Gai Brodtmann (Canberra, Australian Labor Party, Shadow Parliamentary Secretary for Defence) Share this | Hansard source

The minister assisting the Prime Minister said in an address yesterday that we need to accelerate the implementation of our Cyber Security Strategy. Truer words have never been spoken, because the pace of implementation has been a crawl. We were supposed to have mandatory data breach notification laws, which Labor supports, in place by the end of 2015—by the end of last year—and we still do not have them. Here we are at the end of 2016. It took nearly seven months from when the Prime Minister announced he would pick a cyber ambassador for him to actually pick one. The recent Australian Cyber Security Centrethreat report2016 made it clear that malicious non-state actors could develop the means for a serious cyber attack on Australia within the life of this parliament. Australia cannot wait for the government to get its act together. Australia deserves better than a government that spends 18 months developing a strategy and seven months ignoring it. Australia's cybersecurity needs protecting today—right now.

On average across the developed world, online commerce accounts for six per cent of GDP per year, and it is growing. We live our lives online, and the migration of global trade and communication from the physical to the digital is irreversible. We cannot just pull the plug out of the wall. We must focus on managing the risks of the online world.

Some of the sounds the government has made on cybersecurity are promising. Some of the sounds we would like to hear, however, are not being made. It is this silence that is concerning. Emergency planners in and out of government use the term 'critical infrastructure' to refer to infrastructure that is essential to the ongoing functioning of the state. These are sectors such as communications, energy, water, transportation and information technology—or at least these are what we suppose them to be, because the government has not outlined what it does and does not consider to be critical at a level of detail and specificity even approaching what is necessary. This is a serious concern, because policymakers and security agencies need to be aware of what is and is not considered critical infrastructure, because the term comes with expectations: for security to prevent a disruption, and for resilience when a disruption occurs.

The government has apparently been working on a definition for two years now. These are the reports around town, and yet we seem no closer to a level of granularity and detail that other nations have managed. The latest we have heard on this matter is that states and territories might have more of a role than the federal government on the issue. It is true that there is a role for the states and territories. It is also true that there is a role for the private sector. And, most importantly, it is true that there is a role for uniformity across the nation, because electricity is not just important in Queensland and water is not just important in South Australia. The federal government needs to accept that it has a role in this process and stop shifting the responsibility to anybody and everybody else. That means working with the states and territories and the private sector to develop a definition and a standard to expect from those assets that fall under the definition of critical infrastructure.

Australia is experiencing a significant cyberskills shortage. With employment of ICT security specialists growing by 40 per cent in the last five years, we have set a pace that has put enormous strain on Australia's stock of qualified professionals. Businesses are frustrated by the lack of graduates coming through with requisite skills for cybersecurity. Graduates are needing years of on-the-job training following their undergraduate studies to simply bring them up to speed. The government talks about investing in education as a priority, and this is an important long-term step, but these investments will start bearing fruit in five to 10 years from now. The urgency is now. Until then, we need a strategy to bridge our skills shortage in cybersecurity, and on this issue the government is entirely silent.

More than 90 per cent of all data created in human history has been created since 2014—two years ago. We produce data with everything we do online: when we trade, when we communicate, when we upload or download anything, when we do our jobs. This data is collected and analysed to produce an impression of the person or the organisation that left it. On its own it is often insignificant, but the more we do online the more data about us is left to be collected and considered. Each single piece of data is like a pinprick in a blindfold: the more pinpricks in the fabric, the clearer the vision of what is behind it. So, as we add ever more data to the digital impression of ourselves, the approximation of who is creating it gets closer and closer to the truth, and the nearer the approximation the more valuable the data to advertisers, to governments and to cybercriminals.

By some estimates, more personal private data records were stolen in a single data breach in 2016, this year, than were stolen in every data breach everywhere in the world in 2015, last year. Just as the amount of data we produce is growing at an exponential rate, so too is the threat to its security. Australian government services and agencies collect an enormous amount of data. Australians trust that when they enter their personal information online and submit it to the ATO or Centrelink or the census the data will be kept secure.

The minister assisting the Prime Minister seems to be of the belief that the job of keeping that data secure is somebody's responsibility, but just not his. Earlier this month he is quoted to have said of his government's attitude towards public sector cybersecurity standards:

... we want each individual department and agency to take responsibility themselves, and the best way we can do that is just remind them of the need for them to take this issue incredibly seriously.

The Turnbull government does not support mandating standards for cybersecurity, despite a 2013 audit report that found that of the seven agencies it examined, none were fully secure to cyberthreats; despite 15 percent of agencies having no person responsible for cybersecurity; and despite the department of industry and the AFP declaring themselves fully compliant with the standards of central government agencies—only for a subsequent audit to find that they actually were not. It is startling that the Turnbull government would not see a need to mandate baseline levels of safety. We see wild variation in the level of security from within government and it will take more than a sternly-worded letter to bring everybody up to the same level.

On 25 October this year, hundreds of Centrelink customers had their emails disclosed, not by a hacker but by someone using the CC instead of the BCC field on their email. Centrelink then compounded the error by attempting to recall the email. That meant that every email address that was sent out by mistake the first time was sent out for a second time. So Centrelink, which the Turnbull government does not think should face mandated data security standards, has a password-reset process that relies on emails being sent manually.

As has been mentioned, the country is currently without data breach notification laws. This is despite the fact that the Joint Parliamentary Committee on Intelligence and Security recommended in February 2015 that Australia have breach notification laws in place before the end of last year. Data breach notifications have bipartisan support, so the excuse cannot be the one we often hear from the government—that it is facing too much opposition to be able to implement its own priorities. It is not law today because it is not a priority of the Turnbull government.

The digital economy hinges on trust, and trust cannot develop without disclosure. The Turnbull government speaks valiantly of its commitment to transparency and then fails to actually transparently reveal anything. The internet offers enormous productivity benefits to the economy and we have much to gain from embracing its potential, yet there are risks. It was recently reported that the Reserve Bank of Australia experiences an attempted cyber incident every two seconds. We cannot expect to never be attacked, but we must be confident that when we are attacked we will withstand it.

There are a range of issues that I would like to address from the speech that the minister made yesterday. Labor has a range of concerns. The most important is the urgency of action on climate change. There has been significant inaction by this government since the launch of the strategy in April. A successful cyber attack could scale similar levels of destruction to a conventional attack and we should treat the threat accordingly. Cybersecurity cannot be a priority on paper and an afterthought in practice.

Debate adjourned.

See this speech in context