Thursday, 25 March 2021
Appropriation Bill (No. 3) 2020-2021, Appropriation Bill (No. 4) 2020-2021; Second Reading
I'm pleased to rise to speak on the appropriations bills for 2020-2021. It's been an extraordinary 12 months. During the COVID-19 pandemic, time has taken on a very strange quality. For those of us who, for more than 100 days in the last 12 months, were engaged in the homeschooling of primary-school-age children, it sometimes felt that time had stopped passing altogether, as the days, the weeks and the months melded into one. In other aspects of our lives, it was like time had gone into fast-forward. In the technology space, we've seen a decade's worth of adoption of new technologies in just 12 months as we've learned how to work remotely and to consume services like health and education via telecommunication services. We've seen a similar pattern in international relations, where the tensions and pressures of the COVID-19 pandemic seem to have brought on a decade's worth of worsening strategic tensions in just 12 months.
In my portfolio of cybersecurity, we've seen these trends come together in one. In 2021 we've already seen some of the most significant cybersecurity incidents on record. Each of these incidents has raised significant issues for the nation and the Morrison government. First, the security firm FireEye identified the SUNBURST backdoor within the SolarWinds Orion IT monitoring software, a vulnerability that formed part of the most successful supply chain attack in history, an attack that could have compromised 18,000 users of SolarWinds software and that the US government believes hackers backed by the Russian government did in fact use to gain access to targets as significant as the US departments of treasury, state, homeland security and energy and the National Institutes of Health and the National Nuclear Security Administration.
The president of Microsoft, Brad Smith, described that as the 'largest and most sophisticated attack' ever. We're yet to hear anything from the Morrison government about this incident. There seem to be two ways that they could view this incident. Some analysts view it as simply a particularly successful form of cyberespionage by one government against another, long regarded as accepted under emerging cybernorms. Others argue that the supply chain aspect of this attack gives it a different character. The report of the 2015 UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security provides a recommendation about normal state behaviour in cyberspace, saying:
States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions …
Does the Australian government believe that there is a norm for state behaviour in cyberspace that prohibits supply chain attacks, even for purposes that would be acceptable under existing norms? We don't know; we haven't heard from them.
Anne Neuberger, US Deputy National Security Advisor for Cyber and Emerging Technology, has described the SolarWinds attack as 'more than a single incident of espionage; it's fundamentally a concern for the ability for this to become disruptive'. Does the Australian government believe that supply chain attacks have the potential to be disruptive in the way described by Ms Neuberger? We don't know; we haven't heard from them.
Hot on the heels of SolarWinds, on 5 January, Taiwanese researcher Cheng-Da Tsai identified a series of new vulnerabilities in locally hosted instances of the Microsoft Exchange Server software. Microsoft assessed the vulnerability and attributed the attack to state-based hackers. At this point I should note for the record that as an opposition spokesman I have neither the access nor the expertise to make an attribution assessment of this attack, but Microsoft has, and Microsoft developed a patch for these vulnerabilities and, on 3 March, issued an alert about the threat. That alert made it clear that 'even though we've worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems'.
The operators of unpatched Microsoft Exchange Servers were highly vulnerable, not just to this state backed espionage but also to follow-on ransomware attacks by cybercriminals. Getting the word out to as many potentially vulnerable organisations as possible about this threat was urgent. But, in the subsequent days, researchers estimated that more than 100,000 servers around the world could have been compromised by these hackers. It was an urgent issue. Hackers used automated scanning tools to identify vulnerable systems and then installed unauthenticated web shells on the servers to enable easy subsequent access. The issue was so significant that, on 6 March, US President Biden's press secretary, Jen Psaki, said at the White House press briefing:
… this is a significant vulnerability that could have far-reaching impacts.
She said that network owners also needed to consider whether they had already been compromised and should immediately take appropriate steps. Former Cybersecurity and Infrastructure Security Agency director Chris Krebs warned operators of vulnerable servers that they should assume compromise.
By 9 March, six days after Microsoft issued its first alert, The Australian was reporting that 7,000 servers in Australia were vulnerable. But, while the ACSC had been issuing alerts to ACSC partners, and those who closely monitored its website during this time saw the alert, we heard nothing from members of the Morrison government about this allegedly state sponsored attack.
On 19 June last year, the Prime Minister and the defence minister held a high-profile press conference about the threat to the nation posed by the exploitation of the copy-paste vulnerability. Yet we didn't see the same response from the Prime Minister or the defence minister to this, objectively, even more serious cybersecurity threat. If ever there was a cybersecurity incident that demanded the Prime Minister mount the bully pulpit and get the word out about the urgent need for organisations to protect themselves, it was this one. In Microsoft's alert about this vulnerability, it claimed that the state sponsored actor that was exploiting this vulnerability primarily targets, among other things, infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks and NGOs. Many of these organisations won't be ACSC partners and they won't be hitting 'refresh' on the ACSC cyberalerts page. Political leadership was needed to get the word out to these entities as soon as possible, but the PM and the defence minister were silent. Why? The Morrison government had been engulfed by its own sleaze and scandals and distracted from this important national security issue.
At the time the Microsoft Exchange vulnerability was going public, the defence minister was on leave. The acting defence minister, who is also the Minister for Women, was in hiding from the media. The Assistant Defence Minister, the member of the executive to whom the Morrison government intended to give responsibility for the ACSC and cybersecurity more broadly, still hadn't received his charter letter setting out his responsibilities, three months after his appointment. We didn't see any form of statement from any member of the Morrison government about this Exchange server vulnerability until 10 March, a week after these vulnerabilities were disclosed, when the assistant defence minister issued a press release, a press release simply urging people to patch their systems and follow technical advice—too late; too late.
The other Morrison government minister we haven't heard from on this is the home affairs minister. Who could forget the tough talk we heard from the minister in October 2019? He gave a press release in October 2019 where he said, with much chest-beating machismo, that the Australian government 'won't allow our government bodies or our non-government bodies to be hacked into' and that it will 'call out cyberattacks on the nation'. Despite the macho rhetoric, the minister is now nowhere to be seen. He's too busy backgrounding the media that he will be the new defence minister. To add insult to injury, we now read that the Minister for Government Services is in line to become the new home affairs minister, with responsibility for cybersecurity policy, in the upcoming reshuffle.
After eight long years of scandal and sleaze have decimated the coalition frontbench, this is what we are left with: the minister for 'my bad' and fictitious DDoS attacks, the member for $40,000 home internet bills and the master of disaster leading Australia's national security. Members of the Morrison government are so obsessed with themselves—with their own scandals and their own promotion prospects—that they've taken their eye off the ball on an important matter of national security. These incidents demanded more than simply technical advisories from government and warnings that organisations needed to patch their systems. Under another government, we would have seen a ministerial statement on these incidents outlining how the Australian government saw the very serious issues they raised. Given the scale of this attack and the potential state-actor element, we need to hear from the government about whether they believe this behaviour accords with international law.
Dimitri Alperovitch, the co-founder and former CTO of the highly respected cybersecurity firm CrowdStrike, has stated that the state sponsored dimension of these Exchange server attacks is 'a major norms violation', because:
While it started out as targeted espionage campaign, they engaged in reckless and dangerous behavior by scanning/compromising Exchange servers across the entire IPv4 address space with webshells that can now be used by other actors, including ransomware crews …
We need to know if the Australian government shares the view that these attacks are a violation of the expected international norms of appropriate behaviour by states in cyberspace. Alperovitch has further stated:
This in my view deserves a significant response by the Biden Administration, especially if we start seeing, as expected, damaging ransomware attacks against American companies …
On 9 March 2021, the day before the assistant minister's media release, Alperovitch further noted:
Because this campaign is still ongoing … webshells on tens of thousands of networks - the response must demand immediate shutdown of those implants to limit damage, not just signal our displeasure with the fact that it had occurred. Needs to happen NOW …
Yet we've heard nothing from the Morrison government on attribution of this attack—not then, and not now. There's nothing on how it intends to respond, nothing on whether it is working with Five Eyes allies to craft a response to this incident and nothing on whether it's made direct representations to any other government about this conduct. In one sense, this is appropriate, because we've heard nothing from the government about the way it thinks about international cybernorms for quite some time.
Indeed, the Morrison government began consultations on its cyber and critical technology international engagement strategy on 22 April 2020. Public submissions on the strategy closed on 16 June 2020. It's been 11 months since the government began public consultations on this strategy and nine months since public submissions on the consultations closed, but the strategy still hasn't been released. A DFAT disclosure on GrantConnect from June 2020 states that the public-facing strategy is scheduled to be released in late 2020. We're now three months after late 2020, and the strategy still hasn't been released.
The foreign affairs minister announced the establishment of the Quad Tech Network on 23 December 2020 to 'strengthen global discussion of cyber and critical technology'. It's a great initiative, but it sounds like the kind of initiative that would have been heavily informed by the government's intended approach in its as yet unreleased cyber and critical technology international engagement strategy. But, bizarrely, that strategy isn't even mentioned in the minister's press release announcing the Quad Tech Network. You'd think that it would have made more sense to finalise the overarching strategy before implementing specific agreements with other areas in this exact area, especially considering that the overarching strategy was originally scheduled for finalisation and publication before the Quad Tech Network.
What is going on inside the Morrison government on cybersecurity policy? After eight long years of the coalition government, responsibility for cybersecurity policy inside this government is a complete mess. It's not led from the top. There's no political leadership. It progresses solely as a function of who inside the government is most adept at bureaucratic knife fights. Australians deserve better in this important area of public policy.
Labor has sought to be a constructive opposition in cybersecurity policy. We have sought to help the government on this important area of national interest. We have released discussion papers on national cyberresilience, examining the lessons we could learn from the systemic risks present in the cybersecurity sector from the challenges we faced in the COVID-19 pandemic. We've released a national ransomware strategy trying to develop a dedicated strategy to combat the most serious cybersecurity threat confronting Australian businesses, the most serious as identified by the Australian Cyber Security Centre. I'm pleased to see that the government has adopted many of the elements of the active cyberdefence strategy that Labor advocated in our national cyberresilience paper, and I'm pleased that Labor's national ransomware strategy discussion paper was followed soon after by a paper on ransomware by the government's Cyber Security Strategy Industry Advisory Panel.
Labor has sought to constructively hold the government accountable for its compliance with the cybersecurity requirements of the Protective Security Policy Framework. I'm pleased that the Joint Committee of Public Accounts and Audit issued a bipartisan report late last year on Commonwealth cyberresilience that highlighted the concerns of both members of that committee and the Australian National Audit Office with the continuing failure of the vast majority of Commonwealth entities to implement the ASD's top four cybersecurity mitigations nearly eight years after they became mandatory. Only 24 per cent of Commonwealth entities audited by the ANAO since 2014 have been found to be compliant with the ASD's top four mitigations. These are the most fundamental cybersecurity mitigations that an organisation can implement to protect itself against cybersecurity threats, and unfortunately non-compliance with these mandatory standards remains endemic. The ANAO continues to hold audits into this issue. The JCPAA continues to hold inquiries into these audits. It's time that the government did better.
Labor in opposition is playing its part in cybersecurity policy, and it's time that the Morrison government did so too. I welcome this government's decision to assign the Assistant Minister for Defence responsibility for these matters. He will provide much-needed political leadership in this space and I wish him well in this endeavour. I simply hope, though, that the upcoming broader ministerial reshuffle will result in cybersecurity getting the political leadership that it needs at the highest level of the Morrison government that has been so sorely lacking since the Prime Minister ascended to his role in 2018.