Tuesday, 10 September 2019
Appropriation Bill (No. 1) 2019-2020, Appropriation Bill (No. 2) 2019-2020, Appropriation (Parliamentary Departments) Bill (No. 1) 2019-2020; Second Reading
The appropriation bills before the House set out the spending priorities of this tired, third-term Morrison government. In my response today I would like to focus on cybersecurity, given my new role as the shadow assistant minister for cybersecurity and communications. Cybersecurity incidents cost Australian businesses up to $29 billion per year. In 2018, cybercrime affected almost one in three Australian adults. Our critical infrastructure—power stations, transport systems, industrial plants—is currently vulnerable to cyber-enabled attacks. Last week, the outgoing ASIO general director, Duncan Lewis, identified cybersecurity as one of the biggest threats to Australian national security. Strong cybersecurity is crucial to Australia's future, to our economy, to our national security and to our very democracy.
Last week, the Morrison government announced it will develop a new Australian cybersecurity strategy. Since the Turnbull-era strategy will reach the end of its life in 2020, this is a welcome announcement, particularly as it took this government 17 months to produce the last strategy. The 2016 cybersecurity strategy was released by the then Prime Minister, Malcolm Turnbull, with great fanfare and hundreds of millions of dollars of funding. Three and a half years later the new minister responsible for cybersecurity, the Minister for Home Affairs, now tells us that the Morrison government has made 'strong progress towards the strategy's many goals'. You'll just have to take their word for it, though.
A division having been called in the House of Representatives—
Sitting suspended from 18 : 07 to 18 : 21
As I was saying, 3½ years after the announcement of the 2016 Cyber Security Strategy, the home affairs minister told Australia that the government has made 'strong progress' towards the strategy's goals, but you'll just have to take his word for it. There's no data or evidence to back up any of the government's claims and no metrics with which we could assess the performance of the government against the strategy's goals. None of the 2016 Cyber Security Strategy's five action plans specified any metrics or outcomes against which you could actually measure success. Where the government did make specific commitments, they went down a memory hole. In the government's A call for views, they describe it as having an 'updated approach'.
There are a few examples. The 2016 strategy promised a minister assisting the Prime Minister on cybersecurity, but, when the member for Cook deposed Malcolm Turnbull as Prime Minister, that position disappeared as well. The 2016 strategy promised annual updates reporting on implementation and progress of the report. The first annual update was published in 2017, but it wasn't until last Friday when A call for views on the new strategy, passed last week, included an appendix A, which included a perfunctory dot point update on the status of the strategy. The 2016 strategy promised annual cybersecurity leaders meetings, CEO meetings and meetings with leaders in the Public Service. The then Prime Minister, Malcolm Turnbull, did meet with public and private sector leaders in 2017, but no meetings have been held since. The 2016 strategy promised a layered approach to cyber-threat information sharing, including through a dedicated online portal. Nearly four years later, the government describes the progress made towards this particular outcome in this way:
An interim public-private communications platform has been established while a long term solution is created.
That's very fancy bureaucratic speak for saying that the government has established a slack channel that public sector and private sector companies are currently on. Intel sharing more broadly across Australian public and private sectors is patchy at best. As for sharing threats on cyber.gov.au, the government didn't publish any threat advice at all on that site for 10 months, between September 2018 and June 2019.
If you ask independent third parties about Australia's progress on cybersecurity during the life of the first Cyber Security Strategy, they will say that Australia may even have gone backwards. Australia's commitment to cybersecurity has fallen according to the International Telecommunication Union's Global Cybersecurity Index. In 2014, Australia was ranked third in the world under this index. By 2018, three years into the Turnbull strategy, we had fallen all the way to 11th in the world. Of the 17 Commonwealth entities and agencies audited by the ANAO for their cyber-resilience—one of the objectives of the 2016 Cyber Security Strategy—only six were found to be adequately cyber-resilient—a very poor outcome indeed. Australia's also ranked in the top five nations around the world for data breaches by population. It's a real issue.
The major failing in Australian cybersecurity policy over the life of the current strategy has been an absence of political leadership and accountability within the federal government. The 2016 strategy was politically orphaned when Malcolm Turnbull was deposed and the Prime Minister abolished the dedicated minister from his cabinet. Rather than being a day-to-day policy focus for a minister focused on their job, cybersecurity was reduced to just another trophy on the wall of the Minister for Home Affairs, just another conquest in his bureaucratic empire building. As a result, the initiatives announced in the 2016 strategy were simply forgotten. Cybersecurity is more than just a technical problem.
One issue that was largely absent from the 2016 strategy, and from the consultation document for the development of a new strategy, was the potential for the use of the internet to interfere in our democracy. In the early days of the internet, democratic nations were optimistic about the internet's democratising effects and the potential for those democratising effects on authoritarian regimes. But now we see that, in the event, authoritarian regimes have been able to use the internet to successfully control what their citizens can see on the web. In contrast, it is open societies, democracies like Australia, who are most vulnerable to the evolution of the internet.
Duncan Lewis warned that Australia is a 'rich target' for state-sponsored cyberattacks aimed at spreading false information, interfering with political processes and undermining our democratic institutions. Indeed, the Australian Strategic Policy Institute, in a recent report, has found that 20 countries have experienced cyberenabled foreign interference in their electoral and democratic processes since 2016.
In February this year the Prime Minister confirmed that a sophisticated foreign-state actor had targeted the Liberal, Labor and National Party head offices—our party organisations—as well as the IT systems supporting Parliament House. Intelligence officials are reported to believe that a foreign actor was responsible for the ANU data breach in June this year where the records of many, many thousands of students and staff, spanning 19 years, were illegally accessed.
Beyond breaching systems, foreign entities have employed a variety of tactics to influence public discourse and undermine trust in elections and democracies. Influence operations work by finding cracks in the fabric of society and exploiting them to weaken trust in our democratic institutions. This is why cybersecurity is not simply a technological issue.
Our best defence against these kinds of information operations isn't a new technology; it's our democratic institutions; it's the health of our institutions. The more robust our democratic institutions, the more they're able to immunise us, to protect us, from these information operations from foreign adversaries. Unfortunately, the Australian public's mistrust in our democratic institutions today leaves them more vulnerable to the types of foreign influence operations that we are seeing around the world. That's why I regard it as an important part of my portfolio responsibilities to push for ways to strengthen the health of our democratic institutions, to increase the public's trust in our democratic institutions, so that these institutions will be resilient and help us protect ourselves from this foreign interference.
There are many things that we need to do to start to improve the health of the democratic institutions in our country, but here are three just to start. Experts at the Australian Strategic Policy Institute cyberpolicy centre recommend a key measure for protecting Australian democracy is a healthy and robust media environment. Unfortunately, the Morrison government is actively undermining public confidence in our media. The coalition's misplaced priorities were seen earlier this year when the Australian Federal Police raided Annika Smethurst, of News Corp, and the ABC. These raids further eroded public confidence, the Australian public's trust, in our fourth estate. The Chief Executive of the Media, Entertainment & Arts Alliance, Paul Murphy, put it perfectly when he said:
It's yet another example of the culture that's been created in this country of an absolute disregard for the role of journalists in an open liberal democracy …
The second thing we need to do is to restore trust in our institutions through the establishment of a national integrity commission. Trust that our democratic institutions are acting in the interests of the Australian public, not in the personal interests of individuals within a system, is falling in Australia. Currently, only 41 per cent of Australians express trust in our democracy, only 31 per cent of Australians express trust in our federal government and only 16 per cent of Australians express trust in our political parties. We need a national integrity commission to tackle perceptions of corruption and to restore public trust in our democratic institutions. Less than 12 months ago the coalition agreed with this, or at least they said in the lead-up to the election that they agreed.