Safeguarding Australia Address
3 March 2021
Michael Pezzullo AO
Secretary, Department of Home Affairs
Government is back in business.
Governments do things. The era of the deregulatory state, the state that is passive, the state that is the holder of the regulatory framework, still, of course, applies to many endeavours of public policy, and that is a very good thing. But in my experience, whether in the defence world that you were touching on earlier, which I left some 12 years ago, subsequently customs and border protection and then immigration and border protection and now Home Affairs, the work has always involved direct delivery of outcomes under the direction of a democratically elected government.
And that’s what I think distinguishes governance in this age, and I think the historians will look back, particularly on this period. I'm not just speaking about the pandemic, although that's obviously a clear gravitational pull where government got back in the business of doing things. Now, I don't in any way seek to disparage or diminish the work done by colleagues elsewhere, or indeed at the moment, where broad regulatory frameworks are set, funding agreements are struck, and either markets or other entities deliver the outcomes. There is still an important role for that—however, in an area where state actors are much more aggressive, including in the shadows. My thesis there, being that grey zone-conflict has never really left us but it's just become revitalised in the imagination, public imagination, with a new label known as grey-zone. I would argue that grey-zone conflict is as old as the existence of states, and probably even exists prior to the formation of states several millennia ago.
Whether it's grey-zone conflict, the power of transnational criminal groups that have got significant capabilities, both technological and financial and otherwise, whether it's the role of digital technology, companies play in the very fabric and being of our society, including the impacts they're having on things like public interest journalism and the addictive effect of social media, whether it's the coupling of strategic competitors in global supply chains and technology such as 5G telecommunications, for those reasons and more, for reasons that hopefully will become apparent through the course of this address, the state is back in business.
The state is active and has to therefore be accordingly organised in order to fulfil this mission of delivering. Its structures have to be balanced. Functions have to be clearly assigned within those structures. Leadership has to be put in place, which is very much characterised by clear thinking, strategic acumen. Whether you're dealing with disinformation, misinformation, cyber and all the other things that we'll touch on in the moment, it's very much about the can-do official partnering, of course, under the direction of democratically appointed ministers, partnering with the private sector to deliver outcomes. You've got to have a workforce that is attuned to can do. It can't simply be a processing workforce or a regulatory workforce that stands one or two or three steps back from operational impact. There has to be clear mission focus and there have to be clear accountabilities in terms of the assignment of those missions, both in terms of the lead agencies or personnel and those who support them.
All of that is by way of a background canvas and I just want to reflect on the journey that Home Affairs has been on within the context that I've just painted. In 2017, the Coalition Government, had been in power for the best part of three and a half years, and I rely for this perspective on Mr Turnbull and his public memoirs. I rely on no other information, including anything that might have imparted to me through confidential discussions.
I refer you, to Mr Turnbull's memoirs. He made it clear that, after being in government both as Prime Minister in his case for several years and as a cabinet minister, and in consultation with his colleagues, he'd formed the view that whilst operational and tactical coordination amongst agencies in the domestic security, emergency management and law enforcement space was more than adequate, we more than held our own, strategic leadership coordination, planning and deliberate preparation to both reduce risk and manage crises as they emerge, was lacking. If you read the relevant chapter in his memoir, he was particularly focussed—and I do recall this at the time as an official member of NSC, in my role then as the Immigration and Border Protection Secretary—the most prominent salutary driver for he and his colleagues at the time was actually critical infrastructure and foreign investment in critical infrastructure. The government, to not put too fine a point on it, was underwhelmed by the lack of coordination and the lack of ownership of clear and direct advice to government on particularly sensitive foreign investment bids.
The third process was strengthened. David Irvine, of course, was appointed as the chair of the FIRB. Treasury was directed to improve its national security work, and the journey started. I very much saw it, I'm delighted to say, firsthand or at least one step removed in about the middle of 2016, and it culminated in the announcement in 2017 of two profoundly important initiatives - the restructuring of our domestic functions around Home Affairs and the creation of the Office of National Intelligence.
With that change in 2017—and I'll go into a few other vectors beyond foreign investment and critical infrastructure when I come back to a number of issues of substance—finally was put in place, the three big action engines or the three big pillars of national security. Defence that had been brought together in the 1970s under reforms proposed by Sir Arthur Tange and implemented through the Fraser years, the prime ministership of Mr Fraser in the middle to latter part of the 1970s. Foreign Affairs and Trade, which had come together as an integrated entity in the 1980s under the leadership of Prime Minister Hawke. And the third, and indeed, some of us would have contended a missing pillar or the third missing action engine, was Home Affairs. After decades of fragmentation of effort, we finally had put in place, through government direction, the three big engines of national security, the doing engines. On an issue of national security, it's impossible to conceive of a circumstance where at least one, two, and in some cases, all three of us aren't going to be involved - Defence and Foreign Affairs and Trade essentially to use sporting parlance - they play the away game and then there's the home team in Home Affairs.
However, the government also took a decision informed by the intelligence review that was led by Michael L'Estrange and Stephen Merchant to also significantly upscale its intelligence effort. For many years, the Australian intelligence community had very much been a foreign intelligence community, with the exception, of course, of the sensitive security intelligence work performed by ASIO. The Government at the same time, as it announced the Home Affairs changes, also announced an expanded remit in relation to national intelligence that would bring in border customs and visa intelligence performed, at that stage, by the Department of Immigration and Border Protection, now the Department of Home Affairs. Policing intelligence to directly support AFP operations, national criminal intelligence, including that gained through sensitive technologies and also through sensitive coercive examinations by the Australian Criminal Intelligence Commission, National Criminal Intelligence Studies, and the intelligence functions of AUSTRAC, which is our anti-money laundering and counter terrorist finance authority, which generates a goldmine of lawfully acquired financial intelligence information that pertains to crime, money laundering, terrorist finance and more to boot. AUSTRAC's profile has certainly increased in recent years.
On the one hand, Home Affairs, very much top-down, driven by the Prime Minister. And I have to say, Jason, in response to what is at times the juvenile notion that Prime Ministers can only act on reports that have been given to them or studies done by supposedly eminent or expert observers and they can only act on the machinery of government in response to those reports, I would counter with the two other examples I've given. The defence reorganisation in the 1970s certainly wasn't done as a result of an eminent person's review or indeed a consultant's report. We didn't have consultants quite as well as we are so well graced these days by consultants. And certainly in the 1980s, the Hawke government was very determined to bring Foreign Affairs and Trade together again, with some senior officials pursuing that as an objective for well-reasoned- with a well-reasoned rationale, but certainly not as a result of some external impetus. The thought that a government can only design itself in response to a report or a commission of inquiry or because some eminent think tank expert has so recommended it, is frankly juvenile. That said, the ONI reforms were certainly suggested by Mr L'Estrange and Mr Merchant, but the Home Affairs changes were very much driven by the Prime Minister and his senior ministers. And again, I commend to you Mr Turnbull's description of that period in his memoir.
By the middle part of 2017, with a six-month implementation phase for us that culminated in the establishment in December of 2017, the three big action engines of national security had been put in place: Defence, Foreign Affairs and Trade and Home Affairs. The analytical, informing and assessment, pillar or layer was put in place with the expanded remit of the Office of National Intelligence that brought in all of those non-traditional and typically non-foreign intelligence functions. And then, of course, there's the crucial national security coordinating function that's traditionally always been performed and quite rightly so in PM&C.
I want to stress in the pandemic, the bushfires and other supposedly or so-called non-traditional security issues have spoken to this; that core architecture of three plus ONI and PM&C, the big five, as it were, operate on a modular basis with other departments that plug in as required. I'll give you a couple of examples.
Our colleagues in the Industry, Science, Energy and Resources Department plug in on things like fuel security, on things like the national security aspects of science and research, the national security aspects of resources and energy. Otherwise, the crossover in the manufacturing policy area between commerce and national security. We have very close relationships with David Fredericks and his department in Industry, Science, Energy and Resources. Similarly, with Secretary Atkinson, Simon Atkinson, over Infrastructure, Transport, Regional Development and Communications, very deep links. They plug in on a whole range of issues we could talk about through the Q&A, whether it's telecommunications security, the 5G, policy parameters that were announced in August of 2018, whether it's to do with transport and infrastructure, the security aspects thereof, whether it's to do with the law enforcement and national security aspects of our ports, be they aviation ports or seaports, there is very much a plug and collaborate model with that department. Education increasingly so, universities particularly have become sites of geopolitical competition in terms of influence, and indeed, at times, interference. There's always risk, national security risks around the research funding and the research activities undertaken, particularly in universities and advanced institutes of study.
We have a collaborative arrangement with our colleagues at the Department of Education—again, they plug into that national security architecture that I described. We have a very close relationship with the Australian Electoral Commission. They actually don't need to develop a sui generis or ab initio deep knowledge of foreign interference problems, because they plug into our countering foreign interference area and they work in collaboration, particularly but not limited to, the lead up of elections. I touched on Treasury before in the last few years, particularly since that period where foreign investment decisions start to become more prominent from a national security point of view, Treasury has scaled up its national security practice. And again, we have a very modular national security architecture and Treasury plug in and collaborate with us as required.
Health, well everyone's seen how we've worked together with health. They've led on the public health and clinical response. We have led on logistics, everything from our supermarket supply chains to ensure that essential supplies keep flowing through to consumers, through to the telecommunications challenges involved in keeping people at home safely, including working and studying at home, and so on and so forth. We do a lot of work with agriculture. We've got the prime lead on plant and animal biosecurity. They are also responsible for biosecurity legislation generally, and we do a lot of work with them in the scenario involving, God forbid, a massive breakout of a biosecurity risk in our lucrative agricultural industry, which could potentially cause great economic harm to Australia. Again, Agriculture can come to that national security apparatus that I've described. It's very modular, they can be plugged in. They don't need to develop little stove piped standalone entities.
These arrangements—and I could speak of a few more but I won't—allow us to undertake deliberate planning through that modular collaborative approach where the big three are constantly assessing the intelligence, looking at the risks, working with ONI and the intelligence community to give us as much of a lead time and warning of problems as they emerge. [Additionally,] we can plug in with those other departments and undertake more deliberate planning to be better prepared for crisis response. Scale also allows us to flex and surge in the face of a crisis - that's been evident through the pandemic and you've probably heard me speak in other fora about our ability to shift resources from areas such as visa processing to assist with pandemic response, for instance.
We can also, through scale, better target our efforts so that areas that were perhaps not operating at scale, potentially tended to be quite specialised in other departments. I'll give you an example. The Transport Security Function in Infrastructure and Transport portfolio, was reasonably small scale. We've now been able to plug it into a much larger architecture where they're not limited to the regulatory functions that the Transport Security Act lays out. But we've now transformed that area into an aviation and maritime security division that has got a holistic view of security in our ports and airports, including from the point of view of transnational crime, supply chain penetration, as well as the post-9/11 transport security regulatory regime.
This also allows us to put in place better workforce planning to have a more flexible functional model for our workforce where people have got broader career choices and also allows us to address those organisational issues that I mentioned at the start of this discussion in terms of how we layout functions in alignment with structures, how we assign accountabilities and so on and so forth. I'm a long-term public servant so I get excited about that but I don't necessarily think that everyone on the call will be as excited, so, I'll just pause those public administration observations.
Let me conclude with a couple of other areas of content. I've touched on foreign investment and the critical infrastructure work that is collaboratively processed by ASIO that looks at threat, that critical infrastructure centre in my department that looks at risk. We support the staff in Treasury who support the Foreign Investment Review Board who look at all national interest factors, not just security factors, in terms of making recommendations to the Treasurer. That's one example which I've already touched on.
Emergency management, we've really scaled - and you'll see this further in terms of the Government's response to the Royal Commission we scaled from an entity that was very much focused and was a centre of excellence in terms of coordinating fire and emergency services responses. Through the pandemic, particularly, we've broadened out the remit of the emergency management function to include all national coordination to support other agencies in a crisis.
Only just today, we've put in place some further support to assist the Department of Health with a vaccine rollout - I touched on things like supermarket supply chains earlier - and you'll see that institutionalised in the Government's response to the Binskin Royal Commission which was into bushfires, but more generally natural disasters.
The Government's already announced the broad shape of what it intends to do. A beefed-up EMA working with a national resilience authority or entity in the Prime Minister's portfolio that will do the longer-term risk reduction work, and the disaster preparation work, and indeed the rapid response in terms of relief and reconstruction.
Foreign interference is a topic of some interest in this conference. At about the same time in 2016-17, the then Turnbull Government and again, Mr Turnbull deals with this on the public record in his memoirs - become increasingly concerned about the re-emergence - not that it ever particularly went away completely off the espionage threat, but also the maligned foreign influence in them at the most egregious end of the foreign interference threat.
We have bundled those functions, probably uniquely in the world, where we've combined strategic communications, particularly in relation to target communities, social cohesion, typically what used to be called multicultural affairs - now, more broadly, community engagement around social cohesion. We work with the AEC, as I mentioned earlier, on the resilience of our electoral processes. We're working with education on things like civics and even entities such as the Museum of Australian Democracy on awareness of our democratic practices, institutions and histories. The sharper end of the blade is, of course, ASIO, and increasingly, the AFP. We've got a counter espionage, law enforcement investigative function that we can also touch on.
Cyber, I know will be expanded upon by Hamish Hansford when he speaks to you. But we're really taking a more holistic view to cyber which goes beyond perimeters and networks, as important as they are, and we're looking at issues. The Government's announced initiatives in this regard. You'll see more in the coming months on data sovereignty and security; on anchored biometric identity to both support security, but also commerce as well as privacy; closer linkages between our data sovereignty and consumer protection and data rights work which requires collaboration across a number of departments; and working with our colleagues in communication. I mentioned earlier, a more robust approach to protecting people from online harms. [Those harms] can extend from trolling and bullying, right through to the most vile and indeed toxic, and in some cases regrettably, mental health inducing harms that, unfortunately, those are sensitive to online commentary signals and triggers are increasingly being affected there are some tragic stories that we're all aware of in terms of online harms.
At the darkest end of that, of course, is the vile and reprehensible and abhorrent practice of child sexual abuse and exploitation, especially on the dark web—which isn't even on the surface level of online harms of the Internet—but it's in the deepest, darkest bowels of the dark web.
Jason, quite a lot of ground to cover - both the historical retrospective and sketching out something of our current agenda. Happy to take the discussion over the next 10 minutes or so, wherever you want to take it. I'll leave your trusty assistant to control the muting and unmuting.
JASON: Ok, well, we've got a few questions that have come along. I'm going to lead in though from my personal interest on a range of things. A bit of introduction to those folks who have been involved in the critical infrastructure, protection and resilience space - noteworthy is the department's outreach on that. For those who aren't aware, this is going to build a pretty formidable set of relationships. I'll be really interested, Mike, in how your vision for that, of working with your team as our members of the forum of security executives; as an Australian industry group; and it's been pretty collaborative to date. But we'd love to hear your views about where that's heading.
MIKE PEZZULLO: Look, very briefly, I want to pay tribute to those staff in the Attorney-General's Department who were MoG'd across in - for those, sorry, I shouldn't use acronyms, it's a force of habit - Machinery of Government changed, MoG'd in at the end of 2017.
My reflection is this. The critical infrastructure practice that had been steadily built up over the years was excellent for its scale, but not engaged at the level of boards and chief executives. That team, because I spoke to them when they came across - and I want to pay tribute to our friend, the late Mike Rothery - with a lot of work building the capability. As with cyber, it tended to plug in at the - in the case of cyber - at the CISO level - very important - and at the, the critical infrastructure end, more of the level of the chief security officer.
Given the way in which global capital has unfolded; the way in which our state operated enterprise; the geo-economics that swirls around foreign investment, you've got to lift that up to the level of Cabinet ministers, chief executives and boards.
The vision we have is to build on the seed of the CIC, the Critical Infrastructure Centre. In the context of the passenger as we - as the Government would hope of the Critical Infrastructure Act, particularly the SOCI Act, the Security of Critical Infrastructure Act - the new version of it - which will have an incredibly important and powerful set of obligations around systems of national significance, which the Minister for Home Affairs, in consultation with the industry, will designate. That will be very much on the table or the desk of chief executives.
The message I have for industry, Jason, and I suspect quite a lot of industry participants will be focussed on this - this is your time now. If you've been down in the bowels of a large corporation, quite properly focussed on managing security risks and you can't get airtime with the chief executive, with this new era of CIC coming along, you'll become the chief executive's new best friend.
JASON: Thanks Michael. I think you've hit on a couple of really important points there, that there has to be a whole of industry response, if you're in the critical infrastructure relationships. I'll add-on a supplement to my last comment, which is very much around the supply networks - I know we use supply chain. I've come to think of them very much as a set of interrelated networks. How do you see those challenges emerging?
MIKE PEZZULLO: Jason, we could probably have a whole conference, just on that. Look, you can't ignore the discussion that's going on at a very strategic level about the integration of economies, whether there in fact is a degree of decoupling occurring between the US networked economies and China networked economies. I won't touch on that. There's lots of literature out there. The commercial model of the 90s, the 2000s and 2010, the just-in-time approach works well when there's optimal balances of resources and optimal balances of risks across borders, in terms of commerce. But when you run into a pandemic where there's a public interest benefit or a public interest imperative to override commercial imperatives, the questions arises then about sovereign capabilities, sovereign stock holdings and the rest of it. Look, we could spend all day on that.
Our role there will be to support government policy thinking, working with our colleagues in industry and Treasury, and whatever model is settled, and it's going to be certainly(*) generous to each industry; pharmaceuticals is going to be different from advanced manufacturing, [which] is going to be different from quantum computing and the like. Our job will be to use all of our levers, be it critical infrastructure, cybersecurity, systems of national significance designation, to underpin our government policy. We could literally spend just the whole 2.5 days just on that question.
And I agree, supply chains rolls off the tongue, but it really is about interconnected supply networks, you're right.
JASON: Thanks Mike. Well, I've got a question from someone in the commercial side of the house. From the perspective of people outside government, there's [indistinct] multiple intelligence agencies dealing with foreign interference. But there's a sense of them working independently. You've sort of addressed that in your talk. How do you see the construction going forward between the Australian Government, the corporate security functions? And I will say, my knowledge of ACSC [indistinct] is very significant, and ASIO as well. How do you see that as a - I guess, a correlated approach in the agencies dealing with industry?
MIKE PEZZULLO: Look, I tend to think, if you're probably close to the coalface, you probably are thinking - well, I've just had a meeting with this team from that centre and that team from that centre. But when you operate in a more strategic level and, again, these discussions are increasingly going on at the board and chief executive level, the entity's actually resolved down to just a handful, and it's not that hard to coordinate them. The harder point is to strategically coordinate the content of the approach. Very simply, the Australian Federal Police has got a unique mandate - only they can investigate foreign interference and espionage offences. ASIO does not have an investigative remit in that sense, a criminal investigative remit. Its’ investigations - they use the same parlance - are limited to security intelligence investigations as set out in the ASIO Act. The Australian Cyber Security Centre is an embedded part of the Australian Signals Directorate. They've got a very specific focus and remit on networks and perimeters, obviously, cyber security perimeters. It's [a] sibling of the foreign interference work, but frankly, spy catching and putting a spy on trial or deporting them is very different from, in terms of methodology, tradecraft and operational effects, how you secure your networks. Yes, there are some crossovers - the actors are often the same and they're often operating against the same set of instructions, but they are very different roles. And look, finally, the Department of Home Affairs, we don't conduct operations. We don't conduct the investigations. We are the policy and regulatory body. So whether it's foreign interference, which is integrated by Chris Teal, who's a serving ASIO officer but in a seconded deputy secretary role here as the CFI Coordinate, Countering Foreign Interference Coordinator. He coordinates all of the matters that need to be dealt with outside of lockdown investigations - social cohesion, advice to government on strategic communications, advice to government, on communicating in diverse languages for particularly culturally and linguistically diverse audiences, the linkage between foreign interference and multicultural affairs and so on and so forth. There is only one coordinator, and that's Chris Teal.
Now, he [Chris Teal] doesn't need to coordinate how the AFP and ASIO conduct their operational work. We're briefed on certain sensitive matters, which I won't go into, but that tactical and operational coordination is actually pretty straightforward. It's a hard nut to crack, don't get me wrong, because of the tradecraft involved. But operationally, it's not difficult. It's societal resilience, - you know, defence of your democracy, defence of your elections – that’s the harder piece in terms of complexity. And that's why you have a Department of State which has got policy authority and direct access to the minister in terms of policy legislation and programs performing that function. They are exclusive roles, but they're complementary roles and they're integrated roles. We're certainly not at all confused as to the overlaps and as to the boundaries.
JASON: Yep. Thanks. Thanks, Michael. I mean, I think I you've summed up something that's going to be very important as we move forward with issues around national sovereignty, when we have a state where so much is in [indistinct]… hands, that engagement from agencies, those of you, like myself, who are engaged with those agencies, get an insight. And I think we'll be working together to enhance that, whether it's through the defence programs or the critical infrastructure projects, out to those smaller entities that are critical but aren't necessarily in a position to have that awareness.
So I'm conscious we've come to the end of yours. I'd like to thank you very much for that. I've got a few other questions here but I won't go to those because otherwise you'd be here for a while. And let's have a chat about how we reconceptualise the supply networks in this environment. I've already part of that discussion with your team who are definitely on the same wavelength as us in industry. So thank you very much, Michael. I'll be coming back online by myself to introduce our next team. [Indistinct].
MIKE PEZZULLO: Thanks, Jason, and I wish you a successful conference. Thank you.
JASON: Thanks Michael. Cheers.