Ed Husic (Chifley, Australian Labor Party, Shadow Minister for the Digital Economy) Share this | Hansard source

Mr Deputy Speaker Vasta, I acknowledge at the outset your deep interest in these matters, as well as that of the member for Eden-Monaro. He and I have spoken on this issue. I was very pleased to be able to have the opportunity to follow him in this debate on the bill that's before us now, the Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018. It has come about as a result of previous thought that has been contained within reviews in this area, specifically the 2017 Independent Intelligence Review. A specific recommendation within that review, recommendation 6, called upon the very things that this bill is trying to establish today—that is, the Australian Signals Directorate be set up independently as a statutory agency within Defence. The review examined the history of ASD, looked at likely direction but reflected specifically on its current value within Defence and the types of things that needed to happen, specifically that greater independence needed to be granted to the ASD.

I note two paragraphs from that review that are worth reflecting on in this debate, chiefly, that ASD has evolved from a primarily defence signals collection agency after World War II to become Australia's national signals intelligence authority, conducting intelligence, military, cybersecurity and effects operations through the application of advanced technologies. It also added this paragraph:

… ASD is now a genuinely national asset—

absolutely true—

playing a much broader role than that defined by its previously exclusive Defence focus. This is highlighted in its current additional responsibilities as a—

emphasis on this—

national source of information assurance and cyber security. There are also strong and growing interdependencies between ASD and other intelligence agencies.

The reason I highlight these points is that, while ASD is absolutely providing critical support within our defence and intelligence communities, it must be recognised that ASD is also providing broader support within government circles against the growing cybersecurity threats confronting both government and business. On an almost minute-by-minute basis there will be either an agent or an actor, somewhere on the world stage, always testing the defence mechanisms of government and business through cybersecurity attacks.

This is a growing problem. In fact, when I do talk with businesses, particularly those engaged in the digital economy, whenever I just make reference to cyberskills there is an almost instantaneous reaction. Businesses are very much engaged in this issue. They are thinking a lot about it and deeply concerned about the impact of cybersecurity on their operations. There are two things. One is obviously the tech knowhow and having the equipment that can help you deal with those threats. But, ultimately, the tech is only as good as your people, your processes, adherence to those processes and ensuring that your organisation will be able to defend itself against some of these acts.

In saying that, I want to recognise that ASD has been heavily relied upon within the public sector to help guide public sector agencies, departments and the like on how to withstand the cybersecurity attacks and threats that we're seeing on a much more regular basis. It has done an exceptional job in that way. But the reality is that the ASD has become a victim of its own popularity. With so many people depending on ASD, it is putting a lot of pressure on their operations. It's also potentially accelerating the need for this next phase of its evolution, as has been prompted by this legislation, and, thankfully, has been given added impetus by the intelligence review that I referenced earlier. But not only is ASD under pressure to change because of the increasing demand and call on its services; on this whole issue of cybersecurity, while a lot of major businesses are thinking a lot about it, there's probably a greater need in particular for small and medium enterprises to start thinking more and more about what can be done in this space.

The other element that was touched upon by my colleague the member for Eden-Monaro a few moments ago is the whole issue of workforce development. I've spoken strongly about the fact that the biggest thing affecting the digital economy is skills shortages. It's been estimated, by people in the know, that we probably need in the order of 100,000 new people—skills—to help in our broader economy and, in particular, in terms of our digital capabilities. When you look at cybersecurity, there is an absolutely acute need for greater cybersecurity skills. From ASD to the public sector and to the private sector, this will affect our ability to withstand some of those increasingly sophisticated attacks that we're seeing.

Australian Cyber Security Growth Network CEO Craig Davies said that the demand for skills in this sector has outstripped anyone's ability to produce skilled candidates. He said: 'It's such a rocket ship this industry; we have zero unemployment and the demand is massive.' As has been observed, he's been given the responsibility to work out how to respond to that shortage. He says: 'Education and growing the skill set is an important part of our program of work.' There have been recent government estimates that we need at least another 11,000 cybersecurity specialists over the next decade.

I humbly commend Craig Davies on his observation that TAFE will play a very important role in vocational education. I imagine and believe in the broader digital skills capability development in this nation that vocational education will play a bigger role in being able to move a lot more quickly and be a lot more agile in meeting skills, and we do need to ensure that it's provided support in this area. If we are relying upon it to help train up cyberexperts in this nation then it will require an investment by governments in relation to that. I think that is something we need to look at in the longer term.

Other nations, as the previous speaker noted, have taken a lot more novel approaches, if I may characterise it in that way, to the way they respond to cyberskills shortages. In November I was in Singapore visiting, in particular, Singaporean cybersecurity experts who'd reflected upon other initiatives that have been embarked upon by the Singaporean government—for example, modifying their national service program to ensure that, as is the case over there, where young people are required to embark upon national service they can nominate to basically conduct themselves or participate in a cybersecurity training pathway. Off the top of my head—and I'm happy to be corrected if I'm wrong—they're expecting in the short term 200 young people to participate in that and, over the longer term, 2,000 young people. They are building skills in that way. Then they will not just deploy them within the defence establishment of Singapore but also look to ensure within the private sector that young people go on and recognise that there is a pathway for them to be able to apply their skills in a cybersecurity sense. They obviously—and, again, the previous speaker reflected on this—have a pathway that's not necessarily open to us but are thinking very carefully about the fact that Singapore is being used as a route where agents will try to channel some of their attacks. They witnessed this in the course of the last 12 months and they are deeply concerned about it. I was very grateful for the briefings that I received from them. As has been recognised by this government and by many of us in the opposition, they are a partner we should work with on these matters. Particularly in terms of skills development and developing longer term strategies in relation to preparing for these threats, they're a very valuable partner. I suspect that our friends in Malaysia and Indonesia, too, think very deeply about these issues.

I mention this because of the fact that we will probably need to think laterally about how we meet that skills shortage. Some have suggested, for example, including cybersecurity options in the national curriculum. Certainly that is an idea worth pursuing, but I do note that every time there's an issue that's confronting us in either the economy or the community the first port of call as a solution is the national curriculum. There may be some things we need to pursue. I do note, as I said earlier, that vocational education may offer us a pathway, but some of the things put on the table earlier about working within our own reserve system and some of the things that are being considered there to encourage young people to use that as an avenue to develop their cyberskills are absolutely worthy of further consideration.

Again, this is not simply a business threat or a business risk that needs to be managed. What is happening is our businesses, large and small, are being used as a mechanism or entry point to cause problems on a much broader scale from a cybersecurity perspective. We need a much broader approach to cybersecurity, not just depending on the ASD, although they will play a critical part, but recognising we all have a responsibility in this space. We should be ensuring that either from the business sector or from government we are addressing this very serious issue in terms of: (1) capability with respect to having the skills available to help us out; and (2) putting in place the processes and mechanisms to take this very seriously and not pushing it off to a specialist or someone we believe is in the know and can always sort this out. As I said earlier in my remarks, you can have the best tech in the world but, if your people don't follow the processes, you will find yourself in a world of grief. We've found that in some of the cybersecurity and data breach episodes that have been experienced. It has been something as simple as leaving a password on a Post-it note that has allowed someone to get access to someone's account and open up a whole raft of data that should not have been exposed more broadly. It does need to be taken very seriously.

As I said earlier, the ASD has been empowered under this legislation to become an independent statutory authority. It's being heavily relied upon by both government and business to provide guidance on cybersecurity. I've asked within the opposition about resourcing of the ASD longer term, and, given the increased pressures and expectations that are being placed on them, how we'll do that, but I'm conscious that you can't continually ask for resourcing of the ASD in an environment where we are facing these skill shortages. So this is something that needs to be addressed more broadly.

Again, from the opposition's perspective, we welcome what has been put forward. I think it is important that we on both sides of the House use this as an opportunity to emphasise the need for us to take this issue of cybersecurity seriously, to prepare for attacks and, certainly, if we do put those mechanisms in place, to adhere to the mechanisms because it is in our longer term interests that we do so. I thank you for the opportunity to be able to contribute to this debate.

See this speech in context