Gai Brodtmann (Canberra, Australian Labor Party, Shadow Assistant Minister for Cyber Security and Defence) Share this | Link to this | Hansard source

Reveal their secrets, protect our own: that's the mission of our Australian Signals Directorate. And given the nature of the agency, not many people know its mission or the work it has done for the Australian community. So today as I speak to this bill I want to share with Australians who are listening the history of our Australian Signals Directorate. It was formerly the Defence Signals Directorate but changed its name a number of years go. Prior to the Second World War the Navy, Army and Air Force had independent wireless units and intercept stations that operated and mainly conducted direction-finding activities. There was no central coordination point for those activities. But during the Second World War these independent units were brought together to support the campaign in the Pacific by intercepting and decoding Japanese radio signals. From there the ASD was born. But it took a while before the ASD became the ASD we know today. After the war, the war-time signals intelligence units were wound down, but government approval was given for a peace-time signals intelligence organisation in 1946. Its role was to exploit foreign communications and be responsible for communications security in the armed services and government departments. This is a role that ASD has maintained to this day, and it's an enduring history.

While ASD operated out of Melbourne after the Second World War, its functions only moved to Canberra in the late 1990s. From memory I think the ASD, or DSD as it was then, was the last Commonwealth government department to move to Canberra as part of the Menzies vision to have federal government agencies serving the federal government here in the nation's capital. I remind those opposite that this was the Menzies vision, the Menzies legacy: to consolidate federal government agencies here in the nation's capital to serve the government of the day. That was the whole idea about Canberra. It took a very long time for all those government agencies to arrive here. ASD, DSD as it was at that point, didn't move here until the 1990s. I remember when I was working in the Department of Foreign Affairs and Trade, working on the Iran and Middle East desk and working on Iran and Iraq. I met a number of those DSDers who had moved up here from Melbourne in the 1990s. It was quite a shock for them to move to our nation's capital, but I'm sure, because the nation's capital is just so wonderful, that they now embrace the Canberra way of life. They embrace those beautiful big skies. They embrace the fact that we have the most altruistic community in the country. They embrace the fact that we have the most highly educated community in the country. They embrace all that is wonderful about our wonderful nation's capital.

ASD has seen a dramatic expansion of its information security role as a result of the growth of the internet and online activities undertaken by individuals, groups and the government. This saw the creation of one of the first cybersecurity operations centres in 2010. It was an attempt to understand ICT security threats to Australian systems and to coordinate a response to those threats across government and industry. From there the Australian Cyber Security Centre evolved, bringing together a number of government agencies and cybersecurity functions and capabilities under the one roof in 2014.

In 2017, the Independent Intelligence Review made a number of recommendations for ASD, including establishing ASD as a statutory authority within the Defence portfolio and bringing the ACSC into ASD. I had a read of the independent review today, and again I just want to share these facts about the intelligence community with all Australians listening. As the report points out, with an annual budget approaching $2 billion and about 7,000 staff spread across 10 agencies, it's clear to us that, on size alone, the Australian government's intelligence activities supporting national security are now a major enterprise—and they are, just from those figures—and would benefit from being managed as such. The report, as I said, talks about the ASD. It talks about the fact that, if these recommendations are followed, the ASD will ensure that its capabilities are strengthened in new legislation. The report also recommends that ASD's legislative mandate be amended to explicitly recognise its national responsibilities for cybersecurity, including the provision of advice to the private sector, and that it take formal responsibility for the Australian Cyber Security Centre. This bill is the beginning of the significant reform for ASD based on that review.

As the shadow assistant minister for cybersecurity and defence, I welcome the reform and the progress being made on the outcomes of the intelligence review as outlined in the bill. The review recognised that the ASD is now a genuinely national asset. As I said before, it plays a much broader role than that defined by its previously exclusive defence focus. This is highlighted in its current additional responsibilities as a national source of information, assurance and cybersecurity. Cybersecurity has become one of the major security issues facing Australia at this time. Throughout the world, this is a significant issue. It comes up as the No. 1 or No. 2 challenge for nations throughout the world, in economic forums, security discussions and intelligence discussions. Between 2015 and 2016, five cyber incidents were reported every hour in Australia, at all levels of society from government to business, large and small, and individual citizens are affected.

So this review recommended new functions for the ASD to help combat cybercrime. These new functions are aimed at preventing and disrupting cybercrime by people and organisations outside Australia, and that in itself is the key point. The new function to proactively identify, disrupt and/or prevent cybercrime is limited to those criminal activities committed by people or organisations outside Australia. It's anticipated that the types of crimes that would be disrupted or prevented could include child exploitation and illicit narcotics.

For example, late last year, I met with a group who brought to my attention an issue that sickens me to my core, and that is cyber sex trafficking. It's a form of cyberabuse which involves offenders commissioning the abuse of children in developing countries on a pay-per-view basis. Just talking about it is quite sickening, really, and I'm warning anyone who's listening. For example, somebody jumps on a social media platform like Skype and pays a trafficker, via a wire transfer, to view, via webcam footage transmitted over the internet, a child engaging in sexually explicit acts or posing for sexually explicit photos or videos. The cost of the show to the viewer increases with the level of abuse directed by the viewer. It's just sickening, and most of the victims in this type of cyberabuse are under the age of 12. This is absolutely appalling. It's sickening to talk about it and to hear of the horror faced every day by these children who are under 12 in developing countries as a result of these sickos—and that's all you can call them—getting on these social media platforms and paying per view to watch a child engaging in sexually explicit acts or posing for sexually explicit photos or videos.

This is not something happening in a faraway land that we can put to the back of our minds and forget about. Australians are making the wire transfers. This is happening in our community today, every day. These are the types of child exploitation activities ASD's new functions will be able to detect, disrupt and prevent—and hooray! Providing the ASD with functions to prevent and disrupt cybercrime beyond Australia's borders will help bolster efforts to reduce the impact of what is currently called a wild west. Cybercriminals repeatedly go unpunished for their crimes, and prosecution statistics for cybercrime remain dismally low. The new functions given to the ASD under this bill will help lay the groundwork for a more active approach to protecting the Australian cybersphere and for going after those sickos who engage in that disgusting behaviour.

At a more local level, bringing the Australian Cyber Security Centre into ASD will mean it is able to communicate more widely with stakeholders at all levels, from small business to critical infrastructure to government agencies. Since gaining the cybersecurity portfolio at the last election, I've had extensive consultation with industry, with think tanks and with academics here and overseas. One of the major issues that keep coming up, particularly for industry here in Australia, is the fact that we need to better connect the engagement between industry and government and, through that, we need to better share information and intelligence gained by the private sector with the government sector. At the moment, industry is telling me that it is sharing some highly sensitive information with the government sector, but unfortunately that isn't being reciprocated by the government sector. It's either too classified or too sensitive, despite the fact that industry is sharing highly classified and highly sensitive information with government agencies. So I'm looking forward to this new arrangement. The ACSC moved from ASIO to a site that is more penetrable, more accessible, for the private sector, at Brindabella Park. I'm looking forward to seeing the new location and I'm looking forward to seeing the ACSC, in its new guise under this new legislative arrangement, actually fulfil its mission to actively engage in an open, transparent, constructive and trusting way with the private sector, small business, medium business, large business—critical infrastructure.

This bill also provides for ASD to regularly brief the Leader of the Opposition on Australia's cybersecurity posture, which is a welcome initiative. It enhances transparency and provides an opportunity for clear communication around what is a rapidly changing environment. This bill is currently before a committee, which is due to report back on 21 March, and I'm looking forward to hearing what the committee has to say in terms of the transparency arrangements contained in the bill. I'll also be taking a close look at annual reporting and other arrangements through which we can get a greater understanding of what's actually happening in ASD. ASIO releases an annual report, so it will be interesting to see what transparency mechanisms we have to get an understanding of what's happening in ASD without in any way breaching issues of national security. This is an issue we grapple with in Defence in gaining an understanding of what's happening on the acquisition front and also on the sustainment front without breaching national security. It's a fine balance, but one to which we should aspire. We need greater accountability and greater transparency around government in general, and I think that applies equally to Defence and ASD.

One thing this bill does not immediately address, although it goes some way towards it, is what I call the spaghetti junction of overlapping and poorly defined cybersecurity responsibilities. Instead of taking a holistic view of cybersecurity and drawing a thread through all the various government agencies, removing duplication where possible, this government continues the trend of having various agencies responsible for different bits of cybersecurity and operations. We've got the ACMA, the eSafety Commissioner, the Department of Communications and the Arts, the Attorney-General's Department, the Australian Signals Directorate, the Department of Defence, the Australian Federal Police, the Cyber Security Centre, the Department of Finance. This gives you an idea of the spaghetti junction of responsibilities when it comes to cybersecurity.

The transfer of the computer emergency response team, CERT, and its functions relating to cyberpolicy and cybersecurity from the Attorney-General's Department to the ASD will help improve capability and information sharing, and I welcome that initiative. But this consolidation is greatly overshadowed by the continued separation of cybersecurity operations and policy following the formation of the Department of Home Affairs. I remind those listening that CERT develops policy—that is acknowledged—but for some reason the government has put cybersecurity policy in Home Affairs, and it's got the operational and the interface elements in ASD, Defence or the ACSC.

Then you have the Special Adviser to the Prime Minister on Cybersecurity, Alastair Macgibbon. Poor Alastair! He seems to be responsible to multiple masters. At estimates this week, he said he is now wearing three hats: he is a special adviser to the Prime Minister, so he reports to the Prime Minister on cybersecurity matters; he's also responsible for cybersecurity policy, so he reports to the Minister for Home Affairs on cybersecurity policies; and he's also responsible for the ACSC, so he's involved there. From what I can gather, Alastair Macgibbon spends half his time in the ACSC and half his time in Home Affairs, reporting to the Minister for Defence, reporting to the Minister for Home Affairs and also reporting to the Prime Minister. He's a busy man. I hope he's not expecting to get any sleep for the duration of his contract, because, with those sorts of responsibilities and being pushed and pulled in all those different directions, it's going to be quite exhausting. I don't think the man is going to get any sleep.

What we need is as much streamlining as possible for cybersecurity, communication and also governance, along the lines of the UK. The view amongst some in the intelligence community is that we can't have operations and policy in the same location. For some reason there seems to be this view, which seems to have been around for 30, 40 years in the intelligence community, that we can't have them all under the one roof. I don't know where that view comes from. I don't know from what experience that comes from. But what I have been hearing from others in the intelligence community is that that is oldthink. It is oldthink to separate policy and operations in the intelligence environment.

I think the government should be considering putting policy into the ACSC, ensuring that Alastair Macgibbon will at least get some sleep as a result of this position rather than being torn between the two agencies and the Prime Minister as well. Who is Alastair Macgibbon reporting to, and who provides the ultimate tick off on cybersecurity policy? Is it the Minister for Law Enforcement and Cybersecurity? Is it the Minister for Home Affairs? Is it Alastair Macgibbon? Is it the director-general of ASD? There are so many cooks in this area, particularly in cybersecurity policy, that it's going to be a real challenge.

I encourage the government to take a close look at the arrangement we've got now. They still have not eliminated the spaghetti junction when it comes to cybersecurity policy, operations, engagement with the community, communication and coordination. There are still way too many players in this space—and just think about poor Alastair, being torn in all those different directions! That said, Labor welcomes the consolidation presented in this bill and hopes it will not stop here. I commend the bill to the House.

Richard Marles (Corio, Australian Labor Party, Shadow Minister for Defence) Share this | Link to this | Hansard source

I rise to speak in support of the Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018, and, in doing so, want to make a brief contribution to support the contribution made by member for Canberra.

Richard Marles (Corio, Australian Labor Party, Shadow Minister for Defence) Share this | Link to this | Hansard source

It was a fine contribution—indeed it was. I rise to speak in favour of this bill. The realm of cyber has been a transformative realm in respect of both the way in which military operations are conducted and also the way in which we live our lives in the civilian world. The Australian Signals Directorate, which began its life as the Defence Signals Directorate, came out of the time of the Second World War. Cyberspace has grown into the Australian Signals Directorate's domain, and ASD is now responsible for this most transformative part of military operations and also civilian operations. The world in which military conflict is conceived and planned is now dramatically different, by virtue of cyberspace. The area of cyberspace is changing the thinking in military affairs as much as any area that is around.

The Australian Signals Directorate, therefore, has had to grow as much as any agency: in its scope, in what it seeks to be, and in how it seeks to perform its role. The Australian Signals Directorate is a huge national asset. The work it performs and the people who are working for it do our nation an enormous credit. These are some of the smartest and brightest minds that exist in Australia. And it is an asset that needs to be nurtured, protected and grown in the context of Australian public policy.

Part of the challenge in doing that is that the role that is being played by the Australian Signals Directorate, whilst it is fundamentally a role based in defence, is now broader than simply defence. That is a function of the way in which the cyber realm has changed the world in which we live. As a result of that, the Australian intelligence review recommended that the Australian Signals Directorate be moved from the Department of Defence and be established as a separate statutory agency. That is a proposition with which Labor agrees, and that is at the heart of the bill before the House right now. That is why we, very much, support this bill as it goes through the House today.

That it should become an independent statutory authority is a recognition of a much wider remit in terms of the work that the Australian Signals Directorate is now asked to perform. Crime, for example, is a space in which the Australian Signals Directorate needs to focus its attention, and that goes beyond simply matters of dealing with the defence of our nation. Because it deals with issues of crime, ASD has to be given, in a legislative sense, a wider remit.

It also means that the clients of ASD are broader than those simply those within the defence space, such as the Defence Force or the Department of Defence. The clients of ASD, those to whom it gives advice and provides services, now stretch across the entire public service, but beyond that as well and into the private sector. ASD provides really useful advice to companies, for example, about how they can protect themselves in the cyber realm. Again, establishing ASD as an independent statutory authority gives it a proper legislative base to perform that work.

Finally, given that ASD is in that space, attracting the kinds of people that it needs to in order to perform all that work requires ASD to be given a degree of flexibility for employment practices. Having ASD taken out of Department of Defence and made an independent statutory authority will give it greater flexibility with the employment of staff. All of that makes sense, and that is what this bill provides. In doing so, it will lift the ASD, if I can put it that way, to the same status as ASIO and other agencies within our intelligence community. That's appropriate as well. It would mean that the Director-General of the Australian Signals Directorate would be at the same level as the directors-general of ASIO and other intelligence agencies.

The oversight arrangements and the reporting arrangements which go with being an independent statutory authority, in our view, also reflect what is appropriate as oversight arrangements and reporting arrangements for a body like this, the Australian Signals Directorate. We welcome the fact that in this bill there will be greater reporting requirements—for example, an obligation to brief the Leader of the Opposition, which has been occurring but would now be a statutory obligation as a result of this bill.

The bill has been referred to a Senate inquiry. I think that's important in terms of just getting into the detail of exactly how that reporting and oversight regime ought to apply to the Australian Signals Directorate. It's possible that as a result of that inquiry there might be amendments that come forth out of that process. If they do, we'd consider them in the Senate in the usual way. But, as a matter of principle, this is a bill which deserves support. This is enacting the recommendations of the intelligence review. This is a sensible path forward, and Labor very much supports it.

Mike Kelly (Eden-Monaro, Australian Labor Party, Shadow Assistant Minister for Defence Industry and Support) Share this | Link to this | Hansard source

I'm pleased to be able to continue the contributions of my colleagues the shadow defence minister and the member for Canberra, who is obviously passionate about the presence of ASD in Canberra. Labor was proud to have been an active participant in the consideration of this legislation, the Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018, through the Parliamentary Joint Committee on Intelligence and Security. That committee is a wonderfully bipartisan committee with very fine members of this House participating, as well as members of the Senate. It is guided by our interests in national security and the national interest. Certainly there's no room for politics in our deliberation, and this was a good step forward.

I'm well aware of some of the issues that were occurring at the time—internal issues with ASD and the relationship with some aspects of how that organisation worked within Defence and without. This solution has actually resolved those matters, so I'm very pleased about that. I'm pleased for the personnel within ASD, who are breathing big sighs of relief now that this reform has taken place. It provides some administrative tidying up as well; I won't go into the details of that.

One of the remaining issues, of course, relates to the challenge that's being presented to Australia by the technological threats that we face in general and the breadth of those, including in our domestic counterterrorism spaces, where this overlaps with other areas of criminality. One of the things that struck home to me in getting briefings from the AFP was the correlation of paedophilia and some really horrendous aspects of criminality that conflate with terrorist activity and terrorist targets.

So there is a huge demand for analysing and sifting through vast amounts of data these days, and there is a really big challenge for us to share the skills and talents that are out there—those people who are great at writing algorithms and managing this data—with private industry. That is going to be the challenge for this nation in the future as our security demands increasingly require those skills in the defence workforce: how we share that with private industry. This was brought home to me by the briefing that we received at the ADF facility at Majura, where there was a PhD student from Data61, who was assisting AFP to sift through what they described as petabytes of material in meeting their challenges.

So it's pleasing to see that the ADF are working on their own challenges to create the cyberwarriors, the keyboard warriors of the future, and managing how they support these changes to ASD and the broader changes that they are engaged in, such as the creation of the Information Warfare Division. I'm very pleased to see that division has been placed under Major General Thompson, who has a PhD in cybersecurity and a special forces background himself. That brings together not only information warfare capability and C4 issues—command, control, communications and coordination—but also battle management capability.

Mark Coulton (Parkes, Deputy-Speaker) Share this | Link to this | Hansard source

Order! The debate is interrupted in accordance with standing order 43. The debate may be resumed at a later hour, and the member for Eden Monaro will be given an opportunity at that time to conclude his contribution.