Cyber Collaborate, The Australian Cyber Security Conference
11 October 2022
Michael Pezzullo AO
Secretary, Department of Home Affairs
Hotel Realm, Canberra
MICHAEL PEZZULLO: Can I commence by acknowledging the custodianship of the traditional owners of the land upon which we meet, the Ngunnawal people, and pay my respects particularly to Elders past and present, but also emerging.
Can I also extend my thanks to the organisers of this conference for reasons that, hopefully, will become apparent through the course of the day and certainly through the course of my remarks. It’s groups like this coming together at conferences such as this that’s kept the pilot light of awareness on for the last 24 years or so. There’s no boardroom now, there’s no chief executive officer now, people in certain companies, there’s no senior management team that isn’t thinking about cyber in ways that people in this room have probably been thinking about for 5, 10, 15 – looking around the room – maybe 20, potentially 25 years. So, I thank you for your passion, your commitment, because collaboration is what it’s all about.
It is about the Government coming together at all levels of Government—Commonwealth, State, Territory, municipal—but also with vendors, with specialists, with academics, with people who work in the field professionally, people who work in the field in terms of corporate relations, people who work in the field in relation to very specialised fields, but also people who work in the field in relation to spreading the risk and corporate governance around cyber across their businesses and organisations. It really is a team sport.
Let me just commence there by contrasting the nature of the cyber threats that Australia has to protect itself from by using a metaphor with warfare. Traditionally, warfare was very much the province of the state. Only Governments had the information necessary to make decisions about strategic employment of force, about the threats that their country faced. Yes, they had to mobilise the citizenry, and if they went to war, they had to mobilise the citizenry in relation to joining their armed forces; they had to raise taxes to pay for those things. But typically, citizens and industry had a passive role in relation to the defence of the nation. And that’s understandable in the physical world for all those factors. Cyber is completely the opposite.
In cyber, the so-called attack surface—that is well understood in this room—is everywhere. Every single device. The phone I’m carrying in my pocket, which is somewhat hardy, but not invulnerable, right through to the devices that are all around us, right through to the operating technology that powers our weather control, our dams, our power grids, our banking systems, right through to the IT systems that control everything from payroll right through to operations right through to customer service. The very connectivity from which we derive that immense prosperity, creativity, the benefit of information technology, information technology that puts more computing power in my pocket—I’ve got a smartphone here—than what was available to the Apollo astronauts as they landed that lander on the moon. Remarkable achievements that humanity has managed to garner.
Now, some of that has been devoted to our obsession with viewing cat videos and looking at the other rubbish that we scroll through on our social media. I don’t know why humanity would have devoted so much effort just for that purpose, but think about all the other benefits—about connectivity, creativity, academic research, all of the benefits that we know that power our businesses that create both personal, corporate as well as national prosperity, pleasure and benefit and utility. Those very same points of connection, that ubiquitous connectivity, that ubiquitous presence of this technology is what imports a threat. Because of course the hyper-dependency, the hyper-connectivity, of these systems mean that attackers come in the gaps and seams; they jump across those gaps and seams, and get to places where they want to get to.
Whether they want to get to sensitive personal information as we’ve seen recently spectacularly demonstrated in one case, whether they want to get through the operating systems of a dam, whether they want to get through to the operating systems of a traffic management system, whether they want to get through to a small business so they can compromise either by way of email compromise or phishing or some other means, locking up that small business’s data in order to extract a ransom payment—for any of those purposes right through to the most nefarious potential uses that we haven’t yet experienced or seen. Even in the conflict that’s going on in Ukraine at the moment, the devastating application of cyber at a societal scale would bring consequences that would make the hacks that we think of today simply diminish in terms of magnitude into almost nothingness compared to what potentially could be done in terms of some of the more extreme scenarios that we need to contemplate.
So, if the threat is all around us, but we don’t want to live in a cyber-militarised state, where everyone is constantly on guard and everyone is actually not employing the benefits, not employing the utility, not employing the connectivity that this technology affords us, how do we resolve this dilemma of living freely, living prosperously, living securely but without living in a state of hyper-anxiety and without becoming, if you will, to use a term I just used a moment ago, a cyber-militarised state? This is a paradox, because there’s no point having all this technology if in a sense it becomes so threatening in terms of its use to you that you become so anxious about its use that you don’t take advantage of its benefits.
So, the only solution is, in fact, to reverse that military paradigm and say, ‘It’s not just the state, the nation-state, that controls our approach to military strategy.’ This is truly a collaborative effort across society and economy. It goes right through to—for those of us who are grandparents, looking around there might be one or two others in the room who are also grandparents—that digitally native granddaughter or grandchild that you might have, who in 15 or 20 years’ time might be thinking, ‘Granddad spoke at some conference 20 years ago and he talked about problems that were really hard to fix, but these are easy to fix because I’ve grown up being digitally immersed for 20 years.’ That’s 20 years off. So, it extends from our children. It extends from the cyber protection around our family, our small micro family businesses, medium-sized businesses, those larger businesses that provide so much by way of essential services and utility across the nation to Governments, Governments themselves as well as other vital sectors such as universities. If we don’t come together, if we think that it’s someone else’s responsibility, it’s the Commonwealth’s responsibility or it’s the responsibility of some cyber force that is like the Air Force or the space force, we will fail.
That’s why collaboration and conferences such as this, the work of the CRC, the work that many of the companies that were depicted on the board before that are sponsoring this conference, and also some champions that I know from the Commonwealth who are in the room. I think Chris Fechner, you’re here—Chris, the work that DTA does, for instance. That’s why everyone contributes something materially to facing this challenge. Whether you’re in academia, whether you’re in the private sector, whether you’re in Government, whether you’re in one of the think tanks, whether you’re in one of the research enterprises, thank you for what you do.
So, let me just pull all of that together. That’s just by way of a very general canvas about the need for collaboration, the need for national effort, the need for tackling this in a very different way from how we’ve tackled security challenges in the past, simply because the ubiquity of the benefits we get from cyber creates the ubiquitous threat as well. And let me just pull it together in terms of the directions in which the Commonwealth Government is going. Clare O’Neil is my Minister, the Minister for Home Affairs. She’s also a specified, titled Minister for Cyber Security, the first time we’ve had a specified, titled Minister for Cyber Security at the Cabinet level. We’ve had other Ministers with cyber responsibility, but not at the Cabinet level. She’s made it very clear in her directions to the Department, which means her directions to me, and through me to my Department—and she’s said this in part of some of the public comments she’s made around the Optus issue, which I’m not going to canvass; I’m just going to go to the directions that she’s given me, and that she’s also expressed publicly—that in her judgement, as the national Cyber Security Minister, we’re about a decade behind in terms of some of the ancillary, important strategy areas around consumer data protection, around privacy, and some of the consequential policy areas that are adjunct to the very technical areas that IT security specialists tend to focus on. We’re about a decade behind.
And she as the lead Minister within the Government, along with her colleague the Attorney-General, the Treasurer and other ministers who have got responsibilities across those general areas have said that that catch-up is going to occur under this Government’s watch. She’s made it very clear the Government is determined—and this is not just in relation to the Optus matter, she has used the Optus matter to speak about this generally—to bring together into closer policy alignment those ancillary and related areas of digital identity, consumer data protection, privacy protections et cetera. Responsibilities of various different Ministers and it is her job, working with her ministerial colleagues, to marshal all of that.
More centrally, in the more technical area of cybersecurity, in her judgement, she said this publicly, we’re about five years behind where we should really be. She’s paid due regard to the work done by the previous Parliament, the 46th Parliament, to pass certain laws that have dealt with certain parts of this problem. So, the critical infrastructure legislation passed the Parliament in March, for instance, gives us some world-leading authorities in terms of dealing with cyberattacks on critical infrastructure. The hack of Optus was not that.
The things that are potentially coming at us that could potentially take the grid down, that could affect our water systems, our traffic management systems, our logistics, warehousing, medical health infrastructure are far darker in terms of their impact on society than the still very, very desperately sad situation that many people find themselves in as a result of their sensitive personal information now being out there as a result of the access into the Optus system.
So, I don’t want to in any way diminish or downplay the significance either of that incident itself or the consequences that that has for people at the level of their own personal identity security and, therefore, their own anxiety about their security, and the prospect there for fraud. I don’t want to downplay that at all. But in terms of the risks that we’re trying to manage there are regrettably, I have to say, more catastrophic, more consequential and darker scenarios that can very easily be painted that could well unfold. I hope I’m not proven right tonight. So, yes, we have to deal with what’s coming at us, what we can see that’s coming at us. We also have to deal with those more consequential risks that, in the end, Governments have to lead on.
So, in sum, the Home Affairs Department as the coordinating department working with other agencies in the Commonwealth, across States and Territories, with our municipal government colleagues, with civil society, with industry, with specialist researchers and experts, will be pulling together, at Ms O’Neil’s direction, a cyber security strategy that builds on the work that’s gone on in previous Parliaments, but tries to catch up that five and ten-year gap that she’s spoken about. Of particular focus, we will be building on those protections around critical infrastructure. I can’t stress enough just how important that is. There’s still more work to be done.
The security of Government systems is very important as well. We’re all watching what’s happening with the Optus situation, and all of us thinking whether we run a service delivery business within Government, whether we run another form of privately delivered essential service like telecommunications, banking et cetera. Everyone’s watching that incident thinking (a) there but for the grace of God go I, and (b) what do I need to do to learn? So absolutely that is front of mind. But so is digital identity. So is consumer data protection. So are the workforce issues that were touched on; growing sovereign and trusted capability within Australia, some of which will have to be sovereign—by which in my definition or language ‘sovereign’ means vested in Australia, controlled and owned by Australia, generated indigenously in Australia. ‘Trusted’ might well be in partnership with other like-minded countries, where there’s such a level of trust that there’s interchange across international borders with like-minded countries. And you’ve seen some of that discussed under, for instance, the AUKUS auspices. Some of it also relates to the protection of vulnerable people, young people, families that I mentioned earlier. In the end, it’s all going to come down to integrating a national effort in the way that traditionally has not had to be done.
To end on where I started, to take the comparison with national security in a very traditional physical sense, warfare, Governments lead. People say, ‘Well, they’ve got the information, you know, I don’t really like the fact that potentially we’re in a military conflict, but I’m going to have to do what I’m told. I either have to pay my taxes or get conscripted or go off to war.’ That’s been the model for thousands of years.
And, of course, regrettably as we’ve seen in Ukraine, war is still a feature regrettably of the modern world, and our hearts go out to the suffering that the Ukrainian people are currently undergoing as a result of the heinous and illegal atrocity that’s being enacted upon them by the Russian Federation under Putin. So war is still a thing. But separate from that, cyber is a thing that requires a completely different, almost inverted model of treatment. So I ask you to think about that as you go through your proceedings today, as you do your workshops, as you do your table exercises.
And I just really want to end on the point that I made earlier of gratitude. Thank you for your personal commitment. Whether you’re in the private sector, whether you’re a Government colleague of mine, whether you’re from a different jurisdiction, whether you’re in research or academia, whether you’re in one of the companies that provides services, thank you for being part of a great, collaborative national effort. Thank you so much.
CONVENOR: Thank you very much. We have five minutes’ time for a few questions, and I wondered if you have some questions… otherwise we’ll just open it up to the room and you’ll have to shout out loud.
Any questions? While you think about questions, I might ask one.
MICHAEL PEZZULLO: You asked me one in Perth the other week, so you can ask me again.
CONVENOR: Possibly a different one. So, if we’re looking at critical infrastructure, in particular how critical infrastructure is evolving to have much more smartness, much more smart devices… where do you think that the supply chain management comes in when we talk about national sovereignty and national capability?
MICHAEL PEZZULLO: I think the examples of threats to critical infrastructure that have been realised in recent years have typically—not always but typically—shown that there are supply chain vulnerabilities. This would kind of make sense five or ten years ago when people think, ‘Look, I need a bit of software. It’s available openly. It’s cheaper. Let’s just repurpose it.’ You wouldn’t do that for your water. You wouldn’t allow people just to mill through your house saying, ‘Look, just come through my house.’ You wouldn’t say in the design of a car, ‘Look, I think this brake works. I’ve just found it for free so I’m just going to apply this brake to the vehicle.’ And yet in this world, partly because of margins, partly because of the nature of the industry, partly because of the way in which the industry has evolved, that’s actually a practice. We’re going to look back in years to come and say ‘That’s crazy. Like, they were seriously downloading uncertified, unchecked software because it was simply easy.’ And, as you know, Log4j is probably the archetype example, but there have been other examples. People in years to come are going to say to us or think of us, ‘What were they thinking?’
So I think as supply chains are tightened up and trusted supply chains start to emerge, the balance that will need to be struck is: what is truly national? That is to say under no circumstances will we have any trust at all in anything provided from outside of our own national jurisdictions. And I think there will be a class of both software and other componentry that falls within that definition. Then there will be another class where we say, ‘Look, there are trusted arrangements—they’re certified, assured, checked—that apply to software, components, hardware.’ And then, if you like, the rest of the globalised market supply chain, the global supply chain will be allowed to play in. I think those three layers—the inner core, the middle core and an outer layer—are inevitably where we’re going to go.
CONVENOR: Thank you. We have received a question here, so you mentioned the Optus attack. That’s possibly very hard to answer categorically, but is the Government itself guarded against similar attacks taking place?
MICHAEL PEZZULLO: Well, no-one’s invulnerable. Any system that touches the internet is vulnerable. The question is to what extent you can remediate that vulnerability to as close to zero as you can; you will never get quite to zero.
On the Optus incident itself, Optus itself is conducting some diagnostics, some forensics, so I think it’s fair to say that they need to come to a view about what exactly happened and, obviously, we’ll come to our own assessments. You would have to say that whatever’s happened, some basic control has had to have failed for so much data to have been exfiltrated in the way that it was. But I’m not going to get into any further commentary on that.
I am joined by my colleague here, the chief executive of the DTA, and I suspect if Chris and I were having this discussion agency by agency, it would be quite an interesting discussion in this room, but I won’t subject you to it all. It wouldn’t be that interesting perhaps. Look, across the Commonwealth, we’re doing a lot, whether through trying to up our cybersecurity, protect our gateways, really reinforce those human behaviours and the importance of ‘don’t click on this’, ‘don’t open that’; whether it is about the interagency connections. We’ve got 190 accountable agencies within the Commonwealth. Whenever you add an accountable entity, whether it’s in a large private corporation or a large Government enterprise, you do create those gaps and seams. We’re working tirelessly to patch and remediate as best we can.
It’s impossible to say exactly, apple for apple, orange for orange, is the Government similarly exposed. I would like to think not, but I don’t want to hold myself hostage to fortune. I can just give this audience an absolute assurance and the citizens that rely on our services, that we’re very conscious of these gaps, these seams and the need to patch, the need to keep our workforce on its toes. And ultimately—and this is a message for our private sector colleagues as well—we try very hard and it is not just the job of the CIO and the CISO. This truly is something from the secretary of the agency down to the most junior officer; you’ve got to be part of that defence shield, including your own personal behaviours online. We try to mitigate and protect as best we can, but there’s no such thing as an invulnerable system. Anything that touches the internet is vulnerable.
CONVENOR: Thank you. I think that’s an excellent answer. I have to say also from my limited view of the world a big thank you because I think as a consequence of the Optus hack there was a lot of thoughts on protecting citizens and customers… with the limited view that I have of what is going on, really impressive to see how many people worked late nights to make sure that citizens are protected.
MICHAEL PEZZULLO: Can I just add to that, and Minister O’Neil has made this point, and so has the Prime Minister and a number of other ministerial colleagues as well. Maybe five or 10 years ago, this issue wouldn’t really have been handled in a very technical way. The CIOs would have got together, the technical advisory would have been shared, ASD would have done its thing through the [Australian] Cyber Security Centre—and that, of course, is very essential, that’s foundational work.
And we’re learning all the time from emergency disaster response in other areas. You wouldn’t for instance in a flood situation—we’re currently seeing a very significant rain event in New South Wales with some associated flooding—say, ‘Well, we rescued you and, you know, you’re dry now. I mean, your house is full of mud. There’s no services in town. The municipal services are out.’ The Government would evacuate. So, as we deal with natural disaster response, I think we are getting better at what I call not so much incident management, because incident management has got a very particular and somewhat tightly focused bound to it or scope to it. We’re getting better at what I’d say is consequence management.
So if there have been ten million records, or whatever the material number of records ends up being, what does that mean for the passport? What does that mean for the driver’s licence? What does that mean for your credentials otherwise? It’s not technically part of the cybersecurity incident response, but it is a part of the consequence management. And Ms O’Neil has made it very clear both in the public comments, but certainly in the directions that she’s given to me, that she really wants us to think hard about—not just off the back of Optus, because there are lots of other cases that we can look at around the world—about how we do consequence management, which we do increasingly better in the physical world, where we’re getting exposed to changing climate or extreme wet weather events with greater frequency. But then they have a tail.
We have to think about cyber a bit more like climate. Yes, the initial incident has to be looked at. The initial incident has to be remediated. It has to be patched and has to be dealt with, but the work then doesn’t finish. There’s this long tail which goes to some of those other areas that I mentioned around consumer data, digital identity, replacement of credentials where that’s relevant et cetera. So, Ms O’Neil has made it very clear as Minister that she wants more work and more effort put into consequence management beyond the strict cyber incident management.
CONVENOR: Excellent. We have another question coming up here so now that we have a Minister for Cyber Security, are we going to see a legislative uplift in cyber safeguards for the private and public sector?
MICHAEL PEZZULLO: Just judging by what ministers have said publicly, they certainly want to examine that question. They do want this consequential tail dealt with as a matter of urgency, so the passports, the driver’s licences, all the other matters that I’ve just mentioned. But as Ms O’Neil has said on a number of occasions, if you look at other comparative jurisdictions—and she hasn’t proclaimed policy and I’m certainly not proclaiming policy on her or the Government’s behalf today—if this spill of sensitive personal information had happened in other jurisdictions, some of the financial penalties would have several digits submitted before a single digit in terms of fines et cetera. So, that’s just simply a point she’s made. So, maybe there are some issues there around a general data protection regime.
There certainly will need to be more attention given—and the last Parliament started to look at this question around the duties of directors, for instance, so for listed companies. I’ve spoken already about the critical infrastructure protections that were put in place by the last Parliament. I suspect there’s going to have to be some remedial work done as some ministers have mentioned that go to that consequence management piece, where there might be incident reporting obligations that relate to the initial incident, but what about reporting obligations that relate to consequence?
So I’m certainly not this morning proclaiming an agenda, but there are a number of areas that require attention and the Government I know is actively turning its mind to that. I know, because it has told me to do the work, so that’s how I know. And as a consequence of that I’m sure the Government will have more to say. I suspect the simple answer is yes to the question, but the shape, cadence and the arrival of different legislative packages, of course, will have to be worked through the Cabinet process, and ultimately that will be a matter for our Government to decide.
CONVENOR: Excellent answer. And I think there’s a benefit of obviously looking to other jurisdictions as well for the experience… so I think that’s really important. Most Australians seem to take a passive approach to cyber, so how do you bring cyber security considerations more into the public consciousness? It’s everyone’s game. We all have to cooperate. How will you get it out to schools and families?
MICHAEL PEZZULLO: Look, I think it’s generational as I touched upon as a recent grandfather. I suspect in 20 years’ time, my grandchild will have a very different consciousness. She’ll just be so immersed in it. I think we’re going through a transition where dinosaurs like me—and I’m happy to date myself—a 58-year-old white male who came to technology very late, struggles every day. I think we are going to have a generational solution to this problem, but we can’t wait that 20 years. So, I think in the meantime we’re going to need some remedial gap-filling measures by way of outreach to vulnerable people, cyber education in schools, better and clearer guidance perhaps for non-IT-literate citizens. And that’s a lesson for all of us not just at the Home Affairs Department. I know they’re working on this in ASD. I’m sure they’re working on it in other parts of the Federal Government too, providing user-friendly, actionable, simple information that doesn’t go through all the engineering and all the computer science and the complex mathematics, which is very important and of keen interest to some people. But a bit like consumer safety or aviation safety, just on what I need to know. I think more can be done.
I do want to contest slightly the premise of the question, and I do so, hopefully, not disrespectfully. I’m not sure that there’s a passive attitude to cyber. I think certainly there’s a—certainly for non-technical people like me, there’s a degree of apprehension about the technology side. It’s all bewildering. And particularly you get told you’ve got more power in your phone in your trouser pants than the Apollo mission and you go, ‘How can that be?’ A PhD could explain it to me, I’m sure. But I don’t know if it’s passive. I think there’s some parts of our community that are perplexed, but they’re all engaged and interested, because whether you’ve had your credentials stolen, whether you know or yourself have been the victim of fraud, you hear those heartbreaking stories of people going through a conveyancing transaction and through business email compromise, the BSB banking details are substituted in and hundreds and thousands of dollars go missing to a crypto account somewhere. Just about everyone, I suspect, either has heard of that story, knows of that story or tragically may have been a victim themselves, whether it’s an online scam, whether it’s a conveyancing compromise, whether it’s small business being jacked up by a ransomware gang.
So, I’m not sure that the attitude is passive. I think it’s a curious form of ‘Tell me what I need to know.’ And that’s where that generational change I think over time will come to the rescue, because people will—as the younger generation come into the position of growing businesses, being in authority and just living their lives, I think they’ll be more cyber-savvy. It will be wired into them. So I think we are going through a transition. So, not so much passive, but slightly apprehensive, slightly perplexed unless you’re like really expert in this field. And so it’s incumbent on all of us, whether we’re running businesses, whether we’re running Government agencies, whether we’re providing these sorts of public venues, to try to break down as simply as possible for the many hundreds of thousands if not millions of our fellow citizens who know that there’s a problem, who know that something has to be done… they just want actual information.
CONVENOR: I think that’s a wonderful closing statement at the end. So, thank you again. Please join me in thanking Mr Pezzullo.