Monday, 22 March 2021
Foreign Interference in Universities
I too welcome this motion. I'm pleased to support it. And I join the other speakers in the debate by offering my best wishes to the member for Lindsay and her community as they confront this very significant weather event and natural disaster.
Foreign interference is a real and significant threat to Australia's national sovereignty. Indeed, ASIO Director-General Mike Burgess has been warning about the increased scale and sophistication of foreign interference in our society for some time. Last week, in his annual threat assessment, the director-general warned about the risks of espionage and foreign interference, describing them, appropriately, as threats to our way of life.
Universities are significant institutions in our democracy, and an obvious target for this kind of espionage and foreign interference. Universities have a profound ability to influence the democratic process in Australia, whether it's academics who contribute research that shapes the national conversation or it's research that leads to major scientific breakthroughs that shape our national capabilities. Universities are vital democratic institutions that should be protected from espionage and foreign interference.
More broadly, attacks on these institutions can be used to influence government and its processes, and we've seen examples of this overseas. One of the most prominent was the hack of the University of East Anglia's Climatic Research Unit. This was a hack-and-leak operation that is now widely believed to have been directed by a nation-state with the intent of undermining the Copenhagen climate summit. More recently, we've seen COVID vaccine researchers targeted as part of Russian-backed vaccine disinformation campaigns.
So I welcome government action on this important issue, particularly in my own portfolio of cybersecurity. However, to be frank, it shouldn't have taken multiple cyberbreaches at universities to prompt this action—most notably, the campaign against the Australian National University in 2018 by a state-sponsored advanced persistent threat actor—but better late than never.
We are in a 'somewhat' situation in this regard, with respect to the cybersecurity posture of our most central democratic institutions—our Commonwealth entities. On Friday the Australian National Audit Office issued a scathing report that highlighted serious and alarming failures in the government's compliance with its own mandatory cybersecurity standards. The report found that of the nine non-corporate Commonwealth entities audited by the ANAO, including Prime Minister and Cabinet, the Attorney-General's Department, the Department of Home Affairs and the Future Fund, none have implemented the Australian Signals Directorate's Top 4 mandatory cybersecurity mitigations—almost eight years after they became mandatory. The ANAO explicitly found that the Department of the Prime Minister and Cabinet, the Attorney-General's Department and the Future Fund were 'not cyber-reliant as defined by the government itself'. That's the Prime Minister's own department, which handles cabinet papers regularly, and the Attorney-General's Department, which is responsible for the Commonwealth cybersecurity framework.
Last year the Prime Minister held a press conference with the defence minister to warn that a sophisticated state actor had been targeting Australian organisations. He told Australians:
Our objective is to raise awareness of these specific risks and targeted activities and tell you how you can take action to protect yourself … It is vital that Australian organisations are alert to this threat and take steps to enhance the resilience of their networks.
Yet even the Prime Minister's own department did not take notice of the Prime Minister's warning in his press conference with the defence minister.
The reality is that cyber-resilience failings are a systemic problem within Commonwealth entities under the Morrison government, and that leaves the government exposed to cyberenabled espionage and foreign interference campaigns. The ANAO's report highlighted that only 24 per cent of Commonwealth entities audited by the ANAO since the election of the coalition government have implemented the ASD Top 4 mitigation measures. Those are mandatory cybersecurity measures, and they have been mandatory for eight years.
The report also highlighted that 436 cybersecurity incidents were reported by Australian government entities to the ASD in 2019-20 alone. It made the cause of these failings plain; it's a failure of accountability. The ANAO report found:
The cyber policy and operational entities have not established processes to improve the accountability of entities' cyber security posture. The current framework to support responsible Ministers in holding entities accountable within Government is not sufficient to drive improvements in the implementation of mandatory requirements.
Where have we heard that before?
The Morrison government's aversion to accountability is not just protecting its own political interests; it now has real national security consequences. It is now undermining the Commonwealth's ability to defend itself against the exploitation of Commonwealth entities for cyberenabled espionage and foreign interference. While I commend the government on acknowledging this problem and on the motion before the chamber, I urge them to do more to protect our vital democratic institutions from these serious national security threats. (Time expired)