Joint Press Conference with Minister for Home Affairs and Cyber Security

  • Transcript, E&OE
Subjects: Cyber security strategy, High Court decision

Clare O’Neil, Minister for Home Affairs and Minister for Cyber Security: Today is a really big day for the government and it's a big day for the national security of our country. Today, the Albanese government launches a game changing cybersecurity strategy that will help us keep our citizens safe and secure in the face of what is the fastest growing national security threat that we face.

If we have learned anything in the last year in this country it is that we cannot continue as we have. We can't have a situation where we've got data flying around the country, where we've got critical infrastructure starting to fail, where we've got small business and citizens who are consistently telling us that they feel vulnerable and unable to cope with the cyber threats themselves.

Our cyber strategy being released today is about a pathway out of that.

We have spent the first 18 months that we've been in government catching up, waking out of that cyber slumber and catching up to where we should already have been.

What today's document is really about is the future, because we know that as bad as the cyber environment is for us right now, we have reason to believe that things are going to get worse and that we are going to face increasing risk.

We know that because we see technological change, creating new opportunities for cybersecurity threats. We know that because the Internet of Things is going to bring billions more devices online by 2030. And we know that because we are in a geopolitical environment that is the most challenging that Australia has faced since the Second World War.

That's why we need a better way of managing this problem. And that's what today's cyber strategy is about. The goal of this strategy is not to reduce cyber risk to zero. And we need to be really clear about that - there is no politician in the world, no politician in any country who can look their citizens in the eye and say that we're not going to have any more cyber attacks.

There is no public policy option here that reduces cyber risk to zero. What we do need to do is make sure that we're making our country a hardened target, that we're fighting back against cyber criminals who are seeking to do us harm and that we're building a bounce back so that when we do get hit by cyber attacks, small businesses and citizens can get back up off the mat, and when critical infrastructure is the target the country can continue to function while the cyber incident is resolved.

So, what is in the strategy? The big picture here is making citizens and small business the heart of what we do. We have a country at the moment where millions of millions of people are affected by cyber incidents. Small business tell us that they lie awake at night worrying about that phone call that tells them that their systems have been locked down. And we're simply not doing enough to protect those people and help them protect themselves.

The broad principle here is to build six cyber shields around our country to make sure that we're doing everything we can. Big business, government, owners of critical infrastructure, to provide those protections for people as well as supporting citizens and small business to understand how to protect themselves.

So, I'm going to go through some of the big policy ideas in the document in front of you. I'm going to hand to Minister Watts, who's worked incredibly hard on some of the international elements in this strategy, and then we'll open for questions for people who are here in the room.

Before I told you about the six cyber shields, and I want to start with the first shield, which is about strong business and citizens. One of the things that I want Australians to understand is that yes, the cyber environment feels scary, it feels technical, and it feels hard to decipher, but there is so much that you can do to protect yourself.

One of the things that's at the heart of this strategy is education programs that will explain to Australians for the first time that in the vast majority of cases they can prevent cyber attacks on themselves and their businesses if they undertake some simple steps.

Part of our solution here is specific funding programs that are targeted at the most vulnerable. I'm thinking here about seniors, about people who are from non-English speaking backgrounds, where there are those additional barriers to them accessing normal supports.

We are doing an enormous amount in this strategy specifically for small business, and that is because we know that as much as we worry as a nation about cyber attacks on really big companies, usually these are matters that can be handled. For a small business, a cyber attack can be automatically fatal, and we need to do more to support them.

One example is that today, there is no cyber incident response function, no cyber incident response support for small businesses in this country that come under cyber attack and our strategy will help change that.

One of the important elements that we're undertaking to make sure that we're supporting small business and citizens is providing additional funding to the AFP to boost the Hack the Hackers program.

So this is about $75 million investment which will make sure that the police who are responsible for fighting cybercrime are able to build those capabilities and get the skills that they are going to need to help us protect the community.

I want to talk about the second shield, which is safe technology. And really this is saying that we shouldn't live in a world where Australians can be confident about the safety of the physical products they buy, yet there are no protections for the digital products that they buy. Why is it the case that you can go into a baby store today and know that the baby seat that you're buying has been tested and is safe for us yet in the next aisle there might be a baby monitor which is taking imagery of your child all the time, and there's no standards, no cyber standards applied to that product?

So we're building trust in digital products by a range of different public policy tools to make sure that we start that journey, so that by 2030, we live in a world where safe digital products are the norm in our country.

The third cyber shield is about world class threat-sharing and threat-blocking. So, this is really about pushing responsibility and harnessing the power of those in our economy who can actually reshape the cyber environment for us.

I'm thinking here about our telcos, for example, who can do a lot to work with government to make sure that we are sharing the very best information about what the cyber threat environment looks like. And then making sure that we're putting obligations on companies in Australia's economy to do something to help protect the public with that information.

The fourth cyber shield is about critical infrastructure, and this is a really important one. We've had attacks on Optus, we've had attacks on Medibank, we had an attack on DP World earlier this year. But one of the things that I know that Minister Watts and I are most worried about is when we experience debilitating shutdowns of pieces of infrastructure that all of us in this country rely on.

I'm thinking about our water systems, our telecommunication systems, our energy grid. What we need to do is a lot more work to work with the owners of those infrastructures and those big companies to make sure that they are being set minimum slavery standards and that they actually follow them.

One of the important parts of our response here is in particular for telecommunications companies. Our government has a strong view that telcos need to be subjected to the highest level of cybersecurity standards in our country. And that is and that is why we are changing the way that we regulate telcos in this country to make sure that they meet those standards.

We have a cyber threat in front of us, but we also have a cyber opportunity. And that's why sovereign capabilities is a really core part of the work that we've done here. We want to build a country where we've got the cyber skills we need, we've got the small businesses that are building products that they are going to be able to sell all over the world. And we have a number of initiatives that will support those efforts. Finally, we have a lot of work that's been done by Minister Watts on the international front. And I'll hand over to you now to just talk a little bit about the policy in that area.

Tim Watts, Assistant Minister for Foreign Affairs: Well, thank you, Clare. It's appropriate that this strategy calls for a new era of collaboration on cybersecurity in Australia, and we are practicing what we preach inside government, releasing the first integrated domestic and international cybersecurity strategy in Australia's history.

We've made our foreign policy priorities as an Albanese government clear for some time. We want to see a region that's peaceful, prosperous and secure. A region that's governed by rules, norms, and agreed international law. A region where no country dominates, and no country is dominated. We've been clear that Australia needs to use all the tools of statecraft in order to realize a region that operates in this way. And in this strategy, we announce new areas of endeavour, new lines of work to realize that vision.

This strategy, now the sixth cyber shield in this cybersecurity strategy - resilient region, global leadership - outlines a framework for how Australia will sustain, uphold and defend - shape, uphold and defend - international laws, technical standards and norms of responsible state behaviour that govern cyberspace. We’ll also outline the way that we will hold those that flout these rules accountable.

They're accountable for their behaviour. This is an agenda that has been ably led by Australia's Ambassador for Cyber Affairs and Critical Technologies, Brendan Dowling.

Importantly also though, this strategy includes a range of new initiatives designed to build a more prosperous and more secure Pacific region. It's a priority for the Albanese government to listen to the priorities of our Pacific Island neighbours.

We've heard loud and clear that our Pacific Island neighbours want to realize their economic development ambitions through increased digitization and connectivity of their societies. We also appreciate though that the extent that they have success in this increasing digitization and connectivity will also increase the extent to which they are exposed to the very same cyber threats that we seek to address domestically in Australia.

We understand that we need to lift our level of engagement in response to these threats. And that's why this strategy includes a number of important initiatives for lifting Pacific cyber resilience. We're lifting our engagement to establish rapid response cyber crisis teams in the Department of Foreign Affairs, led by DFAT, but drawing on the expertise of government agencies and the private sector to enable us to better respond to requests from Pacific Island nations when cyber incidents hit their nations and our ability to consolidate our position as the partner of choice for the Pacific family in responding to cyber incidents.

The strategy also includes new initiatives for boosting cyber resilience in the Pacific Islands before incidents occur, identifying areas of vulnerability, outdated hardware, outdated software, and helping our Pacific Island family to lift their resilience to attacks before they occur.

The strategy also includes recent commitments we have made to very substantial submarine cable infrastructure rollouts, building on those announcements made by Prime Minister Albanese and President Biden during their recent trip to the United States.

Subsea digital infrastructure is the most important infrastructure most people have never seen before. We want to ensure that our Pacific Islands family has options for trusted providers to expand their connectivity and their resilience and redundancy on their connections to the global digital economy.

The Albanese Government's made it clear that when we see the forces and the dynamics that are shaping the international world, we're not content to be mere spectators.

We're not content to merely opine, we want to shape those trends in the Australian interest and that's why the international shield in the strategy does.

Journalist: Minister O’Neil, Australians are still smarting from the Medibank and Optus hacks. You've spoken about the response of the previous government being inadequate - is $500 million over seven years really adequate then to address this threat? Where's the plans for legislation and a bigger federal contribution?

Clare O’Neil: Thanks, Andrew. And just to clarify, it's $587 million over four years, not seven. And this is in addition to an investment that was made by the former government into what's called the REDSPICE program that you would be aware of, so that's roughly a $2.3 billion investment in the same set of activities.

What you have here is a federal government that - putting that together - is spending $2.8 billion roughly on cybersecurity over the coming four years. That is a very substantial investment for the government to make. What I would also just say is that this is not a problem solved completely by money. If you've been paying attention, there is billions of dollars in this country and around the world being poured into cybersecurity, what's lacking at the moment is a way for us to knit together all of the activities that are occurring around this country. And this is what the strategy is about.

It is not about saying that Telstra is doing something about this, the government's doing something about this and Westpac might be doing something about this. It's about harnessing all the forces in our country, properly regulating this environment and working together so that we can provide better protections for our citizens.

And in response to your question about legislation. The document is full of legislation. There is an enormous regulatory response here that's going to be really useful for business. We are going to clarify the cyber standards that are required across the economy and make sure that we enforce those standards properly.

Journalist: Alright. When the Medibank hack happened. You got up in the parliament, you said we're going to have the toughest and smartest people come after you and it just appears that's impossible, isn't it because a lot of these attacks are from offshore, most of them from China and Russia?

Clare O’Neil: We are having enormous success in the Hack the Hackers program which is the task force that was set up in response to what has been unprecedented cybercrime experienced in our country.

Hack the Hackers is a flagship initiative of our cyber response. It brings together the smartest cyber guns in the Australian Federal Government - in the Australian Federal Police and the Australian Signals Directorate - and they are right now sitting in offices around this country hunting down people who would seek to do us harm and debilitating them before they are able to hurt us.

There is a lot of success that has been achieved by this task force already. It collaborates with the FBI – with all of our Five Eyes partners - and performs what will be a pivotal and growing role in this problem. The cyber strategy before you now commits an additional roughly $75 million to the AFP to help them to support these efforts. It is essential for our response going forward.

Journalist: But when you say, you know, the former government did $2.3bn and we're putting $500 million on top and you’ve been nothing but, nothing but critical of their response. You have to give them some credit.

Clare O’Neil: So, I have been really clear that I think the REDSPICE investment was a really important starting point for our country. What the former government seem to forget about is that there are people outside of government who also need to be harnessed into our activities.

So, what you we had, a REDSPICE investment that was important, that I was supportive of at the time, that I'm supportive of now. What we didn't have is any real thought to citizens and to businesses who are at the end of experiencing this problem.

And this is why our strategy is so different. It puts citizens and business at the heart of all the government's efforts. It makes sure that we bring together all of the things that have been done around this great country about cybersecurity and knits them into shields that will help better protect our public.

Journalist: Minister, you mentioned the need to regulate telecommunications companies under tougher cyber standards. Optus has kept their reporting into its cyber attack private, should that be made public and also do you think that there needs to be greater accountability for telecommunications companies to explain what went wrong?

Clare O’Neil: So firstly, the regulation of telecommunications companies. It is absolutely clear to me and should be to every Australian that we are not subjecting telcos to high enough cyber standards today. That is abundantly clear in what's happened over the last 18 months.

Our government is going to fix that. We're not going to make sweetheart deals with telecommunications companies. We're going to bring them under the SOCI Act, which is the tough law that we have that we regulate many other parts of the economy.

Now once that occurs, we are able to subject telcos to new world’s best practice standards that will require them to meet the standards that frankly already should have been set down.

With regard to cyber incidents, this is a really important question. So, what we're seeing over the past 18 months is some very, very significant cyber incidents affect our country, but a very ad hoc approach to thinking about what went on to establishing a fact base and to helping frankly, the rest of the economy learn from the mistakes that have been made by these very large companies.

Part of our strategy is to try to change that. We have agreed to set up a cyber incident review board. This is a model that is seen in some other countries around the world, which will actually in a very clinical way assess what went wrong in cybersecurity incidents of national importance, provide some public understanding about what occurred, and try to do this in a way that will encourage the rest of the economy to work.

Now, one of the examples I think this really shows itself to be very important is that we have continuing problems with companies around this country, big companies that should know better, who continue to do simple things wrong, like not patching their software. This is the sort of thing that a cyber incident review board will help us bring to light and make sure that not only is there better accountability for the public, not only is it depoliticised so it's not the Minister who decides for political reasons what gets examined and what doesn't, but it's a mechanism to make sure that we're all learning and all lifting our cyber capabilities together.

Journalist: How much of an issue is the Chinese government in terms of cyber attacks?

Clare O’Neil: The Australian Signals Directorate articulates the countries that are, those countries, and it does articulate that China, Russia and Iran are three actors who are engaged in this practice. I would say though, that at the end of the day, what's really important about cybersecurity is that the same mechanisms work whether it's a state actor or a non-state actor, whether it's someone sitting in their basement in Sydney or a Russian cyber criminal who's operating from somewhere in Russia, the same things need to be done. And that is we've got to think about how we make ourselves a tougher target, how we can educate our public about what they can do to protect themselves, how we can make sure that the companies take responsibility.

We've got to fight back against this and punish those criminals who are trying to target our citizens. And we've got to make sure that we bounce back. And if we do those things, whether it's a state actor who's behind a cyber incident or it's a criminal gang, or anyone else, we're going to be better protected.

Journalist: You mentioned that the big companies that are failing to patch and the DP World appears to be non-compliant. Would you support the idea for some punitive measures for directors and organizations like DP World?

Clare O’Neil: Well, we consulted a lot to actually with company directors as we were bringing together this strategy. I think there's general recognition amongst company directors that the world has changed, and I think there is a reasonably good understanding that cybersecurity is going to be on the top of the board agenda for the foreseeable future, and the company directors in this country must have an understanding about this and must educate themselves so they can ensure they're meeting their responsibilities.

Now, what directors have told us is that they are unclear about how their corporate obligations, the section 180 obligations under the Corporations Act, translate into cybersecurity and part of our strategy is helping the private sector articulate what best practice looks like, and making sure that we work with those companies to bring themselves up to standard.

So, a part of that is creating standards that will help give meaning to Section 180. And of course, there are corporate penalties attached to that. The short answer to your question is we don't need specific cyber rules here. We have rules for company directors. We just need to give a better translation of what cyber responsibilities look like in regard to those rules.

Journalist: The sovereign capability shield – you’ve spoken about the importance of building up local industry and the workforce. But you've only allocated in new funding around I think eight and a half million dollars to that. So how is $2 million for an industry that you've said is probably behind some of the world's best going to move the needle?

Clare O’Neil: So cyber skills is where the 2.8 comes from - which I think you're referring to - we did a lot of work with cyber professionals with the private sector all around the country on the question of skills. And what became really obvious in those conversations is that it's actually not a lack of funding and it's a not a lack of programs that is driving our cyber skills problem here in Australia.

It's actually the fact that we don't have enough people who are hungry to try to study cyber. So one of our solutions to this initiative is to push harder on bringing cyber into the whole school curriculum so that we've got young people around this country thinking about this as a career pathway and getting interested in this.

The big piece of feedback we've got that was specific to cyber from a skills point of view is that today, the cyber training environment isn't properly structured. And what I mean by that is you can get a bachelor's degree from one university and a bachelor's degree from another university and those two students are being taught entirely different things. And so the $2.8 million is simply the money that we will need to fix that problem.

What does it mean to be a skilled cyber professional in this country? And how are we going to work to structure that up so that people know what they're getting effectively. The other thing that we heard really clearly from industry with regard to cyber is that they have gaps early in the workforce.

So, we're not getting enough cyber graduates into their programs. But we've got a real problem as well around the sort of 10 plus years of experience area and some changes that we will be making to the migration strategy next year will support a more seamless movement of really experienced cyber professionals in and out of the country.

Journalist: Just quick what is the overall goal? I think when you announced the strategy last year, you said you wanted Australia to be the most cyber secure nation in the world by 2030. But the language seems to have changed this morning to be among the world leaders.

Clare O’Neil: Yeah, I think we want to be among the world leaders, I think, I think there's some about this problem that's beyond our control. And I think that's the realistic and achievable goal for us that we can be confident about.

Journalist: Okay, so did something change in the last year or?

Clare O’Neil: No, it just became clear in the discussions that we're having, and we've done an enormous amount of consultation here, that there are things that are going to influence this problem that the Australian Government and Australians don't control. We want to set a goal that's achievable. And I think being a world leader is absolutely achievable here.

Journalist: How will you measure that? Is it a metric of success?

Clare O’Neil: I mean, there's lots of different metrics. And there's lots of tables that you can look at around the world that rank countries in terms of their performance. And I think we'll be using lots of different metrics. What we shouldn't use is not having any cyber attacks, and that's the one where we've just got to be really upfront at the beginning of this process. We're going to continue to have cyber attacks. The cyber environment is deteriorating, not just here, but in every single other country in the world. And what we need to do is not accept that as our reality. That there's things we can do to reshape the cyber environment and to reduce cyber risk. But we've really got to focus on that fighting back and particularly that bounce back; this is about cyber resilience and making sure we're going to continue to get hit, but we've got to understand that that's the future and plan around it.

Journalist: On the data retention requirements and the need to review that there's a mention in the document of needing to be complementary with the privacy review, which is obviously ongoing, also the need to bring small businesses alongside so they're probably not just getting overwhelmed with varying pieces of regulation. Can you unpack a little bit more the idea of being complementary to the privacy review and the different pieces of which where we’re moving here on data retention?

Clare O’Neil: I think, participating in the public conversation about cyber, one of the things that's really obvious is that companies holding really large amounts of data was seen as a huge asset probably a decade ago. Today, it's a huge risk. And when we talk to companies about why they are holding so much data, they're often saying to government, we don't want to be holding this much data, but we are required by an old kind of mix and matrix of different laws to hold on to data for long periods of time.

During the Optus and Medibank aftermath a lot of you would have talked to members of the public who hadn't been Optus or Medibank customers for 15 years, and yet for some reason, their identity documents or numbers about them were still being held by the companies. That's not a good situation to be in.

It doesn't have an easy answer because these things never do. We built up a set of laws thinking that the more data, the better. And now suddenly, we're in a world where data is in some respects a liability. The work that Mark Dreyfus and I are doing together is to try to analyse the entire set of policies and laws that apply to data retention. And we are going to work to simplify those laws and that work has already started between our two departments.

Journalist: Just on the ankle bracelets [indistinct]. Have you had an update since this morning on the six - the detainees from WA who don't have the bracelets on? They've left the state apparently and are you considering, or have you sought advice as it's been reported on preventive detention [indistinct]?

Clare O’Neil: With regard to the scheme Minister Giles is operationalizing the scheme and he is in charge of its implementation, and I will ask him to provide a report on what is happening with the ankle bracelets. With regard to the preventative detention regime, this is absolutely something that government is considering. And I'll just say again, for the record, if it were up to me, none of these people would have been released from detention and if I had any legal power, all of them would be right back in detention, the high court's decision that makes that legally impossible. And the job for me now is to manage the NZYQ decision in a way that best protects the safety of the Australian community, and I will be examining every and all options and that includes a preventative detention regime.

Journalist: Just to get an update - how many people have currently been released, and I just want to double check; so, you're no longer the responsibility of ankle monitoring is not in your portfolio is that right?

Clare O’Neil: It's in my portfolio but the Minister for Immigration has been charged with implementing the scheme that was produced by the Parliament last week and he will provide an update to you on the logistics of how that's unfolding.

Journalist: And the number of people who have been released?

Clare O’Neil: He’s going to provide these kinds of updates.

Journalist: Have you received any information about that since you were asked about it on Breakfast TV or [indistinct]?

Clare O’Neil: Yes.

Journalist: What [indistinct]?

Clare O’Neil: I don't have specific numbers for you, Andrew, and as I say Minister Giles is implementing the scheme, and he's going to provide updates.

Journalist: Is it three quarters? Is it half of them? Or is it none of them that have anklets on?

Clare O’Neil: Andrew, Minister Giles is implementing the scheme and he'll provide an update.

Journalist: Has the Government made a decision about Mike Pezzullo’s future? And if not how soon are we going to get that decision?

Clare O’Neil: The Minister was always entitled to due process as the public is well aware. The Prime Minister and I referred his conduct to the Australian Public Services Commission for review. That review has not been processed by the government and I won't be making public comments on it until we are ready with a response.

Journalist: The refugees that are in PNG that Australia originally placed on Manus Island are likely to be evicted soon, most likely making them homeless. Does Australia still owe any obligation to these men and their families?

Clare O’Neil: So, we can be really clear about this one. A decision was made when Scott Morrison was prime minister at the request of the PNG government, that Australia removed itself from engagement with the asylum seekers who were on PNG. That deal was made and executed on under a previous government.

Journalist: Earlier was reported when 93 People were released back into the community, this document shows that 21 were living in community detention before the High Court decision, even including that group and the number of people you are saying had been released.

Clare O’Neil: Excuse me can you just you're saying is the people who are already in the community inclusive in the 90?

Journalist: Yeah, they were living in community.

Clare O’Neil: I’ll need to check that fact with Minister Giles.

Media enquiries

  • DFAT Media Liaison: (02) 6261 1555