House debates

Wednesday, 21 June 2017

Private Members' Business

ThinkUKnow Program

12:17 pm

Tim Watts (Gellibrand, Australian Labor Party)

I thank the member for moving this motion. Protecting ourselves in the digital age is a challenge that most Australians, young and old, are still coming to grips with. So ThinkUKnow, a free program of cybersafety presentations for parents, carers, teachers and students, is a valuable resource. It is pleasing to see that the initiative was a partnership of the AFP, the Commonwealth Bank, Microsoft and Datacom working closely with state and territory police and Neighbourhood Watch Australasia. Government, business and the general public all benefit from a more secure and resilient info security environment, so collaborations of this kind are important. ThinkUKnow presentations address themes, including reputation management, bullying, sexting, grooming, online gaming, privacy management, identity theft, how to protect your devices and what to do when things go wrong.

Australian children are not the only ones who need to educate themselves about how to protect themselves online from online risks. To this end, I encourage all members and staff to participate in the cybersecurity training currently being offered by the Department of Parliamentary Services because, in recent times, members of parliament, their staff and campaign volunteers have become prominent targets for cyberthreats. All MPs should understand that info security is not just a matter for ministers and our security agencies. Infosec is not about protecting classified government information anymore. Hackers now routinely target elected representatives, candidates and staff in political systems around the world with a wide range of motivations. As public figures, politicians are uniquely vulnerable to doxing, ransomware attacks and old-fashioned blackmail.

As influential figures in government policymaking, we are also major targets of influence operations from foreign adversaries using online tools. A report from the US Office of the Director of National Intelligence outlining the US intelligence community's assessment of Russian efforts to use cyberoperations to influence the recent US election told a damning story in this respect. The success of Russian cyberoperations in the US election should be a warning to political actors around the world. Indeed, before the high-profile attacks on Hillary Clinton and the DNC, there were major spear phishing attacks on politicians from Germany, Taiwan, Japan and a range of South American nations. Recent events in the US will only encourage further attacks. It would be naive not to think that Australian political figures are not targets for these kinds of attacks. This risk will only grow as the global geostrategic environment, and Australia's role in it, becomes more complex and contested.

Despite the periodic release of much-ballyhooed cybersecurity strategies, little of this has seeped into the consciousness, and more importantly, into the behaviours of people working in and around Australian politics. You would get mostly blank looks if you tried to start up a conversation in this building about the implications of the Mirai botnet or the Shadow Brokers information dumps—two of the most significant InfoSec developments of the past 12 months. The real-world impact of the WannaCry ransomware worm has attracted some attention in this chamber, thanks to its significant impact on the UK National Health Service. But you would think people would be more interested in exploring the implications of what appears to have happened here: namely, an NSA-developed exploit being stolen by a hacking group that is widely viewed as being a front for a government actor, that exploit being dumped online publicly and then the North Korean government seemingly picking it up and operationalising it in a ransomware attack.

It is only a matter of time before we see our own political InfoSec scandals. Indeed, we have already seen evidence that the online security of MPs has been compromised. MPs, staff and campaign volunteers routinely use online platforms outside those administered by DPS: social media platforms like Facebook, Twitter and Instagram; private email accounts like Gmail and Yahoo; collaboration platforms like Slack; and a range of CRM platforms. Almost all of these services would contain sensitive information that would be of value to third-party attackers.

The Have I been pwned website, operated by Australian web security expert and Microsoft regional director, Troy Hunt, aggregates data comprised of these data breaches and allows users to search for their usernames or emails within it. You can find a number of compromised accounts associated with Australian members of parliament's official APH email addresses on this site. No doubt, many more accounts associated with the private email addresses of MPs and their staff will have been compromised in this way. I encourage members and their staff to check their email addresses and usernames on this site, to change the passwords associated with any of the accounts that have been compromised and to cease using the compromised passwords on any other accounts.

To build resilience against online threats across our political system we need to invest in awareness, competence building and information sharing about attacks within the political community. That is a responsibility that falls on every one of us in this chamber.
