Michael Pezzullo

Secretary of the Department of Home Affairs

Remarks on Cyber Security

Edith Cowan University, Perth

22 November 2018


Thank you Professor Omari.  I am honoured to be here today and may I acknowledge my colleague Mr Randall Brugeaud, Chief Executive Officer, Digital Transformation Agency and Professor Stephen Smith, Chairman of the Advisory Board, University of Western Australia Public Policy Institute. 

We are fortunate to live in a truly transformative era. The world today is more connected, networked and interdependent than at any point in history.  This is a statement so self-evident that it hardly needs to be made.

The Internet and the resultant global connectivity will be seen in decades hence as the most dramatic and transformative social development since humans started to live in cities over 5,000 years ago. Global connectivity, however, has a dark side—as have cities if they are not well-designed, well-built and well run.

Cyber intrusions, cyber-attacks, and cyber warfare are transforming the geopolitical features of the global order more rapidly than strategic concepts and plans can be formulated and deployed.  Over the past decade, discussion (at least in the West) has been shaped by technologists, academics, businesspeople, and operational practitioners, from the private sector and from government.  There is nothing wrong, of course, with inclusive discussion.  Only good ever comes of intellectual diversity and wide dialogue, but absent the policy-maker and the strategist, discussion will only ever, in my view, stumble in the dark, without historical analogies, analytical constructs and other reference points to guide action.

In traditional conflict and warfare, separable phases of peace, confrontation and war can be discerned, even in the 'gray zone' of counter-insurgency and so-called hybrid warfare.  Cyber warfare and covert cyber activity exist, I would contend, on a different plane altogether, co-existing with and alongside war, confrontation, peace, hybrid conflict and the gray zone.

Cyberspace challenges our historical models and all prior human experience. Some reference points which are drawn from history—such as say the faulty logic of a 'cyber Maginot Line', the perils of a 'cyber Pearl Harbour', or the risk of a 'cyber Cuban Missile Crisis'—might well assist in generating public awareness and debate, and are accordingly useful, but taken as substantive starting points, they are almost certainly likely to lead us into barren analytical ground.

We should accept the reality that applicable future strategic concepts and plans for cyberspace will have to be built from the ground up—informed, of course, in general terms by history and precedent, as well as strategies which have evolved in the physical realm, but reflective essentially of new thinking and new constructs. 

It is, of course, the pervasiveness of cyberspace that generates both its beneficial qualities and its transformative—indeed revolutionary—terrain of vulnerabilities.  In cyber, everyone and everything is externally-facing and therefore connected to benefit and possibility, risk and threat.  As the Internet of Things enmeshes human existence, the attack terrain will become planetary and therefore existential.  Absent a viable and scalable security programme for the Internet of Things—which we will have to build painstakingly in the years ahead while chasing the ever-accelerating curve of the connectedness of Things—all we are potentially doing, absent such a security programme, is purchasing and connecting the devices of our future enslavement to a dystopian world of cyber threat and harm.

When I survey our threat scan—and the benefit, I should say, of the establishment of the Department of Home Affairs was the bringing together of our understanding of all threat vectors—I am most alert for two things: a terrorist-borne nuclear, chemical, biological or radiological attack, the imperative of which speaks for itself; and a society-wide cyber-attack.  The former has been on our threat horizon for twenty years, essentially since the collapse of the Soviet Union, and while it is not an easy target, we understand it and know what to look for.  Cyberspace could hardly be more different.  We are adding to risk every day through the connectedness of devices, systems and networks, without—with the possible exception, I would contend, of those in this room today—any real appreciation of our potential exposure to harm and danger.  

Instead, these cyber developments are seeing humankind re-enter the 'state of nature', that described by Hobbes rather than Rousseau, which will not be tamed or regulated by the political imperative for order which, from the 17th Century in the West at least, gradually generated the societal architecture which best balanced security and liberty, responsibility and right, constraint and freedom.  Hobbes referred to the sovereign state—'Leviathan' of course—as all-powerful in keeping this public order. Who, or what, in this new 'state of nature' will be the Leviathan, which can legitimate public order and enforce that order, and thereby create the secure space for commerce, learning, culture, leisure, family life and so much more?  In the cyber 'state of nature', does it even make sense to think of the 'Leviathan function' of the state?  If it does not, then we have reached the frontier of a new political order, which will have to supplant that which has emerged over four centuries in the West.  Indeed, it might have come to pass that the centuries-old nexus of the sovereign's protection and the territorial integrity of the state will have to be re-thought, where everyone and everything within the bordered state is externally-facing, and cyber-exposed, and public safety cannot be guaranteed within orthodox and well-understood constructs.

The cyber 'state of nature' I would contend has a bias towards offensive action, plausible deniability, and an asymmetry which unravels the hierarchy of geopolitical power which is generated in the physical world through geography, commerce, access to resources and military capability.  Each acts against all, or at least against as many as might suit their interests or inclinations.  Chaotic outcomes inevitably arise from the tangle of unforeseen consequences and unrestrained action in cyberspace.  Rogue actors, often acting in concert with, or through, proxies and criminal confederates, can harm larger ones and—in experience hitherto at least—escape serious sanction.  Some states are effectively issuing modern cyber 'privateers' the virtual equivalent of the old letters of marque, which in the days of sail gave their holders the assumed authority to prey on designated enemies at sea.

The lack of consequences, and the negligible imposition of costs, for malicious conduct in cyber emboldens yet more malicious conduct—which is ever ratcheting up, with more brazen attacks in prospect, which will make the cyber-attacks of the past decade seem like the first dogfights between bi-planes in the earliest days of aerial combat.

It is still an open question as to whether cyber-attacks could deliver a decisive blow in terms of warfare amongst the major powers.  Rather, and most notably, the cyber domain will be a contested assemblage of networks and actors, where war, peace, conflict and commerce will be interspersed and not easily separable.

In cyberspace, borders are essentially irrelevant for the purpose of formulating a fundamental strategic response.  Few, if any, limits exist in the form of even tacit restraints.  There are no agreed strategic constructs in relation to deterrence, mutual restraint, standards of conduct, nor agreed measures in place, or in prospect, to prevent a cyber crisis arising from miscommunication, misunderstanding or, worse, misinformation.  Actors make their own decisions about risk, reward, deniability and consequence.  The inner dynamics of such a system will have a tendency to instability, absent any process or force to create the pressure of self-corrective action.

In such a cyber 'state of nature', our very definitions of 'the state' and 'sovereignty' will need to be re-worked.  Hard thinking will need to be devoted to new concepts of deterrence, defence and retaliation—including in relation to which assets, and which sectors of infrastructure, will need to be defended by the cyber forces of the state; which acts in cyberspace would be considered to be acts of war, such as would invite appropriate responses consistent with the international law of war, in the virtual and the physical worlds; and which acts would be considered not to meet such a threshold, where the principal burden of risk would sit with the private sector, with government business enterprises and others outside of the security sector of the state.

Of necessity, an open and continuous dialogue will need to be undertaken with a multiplicity of actors, where researchers, 'white hat hackers', cyber security vendors, infrastructure operators, legal experts, intelligence analysts, and others—including of course strategists I would like to think and security planners—will need to come together and hold discussions the like of which have not been seen in human experience.  Cyber security is a unique mixture of activities—it brings together on the one hand the equivalent of road maintenance crews whose task it is to repair and maintain our highways, roads and streets, and on the other hand the virtual equivalent of the Special Air Service Regiment, and all manner of capabilities in between.

Even in the 'total war' of the 20th Century, one could distinguish between, as Churchill dubbed them, 'the Few' of Fighter Command, and those who, in the Battle of Britain, Kept Calm and Carried On.  In the era of cyber war, there will be no frontlines and no clear distinction between combatant and civilian.  Just as benefit will be networked, so will be harm and danger.  To extend the imperfect analogy of the Battle of Britain, in cyber war the first indication of the virtual equivalent of a Luftwaffe bombing raid might well come from the information security 'war room' of a major financial institution or a major energy supplier, which might, with appropriate authorities and immunities, cue the cyber Spitfires and Hurricanes of the Australian Signals Directorate, should the relevant legal and constitutional issues be first resolved through diligent and creative policy making and strategic planning.

This policy and strategy task will be doubly challenging as strategic rivalry is increasingly being played out in cyberspace—whether concerned with the collection of strategically valuable information; the processing of data at scale in order to gain insight; the manipulation of perceptions and attitudes favourably in the interests of national security; or for the penetration of networks, whether for the purpose of disrupting adverse strategic developments (for instance, the threatening development of weapons of mass destruction) or denying an adversary a strategic advantage otherwise.

It is my contention that while the age of continuous cyber warfare began around a decade ago, and some of that first decade of conflict in cyberspace is only likely to come to light many years hence, if ever, the alignment of policy, strategy, capabilities and actions has only just begun.  I doubt very much that with such a start, we will ever catch the curve—but we are obligated to try and that duty should animate these deliberations.

The Australian Government I should add has started to call out malicious cyber activity as a matter of policy and will continue to do so.

For example, in December 2017, Australia joined with the United States, the United Kingdom, New Zealand, Canada and Japan to attribute the 'WannaCry' ransomware attacks on businesses and public institutions to the Democratic People's Republic of Korea. 

This was followed, two months later, by attribution of the 'NotPetya' malware attacks on critical infrastructure and businesses to Russia. Here, Australia joined the United States, the United Kingdom, Canada, New Zealand, Ukraine, Estonia, Lithuania and others. 

Then, in April 2018, Australia, the United States and the United Kingdom mutually attributed the worldwide targeting of routers—that is, Cisco devices using the Smart Install feature—to Russian state‑sponsored actors. 

And as recently as October this year, the Australian Government stood with the United Kingdom and other allies in attributing a pattern of worldwide malicious cyber incidents, again to Russia. These incidents included the hacking of the United States Democratic National Committee, the World Anti-Doping Agency and a United Kingdom television network; the targeting of critical infrastructure around the world;[i] and the targeting of the Organisation for the Prohibition of Chemical Weapons and of Malaysian entities supporting the Flight MH-17 criminal investigation.

While we and our allies are being increasingly vocal about the deliberate and malicious actions of states, the pervasiveness of cyber incidents suggests that malicious actors believe that their behaviour is immune.  States that conduct or support illicit cyber behaviour are becoming emboldened.  They believe positive attribution is far too often too difficult; that if it occurs, it is too slow to enable any meaningful rebuke; and that international law constrains strong retaliatory action.  Accordingly, the perception of a lack of deterrence, coupled with the unlikelihood of punishment, lends credence to the notion that the benefits of carrying out a cyber attack outweigh the costs.  Bolstering this perception is the fact that responses to cyber incidents continue to be rooted in the relatively comfortable terrain of established norms that were hard won in the context of the Cold War era and détente subsequently.

Although other nations have suffered from devastating cyber attacks, to this point in time Australia has, it has to be said, been more fortunate.  We have been on the front foot.  We developed our first Cyber Security Strategy; we invested early, I would contend; and we created the Top 4 cyber security mitigations overseen by the Australian Signals Directorate—replicated as best practice around the world.  Eventually our fortune will run out.

But we are far from immune.  Just this month, a Defence contractor headquartered here in the great state of Western Australia revealed that its Australian business had detected and responded to a cyber security breach of its data systems.  While there is no evidence that any classified or highly sensitive information was compromised, we were lucky on this occasion.  A 'light touch' approach is no longer enough if we want to ensure Australia's success and security in the digital age continues.  We must do more to ensure the resilience of our networks, systems, functions, and data against those who seek to do us harm.  Equally, we must strive to improve our collective capacity to detect, deter, respond to, and indeed recover from such incidents.

On reflection, and speaking candidly, we have not yet fully articulated the extent of the risk to the public.  We have yet to reach the threshold where fears about a cyber attack have permeated the global psyche in the way that the Cuban missile crisis, mentioned earlier, did for nuclear weapons.  However, the threat to our way of life is in some ways just as great, and possibly even more probable.

It is telling that were a foreign state to secure explosives to the footings of the Sydney Harbour Bridge in the event of heightened tensions, such an act would be taken to be an egregious and hostile breach of our sovereignty.  Yet, in the digital world, equivalent events are occurring around the globe, including in Australia, but we do not yet have an established doctrine with which to deal with such an incident.  This is a void that we must now fill, and urgently.  Fortunately, work is underway; we are not starting from ground zero. 

Our current approach to this society-wide issue is outlined in the Government's 2016 Cyber Security Strategy.  Over two years since its release, Australia's cyber security initiatives have gained much needed momentum.

If I may say, the creation of the Home Affairs Portfolio has brought greater coordination to cyber security and to domestic security more generally.  We are able to harness the collective powers of law enforcement agencies, border security, and our domestic security intelligence organisation alongside the strategy and policy development which is conducted in the Department.  And we are looking at the interconnected nature of cyber threats—particularly as they relate to countering foreign interference, combatting serious and organised crime, safeguarding transport and supply chains, protecting our critical infrastructure, and working with the Australian Signals Directorate to secure Australian Government systems and networks.

Since the release of the Cyber Security Strategy, the Government has separated the Australian Signals Directorate from the Department of Defence.  The Australian Signals Directorate is now the national information and cyber security authority.  It is responsible for combatting cybercrime at the Commonwealth level, protecting Australia's networks and systems, and providing advice to Australian businesses and individuals.  This separation is a recognition of ASD's place as a national capability—while of course entrenching its ability to defend Australia from national security threats.  Legislation passed on 11 April this year enables ASD to prevent and disrupt serious and organised crime—such as child exploitation and the illicit trade in narcotics—by people or organisations operating outside of Australia.

In a shift away from traditional government structures and silos, the Australian Cyber Security Centre—or ACSC—within the Australian Signals Directorate is a true multi-agency fusion.  The National Cyber Security Adviser—Alastair MacGibbon—works across Home Affairs and ASD as a single point of accountability and leadership.  As the National Cyber Security Adviser, Alastair reports to me, the Secretary of Home Affairs, on cyber security policy matters, and has the rank of Deputy Secretary in the Department of Home Affairs.  He also reports to the Director-General of the Australian Signals Directorate as the Head of the ACSC, and holds the rank of Deputy Director-General in ASD.

The ACSC brings together capability, policy and operations from ASD, the Australian Federal Police, the Australian Security Intelligence Organisation, the Australian Criminal Intelligence Commission, and the Department of Home Affairs.  This multi-agency approach is critical in a world where threats do not adhere to categorisations; where adversaries are increasingly exploiting the gray area between peace and war.  And importantly, within these arrangements we have built a 24/7 capability to bolster our ability to respond to significant cyber threats.

Industry has shown a willingness and desire to engage with government on cyber security, and vice versa—a crucial first step in carrying the conversation from the realm of technical specialists to the boardrooms of Australian businesses and ultimately into the lounge rooms of Australian families.  Last month, ASD tweeted for the first time, signalling a new openness from a previously very secretive agency.  Yet while these conversations are necessary, they are not sufficient.  Talk must translate to action; momentum into results.

I recognise that cyber security concerns are rightly shared among industry, government and academia.  But to date, there has been too little action.  We need manufacturers and providers to take their share of responsibility, and for consumers to make informed, responsible choices to ensure their own security.

I echo the recent comments of Lynne Owens, the Director-General of the British National Crime Agency.  We have not been as demanding of industry as we should have been.  We cannot, and will not, wait for a catastrophic cyber incident before we act to prevent future attacks.  And cyber security is ultimately a whole-of-community issue.  Too often, the onus falls straight to Government to address and mitigate cyber security risks.

In many ways, the status quo is reflective of a degree of fatalism—the belief that the Government could, by itself, defeat all cyber security threats (to the extent that anyone can) and take on all the risk.  The Australian Electoral Commissioner, Tom Rogers, recently said:

"There are some individuals who think we are just going to solve cyber security—it is not solvable.  We have to make sure it is not just an emerging threat—that we are treating it actually as business as usual, it is part of what we do."[ii]

I'd ask you to reflect on the significance of that.

Tom is absolutely right—cyber security incidents are inevitable.  Anything connected to the internet can never be 100 per cent infallible.  But what matters is how quickly we can respond and how we partner to minimise the harm of an attack and the likelihood of reoccurrence.  And we need to be open and honest about what we are doing well, and where we are vulnerable, sensibly of course.

Regulatory reform focused on critical infrastructure such as the Telecommunications Sector Security Reforms and the recently passed Security of Critical Infrastructure Act are a start.  But more needs to be done including in the regulatory space.

We are now driving a new cyber agenda, focused on better managing risks and getting everyone to play their role.

As we embark on this next phase of Australia's cyber security journey, we will push harder, act more decisively, defend ourselves more aggressively and ask more of ourselves and our partners.

As I have already acknowledged, an effective approach to cyber security will rely on broad cross-sectoral collaboration—there is no doubt about that.  It will be a partnership in which roles and responsibilities within our national ecosystem are better defined, articulated and communicated.  True engagement necessitates more than commercial dealings, and industry needs to contribute to the broader mission—as partners, more than as vendors or individual businesses.

One of the areas that requires greater partnership is in the creation of a trusted Australian ecosystem—for individuals, businesses and governments.  To make that trusted ecosystem a reality, we need to better leverage all parts of industry and academia in partnership with government as part of a holistic national cyber security apparatus.  We need to amplify the skills and capabilities of domestic industry by investing in both niche capability and specialised areas of focus.  We need to grow a critical mass of sovereign capability so that all sectors have an Australian option for secure products.

We need to deepen partnership, coordinate ourselves more effectively and leverage our respective strengths for the benefit of a national outcome.  We are launching into a rolling reform agenda and more will be said next year to build up our national cyber defences, using all the levers of national power.

Today forms the first part of that endeavour in this new phase.  And what better setting could we ask for than Edith Cowan University—one of our Academic Centres of Cyber Security Excellence—in the middle of Western Australia's cyber week.  I'm delighted to be here for that reason alone.

I wish you a very forthright and frank panel session as we take the next steps to improve Australia's cyber security.

Thank you.

[i] by 'BadRabbit'

[ii] Rogers, T., 2018, Australian Electoral Commissioner as part of a Cybersecurity Panel at the National Press Club in Washington DC.