House debates

Monday, 17 October 2016

Private Members' Business

Cybersecurity

11:32 am

Photo of Nola MarinoNola Marino (Forrest, Liberal Party) Share this | | Hansard source

I move:

That this House:

(1) recognises that 10 to 14 October was Stay Smart Online Week, which saw the Government educate businesses and individuals on the importance of cyber security, including how to protect themselves online;

(2) further recognises that this year's theme of 'Cyber safety from the lounge room to the board room' focuses on the importance of good online security habits at home and at work;

(3) congratulates the Government on launching Stay Smart Online Small Business Guide and Stay Smart Online My Guide for individuals which:

(a) provides:

  (i) advice on vital areas of online security including aspects of privacy, passwords, suspicious messages, surfing safely; and

  (ii) information on cyber security when accessing online finances and making payments; and

(b) gives advice on security solutions for tablets and mobiles;

(4) welcomes the Government's free Alert Service, which has online safety information and solutions to help people protect themselves online; and

(5) congratulates the Prime Minister on launching the National Cyber Security Strategy which sets out the Government's vision for meeting the dual challenges of advancing and protecting Australia's interests in the digital age.

Members would know my longstanding interest in cyber safety and cybersecurity. I have delivered hundreds of cyber safety presentations to schools and to community and business groups. So, in Stay Smart Online Week, I am very pleased to see the government is so committed to improving the nation's cybersecurity awareness. It is relevant to every aspect of our lives, whether it is at home, at work, at school, in business or just when we are out and about. Cybersecurity breaches are estimated to cost Australians over $1 billion a year, but there are a few simple things you can do. Considering that approximately 84 per cent of Australia's small and medium businesses are online, there are steps that each business needs to take to protect their business. So the government has launched two cybersecurity guides for Stay Smart Online Week—the Stay Smart Online Small Business Guide and the Stay Smart Online My Guide for individuals.

The My Guide contains eight key steps that individuals should choose. In relation to privacy, be wary of what you share. With passwords, make sure you create strong passwords. Do not reuse them. Of particular importance for young people: with suspicious messaging, treat any and every unsolicited message with great caution. In relation to surfing safely, avoid malware and keep to trusted websites. With respect to online finances and payments, make sure you keep your bank details away from prying eyes. Be very careful. Check your bank account details constantly. With tablets and mobiles, stay secure while you are on the move. With security software, make sure it is updated and keep yourself safe, and report anything and everything that you can.

Small business can do a range of things: use pass phrases, which protects the information; back up data; raise cybersecurity awareness in your organisation or business; make sure you maintain good privacy—keep friends close and information even closer; lock down your computers and networks; and keep your security software up-to-date. The Stay Smart Online alert service is free and can help individuals and businesses understand recent threats as well as continuing, changing threats and how they can be avoided.

I have asked small businesses in my community: does the company or business have cybersecurity as an agenda item when they meet? Does the business, irrespective of its size, have state-of-the-art cybersecurity, not just state-of-the-art technology? How are information and data secured and used in the business with employees, with associated businesses and entities and, ultimately, with customers? These are all requirements of digital trust. Daily reports of data theft and threats to individual company's brands are common, as are leaks by insiders. These are some of the threats. How would your business respond if it were you? I am pleased to see the government, under the national Cyber Security Strategy, offering government grants to up to 5,000 small businesses to have cybersecurity tested by a CREST Australia New Zealand accredited provider.

On a personal level, I recently saw that our online reputation is our greatest asset. Tim Thomas, Detective Inspector for Technology Crimes Services, said in TheSunday Times:

No police investigation will ever undo the harm. Once the material is out on the internet it's there to stay.

I commend the eSafety Commissioner's work as well. I say to every parent: talk to your kids. If you look at iParent on the eSafety Commissioner's website, you will see they list seven ways to make your home cybersafe. I commend that to people. When I am out and about I also talk about the risks around some of the apps such as Snapchat. We have recently seen some of the risks around Tinder that parents need to be aware of, as they do with what happens with Instagram. Kik, in my experience, is meant for 17-year-olds but, from listening to the young people I talk to in schools, in my area it is mostly being used by children of the age of nine. That gives me great concern. Of course, there are other sites where parents also need to be very well aware of what is happening. You need to have a look at your child's history, talk to your children about this space and have a family plan.

Photo of Craig KellyCraig Kelly (Hughes, Liberal Party) Share this | | Hansard source

Is there a seconder for the motion?

Photo of Tony PasinTony Pasin (Barker, Liberal Party) Share this | | Hansard source

I second the motion.

11:37 am

Photo of Gai BrodtmannGai Brodtmann (Canberra, Australian Labor Party, Shadow Parliamentary Secretary for Defence) Share this | | Hansard source

Last week, in Stay Smart Online Week, the Australian Cyber Security Centre released its 2016 threat report. The report is a wake-up call. It suggests that malicious non-state actors could develop an offensive cyber capacity within the life of this parliament, so we need to be prepared. We need to prepare ourselves for that possibility, and our window of time in which to do that is narrowing by the day. The government's Cyber Security Strategy was released with great fanfare in April this year, and it recommended a number of 'priority actions, including the appointment of a Cyber Ambassador'.

Labor recognises the need for diplomacy in the modern cybersecurity environment. That need was highlighted and underscored in the threat report that was released last week, which also highlights the lack of international consensus on what constitutes a 'proportionate' response to offensive cyberactivity. This is particularly challenging in the modern era, when the line between national security and cybersecurity is blurring. As the operation of critical infrastructure moves online, the scope for disruption increases. The destruction potential of a successful attack is growing, yet progress towards establishing a standard policy response to a state-sponsored cyberattack is standing still.

This paralysis is unacceptable. In most areas of national security, policy responses to state-sponsored activity are well established. They have been well established for decades—for hundreds of years. A country can expel diplomats in response to a spying scandal, issue a demarche if a country considers its sovereignty to have been violated, and use force in response to an armed attack. Clear and established policy responses such as these don’t yet exist for cyberattacks. The Turnbull government has not outlined what sort of events it considers worthy of a proportionate response. It has not even decided what a proportionate response to a cyber attack actually looks like, and if we do not know, we cannot act.

This is a challenge that is not unique to Australia. The international community is working on establishing these thresholds and these benchmarks. These negotiations have important implications for Australia's national security, because Australia's interests are at stake in these negotiations. We need a place at the table to promote them, and that is why the cyber ambassador role is vitally important. That is what the cyber ambassador should be doing. Not only has a cyber ambassador not been announced by this government since the release of the Cyber Security Strategy—a major strategy with hundreds of millions of dollars of investments since its release in April this year—but also the government has not said when it will be announcing one at all. We do not have any idea when we are going to get a cyber ambassador. In the 2016-17 financial year, $2.7 million was set aside for this position. We are how many months into the financial year and we are still unspent on that position and there has been no announcement. This is a part of a pattern of growing delay with this government.

The strategy called for the Australian Cyber Security Centre to be relocated to enable the government and the private sector to work more effectively together. The strategy was announced in April this year and yet, just as we might have expected, the centre has not yet been relocated and we do not know when it will be relocated. Australia's Cyber Security Strategy also called for the establishment of joint cyberthreat sharing centres. The ACSC Threat Report 2016 that was released last week echoed this call, but the government has not established these centres either. So what have we got? We have got no cyber ambassador, we have got no relocation of the Cyber Security Centre, and there is no news on the joint cyberthreat sharing centres—no news on that at all. We do not even know when these hubs are going to be established. Meanwhile, the strategy makes no mention of mandatory data breach notification legislation. There is also no mention of that in the ACSC Threat Report. So, we have got a government here that is sitting on its hands when it comes to cybersecurity. Despite its call for priority actions, we do not have a cyber ambassador, we do not have a relocated Cyber Security Centre, and we do not have any information on when these cyberthreat hubs are going to be established. This government is just sitting on its hands. There is no priority action from this government when it comes to cybersecurity.

11:42 am

Photo of Ann SudmalisAnn Sudmalis (Gilmore, Liberal Party) Share this | | Hansard source

Last week was Stay Smart Online Week. The internet is effectively a story of the good, the bad and the ugly. With an estimated 20.6 million internet users in Australia, it is essential that we make sure all Australians are aware of cybersecurity and its importance. Just about every aspect of our lives is linked with some use of the internet. Almost everything to do with the internet is referred to as 'cyber' something: 'cyber cafe' means you can get internet services as well as a coffee and 'cyberattacks' means someone is trying to hack your system. I am sure, as we become more and more dependent on the internet, the use of the word 'cyber' will continue to grow.

While many parts of the internet that we know now are just great—Facebook to stay in touch with relatives, internet banking instead of going to the bank, and even sending a gift if we are so busy we forget; we can just google the gift, pay and get it sent—the bad part of the internet is its misuse by those who are trying to steal part of your personal life, part of your business or part of your intellectual property rights. This bad part of the internet is called cybercrime, and it is estimated to cost Australians over a billion dollars a year. However, there are a range of steps that can be taken to keep both families and businesses safe online. Last week the Turnbull government launched two cyber security guides: an updated Stay Smart Online business guide and a Stay Smart Online My guide for individuals. These can both be downloaded from the Stay Smart Online website. More than 1,700 partners across Australia have combined to prepare these guides to help protect Aussies from some sort of cybercrime.

There are eight key steps for individuals: be careful of the information you share; use really strong passwords; if you receive a message that you did not really expect to get, delete it—if it was from a friend they will contact you again; when browsing the internet, be careful of the pop-ups that appear—are they coming from a trusted web site?; keep your bank details away from prying eyes and do not share them with anyone; mobile phones and tablets are really convenient but they can be used by others so make sure the shut down time is pretty short and password protected; update your security software to keep yourself safe; and if you feel that something is too good to be true then it probably is and it is likely to be a scam so report the source so it can be investigated.

Approximately 84 per cent of small-to-medium Australian business have an online presence and it is super important that we all take the right steps to protect ourselves. You really have to have pass phrases that are unique to each employee. If you leave your desk for some reason, lock your computer; you may think you are only going to be a minute but you may take longer. Make sure everyone is 'cyber sensible' for your business or organisation. Maintain high levels of privacy; keep your friends close but keep information closer. Back up your data; you never know when you may have a system fail, and re-doing the work from scratch is both tedious and very un-productive.

I tell this story to many students during my visits to schools. It is amusing but it does really emphasise the need to back up. Many years ago, when computers were a pretty new concept and records were only just being moved from paper to floppy disks and clunky computers, I was a teacher and a form advisor for more than 300 students. I was often in the position of having to write lists of students going to different events, swimming carnivals and the like, so I thought I would capture all their names on a master list. Well I typed in all those names in alphabetical order and then prepared the sprocket loaded paper ready to print—that tells you how old this story is—but the paper bundle fell and knocked the power point out of the socket. Every name was lost and I had to begin all over, so the most important lesson was 'save as you go'.

Staying smart online will become more important as we advance our technologies and our digital applications. For parents, carers and responsible adults, there is potential in the ugly side of the internet. Do you know who your children are talking to? Are they educated about the different searches on the net? Have they switched off their geo-locators before posting Facebook photos? Are their posts showing them possibly drinking and that their parents are away from home? Are we doing everything possible to keep our children from being the subject of an online stalker? And finally, perhaps most important of all, are we helping them through ways and techniques to deal with online bullying from their mates at school or work who are supposed to be their friends? Too often we leave the wellbeing of our children and family to the potential influence of online cheating, cynicism, crime and criticism. We all have a role to play in so many aspects of our cyber life, both now, tomorrow and all the tomorrows ahead of us. For all our sakes, stay smart online.

11:48 am

Photo of Tim WattsTim Watts (Gellibrand, Australian Labor Party) Share this | | Hansard source

Last week was online safety week and an increasingly critical part of online safety today is data security. It is more important than ever that we keep personal data safe. Massive volumes of data are being collected online every second. Data about your spending patterns, your daily movements, who you associate with and in what contexts and obviously data that can be used for the purposes of fraud and theft—credit card details and the like. The responsibility to keep this data secure is a shared one. Individuals should take care to change their passwords periodically, to not use the same password across different internet sites and to use two-factor authentication where possible. However, while some of this data is stored on hardware owned by individuals, most of it is now shared 'on the cloud', which is geek speak for on someone else's computer—in a server farm controlled not by the individual but by a company. Australians rely on the companies entrusted with this data to protect it and, when they are unable to protect it, to minimise the consequences of these failures.

Unfortunately, data breaches are a continuing fact of modern life. Australia has more data breaches reported than anywhere else in APAC, according to the Gemalto Breach Level Index. So far in 2016 there have been 2,928 publicly disclosed data breaches which have exposed more than 2.2 billion records—records including the data of individuals like you or I.

In the past two years we have seen a huge number high-profile hacks around the world, including Anthem Health Insurance with 80 million records stolen, the DNC and Hillary Clinton's campaign chair records, where five million records were stolen. Ashley Madison had 37 million records stolen; Mossack Fonseca, 11.5 million; and the Philippines' Commission on Elections had 55 million records stolen. Recently, tech giant Yahoo had the details from 500 million accounts stolen—that is, 500 million records capturing names, email address, birth dates, and scrambled passwords, along with encrypted or unencrypted security questions and answers that could help hackers break into victims' other online accounts. This breach occurred in 2014 but was only publicly reported in 2016.

This is the new normal. Australian governments, businesses and individuals need to adapt to a new environment in which the security of their data is constantly challenged and in which data breaches periodically occur. Responding to this new online security environment will require a multifaceted approach. One crucial element of this response must be legislation requiring individuals to be alerted when their data has been compromised. Globally, Australia is falling behind in this respect. The majority of states in the US have already introduced data breach notification laws. The EU has similar regulation, and New Zealand and Canada are already well advanced on this matter.

In contrast, in Australia, companies currently report to the Privacy Commissioner on breaches on a voluntary basis. The previous Labor government introduced legislation to require such data breach notification through the Privacy Amendment (Privacy Alerts) Bill 2013, but the incoming Abbott government did nothing to advance the issue for the next two years. In February 2015 the Parliamentary Joint Committee on Intelligence and Security produced a bipartisan report recommending introduction of a mandatory data breach notification scheme by the end of 2015. The government agreed with those recommendations in March 2015, and an exposure draft to deliver on this was subsequently released eight months later, despite this issue having been well ventilated for more than three years before this.

This draft legislation would require companies and organisations to inform people affected by a compromise of their personal data if there were a real risk of serious harm posed by the release of the information—for example, where a person's credit card details, identification details, passwords or other information were leaked or obtained fraudulently. The bill was included on a list of bills intended to be introduced during the winter 2016 sitting of the 44th parliament, but, like the end of 2015 deadline previously agreed by the government, there is no sign of the data breach notification bill.

Still no such bill has been tabled. The government has now indicated that it will be introducing a data breach notification bill in the spring sittings of this parliament. We will wait and see. But the delays to date are not good enough. Labor thinks that all Australians have a right to know when their data has been breached. In the modern environment this is a crucial element of overall online security. We can look to consumers and we can inform consumers about what they can do to protect themselves, but we need to ensure that corporations play their role as well in the data governance arrangements of this country. There is nothing that an Australian consumer can do if their data has been breached on a server in Singapore. We will continue to push the government on this issue until it takes action. I hope to see a mandatory data breach notification scheme introduced into this parliament as promised by the government in this setting.

11:53 am

Photo of Tim WilsonTim Wilson (Goldstein, Liberal Party) Share this | | Hansard source

I welcome this opportunity to get up and talk about cyber safety and security. I do not think there is any ambiguity among members of parliament that this is a rising and emerging issue that needs to be addressed, particularly in the light of technological change. While I welcome the comments from members on the other side of the House, I think it is always important to deal with it in a substantive way and to make sure that we are taking the Australian community along with us in addressing cyber security.

We know it is an issue; we know it is going to continue to be an issue; and we know it is going to become more sophisticated over time. That is why it is so important to talk about it and why this motion has been put forward—to make sure every Australian is aware of the risks and the problems that they may face. When it comes down to it, we are leading by example to encourage everybody, businesses and individuals, to come forward and share information about the incidents and experiences they have directly around cyber security. We need to make sure that the strategy is in place so that people can be safe, their data can be secure and that people can use technology with confidence into the future, as it evolves and continues to face threats. That is why the government takes this issue seriously. In April we launched the cyber security strategy, which does an enormous amount to build and bring forward information that is relevant to the Australian people.

This government is doing an awful lot of work in this space—$230 million over four years for 33 initiatives in the Cyber Security Strategy; $38 million in cybersecurity initiatives through the National Innovation and Science Agenda; $400 million over the decade as part of the 2016 Defence white paper; and $80 million to improve public-private partnerships and cyberthreat sharing information. So it is easy to make criticisms and assessments that people want to add or contribute and they are most welcome, but we need to acknowledge the enormous amount of work that has already been done and will continue to be done to make sure that people are safe and secure.

Speaking perhaps from a position of history and experience, as the former Australian Human Rights Commissioner, these issues were regularly dealt with in terms of navigating the very difficult challenges around privacy, security and law in my term in that office. If we do not deal with them in a sophisticated and considered way, you can create problems where not only can too many things be reported to government but equally things are not appropriately dealt with by government. Those are some of the great challenges dealt with by the Privacy Commissioner in making sure that everybody's information—commercial, personal, private, medical et cetera—is secure while also making sure that the government does not become a gatekeeper intrusive in all matters related to privacy. That is where the power of technology and its role can be so important in driving change, and the private sector has done so much in this sector through the evolution of technology that helps deal directly with the challenges of cybersecurity.

We also need to acknowledge that there is a very serious cost, if we do not properly address challenges of cybersecurity. There are not just obviously the human costs of sense of security and safety but also a lost productivity in income and the costs of diverting staff and resources, particularly in business, from other activities to deal with any compromise that may occur. There is the loss of revenue associated with the theft of information, particularly intellectual property which is so central to innovative businesses that are going to make a contribution to the future of this country, grow jobs for the 21st century and build Australia for the 21st century as well as, of course, if we are dealing with cybersecurity at a governmental level, particularly across boundaries, compromising our negotiating position, our security position, in some international fora.

There are of course broader costs to the Australian economy where information is stolen from networks, particuarly around personal information for the purposes of fraud. As somebody who has had the occasional phone call from their bank saying that my credit card has somehow been maliciously used in a country I have not visited in some time and to purchase goods and services that I do not believe I have purchased, I know that experience firsthand.

But there is also, of course, a reputational cost that comes from negative social and news media exposure around the challenges of trust not just between individuals but individuals and companies. That is why dealing with cybersecurity, particularly at a local level is so important. In 38 of the primary schools in my electorate of Goldstein, there have been initiatives and efforts made to help children understand the importance of cybersecurity as part of protecting themselves and their families into the future. I encourage more of those initiatives, because, as most issues come back to personal responsibility, we need to make sure that these are expanded and worked as part of secondary schools as well. I thank you for your time.

11:58 am

Photo of Anne AlyAnne Aly (Cowan, Australian Labor Party) Share this | | Hansard source

The internet has become a ubiquitous part of our lives, especially among young people who have been called AORTAs—always online and real-time available. In 2010, I presented a paper at the International Cyber Resilience Conference following the release of the Labor government's 2009 Cyber Security Strategy which recognised cybersecurity as a top-tier national security priority. The paper I presented was entitled Building resilient cybercommunities. In that paper, I spoke of the human link in the security system as being the most vulnerable and the need to improve both individual and business culture towards cybersecurity.

I spoke about the need to raise awareness and educate people about the importance of maintaining strong and robust cybersecurity habits—things like ensuring our passwords are safe, logging off when leaving the office and being aware of suspicious messages. These may seem like small and insignificant actions, but the impact of not having a resilient cyberculture can be devastating to business. The 2016 IBM cost of data breach study found that the average organisational cost of data braches for the year was $2.64 million in Australia. That is a per capita cost of $142. Most data breaches continue to be caused by criminal and malicious attacks. These breaches also take the most time to detect and contain and, as a result, they have the highest cost per record. But around one-third of data breaches were due to human error.

For individuals the impact can be equally disastrous, ranging from fairly minor inconveniences caused by malware to leaking of private photographs to identity theft. The recent leaking of explicit photos involving Perth schoolgirls underscores the urgency of a comprehensive cybersecurity education campaign to educate young people about the risks involved in posting private and intimate information online, particularly in an age when the so-called 'selfie culture' has infiltrated traditional boundaries of privacy and confidentiality.

It can sometimes be difficult for those of my generation—and forgive me for making generalisations here—to understand just how hardwired the lives of young people are, but understand it we must. It is not enough to just tell young people about the dangers of posting personal information or explicit photos online just as it is not enough just to tell young people about the dangers of engaging with certain violent extremist messaging online. We need comprehensive strategies in place that are build on an understanding of both positive and negative opportunities the internet offers, and we need to harness the positive and guard against the negative.

But it is also not enough for governments to tell people about the importance of cybersecurity while its own systems remain vulnerable to attacks and breaches. The ABS has reported 14 data breaches since 2014. Most recently, of course, we had the major denial of service attack on the 2016 census. A recent Four Corners investigation reported that sensitive Australian government and corporate computer networks have been penetrated by cyberattacks in the last five years. Newstat Limited, whose assets were sold off last year, was among those and was so completely hacked that it had to rebuild its entire network. And of course the most recent breach of Medicare and PBS data again reminds us that government is not immune. I reiterate the words of Labor's shadow minister for health that the government's 17-day delay in admitting the breach is simply unacceptable, particularly when there are reported to be around 1,500 downloads of that data.

While I rise today to commend any efforts to increase awareness of cybersecurity and individual responsibility in creating strong and resilient cybercommunities, I also rise to remind this government that they too above all have a responsibility to ensure that they take cybersecurity seriously. This should not be a case of 'do as I say and not as I do'. The government should lead by example, and cybersecurity starts with and ends with this government.

Photo of Tony PasinTony Pasin (Barker, Liberal Party) Share this | | Hansard source

The time allotted for this debate has expired. The debate is adjourned and the resumption of the debate will be made an order for the next day of sitting.