Thursday, 12 November 2020
Appropriation Bill (No. 1) 2020-2021; Consideration in Detail
I have a few questions about cybersecurity aspects of the Home Affairs portfolio. On 30 June 2020, the Prime Minister announced $35 million in funding to deliver 'a new cyberthreat-sharing platform for industry and government to share intelligence about malicious cyberactivity as part of the 2020 cybersecurity strategy'. But this wasn't the first time the government announced a cyberthreat-sharing platform for industry and government. On 21 April 2016, 1,531 days before, the government announced in the 2016 cybersecurity strategy that it would 'establish a layered approach for sharing real-time public-private cyberthreat information through an online cyberthreat-sharing portal'. The strategy further provided that this threat-sharing portal would enable 'a broad range of organisations to share information on a secure online cyberthreat-sharing portal, including the results of analysis by the joint cyberthreat-sharing centres'. Funding was then allocated to the Attorney-General's Department to deliver this platform, and it sat unexpended on the budget papers for the next four years. The 2020 Cyber Security Strategy Industry Advisory Panel report on the cybersecurity strategy noted the surprise of industry that a real-time government-industry threat-sharing intel platform hadn't been delivered, stating:
There is clear appetite from industry for real-time sharing of threat information. The Panel was surprised to learn that technical limitations currently prevent the Australian Cyber Security Centre from meeting these requests.
ASD indicated in answers to questions on notice from Senate estimates last year that it had undertaken an approach to market to select a commercial off-the-shelf cyberthreat intelligence management and sharing capability, due to be delivered by 30 June 2020, which turned out to be the day that the Prime Minister reannounced a cyberthreat-sharing platform with new funding, as part of the 2020 cybersecurity strategy. My question for the minister is: why did the government fail to follow through on the delivery of the threat-sharing platform announced in the 2016 cybersecurity strategy for four years? Why did the Prime Minister then reannounce this threat-sharing platform in the 2020 cybersecurity strategy?
I have another question about vulnerability disclosure processes and bug bounties. The ACSC's Securing the internet of things for consumers: code of practice advises developers to implement a vulnerability disclosure policy—'a public point of contact as part of a vulnerability disclosure policy in order for security researchers and others to report issues'. The code further recommends that manufacturers have 'a bug bounty program' to encourage users to report vulnerabilities. The code further states, 'The Australian government recommends industry prioritise vulnerability disclosure as it will bring the largest security benefits in the short term.' My question is: why does the Commonwealth government not follow this best-practice security advice in the IT services that it offers to Australian citizens? There's no vulnerability disclosure policy published for the COVIDSafe app or myGov or any other IT services delivered by the government. The government has never run a bug bounty program. Is this a case of the government telling manufacturers, 'Do as I say, not as I do,' on cybersecurity? Why does the Commonwealth believe it's more important for an internet-connected fridge to be protected by a vulnerability disclosure process and bug bounties than the COVIDSafe app?
Malcolm Turnbull's 2016 cybersecurity strategy established a dedicated role in the ministry for cybersecurity. After Malcolm Turnbull's ousting, one of the first acts of the current Prime Minister was to abolish that role and wrap the responsibilities into the Home Affairs portfolio. Since then, cybersecurity policy-making has been politically orphaned. Industry publication ZDNet reflected industry's views on these arrangements, after observing the media conference launching the 2020 cybersecurity strategy—the Home Affairs minister's first dedicated press conference on cybersecurity, well over a year into the role—with the headline 'Does Peter Dutton understand his own cyberstrategy?'
The article concluded, 'The minister is already spread thin across this sprawling department. How well do we think this strategy will progress under his leadership?'
Those views were echoed by former prime minister Malcolm Turnbull, who noted on the Risky Business podcast, 'Part of the problem is that probably since I left there isn't anyone at a senior level taking an interest in cybersecurity. There isn't a minister for cybersecurity. I don't think Scott Morrison is particularly interested in it or familiar with it.'
I think you need a minister who is clearly responsible for cybersecurity, someone who is prepared to actually learn. It has to be someone who is not a once-over-lightly skimmer of things. It has to be someone who is a bit nerdy. My question to the minister then is: when can the Australian people expect real leadership on cybersecurity and the appointment of a dedicated member of the executive with responsibility for cybersecurity, someone who's willing to learn, someone who is a bit of a nerd and not just a skimmer? When am I going to get someone as an opposite number who is actually interested in cybersecurity policy and the issues that underlie it?