, the more volume crime will go to that outlet, like water. Water will just find, you know, an easy way.
The harder you make it, the more sophisticated the techniques that they have to employ, frankly, the more signatures that they potentially give off because the more sophisticated ironically, their techniques are - the more chances there are for them to be detected.
So, what we need is the whole economy to raise its hardened posture, Government networks and business networks to be extra hard. Obviously, the most sensitive Government information is already highly protected and that starts to change the calculus of both the economic actors, but frankly also the state actors as well.
TOM BURTON: For the role of sovereign data in that piece, we obviously, start to get very anxious about that and what data should be kept locally et cetera. How do you see that evolving?
MICHAEL PEZZULLO: Well, two parts. In terms of Government services, the Government now has had for the best part of not quite 12 months, but last year, the Government announced its hosting strategy. So, the Government is a big consumer of data services so that it can then turn those data services into the citizen services that you've already heard about and you'll hear about more through the course of the conference.
So we've got a lot of market position and posture in terms of just the data that we consume and by having the hosting strategy with an enforceable dimension to it. And what I alluded to earlier is important here. The DTA's role is as a central agency to vet and to ensure conformance and alignment with that strategy or that will actually be market forming. And I've said in other fora, and I'll say it again and no doubt we'll be saying this before a Parliamentary committee. The key decision then for a government will be—and I certainly don't want to pre-empt what decision Minister Andrews will make with the powers that might well be graced to her office through the passage of the critical infrastructure legislation—is the extent to which both Government and private data is regulated with certain restrictions and obligations that will be nominated and designated by the Minister on the advice of officials under the systems of national significance legislation which comes into effect, should the Government's legislative proposals make favour with the Parliament, on 1 July.
So, both from the bottom up, if you like, of the application of the DTA hosting strategy across every single procurement. And I think mention has already been made of the work that we're doing on a digital passenger declaration through our permissions platform. We will be exemplars, I've given that commitment already to the Home Affairs Minister, to Randall as head of the DTA. There's no point in us being the regulators and enforcers if we're not the exemplars ourselves. So, we certainly will require our successful provider to conform with that strategy. And that will have onerous and stipulated considerations around where the data is, how it's hosted.
I think inevitably, as we lift these standards across the general economy, I think you'll see market forming behaviour domestically. You'll see a sovereign data capability start to emerge because simply meeting the stipulated requirements, whether they're about security clearance holders, whether they're about the physical configuration of facilities, whether they're about the ability of our people to audit exactly where the servers and racks are. I think, inevitably, whether you're an Australian company, there are great Australian companies that are in this field, or whether you're a foreign company that's seeing what the opportunity is opening up in Australia where you start to build local capability, I've got no doubt that a sovereign data industry, even beyond what's been achieved in the last few years, is very much a growth sector of the future.
TOM BURTON: And within that sort of critical infrastructure you mentioned, the management of supply chains to me seems to be one of the weaknesses in the system. Do you see that getting hardened up over time? The major big private companies, big government agencies need to really understand and work with their supply chains to ensure that resilience and security?
MICHAEL PEZZULLO: Well, I think if you just follow the logic of what the Minister was saying earlier and what the panel members said earlier, if you're putting certain obligations, both in terms of the content of the data, which is, you know, whether it's tax information or personal health records and or you're putting obligations on networks and infrastructure, which is more the critical infrastructure angle through the cyber security strategy, you've got this twin effect starting to emerge there where companies who deliver those data services say to the Government or potentially to private regulated entities such as banks, telcos, electricity companies and the like. They'll say, well, we're going to be audited across our supply chain. It won't just simply be some lived assurance that we know where our data is, or we know that identity controls are in place because the obligations might well be - and this will be sector specific and data content specific, but there will be varying degrees of granular detail. And you'll let us know your supply chain - where are the servers? You know, right down to where do I secure and source my racks, my servers, my modems. I mean, this is part of the 5G discussion, which is a completely different but analogous discussion. Unless you can assure your supply chain right down, in some cases to the manufacturer of the board, you're simply not going to pass muster.
TOM BURTON: In switching to the cyber perspective, a lot of people think, cyber will be the first battleground I'm going to lead you, you know I'm going on this is probably the first battleground and that will be the battleground, that will be the first front. Is that your view?
MICHAEL PEZZULLO: Well cyber is already contested space. So when you say the first battle ground, I'm not quite sure what -
TOM BURTON: [Interrupts] Drumbeat of war, if I could make that observation.
MICHAEL PEZZULLO: I'm really unsure as to why you'd be raising that, Tom.
But the Australian Government's been very clear, and if you're referring to my Anzac Day message to my staff, it was a lament—and the PM repeated this yesterday—for peace. It's soldiers who—and I referenced a couple of American five star generals, because it's the 70th anniversary of ANZUS coming up—and I drew attention to two largely forgotten speeches, one by Eisenhower, and one by MacArthur. Eisenhower is very well remembered for his farewell address as President, where he talked about: you've got to be careful about the military industrial complex, you've got to be careful that this sort of self-perpetuating machine of the demand for war creating, you know, demand for war machines.
And Eisenhower's remarks have gone down in the ages. He gave a less remembered speech actually quite early in his presidency, 1953, which says: we've got to constantly be searching for peace. And I heard the Prime Minister, yesterday, say the same thing at a press conference—where he may or may not have been asked a question that may or may not have been about my Anzac Day message—where he said: the Government's policy is constantly to be working through effective statecraft and diplomacy, but also preparedness. He made explicit reference to the investment that the Government's made in our defence capability: constantly searching for peace in a way that's vigilant as to the risks, but in a way that not only presumes that others want peace, but we're all actively working towards it. And that's the Government's policy, and frankly that should be all of our objectives. And the lament that I think we should allow ourselves on an Anzac Day is, if only the same striving for peace, along with, as Minister Andrews said, being alert to risks; if only the same vigilance, as well as the longing for peace had been in evidence in times past, perhaps fewer would have fallen. I think it’s an entirely reasonable point to be making.
TOM BURTON: [Interrupts] Yeah. I thought it was a very personal observation that you'd thought about this a long time. What was your thinking behind making the statement?
MICHAEL PEZZULLO: I just really draw you back to the text. I mean, I'm here to talk about government services, but it's a fair question that you ask. It's a very personal lament for those who have fallen in the past - surely, on Anzac Day of all days we should be, if nothing else, conscious of their sacrifice; and just grappling with this challenge of constantly seeking to find peace.
TOM BURTON: I was interested in the observation some people had that a Secretary should be seen but not heard. What's your-?
MICHAEL PEZZULLO: [Interrupts] What happened, you invited me here?
TOM BURTON: Thoughts about that? The role of secretaries?
MICHAEL PEZZULLO: Well, I wasn't, I wasn't here for Phil's remarks as the Secretary of Prime Minister and Cabinet, but I'm sure that they would have been outstanding remarks. And I had a quick hand over chat with him on our way up, and I think it's terrific that secretaries occasionally venture forth onto the stage. But if you don't want me back, that's fine, Tom.
TOM BURTON: I'd certainly encourage it. I've long said I feel that, you know, the senior level of the bureaucracy needs to lead, and lead means having views, and we shouldn't be shy about that.
MICHAEL PEZZULLO: Well, with one caveat, it's Ministers who are elected and they make the final decisions about policy, and that's as it should be. Because one of the values that we cherish, and indeed one of the values that we mournfully and sorrowfully have to lament and commemorate on Anzac Day, is that ability of a democracy to make its own decisions, to be guided onto very difficult balances where there are often trade-offs—I mean, have a look at the COVID issue, which is a trade-off between health and economics—ultimately can only ever be vested in those who are elected by the rest of us, by all of us to represent them. And it's terribly important that when secretaries speak, or the heads of agencies, we speak about matters of strategy and implementation and administration, but not of policy, which always is a matter for an elected minister.
TOM BURTON: But you do have views and I think it's great for people to see those views?
MICHAEL PEZZULLO: Well, it's no different from me in response to your question, thinking about and teasing out the considerations about the never ending challenge of cyber, for instance. There are certain factors that are self-evident. It'd be defying physics to say that cyber's going to vanish tomorrow. The exact policy position that the Government lands on in terms of the cyber security strategy—I mentioned earlier the declaration that was done by ministers, decided by ministers about offensive—questions of policy must always be settled by ministers and announced by ministers. But within those parameters, I think it's, whether it's Phil speaking as a Secretary of PM&C, whether it's myself, Brendan Murphy. I mean, Brendan's a great esteemed colleague, every second day, quite properly, during the pandemic, he’d stand up and we're reassured by the presence of the official - not the decision maker, there's no doubt in anyone's mind that it's ministers who are making decisions, the Prime Minister and his ministers at the Australian Government level, and through the National Cabinet process - the Prime Minister, the premiers and the chief ministers. No one's in any doubt as to who's making the calls and calling the shots. But I think having my colleague Brendan out there explaining things that not many of us have thought a lot about – epidemiology. I mean, who would have thought that there's a particular technique to doing a cough in the crook of the elbow? The reproduction factor of a virus for example. There are some people who spend their lives expertly working in these fields for 30, 40 years, and they do terrific work. But having someone who can then translate that into accessible information in a way that Brendan can, all credit to him. And he's done a terrific job helping to lead the public confidence and public awareness of COVID.
TOM BURTON: And I think it's a good example where, you know, people want to hear the official's view. Sometimes we don't want to hear the political view, we want to hear the view of experts, the view of domain specialists?
MICHAEL PEZZULLO: Well look, can I just- Tom, you and I've known each other for, for a long time…
TOM BURTON: [Talks over] Too long.
MICHAEL PEZZULLO: … in fact, I've known Tom ever since I had about as much hair as Tom's got. So he somehow managed to retain his. I just- I'm not going to put it on a, you know, in a direct sense, but, but when ministers, prime ministers, premiers speak, people say, well, you know, we're hearing from the politician. They are elected by the people to strike the right balance, to explain the balance that they've struck - and it can be, either in matters of war, you asked me about in matters of cyber, and matters of health - and yes, of course, they benefit from expert opinion. And we give very frank, I have to say, very candid views - much more forthrightly than anything we ever say publicly. But I think it's just terribly important that the sacrifices that they make, on both sides of the aisle and at all tiers of Government, is honoured and respected. Because I have to say, as someone who's worked very, very closely with ministers, prime ministers, going back a very long time, all of them, all of them swept those balances. They're always constantly seeking, am I making the right call? Have I got the balance right? In cases, in some cases, am I sending people into harm's way; in other cases, are we setting up the cyber resilience; in other cases, have we got the right balance between COVID public health imperatives and economic imperatives?
I just see this dichotomy of, well let's hear from the experts and, you know, we'll sort of dismiss the politicians, I just think is- I won't say it's disrespectful - but it's diminishing of the work they do. And I'm saying this across all tiers of government, across both sides of the aisle, incredible work they do to get across their briefs, the deep - and I can tell you, when you're sitting in front of a PM or a senior cabinet minister, and they're probing in and they've read page 63 of the submission and they're saying, explain how this works to me. Hang on what, what is the case for this, what's the evidence for this? We're not dealing with people who are engaged in, what might be inferred from your question, as people who are just constant- as public figures are just constantly engaged in political narrative spin, and-
TOM BURTON: Sure. But CEOs of all organisations, you know, we've got [indistinct]. So, it seems to me that public sector organisations - Home Affairs, very large organisation - you're speaking to that group, you know in your letter.
MICHAEL PEZZULLO: That's perfectly valid. I think we're just grabbing and groping. As long as there's one parameter of law that's understood and respected. Ministers are obligated, mandated, and indeed have the sole legitimacy to set policy. Within that, I think there should be quite expansive discussion, as long as it's understood that elected officials, ministers, typically, and, you know, at all tiers of government make policy.
TOM BURTON: Thank you. We're well over time. I'm keeping everyone from morning tea which is waiting up there.
Thank you, Mike, for coming along.