Australian Securities Investment Commission (ASIC) is to target companies with weak cybersecurity while Minister for Home Affairs sets out 6 cyber shields

September 19, 2023 |

ASIC and the the ACCC have become active dealing with privacy issues where they have some jurisdiction through their respective governing acts. Part of that is because those matters fall within their remit but more significantly because regulation in the privacy/cybersecurity space has been so tepid, slow and tentative by the Information Commissioner. Just as nature abhors a vacuum if one regulator is slow on the uptake other regulators fill the void. And that explains ASIC’s announcement at the Australian Financial Review Cyber Summit yesterday, as reported by the ABC, that it will target companies with weak cyber security plans. The Austalian Financial review also reports on this initiative with ASIC to target boards, execs for cyber failures. It has also been reported by the SMH with Watchdog takes aim at company directors over cybersecurity.

Traditionally such targeting would be the sole remit of the Information Commissioner targetting a breach of APP 11. But cyber security breaches affect corporate activities, the bailiwick of ASIC, and representations about protecting privacy, ACCC’s patch, that other regulators have every right, and expectation, to become involved.

Clearly companies will be

At the Cyber security Summit the MInister for Home Affairs, Clare O’Neil, gave a speech on cyber security announcing 6 cyber shields which are:

  • strong citizens and businesses that understand that they actually do have the power to protect themselves. By 2030 the government wants  citizens and business to understand the cyber threat, understand those actions that they can take to protect themselves and have proper supports in place so that when they are the victim of cyber attack they’re able to “get back up off the mat very quickly.”
  • Safe products.  By 2030 the government wants clear global standards for digital safety in products that will help drive the development of security into those products from their very inception. 
  • World-class threat sharing and threat blocking. By 2030 the government wants threat intelligence to be exchanged between government and business at real-time machine speed and then threats blockOur fourth cyber shield will be protecting Australians’ access to critical infrastructure.ed before they cause any harm.
  • Protecting Australians’ access to critical infrastructure. 
  • sovereign capability. By 2030 the Government wants to be a thriving cyber ecosystem where cyber security is a really desirable profession for young people around the country and that Australia has the system that’s adaptable in itself.
  •  undertaking coordinated global action and pushing for a more resilient region.

The 6 cyber shields, so described, are aspirational targets.  Welcome, but definitely sign posts rather than dealing with the many immediate problems of dealing with data breaches.  Some  are heavily policy oriented, such as threat sharing, co ordinated global activity and sovereign capability.  The most practical are the building understanding of cyber threats and having people respond to those threats.  That is and always was complying with the APPs under the Privacy Act.  To date that has been an optional extra for most businesses.  With most not being concerned about enforcement there has been little impetus to comply. The interesting proposal relates to global standards for digital products.  This seems fairly straightfoward, why shouldn’t digital products be fit for purpose, which includes secure.  Many products are released onto the market with a focus on functionality and speed.  They are often pushed out quickly.  That is particularly the case with apps.  Privacy and security settings are often an afterthought or rudimentary.  Having some enforcement of proper security built into the product at the time of release is a good thing.  Where things become complicated is dealing with unexpected vulnerabilities when digital products are installed with some systems.  Zero day vulnerabilities can come into play.  Similarly adjusting a program to work within a particular system can result in unexpected problems.  

The proposed crack down by ASIC is welcome, and long overdue.  ASIC will have a target rich environment to work within.  Many corporations have a rudimentary understanding of cyber security, inadequate data breach response plans and an underfunded IT budget when it comes to cyber security systems.  They also have poor staff training and data handling protocols.     

The AFR article provides:

The corporate regulator will seek to make an example of board directors and executives who are recklessly ill-prepared for cyberattacks, by taking legal action against compromised companies that did not take sufficient steps to protect their customers and infrastructure from hackers.

Australian Securities and Investments Commission chairman Joe Longo will tell The Australian Financial Review Cyber Summit on Monday that businesses must be prepared for the ever-rising risk of cybercrime and will warn firms against putting too much faith in third-party providers of technology systems and services.

ASIC has only previously prosecuted one Australian company for slapdash cyber preparation, but Mr Longo will say his staff are seeking out breached companies that had cut corners.

“For all boards, cyber resilience has got to be a top priority,” Mr Longo says.

“If things go wrong, ASIC will be looking for the right case where company directors and boards failed to take reasonable steps, or make reasonable investments proportionate to the risks that their business poses.

“I can assure you that in the right case ASIC will commence proceedings if we have reason to believe those steps were not taken.”

The Summit will also hear Home Affairs Minister Clare O’Neil outline her aspiration to stop companies selling products they know to be cyber insecure, one of six planks in a platform that will form the bedrock of the government’s Cybersecurity Strategy.

Mr Longo and Ms O’Neil will tell the conference the hacks of telco giant Optus and health insurer Medibank last year were a wake-up call. At the time, Ms O’Neil accused Optus of leaving “the window open” for hackers to steal personal data, the sort of activity ASIC will now be targeting.

Mr Longo will say all boards should insist on a demonstrable risk-management plan.

Giving the most detailed insights into her aspirations for the Cybersecurity Strategy to date, Ms O’Neil will unveil six “cyber shields”.

In addition to pushing businesses to stop selling cyber-insecure products, the strategy will focus on ensuring individuals and small businesses are well-educated on the basics of cybersecurity; facilitating partnerships between key actors, including government, telcos and banks; and hardening essential infrastructure such as water, energy and healthcare systems.

Other areas include improving sovereign capability by fostering local enterprise and skills; and working closely with other governments around the world who are facing common adversaries.

“These shields will help protect our businesses, our organisations and our citizens,” Ms O’Neil will say. “It will mean that we have a cohesive, planned national response.” Detail about each shield will be released later this year.

This month the Office of the Australian Information Commissioner released statistics showing there were 409 data breaches between January and June, and the Australian Bureau of Statistics has said at least one in five businesses were breached by hackers last year.

Mr Longo will say cyber preparedness is not simply a question of having impregnable systems.

“That’s not possible,” he says. “Instead, while preparedness must include security, it must also involve resilience, meaning the ability to respond and weather a significant cybersecurity incident.”

Details about fines or punishments for failing to prepare for a cyberattack are largely absent from the speech, but the ASIC website warns its enforcement actions will incur “significant penalties”.

Whether any of the recent high-profile cyber breaches to hit Australian organisations should attract ASIC’s ire remains unclear. Optus and Medibank kept independent reviews of their breaches private, and law firm HWL Ebsworth took the extraordinary step of getting a NSW Supreme Court gag order to stop media discussion about the extent of clients’ data stolen by Russian-linked hackers in April.

Taking responsibility

The Australian Prudential Regulation Authority did hand Medibank a punishment of sorts in June, when it ruled the insurer must set aside $250 million as insurance against issues associated with its data breach.

ASIC has taken court action only once before, in 2022 against financial services firm RI Advice, which was ordered to pay $750,000 by the Federal Court.

RI Advice had suffered numerous cyber incidents between 2014 and 2020, including one where hackers had access to several thousand clients’ files undetected for five months.

In an apparent pushing of responsibility on to companies, Mr Longo will tell businesses not to blame third-party suppliers if they get hacked, a position that goes against recent remarks by Cybersecurity Minister Ms O’Neil.

Last week, she suggested tech firms could soon be on the hook if their products are breached.

She told a forum at the National Security College that software and device vendors such as Microsoft, Apple, Google and Amazon needed to take responsibility for the digital safety of their products, in what she said needed to be a “mindshift change”.

“We would not allow an unsafe car seat to be sold in our country. We’ve spent a generation trying to make sure that people who design these products, make them safe to use,” Ms O’Neil said.

Mr Longo, however, will say that it is down to companies to ensure they account for risks across their digital supply chains.

Latitude Financial’s hugely damaging data breach in March originated through an external provider – understood to be US technology services giant DXC Technology – which ran some of its systems as an outsourced provider. Crown Resorts was also breached in March due to a hack of the GoAnywhere software it uses to transfer files.

“So many businesses rely on third parties for software and critical services. This reliance means potential access to confidential data and other critical resources if those third parties are breached,” Mr Longo will say. “This is a serious weakness.”

Government oversight of businesses’ cyber protection has come under greater focus in the last year, with the appointment of Air Marshal Darren Goldie as a new national cybersecurity coordinator, based in the Home Affairs Department.

In February Australian organisations deemed as running infrastructure critical to the country’s national interest were told they will have to increase their investment in cybersecurity protection to comply with new national security requirements, with the measures estimated to cost companies almost $10 billion combined.

The SMH article provides:

Company directors could be in breach of their duties if their companies fail to adequately deal with cyberattacks, warns Australian Securities and Investment Commission chairman Joe Longo.

This could include the directors of high-profile companies such as Medibank, Optus and consumer finance group Latitude, which have been the subject of high-profile and damaging cyberattacks over the past year.

“For all boards, cybersecurity and cyber resilience have to be top priorities,” Longo said in a speech to the Australian Financial Review cyber summit on Monday.

“If boards do not give cybersecurity and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence,” he said.

ASIC’s research has shown there is often a disconnect between a company board’s oversight of cyber risk, management reporting on this topic to their board, as well as the identification and assessment of risks and how controls are implemented. Longo said this disconnect must be addressed if the board wanted to meet its legal obligations.

“Cybersecurity and resilience are not merely technical matters on the fringes of directors’ duties,” he said.

The Office of the Australian Information Commissioner has opened investigations into the cyberattacks on Optus, Medibank and Latitude, which could open the door for ASIC to take legal action. This is on top of potential class action lawsuits over the cyberattacks.

A year ago, Optus revealed that hackers had stolen the personal data of more than 9 million of its customers. Weeks later, Medibank was the subject of a cyberattack in which the data of 10 million former and current customers was stolen, as well as some sensitive customer health records. Latitude also reported it was the victim of a significant cyberattack.

The information commissioner investigations will focus on whether these companies took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorised access, modification or disclosure.

Longo also singled out recent hack of Latitude Group, which was blamed on a third-party service provider, as a risk that companies must manage effectively.

“If you’re not evaluating your third-party cybersecurity risk, you’re deceiving yourself. And recent events show that you will suffer for it,” Longo said.

Cybersecurity Minister Clare O’Neil, also appearing at the summit, unveiled the government’s next stage of plans to help combat the growing cybersecurity issues for Australian companies with a national security framework.

“Part of our strategy is to build six protective layers around our population to make sure that business and industry and government are doing everything that they can to make sure that our citizens are kept safe from this terrible problem,” she told the ABC on Monday morning.

“These shields will help protect our business, our organisations and our citizens, and it will mean that we won’t be alone or in our silos trying to manage this problem. It will mean a cohesive, planned national response that builds to a more protected Australia,” she said at the summit.

O’Neil, who blasted Optus last year for its lax security after its hacking incident, has taken a more conciliatory approach since then. She said Australian businesses were taking note of the growing threat.

“Those high-profile attacks that I mentioned off the top were deeply painful events for our country. If there’s a silver lining, it is that for every board that I talk to now, cybersecurity is a top priority for the board, and it is one they discussed in every single board meeting,” she said.

The Home Affairs Minister’s speech provides:

Good morning, everyone. Can I acknowledge that we are on the traditional lands of the Gadigal people of the Eora Nation. Today our country faces a once in a generation opportunity to do more than make acknowledgements. We can recognise first Australians in our constitution and give them a voice on the 14th of October. And I acknowledge that there are many businesses in this room that have been integral to helping us build public support for this position, and I thank you for that.

I am really grateful and thrilled to be here today. I have been itching to share some thinking interest Australia’s new cyber security strategy that the government will release before the end of the year, and to talk about my very genuine passion for cyber security, an issue that affects the lives of literally every single person that lives in our country.

The people who are in this room right now have the capacity and will reshape this problem for our country, and it is a huge privilege for me to be able to lead some of that work and thinking in my role as Australia’s first Cabinet Minister with responsibility for cyber security.

Today’s event could not be better timed as we have, of course, already heard from those introductory speakers that it is exactly a year ago that Optus revealed in an it had had the personal data of more than 9 million of its customers stolen. At the time that was easily the biggest cyber attack in Australian history, but it was superseded just three weeks later when Medibank told us that they’d had a hack which had affected fewer people, but this was particularly vicious in nature as it took deeply hurtful health information about Australian citizens and posted that on the dark web in an attempt to try to extort money from the company. And since then we have seen one or two – we’ve seen HWL Ebsworth, and these I would put as the four really acute cyber attacks that we have experienced at a national level over this last year. But, of course, there were thousands and thousands more that never penetrated the public consciousness.

I think last year we also saw really for the first time open, public reporting about the extent of cyber attacks that are successfully thwarted. We heard the National Australia Bank come out and tell us that they’d experienced 50 million attempted cyber talks a month. The Australian Taxation Office experiences 3 million attempted cyber attacks a month. Now, when I look around the world and see what our comparator countries are doing, I observe that most of them had a particular year where their nation woke up to the enormously important threat that cyber security will mean for our citizens, and for Australia last year was it.

And I think most people in this room, too, can probably see where this problem is going. There are three really big and important shifts underway that are going to make the current cyber threat more challenging for us but I think also create new tools and opportunities to help us manage it.

The first is the growth of the internet of things. Some estimates say that by 2030 the number of device that is are connected to the internet will double to about 30 billion. And that’s in a world in which all of the devices in your home and your car, your fridge, your television, your heating and cooling systems are all online and all continuously collecting data about you. The cyber risk here is obviously and serious.

Technological change is also going to involve the threats that we face. In particular, machine learning and AI are going to create more pervasive and complex threats, but they’re always going to build new tools to help us manage them.

And 2030 will be a world in which our geopolitical circumstances will probably look quite different. Already Australia faces the most challenging geostrategic circumstances that we’ve confronted since the Second World War. We live in a region of strategic competition, and cyber will be integral to how the events of the coming decade play out.

In short, cyber security is the fastest changing national security threat that our country faces. It is also a bloody big opportunity. The global cyber industry is massive. It is growing like topsy, and it is here to stay. If we play it right, Australia is uniquely placed to be best in the world in a number of cyber capabilities, creating well-paid jobs for Australians and products that we can export all over the world.

So when you put it together, it’s really clear: we have an urgent economic and security imperative to make a step change as a country for how we deal with cyber issues. So our government’s work on this has been driven really by two tracks: the first is that we have implemented 10 really important reforms in the last year or so that have changed how government deals with cyber security nationally. So these are those obvious and important things that we could progress really quickly.

So in August last year I declared 81 assets as systems of national significance. So these are systems which under Australian law we are declaring are those which if they fail will have broad-sweeping and serious impacts on the Australian population. In September we conducted a number of reviews into the government’s ability to handle major incident response, and we have profoundly transformed the way the government interacts with companies that are undergoing cyber attack and the consequence.

In October the Attorney-General, Mark Dreyfus and I launched Hack the Hackers, a new collaboration between the Australian Federal Police and the cyber guns in the Australian Signals Directorate, which is seeing really for the first time the Australian Government adopt an aggressive stance where we look out to the world to find cyber criminals who are seeking to harm us and we debilitate and degrade their ability to do this.

In October we reformed the Privacy Act to bring penalties up to community standards. In January Australia became the Chair of the International Counter Ransomware Taskforce. So this is a 37-country collaboration. We accept that all the countries that we are partners with around the world are dealing with the same shape of the cyber security challenge – in fact, it is often the exact same perpetrators using the exact same technologies. So we are trying to use those opportunities to fight this problem globally.

In February we delivered world-leading protection for Australia’s critical infrastructure assets by setting risk management rules for SOCI entities – that will make sense to you if you are one of them. And in the same month we established the Office of the National Cyber Coordinator, and we appointed Air Marshall Darren Goldie to that position a few months later, and he’s doing a brilliant job in his work, which we’ll get to hear a little bit more about later.

So after all this, in March last year something very positive for the country happened – that is, MIT University has established a cyber security index, and because of the policy reforms that the government had undertaken, they actually ranked Australia number one has having shown great progress in how we are managing these issues as a country, which is a really important endorsement.

In June the government announced the release of the national strategy for identity resilience. So this is a piece of work that was led by Finance Minister Katy Gallagher, and it is aiming to try to create a digital environment where we can better protect the identities of Australians when they are stolen.

Last month we declared another 87 critical infrastructure assets as systems of national significance, and in June, as I mentioned, we appointed Air Marshall Darren Goldie to his role. One of the things that Air Marshall Goldie has been conducting and leading is a serious of cyber war games that we have also begun – something that I think arguably should have been happening a long time ago. But, importantly, we are bringing together sectors of Australia’s economy that we are most concerned about and we are running a major systemwide cyber simulations with the main players in those industries. And one CEO told me that this was the best industry and government collaboration he’d ever been involved in. So we’ve run three of these now – one in aviation, one in telecommunications and one in financial services. And what we are trying to do is build and flex that cyber response muscle.

We know we cannot stop these cyber attacks; what we can do is prepare for them so that when they occur we can bounce back better.

So that’s some of the highlights of the first track of work over this last year, and I want to turn now to the second track. It was really clear when we arrived in office that as well as some of these practical things that I’ve already mentioned, we did not have the ambitious national plan, a national framework, which could help us knit together all of the cyber activity that’s going to occur over the coming years so we can bring the country together in our efforts to fight this incredibly important topic.

And this brings me to the national Cyber Security Strategy. The key to this strategy was always going to be around engaging in conversation and collaboration with you in this room and many others. So we started this process by bringing together leading thinkers in the communities we know are going to be our core partners in this fight into the tent to help us with our work. So a lot of the policy thinking for the strategy was actually driven by our expert advisory board. So we’ve got Andy Penn here, who is, of course, known to everyone in this room probably as a great business leader and former head of Telstra. Rachel Falk is also here. I’m just looking for Rachel to give us a wave. So Rachel is down the front here. So Rachel, of course, I think many of you would know, is a brilliant telecom lawyer and an expert in cyber innovation. And we also had Mel Hupfeld, who is a very senior leader from our defence community. So these three worked together, travelled the country and drove the thinking and discussion with a lot of communities about what we can do nationally to help improve this problem.

So Andy, in particular, I just want to point out, he was not only an absolute top shelf core partner for me in a lot of the work that we did, but he was the voice of business in the room every day, really pushing us to leverage the commitment that is already there from the people in this room and beyond to make sure that we are getting the best out of everyone.

We received 330 submissions to the consultation process. Home Affairs hosted 50 consultation events and stakeholder roundtables and spoke to over 200 businesses, community groups and individuals regarding the strategy. And I, too, engaged really, really deeply in these discussions. When I’m working to solve a problem I need to really be in the detail. I need to see it and feel it for myself. And that journey has taken me into the guts of the Australian Signals Directorate where I sat on the shoulders of some of the smartest cyber guns in the country and watched them as they hunt and track criminals who are trying to do Australia harm.

It’s taken me to the security operations centre of some of the biggest Australian companies, to meetings with small business owners, universities, non-profits and community roundtables. And to genuinely thrilling conversations with technical experts about what the possibilities are for us if we can work together and coordinate our activities better as a country. And amid all of these blinking lights and flashing screens, I was allowed to sit at the coal face and observe the people who are going to lead this fight, and I watched them analyse lines of security incident notification and complex malware codes.

So what did we learn from this extensive process of consultation? We learned that there is a lot of incredible work on cyber security around the country. We have got small businesses innovative and creating world-leading products. We’ve got big companies which are striving for better protection for their customers. We are absolutely not starting from scratch here.

But I can also tell you that with a few notable exceptions, there is broad agreement that when you put the national picture together, we need to do better. And I absolutely include government in that.

I want to acknowledge, too, how far we have come in the last year. Those high-profile attacks that I mentioned off the top were deeply painful events for our country. If there’s a silver lining, it is that for every board that I talk to now cyber security is a top priority for the board and it is one they discussed in every single board meeting.

There is enormous hunger for board directors to get – to understand the problem better, and I see CEOs and other leaders who are really down in the detail, supporting their technical people and working out where they need to improve. And all of that hard work is having an impact, and I thank you for it.

One of our main assets going into this fight is the extraordinary team of technical professionals from around our country who are already on the frontline. Some of you in this room belong to this community – the info set, cyber security and CISO communities. These people are often invisible to the public eye, but they are the gladiators of the 21st century – a community of people with incredibly unique skills that are truly critical to our country’s safety and prosperity.

And for those who you that are lucky to interact with these people every day, the culture within this community is absolutely astounding. This is a group of people who are completely solutions oriented and totally public minded in their outset, and their natural stance is sharing, pushing and doing and working and collaborating across businesses and across sectors to try to keep their country safe. And they do it every day without thinking twice. And it’s going to be a really important part of our response.

We really clearly heard from community and business that they want the government there in the fight and at the table with them. And we also heard that they want government to show some leadership. It’s not good enough for us to push and demand more of business without making sure that we have got our own house in order too.

One of the clear areas of critique we heard through the consultation for government is around our role in incident response, and there has been a lot of enthusiasm for the appointment of a National Cyber Coordinator. Yet I still meet with boards today who tell me that they have a long list sometimes of 30 or 40 people that they need to call within government when they come under cyber attack. And I want to acknowledge to you that that is not government being a good partner to a company undergoing a crisis.

We had a very lively conversation about ransomware while we were on the road. I think there’s more recognition that we cannot continue indefinitely to be a country where it is a part of business to be funnelling money into cyber criminal gangs. But we also heard that we do not have the proper supports in place today to be able to implement an outright ban on ransomware payments.

There was universal recognition of the need to do more about cyber skills and the sense that when it comes to the cyber industry, quality can be a little bit hard to discern for many Australian companies.

For citizens, what we heard is that Australians feel deeply vulnerable. They feel there is an invisible, ever-shaping, every-shifting threat that is sitting there on their shoulder every day that they basically feel very little capacity to control and constrain. Many Australians are desperately anxious about this problem, and I hear from a lot of people, in particular seniors and those from multicultural backgrounds, that they are actually starting to scale back their use of the internet and digital products because they are so anxious about this problem.

And if there was one thing that came up no matter who we were talking to, everywhere we went in almost every consultation it was about small business. I have spoken to small business owners who are in genuine panic, who genuinely lie awake at night worried that the next day is going to bring a cyber attack that they do not have the capacity to control. And, remember, that for a large company, a big cyber attack is an enormously distressing problem to manage. For a small business, this could be an immediately fatal event.

And so we have to work together here to help small business. We heard again and again that they know they need to change things. They know they need to tackle this challenge. The big issue for them is that they just don’t know where to start.

And, finally, one more really consistent theme that we heard from business, government and the community citizens was this: we will not get out of the cyber challenge by all acting alone. This is a national challenge shared by all Australians that we will only solve if we work together. And what I hear loud and clear is to address that challenge you need something from us – and that is the government at the table as a leader and a partner in addressing this problem for the nation. You need us to build a strategy that provides a backbone to all of the good work that can and will be done over the coming years. And you want us to build a framework that will help knit all of those actions together so that when we have companies in this room that are doing really important things to protect cyber security, it’s not just providing a layer of protection for their company but in a coordinated way building better protection for our nation as a whole.

So ultimately this is the goal of our cyber strategy. Australia’s new Cyber Security Strategy will begin to build six cyber shields around our nation. So these shields will help protect our business, our organisations and our citizens, and it will mean that we won’t be alone or in our silos trying to manage this problem. It will mean a cohesive, planned national response that builds to a more protected Australia.

So let me explain a little bit more about what the cyber shields are intending to do for our citizens. So the first shield that we intend to create is strong citizens and businesses that understand that they actually do have the power to protect themselves. So by 2030 what we want is citizens and business who understand the cyber threat, understand those actions that they can take to protect themselves and have proper supports in place so that when they are the victim of cyber attack they’re able to get back up off the mat very quickly.

We want to protect our citizens and businesses with a layer of safe products, and that’s why our second shield is safe technology. Why do we continue to allow digital products for sale in our country when the makers of those products sometimes know them to be cyber insecure? We would never accept this from any other type of consumer product. So in 2030 our vision for safe technology is a world where we have clear global standards for digital safety in products that will help us drive the development of security into those products from their very inception, a world where just as you can’t go into a car yard and buy a car that will not be safe to use, when you buy a digital product on sale in our country we know that it’s safe for you to use.

Our third cyber shield is world-class threat sharing and threat blocking. And in some ways I see this as a real key to making the change that we need to make in this country. And it’s to me one of the most exciting parts of the strategy. So by 2030 we envision a world where threat intelligence can be exchanged between government and business at real-time machine speed and then threats blocked before they cause any harm to the Australian population. So there’s a lot of inspiring, interesting work to be done here and a lot of things that we can do actually in the short term about it.

Our fourth cyber shield will be protecting Australians’ access to critical infrastructure. So, remember that this world of data breaches that we have been living through over the past year is terrible, but it is actually not as bad as it can get. And one of the things as Cyber Security Minister that I’m most concerned about is attacks on infrastructure Australians rely on every day – on our water systems, on our electricity, on the provision of the internet, on our energy grid. So what we need to do is make sure that we’re addressing not only the problems of today but the problems of the future. And I include in this the critical role of government. So like many organisations in this room, we own critical infrastructure, we deliver essential services and we certainly hold a lot of very sensitive and private data about Australians. And so that’s why part of this year will be about government lifting up its own cyber defences to make sure we’re protecting our country.

Our fifth cyber shield will be sovereign capability. So by 2030 we want to be in a thriving cyber ecosystem where we have the skills we need, where cyber security is a really desirable profession for young people around the country and that we are making sure that we have the system that’s adaptable in itself. So that means that as we innovate and as we see the cyber security problem change, that Australia is at the frontier of those technologies and those changes to make sure that we’re getting to the benefits out of what this problem presents to the country.

And finally our cyber challenge is truly global. So undertaking coordinated global action and pushing for a more resilient region is an absolute no-brainer for us here. My good friend Tim Watts is the Assistant Minister for Foreign Affairs, and he has been driving this part of the strategy, helping us think through how we can double down on our engagement around the globe but, in particular, how we can build these really strong and valuable partnerships within our region to assist countries which are really struggling with this problem too.

So our government will unveil the detail of the strategy a little bit later this year, but you’ll see this diagram again, I’ll come back to explain to you is what it is specifically that we will be able to do over the next period of time to build these shields for our country.

So I wanted to give you just one more sense of how we are going about this task before we get into Q&A. So cyber is one of the fastest moving national security threats we face, and sometimes, oddly enough, I feel like I can almost see the 2030 vision of what the future holds. What’s actually really hard is what does the next two or three years look like. Our government is deeply committed to delivery, and that’s why one of the core challenges that I set the team who have been working on this strategy with me is what are we actually going to do about this. We can see a world of 2030 where we’ve got AI and machine learning running, you know, real-time exchanging of threat sharing and threat blocking. That’s an exciting vision, but what I care about is my job – to protect Australians today, tomorrow and the next day in this problem. And that’s why we’ve pushed really hard to be specific.

So this is quite unique because, as you know, government strategies of this kind can sometimes be a little bit light on detail – great on vision, light on detail. Our strategy, as you will see, will be actually very different in this respect. So we’ll share a big vision, as I’ve talked about today – the six cyber shields that we will surround our citizens and small business with. But my plan for how we are going to tackle this as a country is really to do it in two-year blocks. And our first horizon, which is 2022 to 2025 is about building out strong foundations. So as the cyber challenge reshapes, we will take stock and each two years when will build out the next phase of this plan that will ultimately see the country surrounded by these six firm shields of protection that will help keep our citizens safe.

If we push as hard as we have over the last year all the way up until 2030 I truly and genuinely believe that our country will be a world-class cyber security nation by 2030. I really do believe that we can do this, but we’ve got to have a plan and we’ve got to work together.

What’s very important always to emphasise in this conversation is that success here does not mean a world without cyber attacks. No government can promise this. What it will mean is having the clear national approach that will build to more than the sum of the parts. It means a world where we’re using every piece of information that all your companies have about the cyber threat so we can build a clear national picture and respond to it as quickly as possible. It’s a world where when we do come under cyber attacks we’re able to bounce back quickly and where government is a convenor and a leader and a partner to all of you in helping tackle that challenge.

Could I just say in closing that working with some of you in this room as I’ve had the great privilege to do over the last year has been an amazing experience for me. And we’ve got a lot of work to do, but I know we’re going to get this done by working together. We’ve got this really shared clear national imperative to build a cyber safe Australia, and I’m really looking forward to working with you on this task. Thanks for having me.


Leave a Reply

Verified by MonsterInsights