Tim Watts (Gellibrand, Australian Labor Party, Shadow Assistant Minister for Communications) Share this | Hansard source

There are few better examples of how this tired, third-term Abbott-Turnbull-Morrison government has given up on governing than cybersecurity and the Cyber Security Strategy highlighted in this motion. Cybersecurity matters to our economic prosperity, our national security and the health of our democracy. In the modern world where all of the foundational systems of the society in which we live rely on digitised control systems and connectivity, the stakes couldn't be higher. Indeed, it sounds hyperbolic but Alistair MacGibbon, the former head of the government's Australian Cyber Security Centre, wasn't wrong when he described this area as 'the greatest existential threat we face as a society today'. Cyberweapons or internet weapons are now being used as tools of geostrategic influence every day, and we have seen exploits of international targets as wideranging as nuclear enrichment facilities, energy grids, oil companies, international banking systems, film studios, journalists and, most infamously, the democratic institutions of the United States. And Australia has not been immune from this.

The Australian Criminal Intelligence Commission estimates that the annual cost to Australia of cybercrime alone is over $1 billion in direct costs, with some estimates putting the real costs as high as one per cent of GDP a year—about $17 billion. We've seen breaches at the Bureau of Meteorology, the CSIRO and the ANU, as well as recent attempts at attacks on our major political parties and our parliament. It's a big deal. So what's this tired, third-term government doing to protect us from this significant national security threat? As the member for Fisher noted in this motion, in 2016, former Prime Minister Malcolm Turnbull launched a four-year Cyber Security Strategy to much fanfare. I must admit, though, to being a bit surprised when I saw reference to the strategy on the Notice Paper today because, since Malcolm Turnbull's departure from this parliament, this strategy has been politically orphaned. Three years into the four-year plan, many of the initiatives in the 2016 Cyber Security Strategy have gone the way of Turnbull's ideas boon—they fizzled out through lack of willpower and commitment. Most obviously, the dedicated ministerial position for cyber security created in 2016 bit the dust in Prime Minister Morrison's first ministerial reshuffle, coming just weeks after significant changes to the internal structures of the government's cyber operations in 2018—namely, the establishment of the Australian Signals Directorate as a statutory authority, with the Australian Cyber Security Centre as part of it. This absence of political leadership of directly responsible political leadership was significant.

Cybersecurity is hard but, contrary to what the layman may assume, the most difficult challenge is not the technical challenge; it is actually the governance and cultural challenge. The most difficult bit is not the software or the hardware; it's the wetware—the people using it. The absence of ministerial engagement to drive the culture change necessary to underpin our cybersecurity has led to drift across the objectives of this strategy. To take a few examples, the strategy committed the government to an annual review of its progress to hold itself accountable for driving this cultural change. Three years into the four-year strategy, how many times has this occurred? Once.

One of the things this government is known for is failures of accountability, particularly when it comes to the Minister for Home Affairs' department. After the first review, a review which received decidedly mixed responses from stakeholders, we haven't seen another one since. We haven't seen any follow-up reports on the 2017 ASX cyber health report. We haven't seen any follow-ups to the Australian Cyber Security Centre's 2017 cyber threats report, despite the statement in the 2016 threats report, which said, 'The government is committed to continuing to publish material in this vein'.

What has been the result of this drift in leadership? While our agencies like the Australian Signals Directorate continue to do world-class work and Mike Burgess's recent work in publicising the ASD's mission and thinking has been very welcome, unfortunately, since the Minister for Home Affairs took responsibility for cybersecurity, he has applied the same diligence and attention to this space as he did to his failed leadership challenge. He has been more interested in splashy headlines and new and exciting offensive capabilities in the cyberspace than doing the basic boring fundamental work of keeping the Australian government secure and cyber resilient. In July this year, the ANAO noted that over the past five years it had undertaken performance audits of the cyber resilience of 14 government business enterprises and Commonwealth entities and found 'only four entities, 29 per cent' had complied with mandatory government requirements for information security, and that the regulatory framework had not driven sufficient improvement in cybersecurity. That is auditor speak for get your act together. It is time the Abbott-Turnbull-Morrison governments started giving cybersecurity the attention it deserves.

See this speech in context