House debates

Wednesday, 28 February 2018

Bills

Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018; Second Reading

4:31 pm

Mike Kelly (Eden-Monaro, Australian Labor Party, Shadow Assistant Minister for Defence Industry and Support)

I will come back to where I was before I was rudely interrupted. The Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018, as I said, has been given full Labor cooperation. As you are well aware, Mr Deputy Speaker, the Parliamentary Joint Committee on Intelligence and Security was the beneficiary of great advice from Mr Michael L'Estrange, who conducted an extensive review of the intelligence community and services. I want to commend Mr L'Estrange for his work because he also very effectively drilled down beyond the superficial levels of issues that may have been presented by only senior levels of services and came to appreciate very well the issues that also occupied some subterranean levels of the intelligence community and services and the issues that were playing on and perhaps hampering the best delivery of those services.

As I said, the effect of the reforms has been wonderful for the morale of ASD and its staff. I also want to emphasise, however, that out of that there is no change to the role of ASD in supporting the Defence Force. ASD will report directly to the defence minister. An MOU has been entered into between the CDF and the head of ASD. While I'm on that subject, I'd like to commend Paul Taloni for his service within ASD. Some suggested he would've been a great head for ASD, but that wasn't to be. Paul has been a fantastic servant to this nation in the security area. I've had many wonderful dealings with Paul and really appreciate the service that he has rendered, particularly the service he rendered in his time at ASD.

Before we broke this debate I was also talking about the workforce issues. I know this is an issue that my colleague the member for Chifley is very keen to also pursue. I was talking before the break about the fact that the Australian Defence Force has now gone into the approach of establishing an Information Warfare Division and a cyberwarfare capability within Defence that is more creative and imaginative than simply trying to shoehorn uniform members or shoehorn civilians into the regime within which members are recruited and trained within the Defence Force. They may not need any of that training or need that elaborate framework that supports our uniform personnel to work in this space.

I mentioned we were very pleased with the appointment of Major General Thompson, who is eminently qualified to head up this group and some of the areas that are under his wing. He also works in that role to the Commander of Joint Capabilities Group, so it has been given the appropriate emphasis within Defence. He, as I mentioned, has a PhD in cybersecurity and a special forces background.

That division is starting with about 100 personnel. That was the goal to kick it off, but it is planned that it will grow to about 900 by the end of the decade. In order to support a workforce of 900 you probably need a supply pool of around 3,000 personnel, as we usually work through these things and as a rule of thumb for support for capabilities, taking into account leave, reassignment, turnover and mobilisation issues. That level of workforce to sustain just this unit is extremely significant. It poses a real issue for our country about how we supply and support all of our security agencies. I was talking about what the AFP had brought to us. I think you were there with me, Mr Deputy Speaker Vasta, the day they talked about those petabytes of data they had to wade through. We met with the PhD student from Data61 who was on loan to them, helping them design and build the algorithms to penetrate that deep well of data that's so important in the mission they have for tracking terrorists.

This poses issues to us more deeply as to how we manage that workforce issue and how we share these demands with industry. There are examples of how that's been done. My colleague, the member for Chifley, is aware of what is done in Singapore in relation to their service people that are based on their national service requirements. We don't have that available to us. Israel also has a very creative way of approaching this, taking the best and brightest from their high school graduates in the STEM areas and taking them into a program called Talpiot, where they enhance their skills and education over a long period of time, a number of years, without putting them in uniform. When they've finished and completed that refinement, they are then deployed into these security areas right across the security establishments with the specific mission of finding ways to improve what they do, to refine, innovate and develop the capabilities. That has led them to be able to use some really creative and innovative methods of dealing with, for example, terrorist financing. A really instructive work that's come out recently, called Operation Harpoon, describes the journey they've been on in tackling the matrix of counter-terrorism financing that needs to be put in place across the spectrum and across the globe and how you bring down those networks of financing. That Talpiot system is working extremely well for them. Those graduates then go out when they've finished their security time to help build their innovation economy and the innovation state, as we know.

We don't have national service available to us to draw on those Singaporean or Israeli models. We need to look at a creative way of managing and sharing that workforce. The workforce of the future in the defence force may not even be largely made up of the classic warriors we've had in the past. There'll always be a need for boots on the ground in many circumstances, but in the complex technological battlefield of the future a lot of our systems will be automated. You'll be seeing a lot of warriors sitting with bottles of coke and pizzas in shipping containers, steering automated systems. They don't need to be people who can do run, jump, dodge courses and these sorts of requirements.

Ed Husic (Chifley, Australian Labor Party, Shadow Minister for the Digital Economy)

Unless you can do it on an Xbox!

Mike Kelly (Eden-Monaro, Australian Labor Party, Shadow Assistant Minister for Defence Industry and Support)

Kids who are good at Xbox and those sorts of video games are actually well prepared for the new digital environment that we will see in the future. The JSF and our new future submarines may well be the last crewed platforms of their type. We're already seeing Israel experimenting with automated land vehicles as well, resupply vehicles in the Gaza conflict. There'll be more and more of this automation, more and more emphasis on these technological skills, and certainly in the battles of cybersecurity that we will see in the future, which overlays so much into the industrial space. We've been hearing a lot about industrial espionage and foreign interference on the intelligence committee. There is such a need and demand for us to tackle that more effectively. In this industrial space, the back door approaches that a lot of the cyberassailants use really require industries, subcontractors and other industries that are involved in supplying our security capabilities to be reinforced and secured as well. So I think the government has taken a very good approach in establishing these regional cybersecurity hubs where business can engage in that respect. That needs to be built upon and expanded.

In terms of the workforce, what I believe we need to look at—this is just a personal view—is some form of civil defence corps in the future whereby we don't necessarily take full-time people for whom we can't compete with industry on a race to the top with wages but who can do national service duty, reserve duty, with our security organisations for whatever periods of time and then go back to their home business or company. We know that workers who work in the field at the moment are attracted to the motivation of serving their country and that the areas of work that they do in this space are unique. You will not find this experience in private industry. Some workers are obviously attracted to being able to do that work, which they won't find anywhere else. So I think we could set up some mechanism or regime by which we share these skills, these talents, with private industry. The private companies involved in supporting this could be given appropriate consideration, kudos, for doing that—gold star companies who provide us with those kinds of workers. I do think we need to come up with some creative solutions for that in the future. It will need a rethink of how we structure these workforces in Defence, the Reserves and private industry.

I also think in the future, for ASD, we've got challenges in terms of the other organisations that we're going to have to monitor. We've been dealing with the issues of how we tackle this challenge of foreign interference, civil society and politicians and how all that conflates. The complexity of the legislation that's currently before the committee points to the challenge of how that is addressed in legal terms, in legislation. We've seen some serious challenges in the drafting, in making that coherent and effective. In that space, we're going to need good consultation and take on board the advice, particularly of those whose job it is to oversight our security agencies. We've heard some very important evidence from people like Margaret Stone and Bret Walker. At the end of the day, we will not be winning this fight against those who seek to do us harm by surrendering all of the unique features that make up our democracy and the unique features that create the level of freedom and civil society that we enjoy in this country. It's about getting that balance right. We're looking forward in the committee to working through that process with the Attorney-General's Department, our colleagues on the committee and our security agencies to get that balance right.

4:42 pm

Ed Husic (Chifley, Australian Labor Party, Shadow Minister for the Digital Economy)

Mr Deputy Speaker Vasta, I acknowledge at the outset your deep interest in these matters, as well as that of the member for Eden-Monaro. He and I have spoken on this issue. I was very pleased to be able to have the opportunity to follow him in this debate on the bill that's before us now, the Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018. It has come about as a result of previous thought that has been contained within reviews in this area, specifically the 2017 Independent Intelligence Review. A specific recommendation within that review, recommendation 6, called upon the very things that this bill is trying to establish today—that is, the Australian Signals Directorate be set up independently as a statutory agency within Defence. The review examined the history of ASD, looked at likely direction but reflected specifically on its current value within Defence and the types of things that needed to happen, specifically that greater independence needed to be granted to the ASD.

I note two paragraphs from that review that are worth reflecting on in this debate, chiefly, that ASD has evolved from a primarily defence signals collection agency after World War II to become Australia's national signals intelligence authority, conducting intelligence, military, cybersecurity and effects operations through the application of advanced technologies. It also added this paragraph:

… ASD is now a genuinely national asset—

absolutely true—

playing a much broader role than that defined by its previously exclusive Defence focus. This is highlighted in its current additional responsibilities as a—

emphasis on this—

national source of information assurance and cyber security. There are also strong and growing interdependencies between ASD and other intelligence agencies.

The reason I highlight these points is that, while ASD is absolutely providing critical support within our defence and intelligence communities, it must be recognised that ASD is also providing broader support within government circles against the growing cybersecurity threats confronting both government and business. On an almost minute-by-minute basis there will be either an agent or an actor, somewhere on the world stage, always testing the defence mechanisms of government and business through cybersecurity attacks.

This is a growing problem. In fact, when I do talk with businesses, particularly those engaged in the digital economy, whenever I just make reference to cyberskills there is an almost instantaneous reaction. Businesses are very much engaged in this issue. They are thinking a lot about it and deeply concerned about the impact of cybersecurity on their operations. There are two things. One is obviously the tech knowhow and having the equipment that can help you deal with those threats. But, ultimately, the tech is only as good as your people, your processes, adherence to those processes and ensuring that your organisation will be able to defend itself against some of these acts.

In saying that, I want to recognise that ASD has been heavily relied upon within the public sector to help guide public sector agencies, departments and the like on how to withstand the cybersecurity attacks and threats that we're seeing on a much more regular basis. It has done an exceptional job in that way. But the reality is that the ASD has become a victim of its own popularity. With so many people depending on ASD, it is putting a lot of pressure on their operations. It's also potentially accelerating the need for this next phase of its evolution, as has been prompted by this legislation, and, thankfully, has been given added impetus by the intelligence review that I referenced earlier. But not only is ASD under pressure to change because of the increasing demand and call on its services; on this whole issue of cybersecurity, while a lot of major businesses are thinking a lot about it, there's probably a greater need in particular for small and medium enterprises to start thinking more and more about what can be done in this space.

The other element that was touched upon by my colleague the member for Eden-Monaro a few moments ago is the whole issue of workforce development. I've spoken strongly about the fact that the biggest thing affecting the digital economy is skills shortages. It's been estimated, by people in the know, that we probably need in the order of 100,000 new people—skills—to help in our broader economy and, in particular, in terms of our digital capabilities. When you look at cybersecurity, there is an absolutely acute need for greater cybersecurity skills. From ASD to the public sector and to the private sector, this will affect our ability to withstand some of those increasingly sophisticated attacks that we're seeing.

Australian Cyber Security Growth Network CEO Craig Davies said that the demand for skills in this sector has outstripped anyone's ability to produce skilled candidates. He said: 'It's such a rocket ship this industry; we have zero unemployment and the demand is massive.' As has been observed, he's been given the responsibility to work out how to respond to that shortage. He says: 'Education and growing the skill set is an important part of our program of work.' There have been recent government estimates that we need at least another 11,000 cybersecurity specialists over the next decade.

I humbly commend Craig Davies on his observation that TAFE will play a very important role in vocational education. I imagine and believe in the broader digital skills capability development in this nation that vocational education will play a bigger role in being able to move a lot more quickly and be a lot more agile in meeting skills, and we do need to ensure that it's provided support in this area. If we are relying upon it to help train up cyberexperts in this nation then it will require an investment by governments in relation to that. I think that is something we need to look at in the longer term.

Other nations, as the previous speaker noted, have taken a lot more novel approaches, if I may characterise it in that way, to the way they respond to cyberskills shortages. In November I was in Singapore visiting, in particular, Singaporean cybersecurity experts who'd reflected upon other initiatives that have been embarked upon by the Singaporean government—for example, modifying their national service program to ensure that, as is the case over there, where young people are required to embark upon national service they can nominate to basically conduct themselves or participate in a cybersecurity training pathway. Off the top of my head—and I'm happy to be corrected if I'm wrong—they're expecting in the short term 200 young people to participate in that and, over the longer term, 2,000 young people. They are building skills in that way. Then they will not just deploy them within the defence establishment of Singapore but also look to ensure within the private sector that young people go on and recognise that there is a pathway for them to be able to apply their skills in a cybersecurity sense. They obviously—and, again, the previous speaker reflected on this—have a pathway that's not necessarily open to us but are thinking very carefully about the fact that Singapore is being used as a route where agents will try to channel some of their attacks. They witnessed this in the course of the last 12 months and they are deeply concerned about it. I was very grateful for the briefings that I received from them. As has been recognised by this government and by many of us in the opposition, they are a partner we should work with on these matters. Particularly in terms of skills development and developing longer term strategies in relation to preparing for these threats, they're a very valuable partner. I suspect that our friends in Malaysia and Indonesia, too, think very deeply about these issues.

I mention this because of the fact that we will probably need to think laterally about how we meet that skills shortage. Some have suggested, for example, including cybersecurity options in the national curriculum. Certainly that is an idea worth pursuing, but I do note that every time there's an issue that's confronting us in either the economy or the community the first port of call as a solution is the national curriculum. There may be some things we need to pursue. I do note, as I said earlier, that vocational education may offer us a pathway, but some of the things put on the table earlier about working within our own reserve system and some of the things that are being considered there to encourage young people to use that as an avenue to develop their cyberskills are absolutely worthy of further consideration.

Again, this is not simply a business threat or a business risk that needs to be managed. What is happening is our businesses, large and small, are being used as a mechanism or entry point to cause problems on a much broader scale from a cybersecurity perspective. We need a much broader approach to cybersecurity, not just depending on the ASD, although they will play a critical part, but recognising we all have a responsibility in this space. We should be ensuring that either from the business sector or from government we are addressing this very serious issue in terms of: (1) capability with respect to having the skills available to help us out; and (2) putting in place the processes and mechanisms to take this very seriously and not pushing it off to a specialist or someone we believe is in the know and can always sort this out. As I said earlier in my remarks, you can have the best tech in the world but, if your people don't follow the processes, you will find yourself in a world of grief. We've found that in some of the cybersecurity and data breach episodes that have been experienced. It has been something as simple as leaving a password on a Post-it note that has allowed someone to get access to someone's account and open up a whole raft of data that should not have been exposed more broadly. It does need to be taken very seriously.

As I said earlier, the ASD has been empowered under this legislation to become an independent statutory authority. It's being heavily relied upon by both government and business to provide guidance on cybersecurity. I've asked within the opposition about resourcing of the ASD longer term, and, given the increased pressures and expectations that are being placed on them, how we'll do that, but I'm conscious that you can't continually ask for resourcing of the ASD in an environment where we are facing these skill shortages. So this is something that needs to be addressed more broadly.

Again, from the opposition's perspective, we welcome what has been put forward. I think it is important that we on both sides of the House use this as an opportunity to emphasise the need for us to take this issue of cybersecurity seriously, to prepare for attacks and, certainly, if we do put those mechanisms in place, to adhere to the mechanisms because it is in our longer term interests that we do so. I thank you for the opportunity to be able to contribute to this debate.

4:56 pm

Damian Drum (Murray, National Party, Assistant Minister to the Deputy Prime Minister)

I thank honourable members for their contributions to the debate and the support for this bill across the chamber.

The Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018 implements the recommendations of the 2017 Independent Intelligence Review to establish the Australian Signals Directorate as an independent statutory agency within the Defence portfolio, reporting directly to the Minister for Defence, as endorsed by the government.

The bill will amend ASD's functions to allow the Australian Cyber Security Centre, or the ACSC, to cooperate with industry and to operate within ASD, in accordance with recommendation 3(b) of the review. In broad terms, the bill will separate ASD from the Department of Defence and establish it as an independent statutory agency within the Defence portfolio, under the control of the director-general of the ASD from 1 July 2018. The agency will from this date report directly to the Minister for Defence.

Establishing the ASD as an independent statutory agency outside of the Department of Defence will provide the agency with greater independence in how it recruits and retains its specialist workforce. The report by the review was very clear in its views on ensuring ASD is best structured into the future to meet its responsibilities and the requirements of government. In this context, the report of the review noted:

… ASD will be better placed if it remains in the Defence portfolio but if it is in a position to operate with greater independence from the Department's requirements, especially those in relation to its capacity to recruit, retain, train, develop and remunerate its specialist staff.

For ASD, the option of continuing to operate within the Department of Defence's employment framework, even with some specific exemptions, is not the most effective way forward. It would increase the risk of losing additional critical talent, skills and capabilities. ASD needs to be more in control of its own destiny.

In relation to the employment of staff, ASD would operate outside of the Public Service Act framework. This will provide ASD with greater flexibility to recognise the skills of its specialist workforce. This structure will reflect the need to retain those individuals with highly sought after skills, such as those with science, technology, engineering and maths qualifications. ASD will be required under the bill to adopt the principles of the Public Service Act in relation to employees of the ASD to the extent that the director-general of ASD considers they are consistent with the effective performance of the functions of ASD.

In addition to changes to how ASD will engage and remunerate its specialist staff, the bill implements the recommendations of the review by amending ASD's functions to include providing material, advice and other assistance to any person or body listed in the act—rather than Commonwealth and state authorities only—on matters relating to the security and integrity of information that is processed, stored or communicated by electronic or similar means, which will allow the ACSC to liaise with industry. The bill also amends ASD's functions to include preventing and disrupting cybercrime. This section will provide ASD with a function to prevent and disrupt by electronic or similar means the use of information and communication technologies to commit or facilitate serious crime by people or organisations outside Australia. Serious crimes, such as child exploitation, will be captured by this new function.

The bill provides for the establishment of ASD on a statutory basis and the appointment of the Director-General of ASD to control ASD and its staff. It provides that the Director-General of ASD must brief the Leader of the Opposition about matters relating to ASD. It gives the Director-General of ASD powers to employ persons or employees of ASD outside the framework of the Public Service Act 1999. And it amends other legislation as appropriate to replace references to 'director of ASD' with 'Director-General of ASD' and to remove references to the Department of Defence.

The bill also includes an additional function for ASD to protect the specialised technologies and capabilities acquired in the performance of its other functions. ASD cannot perform its important functions without being able to protect its tools to ensure their ongoing utility and protect Australia's national interests.

The bill also has a number of transitional provisions to ensure that good governance of ASD continues during the implementation of the new arrangements. The establishment of ASD as a statutory authority puts the ASD on a similar footing to ASIS and ASIO as a national security and intelligence asset. Given ASD's increased national responsibilities in relation to cybersecurity, and also the critical operational support it provides the Australian Defence Force, ASD will now have the appropriate statutory functions to ensure it is well placed to support ADF operations and its national responsibility for combatting cybercrime, including the provision of advice to the private sector into the future. Also, to correct the record, the bill will not be making consequential amendments to the Crimes Act that were outlined in the second reading speech relating to assumed identities, as those matters will be addressed in a later bill. I commend the bill to the House.

Question agreed to.

Bill read a second time.