Good morning all. Thank you very much for the invitation to speak at the Cyber West Summit today.
I would like to start by acknowledging Debra Cousins, Executive Director of the WA Department of Jobs, Tourism, Science and Innovation; Pia Turcinov, Chair of the WA AustCyber Innovation Hub; and Cecily Rawlinson, Director of the WA AustCyber Innovation Hub.
Can I also acknowledge my federal parliamentary colleagues starting with the Shadow Assistant Minister for Communications and Cybersecurity, Tim Watts, and I know my former colleague and the former Prime Minister the Honourable Malcolm Turnbull will be addressing you later today.
I would also like to acknowledge my good friend Asta Morton who is with you today representing Joseph Banks Secondary College, a local school in WA which has a very model of industry working with education to build our future cyber security workforce.
We do live in a digital world.
This digital technology has become the mainstay of our lives.
FaceTime and video calls are something I do every day with my wife and two young children.
During COVID, this has become a common experience for many Australians.
The internet is now the neural system of our lives – from news, to work, to social media. It is also very important to our economy, and it’s the lifeblood of our democratic society, it’s where we do a lot of debate now.
The effectiveness of our economy depends on the cyber security of our businesses, our research institutions, our critical infrastructure and our essential service providers.
It also depends on all Australians feeling confident and secure to be active online.
And this is more important than ever before.
Last financial year, the Australian Signals Directorate and the Australian Cyber Security Centre received over 60,000 cybercrime reports.
That equates to one report every eight minutes: and these are only the ones we know about.
Scams are estimated to have cost Australian businesses over $143 million last year alone. This is from only 4,245 incidents – an average of $33,500 taken each time.
On a daily basis now, Australians are reading about new vulnerabilities being exploited by malicious actors, and news stories about hacks affecting governments and organisations globally.
It’s a broad spectrum of threats, but on one end we have lone hackers, in the middle we have sophisticated criminal networks or syndicates working together either for business or on behalf of state actors, and then we’ve got very sophisticated state actors working to undermine our sovereignty and conducting cyber activity against Australians.
The Federal Government is quite rightly taking action.
The government is investing $15 billion in our cyber and defence capabilities over the next 10 years, and through the Cyber Security Strategy we are investing a record $1.67 billion in cyber security initiatives.
- boosting the capabilities of the Australian Signals Directorate;
- strengthening Australia’s counter cybercrime capability;
- growing Australia’s future cyber security skills and workforce;
- supporting small and medium sized businesses; and enhancing the cyber security of universities;
- increasing cyber security awareness for Australian families, households and small to medium enterprises; and
- ensuring our agencies have the powers and capabilities they need to identify and disrupt threats to the safety of Australians.
On July 1 last year at the Australian Defence Force Academy, the Prime Minister launched the Defence Strategic Update, which highlighted that Australia is sitting in the middle of vast change in the Indo-Pacific region.
We’re seeing greater geostrategic competition between nation states, especially the United States and the People’s Republic of China, and we’re seeing militaries modernise rapidly, and we’re seeing the use of grey zone tactics to coerce states below the threshold of conventional war.
What is the grey zone? It’s the space between international law and conventional war: deniable operations – whether it’s economic coercion, cyber attacks, paramilitary operations, building artificial reefs and islands out of nothing – that’s what we call grey zone activity and it’s undermining our habits of cooperation in the region.
Cyber warfare is of course a very common grey zone tactic used to undermine sovereignty.
We’ve always thought about war in terms of Land, Air, and Sea, and Space, but now we need to start thinking about it in cyber terms.
Cyber is the new battlefield – and whether you like it or not, if you own a smart phone or a tablet and you’re connected, you are on the battlefield and a potential target. So, the challenge for us now is to preserve our personal security but also our digital sovereignty as a country.
If we are all connected and we are all part of this vast network then that’s a massive surface area for criminals and state actors to attack using cyber means.
We cannot be complacent, we’ve got to defend ourselves.
Last year, the Prime Minister announced that a ‘sophisticated state-based actor’ was targeting Australian organisations across a range of sectors.
This included all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure.
We need to think about critical infrastructure – and I’ll come to that in a second – but that’s a really key point today.
In 2020, cyber criminals conducted successful attacks on major Australian organisations at a volume that we’ve never experienced before.
Ransomware attacks require minimal technical expertise, they are low cost and can potentially cripple a business, bring it down and destroy it.
The ability to monetise cybercrime has proved attractive to organised criminal groups, which have developed sophisticated and scalable ransomware software, made available now ‘as a service’.
This is cybercrime as an enterprise and poses an increased risk to organisations globally.
Cybercriminals are opportunistic. They seize on uncertainty to exploit business.
So it is essential we consider cyber security and our digital sovereignty as a country when we talk about Australia's national security, our innovation, and our prosperity.
We recognise the immense challenges corporations and governments alike face in protecting themselves against cyberattacks. And only collaboration between government, industry, and individuals will deliver the uplift in our defences that is required.
That’s why the summit here today is so important, it’s part of that larger move across Australian society to defend ourselves.
Central to the Government’s focus is the security of our critical infrastructure, and the impact of cybercrime like ransomware attacks.
A key reform under Australia’s Cyber Security Strategy 2020 is the protection of Australia’s critical infrastructure to secure the essential services all Australians rely upon.
While Australia has not suffered a catastrophic attack on critical infrastructure, we are by no means – by no means – immune from a potential attack.
A cyber attack on critical infrastructure can cut off a country’s power, water, or telecommunications – not to mention the other things that are critical to our lives together. Just think about how vulnerable the health sector would be if cyber criminals could shut down hospitals and all the bits of technology that keep people alive and well.
What I’m worried about is a “cyber Pearl Harbor” — an online attack that cripples our critical infrastructure and catches us all by surprise.
This isn’t a science fiction script – this is now the reality of our world.
Whether it's Ukraine having their power cut off in the middle of winter by Russia or people working on behalf of Russia; or in the United States, where hackers tried to poison a water treatment plant in Florida; or the cyber attack on Colonial Pipeline, which provides 45% of fuel to the East Coast of America.
Critical infrastructure is vital to our lives. Without it, we are incredibly vulnerable. That’s why we’re seeking to pass legislation that safeguards those critical assets that make up our digital economy and sovereignty.
Recently, the G7 joined together to call out Russia for harbouring cybercriminals, demanding – and I quote from the communique – that it “hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes”.
In Cornwall, the Prime Minister met with world leaders and intelligence chiefs to discuss cyber threats – the spreading of misinformation, foreign interference, ransomware, all enabled by new and emerging technologies.
Democratic nations are united and we’re working together to counter these threats and call out those who would seek to do us harm which is an important part of fighting cyber criminals and state based actors who use cyber.
In their report released July last year, the Government’s Cyber Security Industry Advisory Panel said this: “that threats to critical infrastructure, digital supply chains and systems of national significance should be addressed first”.
This is precisely what we have done.
In December, Minister Dutton introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020 to Parliament, signalling a strengthening of Australia’s critical infrastructure security.
The Bill seeks to expand the Security of Critical Infrastructure Act to cover additional sectors that are critical to our way of life.
This includes communications; financial services; data storage or processing; defence industry; higher education and research; energy; food and groceries; health care and medical; space technology; transport; and water and sewerage.
This Bill will ensure early reporting of cyber incidents to the Australian Cyber Security Centre to allow them to provide first responder assistance and technical advice to those in need and under attack.
It also informs threat sharing with industry to prevent future cyber incidents.
Our agencies are also working with international partners to disrupt criminal organisations.
We know that in many cases – despite paying a ransom, criminals don’t provide decryption keys or they don’t work properly.
That is why we don’t pay ransoms. That’s a key message from the Government.
That is why prevention of attacks is critical for business, government, and individuals.
The Government’s critical infrastructure reforms include both preventative and responsive measures to respond to the security threat posed to Australia.
The Minister for Home Affairs has also asked her Department to look at a further package of reforms to bolster the existing efforts to respond to the scourge of ransomware.
And of course, we are counter-punching – which is absolutely critical.
Through the Australian Cyber Security Centre and the Australian Signals Directorate, we are defending Australian organisations and businesses from cyber threats like ransomware attacks.
The ACSC is working 24/7 to provide assistance to Australian businesses to uplift their cyber security, or provide technical assistance in the event of an attack, and forensic analysis to find the hackers.
And we are counter-punching through the ASD and the Australian Federal Police who are taking the fight to offshore criminals.
We're going after their cyber infrastructure, we're disrupting their activities on the dark web, and we're keeping them off balance.
We want to be the people presenting the pirate flag on their screen – taking it to them and pulling apart their digital infrastructure, keeping them off balance.
My view is the best defence is often offence.
Using our intelligence capabilities, ASD protected two other entities from becoming victims of the same cybercriminals responsible for the Nine Network cyber incident.
ASD also prevented an Australian-based financial company from falling victim to Ryuk ransomware by analysing information from previous ransomware attacks and using its unique intelligence capabilities to identify and warn potential victims.
And the ASD are generating offensive cyber effects against cybercriminals – these not only include disrupting and destroying adversary cyber infrastructure, but also disrupting dark web activities, undertaking information operations, sowing discord in these syndicates, and working with law enforcement partners to disrupt cyber-criminal syndicates.
Let me go back to the Islamic State – the ASD did some critical work getting inside their networks, creating all sorts of chaos, degrading their morale, and then pulling apart their networks and that was absolutely critical to the defeat of ISIS. So we’ve done it before and we can do it again, and this time to those who are attacking us in the cyber space.
This year, ASD has assisted to remove over 6,000 websites hosting cybercrime activity from the internet.
ASD used offensive cyber capabilities to disable the infrastructure of offshore cyber criminals responsible for stealing money and data from Australians during the COVID-19 pandemic.
ASD undermined the business model of a large scale offshore syndicate, shutting down its transnational operations that were targeting Australians.
ASD has worked with GCHQ, its UK peer, to target cybercriminals selling credit card details on the dark web, identifying over 200,000 stolen credit cards globally, including 11,000 Australian cards - preventing a potential loss of over $7.5 million in Australia and approximately $90 million globally.
Now it doesn’t seem like a lot of money but that was a very significant operation and it means a lot to individuals out there.
In 2018 we established the Australian Cyber Security Centre within the Australian Signals Directorate as the standing taskforce, the unblinking eye of government that combines the expertise of foreign and domestic law enforcement and intelligence agencies to fight cybercrime, including countering ransomware.
As part of this effort we also established Joint Cyber Security Centres in capital cities across the country, including here in Perth – and we are bringing online top-secret infrastructure and communications to allow high-level threat sharing with businesses and organisations in place across the nation.
Finally, we're building Australia's digital sovereignty.
It's really important that we uplift our cyber security across the country, from mums and dads, from seniors, small business owners, students at school - everyone – uplifting their cyber security just through some basic things.
- firstly, using complex passphrases: Password1234 won’t cut it in today’s world;
- updating their security patches, or their software updates;
- using multi factor authentication; and
- backing up their data.
If we just do those things well, we put ourselves in a much stronger position.
And so the Government, through my portfolio – and this is what I do, is educating as many people and reaching as many people as we can, and you might have seen 60 Minutes on Sunday night – that was part of our campaign to educate the Australian public about cyber security.
So in conclusion, the Government is taking action on cybercrime and as the Assistant Minister for Defence, I am focused on building Australia’s digital sovereignty.
We are developing the next National Plan to Combat Cybercrime, which will bring together the powers, capabilities, experience and intelligence of all jurisdictions to build a strong operational response to cybercrime harming Australians.
We are investing to strengthen Australia’s capability to counter cybercrime.
We are introducing legislation to bolster the powers of the Australian Federal Police and the Australian Criminal Intelligence Commission to identify individuals and their networks engaging in serious criminal activity on the dark web; and to uplift the security and resilience of Australia’s critical infrastructure.
General Stanley McChrystal said: “it takes a network to defeat a network.” And I believe this very much – it’s an important truth.
Cyber security is a team effort and a shared responsibility.
The networks we build together through industry and government are critical to defeating the networks online that are seeking to undermine our sovereignty and prosperity as a country.
It’s a global problem, it’s growing, and it’s rapidly evolving. We can’t afford not to act. We must act and that’s what we’re doing.
The safety and security of Australians is our first priority, but it is not a problem that Government can solve alone – we must combine our knowledge and our expertise to detect and respond to the broad and evolving threat landscape.
I need every Australian thinking about their cybersecurity, because when we all do, that means we have a safer, stronger, more sovereign country.
That is what digital sovereignty looks like.