Good morning.
I’d like to thank CISO Sydney for the kind invitation to address you today and launch this important event.
Australia – and indeed the world – stand at the precipice of significant technological advances.
Quantum; blockchain; algorithmic automation; 6G; artificial intelligence – advances in these fields are occurring at a significant pace, and will soon revolutionize our world in ways we can scarcely yet imagine.
Concerningly however, these advances are also occurring at a time in which the core tenets of the liberal rules-based geopolitical order – established in the wake of the Second World War – are being aggressively challenged by hostile states and malicious actors.
As we meet today, Russian bombs rain down on Kyiv – capital of the democratically elected Government of Ukraine…
…As the Prime Minister has noted, a new ‘arc of autocracy’ is forming to reshape the world…
Sadly, the internet, not only in Russia, but also in China, and in Iran – and elsewhere – is not a space for the free and open exchange of ideas…
…but rather a powerful tool for political censorship and stifling oppression.
This is a tragedy for the people of those nations, but here in Australia we are not immune from the dark tentacles of a number of malicious actors – some of whom have state backing – that are reaching out over online systems.
They have many goals…
…to undermine democracy at scale;
…destroy trust in global digital markets;
…attack our hospitals and healthcare networks;
…hold our data to ransom;
…or bombard our citizens with violent extremist content, hateful rhetoric, and propaganda.
In the face of this sustained and determined assault on our values – we are not helpless however…
All over the world, liberal democracies like ours are stepping up in response…
We are creating a rules-based global digital order in which critical infrastructure is supported and defended when it comes under attack;
…where sensible, measured regulation of social media breeds a healthy transparency in the digital public square;
…and where technology adds to, not detracts from, our shared security, prosperity and unity.
Technology is at the frontline of state-on-state competition – and we can’t risk our most cutting edge technology supply chains being dominated or exploited by those who don’t share our values.
In an increasingly complex world, Australians can trust that under the Morrison Government, the defence of Australia will not be compromised – ever.
This applies to our physical defences – which of course the Prime Minister has announced will grow to above 100,000 personnel by 2040 – and, increasingly, to our cyber defences.
And be under no illusion – the cyber threat to Australia is very real.
…we have seen attempted cyberattacks on government agencies, federal Parliamentary networks, logistics companies, the medical sector and universities — just to mention a few.
…throughout the pandemic, Australia’s critical infrastructure sectors have been regularly targeted by malicious cyber actors seeking to exploit victims for profit, with total disregard for the community and our essential services.
… and we need think back only 12 months, to the attack on the Nine Network, to see a sophisticated cyber-attack that knocked a free and independent news media outlet off the air.
Over the past month we have also been dealt new challenges as a result of Vladimir Putin’s war on Ukraine.
I can confirm today that our intelligence agencies have been closely monitoring Russia’s involvement in malicious cyber security incidents that are occurring as a result of the invasion.
Following Russian aggression against Ukraine, it is a sad reality that there is a heightened cyber threat environment globally, and the risk of cyberattacks on Australian networks, either directly or inadvertently, has increased.
As recently as overnight, we’ve seen a warning from US President Biden about the risk in his country of cyberattack from Russia, underscoring yet again the threat we all face.
Now more than ever, we all need to be vigilant. This applies especially to the owners and operators of our most critical infrastructure – but we all have a role to play.
That’s why, the Morrison Government has approached cybersecurity with a strategy based around three core pillars…
1) support for industry
2) support for security agencies and law enforcement; and
3) support for citizens directly.
I will address each in turn today.
By supporting these three pillars, we have thus far kept Australia safe from a massively disruptive cyberattack… but they are no panacea.
Cybersecurity is a complex and evolving field.
If mismanaged by an amateur Government, digital spaces could become an existential threat to our prosperity, sovereignty, values and principles.
No-one can afford to be complacent, least of all the owners and operators of our most critical, sensitive and relied-on technologies…
These include not only power stations and airports, but our universities, supply chains, banks, water infrastructure, space and transport logistics firms — among others.
In the 2020–21 financial year alone, one-quarter of cyber incidents reported to the Australian Cyber Security Centre were associated with Australia’s critical infrastructure or essential services.
That’s why we are serious about supporting industry to protect Australia’s critical infrastructure.
Owners and operators will always have an important frontline role in assuring their own cybersecurity.
However, with the tools and resources available to the Commonwealth, it makes sense for our specialists to step in and assist when these companies come under serious attack.
Under new laws, secured through the Parliament last year by the Morrison Government, Commonwealth agencies can now provide emergency assistance or directions to large businesses operating in critical industries, helping them deal with a significant cybersecurity incident.
As an example, it’s not reasonable for a supermarket retailer to have all of the highly specialised personnel and expertise to deal with a major debilitating cyberattack that misdirects their supply chains, shuts down payment points and holds their customers’ data to ransom.
This type of complex, coordinated attack would – more than likely – be beyond the capabilities of any business’s IT division.
Thanks to this Government’s leadership, now, when major attacks occur, we can call upon the capabilities and expertise of the Australian Signals Directorate – the ASD – to address the problem.
Of course, business owners and operators still have a vital frontline role to play…
…just the same as with physical security, they need to ensure their doors are locked and their alarms are set.
But the fact is, the ASD has a unique capability that can support industry’s response to a major cyberattack that would impact on the entire Australian community.
These important laws were a good start, but there is still more to be done to protect the most vulnerable in our society.
I used the example of an attack on a supermarket just now, but imagine for a moment if this were to occur instead at a hospital…
…patient data encrypted and held to ransom…
…lifesaving medical systems knocked offline when they are most urgently needed…
…hospital staff not able to properly perform their duties because of an ongoing cyber-attack…
Chillingly, we don’t have to imagine – it has occurred.
In Germany, a hospital’s systems were attacked; systems failed and critical data access was lost.
The hospital could not provide emergency care…
…incoming patients had to be diverted elsewhere – putting them and medical staff at increased strain and risk…
…it took the hospital almost two weeks to restore essential services.
So too, in America, a hospital recently suffered a ransomware attack that blocked and encrypted vital systems.
Tragically, it is alleged that a baby died as a result of the critical deterioration in patient care.
This is not just a problem for people overseas however.
I can confirm that the Australian health care system is no less of a target.
Cyberattacks on health facilities have already occurred in Victoria, in Queensland, and in New South Wales.
In the 2020-2021 financial year, the health sector reported the second highest number of ransomware-related cyber security incidents, and the fourth highest number of incidents overall.
For operational security reasons, there are details I cannot reveal publicly about these incidents – but I can confirm that in at least one attack, the Ryuk ransomware variant was used – which is a known tactic of Russian cybercriminals.
Clearly, there is no tyranny of distance when it comes to cybercrime.
And it would be naïve to think that Putin’s aggressive ambitions, or those of his henchmen, are confined to Ukraine.
In a digitally connected world, dominance can be established and damage inflicted by any state or non-state actor by means of cyberattack.
I don’t say this to scare – indeed I can reassure Australians that their data and ongoing access to essential services is secure – but rather to underscore the threat we face.
As a Government, we are taking this threat very seriously.
Last month, we introduced the second phase of our critical infrastructure reforms, in the form of the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022.
This Bill sets out preventative and mitigation measures to improve the security of Australia’s critical infrastructure.
They include a requirement for critical infrastructure to adopt, comply with, and keep up-to-date, appropriate risk management programs for cyber-attacks.
They also introduce Enhanced Cyber Security Obligations for Systems of National Significance – to strengthen cyber security on our most critical assets.
This Bill is now before the Parliament, and I look forward to its passage.
An old medical saying is that ‘prevention is better than cure’. This rings true for cybersecurity, which is why – before any more large scale cyber-attacks occur – we’re going after the criminals themselves.
The Morrison Government is proud to have given our police and law enforcement bodies important new authorities to go after criminals on the dark web…
…and take the fight to those who ply their illegal trade.
Many here will be familiar with Operation Ironside, which saw the Australian Federal Police, working closely with the FBI and other international partners, successfully develop an app – ANOM.
Criminals thought this app facilitated secure anonymous communication.
Little did they know, but the ANOM app – an idea conceived over beer between colleagues – was giving police and law enforcement officers a full readout of their most sensitive discussions…
where drug transactions were going to take place…
how they planned to illegally import weapons…
and who they planned to silence next.
In Australia alone, this operation has seen more than 350 alleged offenders charged and more than $55 million in cash seized.
The bad news for the bad guys, is that Operation Ironside was just the start of a new era in digital police work, and it’s continuing at pace…
…yesterday, I launched Australia’s National Plan to Combat Cybercrime.
The Plan will:
- support industries to grow online;
- build wider confidence in the digital economy;
- ensure safer online spaces for children; and,
- better support law enforcement to bring to justice those who would break our laws.
It brings together the experience, powers, capabilities, and intelligence needed to build a strong, multi-faceted response to cybercrime.
The Plan will coordinate Government and law enforcement action to:
- prevent cybercrime;
- investigate, disrupt and prosecute those who attempt it; and,
- help impacted businesses, groups, and individuals recover.
The Plan truly is national – and I thank my State and Territory counterparts for endorsing it at a meeting I chaired on the Gold Coast last week.
I encourage you all to download a copy today from the Department of Home Affairs’ website.
Importantly, the Plan has not been launched in isolation – it is backed up by real, tangible action.
Last month I introduced legislation in the Parliament to create a range of new criminal offences in relation to ransomware with tough new penalties – including up to 25 years imprisonment for those who target critical infrastructure.
And yesterday, I joined AFP Commissioner Reece Kershaw to open the AFP’s new dedicated cybercrime centre – the JPC3.
The centre is a tangible demonstration to anyone thinking cybercrime might be profitable…
…that under the Morrison Government, the AFP has the power, backing and resources they need to put you behind bars.
The centre will use far-reaching Commonwealth legislation – passed under this Government – and high-end technical capabilities we have funded, to aggressively target cyber threats, shut them down, and bring offenders to justice.
Sixty AFP members will be attached to the JPC3, which will:
- coordinate Australia’s policing response to high volume cybercrime;
- enhance intelligence sharing and target-development;
- promote cybersecurity to industry and the public;
- coordinate law enforcement action; and,
- counter cyber threats.
The Centre will be led by an Assistant Commissioner, who this year became the AFP’s first full-time Assistant Commissioner dedicated to countering cybercrime…
And it was established with $89 million in funding provided through the Morrison Government’s $1.6 billion Cyber Security Strategy…
…demonstrating once again that the Morrison Government is serious about enforcing the law and protecting Australia’s digital future.
In addition, I am pleased to say that I have authorized the expenditure of seized assets and ill-gotten gains to further support Australian law enforcement’s crackdown on cybercrime.
Today, I can reveal to you that I have provided the AFP and ABF with an extra $9 million to fund artificial intelligence programs that will detect and prevent crime.
The AFP’s funding will expand and enhance the joint AFP / Monash University ‘Artificial Intelligence for Law Enforcement and Community Safety’ Lab based in Clayton, Victoria.
It will fund the development of a capability to harness AI to automatically classify distressing material, characterise criminal communications and behaviour – including on the dark web – and rapidly process and interpret large volumes of police data.
The world-leading work conducted at the Lab will accelerate the prosecution of child exploitation and terrorism, and reduce investigators’ exposure to material that can cause significant psychological trauma.
The ABF’s funding will support a joint project between Border Force, the Department of Home Affairs and the Department of Agriculture, Water and the Environment.
The project will use AI to improve law enforcement’s ability to detect attempts to smuggle drugs and weapons into Australia through the international mail system.
It will create a national image database of high-threat items, like drugs and weapons, which will be automatically compared, at scale, to inbound international mail passing across our border.
The program will then instantly alert Australian border officials to possible concealments.
Using AI in this way will improve current detection processes that must currently be conducted manually.
It will also provide a foundation to scale up capabilities by developing more robust detection algorithms.
Algorithmic automation is a force multiplier – but of course so too is collaboration.
That’s why, in cracking down on cybercrime, I know we’re in the company of good friends.
Until recently, Australian agencies have relied on complex and time-consuming mechanisms, such as mutual legal assistance agreements, to access crucial evidence from other countries.
Investigations and prosecutions had stalled and even derailed as a result of these arrangements – but now we’ve resolved this.
Last year, the Morrison Government secured passage of a new international production order framework, paving the way for a more efficient and modernised approach to international data access with trusted foreign partners.
This legal framework provides Australian law enforcement agencies, and the Australian Security Intelligence Organisation, with access to the vital data they need from foreign communications service providers, subject of course to appropriate safeguards and oversight.
In December 2021, I travelled to the United States to sign the first agreement to be designated under this framework – the CLOUD Act Agreement.
The signing was of tremendous significance for our two nations and our law enforcement agencies.
It’s also the start of an exciting new development, as it further supports our police, giving them timely access to the evidence they need to uphold our laws and to protect our communities.
As is right and proper, important safeguards in the agreement reflect our two countries’ respect for the rule of law and for human rights.
As I said in my introduction, this Government will always balance the need for agencies to have the powers they require to protect Australians while ensuring these powers are subject to robust controls, safeguards and oversight.
In the same way, the final pillar in our response is to empower all Australians to use online spaces openly, transparently, securely, and with confidence.
All of us are increasingly using digital and online technology to communicate; to bank; transact; learn; and a myriad of other completely legitimate and necessary activities.
By raising awareness of cyber threats, we will embed cybersecurity into the muscle memory of our society – ensuring that good cybersecurity becomes as reflexive as locking the front door or putting on a seatbelt.
When I launched a public information campaign on this last year, I asked Australians to ‘beat cybercrime in their downtime’.
The campaign encouraged Australians to consider their cyber vulnerabilities and take tangible action to improve their security, rather than using their downtime to scroll social media.
Present company excluded of course… but cyber security isn’t something people normally stop to think about.
Even in 2022, it can come as a shock to some that phones, smart devices, TVs, WIFI routers, social media accounts, emails and e-commerce transactions can all be exploited by criminals.
Simple things like increasing the complexity of passwords by using passphrases, and turning on multi-factor authentication and software updates…
…can have an outsized impact when they prevent identity theft or save a business from a ransomware attack.
Last December, I also launched a series of cyber security seminars for small business.
These downloadable seminars can be used by the professional services industry, community organizations and peak bodies to educate and upskill their members and communities.
And just last week, I was in the Northern Territory – hosting cybersecurity forums with business leaders and community groups in Darwin and Alice Springs.
I have more of these roundtables planned while I’m here in New South Wales, and I encourage other leaders and cybersecurity experts to organize similar workshops among their own networks.
As leaders in this field, we all have a responsibility to increase cybersecurity where we can.
In closing, Australians can be assured – as can the malicious actors aligned against us – that the Morrison Government will continue to prioritise the online safety and security of our citizens.
We know that Australia’s prosperity and security depend on our ability to securely harness the opportunities created by digital technologies and connectivity.
Which is why we’re committed to supporting industry, national security and law enforcement agencies, and our citizens.
Taken together, I have confidence we will continue to make sure that advances in communications and online connectivity are a force for good.
But this isn’t ‘set and forget’; just as cyber threats continue to evolve, so too must our responses, and as they do, we must ensure that technology continues to support our shared security, prosperity and unity.
Any misstep or inexperience in cyberspace, such as might come from a new Government finding its feet, could have dire consequences.
As the Morrison Government has shown however, we have the skills and track record to keep Australians safe. Thank you.