Gai Brodtmann (Canberra, Australian Labor Party, Shadow Parliamentary Secretary for Defence) Share this | Hansard source

Last week, in Stay Smart Online Week, the Australian Cyber Security Centre released its 2016 threat report. The report is a wake-up call. It suggests that malicious non-state actors could develop an offensive cyber capacity within the life of this parliament, so we need to be prepared. We need to prepare ourselves for that possibility, and our window of time in which to do that is narrowing by the day. The government's Cyber Security Strategy was released with great fanfare in April this year, and it recommended a number of 'priority actions, including the appointment of a Cyber Ambassador'.

Labor recognises the need for diplomacy in the modern cybersecurity environment. That need was highlighted and underscored in the threat report that was released last week, which also highlights the lack of international consensus on what constitutes a 'proportionate' response to offensive cyberactivity. This is particularly challenging in the modern era, when the line between national security and cybersecurity is blurring. As the operation of critical infrastructure moves online, the scope for disruption increases. The destruction potential of a successful attack is growing, yet progress towards establishing a standard policy response to a state-sponsored cyberattack is standing still.

This paralysis is unacceptable. In most areas of national security, policy responses to state-sponsored activity are well established. They have been well established for decades—for hundreds of years. A country can expel diplomats in response to a spying scandal, issue a demarche if a country considers its sovereignty to have been violated, and use force in response to an armed attack. Clear and established policy responses such as these don’t yet exist for cyberattacks. The Turnbull government has not outlined what sort of events it considers worthy of a proportionate response. It has not even decided what a proportionate response to a cyber attack actually looks like, and if we do not know, we cannot act.

This is a challenge that is not unique to Australia. The international community is working on establishing these thresholds and these benchmarks. These negotiations have important implications for Australia's national security, because Australia's interests are at stake in these negotiations. We need a place at the table to promote them, and that is why the cyber ambassador role is vitally important. That is what the cyber ambassador should be doing. Not only has a cyber ambassador not been announced by this government since the release of the Cyber Security Strategy—a major strategy with hundreds of millions of dollars of investments since its release in April this year—but also the government has not said when it will be announcing one at all. We do not have any idea when we are going to get a cyber ambassador. In the 2016-17 financial year, $2.7 million was set aside for this position. We are how many months into the financial year and we are still unspent on that position and there has been no announcement. This is a part of a pattern of growing delay with this government.

The strategy called for the Australian Cyber Security Centre to be relocated to enable the government and the private sector to work more effectively together. The strategy was announced in April this year and yet, just as we might have expected, the centre has not yet been relocated and we do not know when it will be relocated. Australia's Cyber Security Strategy also called for the establishment of joint cyberthreat sharing centres. The ACSC Threat Report 2016 that was released last week echoed this call, but the government has not established these centres either. So what have we got? We have got no cyber ambassador, we have got no relocation of the Cyber Security Centre, and there is no news on the joint cyberthreat sharing centres—no news on that at all. We do not even know when these hubs are going to be established. Meanwhile, the strategy makes no mention of mandatory data breach notification legislation. There is also no mention of that in the ACSC Threat Report. So, we have got a government here that is sitting on its hands when it comes to cybersecurity. Despite its call for priority actions, we do not have a cyber ambassador, we do not have a relocated Cyber Security Centre, and we do not have any information on when these cyberthreat hubs are going to be established. This government is just sitting on its hands. There is no priority action from this government when it comes to cybersecurity.

See this speech in context