Monday, 29 July 2019
Private Members' Business
That this House:
(1) notes that:
(a) according to IDCARE, in 2019 they will provide support to over 50,000 Australians and New Zealanders who have experienced identity takeover, cybercrimes, scams and cyber bullying;
(b) in 2018-19, IDCARE's call centre provided approximately 53,400 hours of specialist identity and cyber security counselling support to Australian residents; and
(c) Australia is being targeted by international organised crime and we need a strong approach to educating people on how they can protect themselves;
(2) recognises the commitment by the Government to prioritise cyber security initiatives as part of the Cyber Security Strategy 2016 and the Action Plan that outlines the steps the Government will take to achieve Australia's cybersecurity goals by 2020; and
(3) acknowledges the need for continued investment, support and education to protect Australians from being victims of international organised crime.
Today I rise to talk about people like Bill and Jean from Queensland. I won't say their surname. They recently found themselves victims of a cybercrime. I'm going to struggle to speak about this issue without using unparliamentary language. After innocently clicking on a Facebook ad that promised to deliver long-term financial returns for as little as $250 up-front, Bill and Jean were scammed out of over $300,000 of their life savings and their home. The harsh reality is that Bill and Jean are just one of many. Australians are increasingly being exposed to identity, romance and telco crimes as offshore crooks get smarter and more cunning in their ability to catch us out.
IDCARE is a joint government industry initiated community support organisation which was launched by the coalition government in 2014 to support the community at the frontline of identity crime scams and cybercrimes. Under the leadership of the managing director, Professor David Lacey of the University of the Sunshine Coast, IDCARE operates a phone counselling service offering support and practical guidance to people who report cybercrimes and scams. Demand for IDCARE services has increased fourfold since 2015. By the end of 2019, they will have provided support to around 50,000 people, and they are on track in coming years to reach 100,000. On the Sunshine Coast alone, one in 330 people will contact IDCARE to seek assistance in dealing with a scam or cybercrime activity. Nationally, one in 800 people will call upon the services of IDCARE.
The ACCC's Targeting scams report found that, in 2018, Australians lost $489.7 million to scams, and I'd suggest that's conservative. This report also identified that scammers are increasingly using technology and applications like Facebook to increase their reach and efficiency to develop new scams. Instances of impersonations of the Australian Tax Office also rose by 900 per cent in 2018 through the use of robocalls. I've been a recipient many, many times, with the calls threatening warrants for my arrest if I do not act urgently by calling a particular number to clear my purported debt to the tax office. It makes my blood boil to see these crooks trying to stealing money from hardworking and, often, retired Australians. Scams, cybercrimes and identity crimes impact every Australian. Even my own dad nearly became a victim when he responded to a sales ad for a vintage MG sports car. It was thanks to the suspicions of the bank teller that this was identified as a scam. As it turned out, the teller was right, and it was right that she sounded the alarm. Fortunately, financial institutions just like the one my dad uses are now taking a much more proactive approach to dealing with instances of cybercrime, which will go a long way towards intercepting dodgy sales transactions.
The Morrison government is making strong progress in this space and is committed to providing funding to establish education tools and programs so our community can protect itself against cybercrimes. On 29 April 2019, the Morrison government announced $156 million to protect older Australians, small businesses and national security assets from the risk of cyberattacks. This included investing $50 million to create a Cyber Security National Workforce Growth Program to invest in creating a cyber workforce; $40 million to establish a countering foreign cybercriminals capability within the Australian Cyber Security Centre, drawing on the expertise of the AFP to combat the increasingly sophisticated organised cybercrime gangs; and $26 million to support the Australian Cyber Security Centre. According to David Lacey, we need to talk about these crimes when they happen. David says, in his experience, many people feel ashamed and embarrassed that they have become a victim. These crooks are clever and cunning, and we need to do everything we can to stop them.
There are few better examples of how this tired, third-term Abbott-Turnbull-Morrison government has given up on governing than cybersecurity and the Cyber Security Strategy highlighted in this motion. Cybersecurity matters to our economic prosperity, our national security and the health of our democracy. In the modern world where all of the foundational systems of the society in which we live rely on digitised control systems and connectivity, the stakes couldn't be higher. Indeed, it sounds hyperbolic but Alistair MacGibbon, the former head of the government's Australian Cyber Security Centre, wasn't wrong when he described this area as 'the greatest existential threat we face as a society today'. Cyberweapons or internet weapons are now being used as tools of geostrategic influence every day, and we have seen exploits of international targets as wideranging as nuclear enrichment facilities, energy grids, oil companies, international banking systems, film studios, journalists and, most infamously, the democratic institutions of the United States. And Australia has not been immune from this.
The Australian Criminal Intelligence Commission estimates that the annual cost to Australia of cybercrime alone is over $1 billion in direct costs, with some estimates putting the real costs as high as one per cent of GDP a year—about $17 billion. We've seen breaches at the Bureau of Meteorology, the CSIRO and the ANU, as well as recent attempts at attacks on our major political parties and our parliament. It's a big deal. So what's this tired, third-term government doing to protect us from this significant national security threat? As the member for Fisher noted in this motion, in 2016, former Prime Minister Malcolm Turnbull launched a four-year Cyber Security Strategy to much fanfare. I must admit, though, to being a bit surprised when I saw reference to the strategy on the Notice Paper today because, since Malcolm Turnbull's departure from this parliament, this strategy has been politically orphaned. Three years into the four-year plan, many of the initiatives in the 2016 Cyber Security Strategy have gone the way of Turnbull's ideas boon—they fizzled out through lack of willpower and commitment. Most obviously, the dedicated ministerial position for cyber security created in 2016 bit the dust in Prime Minister Morrison's first ministerial reshuffle, coming just weeks after significant changes to the internal structures of the government's cyber operations in 2018—namely, the establishment of the Australian Signals Directorate as a statutory authority, with the Australian Cyber Security Centre as part of it. This absence of political leadership of directly responsible political leadership was significant.
Cybersecurity is hard but, contrary to what the layman may assume, the most difficult challenge is not the technical challenge; it is actually the governance and cultural challenge. The most difficult bit is not the software or the hardware; it's the wetware—the people using it. The absence of ministerial engagement to drive the culture change necessary to underpin our cybersecurity has led to drift across the objectives of this strategy. To take a few examples, the strategy committed the government to an annual review of its progress to hold itself accountable for driving this cultural change. Three years into the four-year strategy, how many times has this occurred? Once.
One of the things this government is known for is failures of accountability, particularly when it comes to the Minister for Home Affairs' department. After the first review, a review which received decidedly mixed responses from stakeholders, we haven't seen another one since. We haven't seen any follow-up reports on the 2017 ASX cyber health report. We haven't seen any follow-ups to the Australian Cyber Security Centre's 2017 cyber threats report, despite the statement in the 2016 threats report, which said, 'The government is committed to continuing to publish material in this vein'.
What has been the result of this drift in leadership? While our agencies like the Australian Signals Directorate continue to do world-class work and Mike Burgess's recent work in publicising the ASD's mission and thinking has been very welcome, unfortunately, since the Minister for Home Affairs took responsibility for cybersecurity, he has applied the same diligence and attention to this space as he did to his failed leadership challenge. He has been more interested in splashy headlines and new and exciting offensive capabilities in the cyberspace than doing the basic boring fundamental work of keeping the Australian government secure and cyber resilient. In July this year, the ANAO noted that over the past five years it had undertaken performance audits of the cyber resilience of 14 government business enterprises and Commonwealth entities and found 'only four entities, 29 per cent' had complied with mandatory government requirements for information security, and that the regulatory framework had not driven sufficient improvement in cybersecurity. That is auditor speak for get your act together. It is time the Abbott-Turnbull-Morrison governments started giving cybersecurity the attention it deserves.
Can I congratulate the member for Fisher for bringing this motion before the Federation Chamber. Before I get to the substance of the motion, I'd say to those opposite: I don't understand this fascination with the member for Dickson. I mean, he is the Minister for Home Affairs. He has been around a long time. Perhaps you could wonder why it is you are on the opposite side and not on this side. However, in terms of this motion, if people ask whose side are we on, we are on the side of the Australian people. Whose side are we on? We are on the side that will stop scammers in this country. We are on the side that will stop online bullies. We are on the side of Australians just like Violet.
Violet Burley is an 86-year-old in my electorate and this is a story from the local paper, the News Mail. Violet was approached by telephone from a man who allegedly called himself Michael. He told Violet she had a problem with her Telstra account and she needed to go to a store that sold Google Play gift cards and purchase four $50 cards. Violet, being a long-term Telstra customer, went and did that and returned to her home. Fortunately, she was intercepted before she could actually provide the numbers to this scammer. This is the type of scam which has been around for a while but happens constantly. In fact, one of my staff received a call not an hour ago for this exact scam here in the parliament. It is people like Violet who we are standing up for. It is for people like Violet that we must ensure, as things move in the cyberspace, the government moves with them in defensive positions.
On one night, Violet also received 42 calls from these scammers wanting the serial numbers from the gift cards, obviously so they could take the money and use it. That is 42 calls for a woman who is 86 years old. Clearly this is dreadful. Once again, I thank the member for Fisher for putting this PMB before the Federation Chamber. According to Scamwatch, more than $5 million was lost in Australia last year because of these scams. Clearly that is unacceptable.
I will go through some of the things we have done and provide advice for those who might be listening to or watching the broadcast, but we need to crackdown on online bullies. I have been public about this. I am on the record any number of times in terms of social media and I do not see the necessity for someone to have a pseudonym—a name which is not them. Our digital life has become one which is our life. I think that you should be identified online just as you are in reality, as when you set up a bank account. It should be exactly the same. Look at what online bullies are doing particularly to our youth.
The people in this place, members and senators, get used to this. It's an unfortunate position, but we get this sort of stuff all the time. I just thought I would grab a quick quote from the last 24 hours from an alleged Elizabeth Maher on Twitter to me: 'My goodness, what a dog of a politician Keith Pitt is. He is a low-life piece of work'. As someone who turns 50 next month, I've been around the block a few times. I know that that is just nonsense and I'm not too concerned about what some coward might say online from their house without the courage to front up or make a phone call. But can you imagine the effect that it has on a young girl who might be 13 or 14, who is developing, who is going through a difficult time of life? Imagine what it does to their confidence and their levels of anxiety. I continue to see no purpose in having fake names online and I think we should act to do something about that.
In terms of action, we already have the Australian Cyber Security Centre. For those who are listening to the broadcast, you can go to the web site, which is www.cyber.gov.au. There is a wealth of information to help those Australians protect themselves from cybercriminals. Obviously, we have Scamwatch in place, which is a great resource. I am sure others in the room certainly get a lot of calls with regard to scams. This is, unfortunately, a regular and ongoing problem. The reason it's ongoing is that these scammers have been successful. They are taking millions of dollars from Australians. In fact, it has happened to my own family. It's quite easy when an individual might be paying dozens of bills to find one which looks like a Telstra card bill and, unfortunately, throw in your credit card number to pay that bill. Fortunately enough, it was a few hundred dollars. But, for someone like Violet, who I spoke about earlier, that is an enormous amount of money for an age pensioner.
So we continue to crack down. Scamwatch is a great website for those who might want information about what scams are out there, and the Office of the eSafety Commissioner is a wonderful resource for parents, children and anyone else looking for advice or information about staying safe online. I have the opportunity for a plug in the few seconds I've got left. There is a parent online safety seminar being held in my electorate in Bundaberg Wednesday night at 7.00 o'clock by the Carly Ryan Foundation. I would suggest to anyone out there concerned about what their children may need in terms of protection online that they take the opportunity to come down to the Office of the eSafety Commissioner.
Tonight I rise to speak to the member for Fisher's motion on the growing threat posed by cybercrimes, cyberscams and cyberterrorism. I wish to start by commending the work of IDCARE, which is the Australian New Zealand national identity and cyber support service. In 2019 IDCARE will provide support to over 50,000 Australians and New Zealanders who have experienced this identity takeover, cybercrime, cyberscam and cyberbullying. In fact, on the note about identity crime, in December last year, the Australian Institute of Criminology published their reports on the impact of identity crime, revealing that the total annual cost to the economy was $2.65 billion.
To narrow that down to my area: local residents in my electorate of Holt experience cybercrime. As an example, a constituent may receive a call from a person or entity purporting to be from a government service like the Australian Taxation Office or Medicare. It may be people pretending to be from a bank or they may experience a cybercrime simply by wrongly responding to an email. As an example, earlier this month I was dealing with a constituent who had suffered from an ATO scam. They had received a text or an email and they had responded to it. They felt when it was explained to them that it was a scam. They were very humiliated for making a mistake when responding to that email. This is a very common occurrence. It happens from young people that serve me coffee that ask me to things in the morning to the people that assist us in our lives and different areas. It can also be challenging for people from migrant backgrounds, in particular, when experiencing a cybercrime.
Having a service such as IDCARE that can be referred to by the internet is a great resource, and a social-proofing exercise. I would like to support the service, and support its aim of providing critical support for people confronting identity and cybersecurity concerns. The internet is a great connector. It's a great economic tool and it's a great communication tool, but the downside of that tool is that many Australians are affected by identity theft, internet banking fraud, tax fraud, travel fraud, relationship fraud, and other cybercrimes like extortion.
While I have this opportunity, I congratulate the Australian Federal Police on their work in responding and assisting people affected by cybercrime. The AFP always recommends that if someone is affected by an online crime or fraud, the incident should be reported to the Australian Cybercrime Online Reporting Network, and to the Australian Cyber Security Centre—and that's important information for people who may be listening to this broadcast, wondering what to do.
The AFP and others also recommend that people regularly check the Australian Cyber Security Centre's website, because it provides useful information on how to better secure yourself or your business online. The internet, our computers, smartphones and other devices are crucial to our way of life, but it is important that people continue to feel safe using these devices and tools, and not to have to endure the cost of cybercrime. As Deputy Chair of the Parliamentary Joint Committee on Intelligence and Security, I see examples of and I am briefed about cybercrime, cyberterrorism and cyber espionage, as well as the misuse of people's data by tech companies, cyberterrorists and, as I've said, state-sponsored cyberterrorism. It's an ongoing challenge.
One thing to point out: our security services regularly provide advice to the public about electronic tools that would constitute 'cyberhygiene', such as encouraging Australians to regularly update their software and devices, have strong passwords, have two-factor authentications, and exercise the same judgements online that we do in our everyday life. An everyday example that's been provided to me by the head of a security service is this: 'Think about it in terms of using electronic devices. Everyday life examples would be that we wouldn't give our bank account details or passwords to a complete stranger, so why would we be giving it to a complete stranger online? If the offer online is too good to be true, then it's not safe.'
It's interesting to note, when we're talking about the large social media companies and about the value of data, that there's a program on Netflix called The Great Hack. It basically details how, in 2017, data was proclaimed to have surpassed oil as the world's most valuable asset. What that means is that, as the world's most valuable asset, of course it is going to be targeted by people seeking to access that asset through means fair or foul. That's why I'm happy to speak to this motion. It is something that people need to be aware of. Information is stored, but it is vulnerable. We should continue to support governments' efforts to keep people safe online.
I would like to congratulate the government on its commitment to prioritise cybersecurity initiatives, and particularly thank the member for Fisher for bringing this motion to this place. I also acknowledge the very real need to continue to invest in public education to prevent international scams, cybercrimes and identity theft.
One recent case of identity takeover, or theft, in my community involved a small businessman whose email system was infiltrated and monitored by a criminal for several months before $80,000 worth of fake invoices were sent to clients, who deposited moneys into the criminal's quite legitimate bank account in Australia. This crime has had a devastating impact on a small business and on a regional community. Public education is important, but I know that my electorate would like to see more done to track down and shut down international scam operators. Whilst I appreciate that passing laws that cannot be enforced by another country is a futile exercise, many of my constituents have told me they'd rather see the Australian Federal Police cooperating with other jurisdictions to raid scammers overseas, instead of raiding Australian journalists.
As stated before in this chamber, my electorate has the oldest median age in South Australia. It's actually the sixth-oldest in the nation. The Victor Harbor and Goolwa region in particular has quite an elderly population, with an average age of 58 years, compared with the national average, which is just 37 years. Unfortunately, having an older demographic comes with some consequences for cybersecurity, because older residents are more vulnerable. Having a landline makes you more available to opportunistic phone scammers, who go fishing for vulnerable victims. Thanks to technology, scammers are able to impersonate or even hijack legitimate Australian landline numbers to trick people into believing that they are from the Australian Taxation Office or some other legitimate Australian agency. The most recent scam-call blitz in my community has been the fake NBN technician. Criminals call landlines and tell unsuspecting residents that the NBN rollout is finished and that their landline will be disconnected immediately if they don't hand over control of their computer remotely or, if there is no computer, if they don't deposit a sizeable sum of money into a bank account.
Recently, my office was contacted by a couple in their 80s who lost more than $5,000 of their life savings when they gave remote access to their computer to an NBN scammer. It is easy to do. They went to their bank and were told that because they had allowed access to the computer they had given consent and they could not get their money back. There is a legal argument that this was consent by fraud, but this couple isn't about to spend several thousand dollars that they don't have on a lawyer to try and get back $5,000. Unfortunately. this couple's case is not isolated. Last year Scamwatch received 83,247 reports of scams, with a loss of more than $30 million, in which the reporter was contacted using a telecommunications network. Of these reports, 16 per cent, nearly 14,000, were made by people aged over 65 years. Collectively they lost $7.7 million. Scamwatch says reports do not indicate any specific targeting of a particular age group but, instead, suggest scammers attempt to make contact with as many potential victims as possible by a range of communication mediums. Across all communication mediums, the age group that lost the most amount of money, a total of $24 million, was that aged 55 to 64 years. It would appear that the age groups with the least amount to lose and those with the least experience with modern technology are those most at risk.
There is book entitled The Little Black Book of Scams, which I share with my community. We share them at our country shows, at all of our community events. Can I say to all members: please have these available. Your office will be inundated with requests for them when you have them. It's about education. I call on the government to run a paid advertising campaign in mainstream media so that people know what scams there are, particularly as it's tax time. Technology is rapidly changing. We need to support people with these changes, but we also need to send a message to international criminals that they cannot target our most vulnerable with impunity.