SPEECH TO THE FEDERATION CHAMBER - APPROPRIATION BILLS NO. 3 & 4

16 February 2022

In question time yesterday, the Minister for Home Affairs continued this government's desperate politicisation of Australian national security by taking a Dorothy Dixer on cybersecurity. That's my portfolio. In her answer to the question—

I know the member for Moncrieff aspires to a portfolio on the frontbench, and that's why she sold her values out in the recent debate on the Religious Discrimination Bill, but she's going to be waiting for some time. The home affairs minister, her neighbour on the Gold Coast, said:

We understand that national security is a very serious task and not one that should be risked to a party that lacks the resolve or the gravitas to tackle serious issues in a responsible and resolute way.

Well, let's compare the records of the two parties on cybersecurity over the past three years. This Prime Minister's first act on becoming Prime Minister was to abolish the dedicated role for cybersecurity in the ministry that had been established in the 2016 Commonwealth cybersecurity strategy by his predecessor. In the face of worsening cyberthreats from state and non-state actors alike, this Prime Minister created a political leadership vacuum on cybersecurity, at the worst possible time. Cybersecurity is relegated to the bottom of the home affairs minister's already lengthy to-do list, beneath even the Ruby Princess, it seems. Cybersecurity policy-making became adrift in this government and has been ever since. In contrast, the Leader of the Opposition had the foresight to retain a dedicated role for cybersecurity in his ministerial team—and that's my role on the frontbench on the opposition side—and Labor has been leading the policy debate ever since.

In 2020 we released the 'National cyber resilience' discussion paper, which highlights the systemic risks of cyberthreats to Australia's national resilience. We emphasise that cybersecurity is a whole-of-nation endeavour that cannot be pursued from behind the ramparts of the defence and security establishment silos of government. In this discussion paper, we flag the need for interventions that project the outstanding cybersecurity capabilities of our agencies across government and into the broader community. We flag the potential of initiatives like the UK National Cyber Security Centre's Active Cyber Defence program, which delivers a range of scalable, automated interventions and tools designed to address commodity-level cyberthreats and to lift the baseline of cyberresilience.

In the wake of the release of this discussion paper from the opposition, I was pleased to see some of these principles adopted in ASD's Cyber Enhanced Situational Awareness and Response package, CESAR, particularly in the form of Telstra's Cleaner Pipes initiative. This was welcome, but there's much more we could be doing in this space. We could be a lot more ambitious and a lot more aggressive, and I'm keen to explore the potential for the ACSC to collaborate with the NCSC on active cyberdefence through the AUKUS agreement.

We've seen a similar pattern when it comes to ransomware. As the shadow minister with policy responsibility in this area, from the moment I took on this portfolio, I was hearing loud and clear from CISOs in the public and private sectors that the ransomware threat was growing on a completely unsustainable trajectory and that the Morrison government's hands-off blame-the-victim approach needed to change. In the absence of a dedicated ministerial role for cybersecurity, the Morrison government did not hear this message and it did not act. Indeed, the former home affairs minister and current defence minister did not once mention the word 'ransomware' in the parliament during his entire time in the role, despite the issue growing into a $1 billion drag on the Australian economy during that time.

In contrast, Labor led the debate, ultimately releasing a discussion paper calling for a national ransomware strategy designed to increase the costs and reduce the returns of ransomware attacks on Australian organisations by using all the policy levers available to government. I campaigned on the need for a national ransomware strategy for eight months and even introduced a private member's bill on the issue before the Morrison government finally acted and released a ransomware action plan, which I suppose is completely different—the marketing spin is different, at least.

I'm pleased that, since then, the Morrison government has picked up many of the policy ideas that we included in our 'Time for a national ransomware strategy' discussion paper, including the increased use of offensive cyberoperations to deter the targeting of Australian organisations; a ransomware notification scheme; a sanctions regime targeting individual hackers; and a task force inside the AFP to address the cyberenforcement gap. Again, Labor led and the Morrison government followed on this important issue in national security.

The lack of political leadership on cybersecurity within the Morrison government has also led it to undervalue the role of the broader Australian cybersecurity ecosystem, outside of government, in building Australia's national cyberresilience. We see this in the fact that, unlike the 2016 Commonwealth cybersecurity strategy, local industry development is completely missing as an objective in the 2020 cybersecurity strategy. The institutions that were put in place by former Prime Minister Malcolm Turnbull to grow Australia's domestic cybersecurity industry are completely gone. They don't exist under the 2020 strategy. There's no joined-up Commonwealth strategy to align procurement, industry development and R&D policy to encourage the development of our domestic cybersecurity or our domestic critical technologies industries. There's a similar blindness to the role of independent security researchers or even private sector cybersecurity firms in building Australia's national cyberresilience. I have long campaigned for the increased use of vulnerability disclosure processes by Commonwealth entities to harness the contributions of independent security researchers. People are giving their time voluntarily to try to uplift the cybermaturity and cyberresilience of the Commonwealth.

I was pleased, after giving speeches in this place, to see this adopted as a recommended cybersecurity control in the Information Security Manual. But take-up of VDPs across the Commonwealth remains patchy—it's not a mandatory control to be implemented—and the use of bug bounties is almost non-existent, despite the fact that this is now a very common tool used by our allies to lift cybermaturity and cyberresilience in the US and in the United Kingdom. The US has run the Hack the Pentagon program for many years now, and it has discovered literally thousands of vulnerabilities in US national security and defence agencies through bug bounty programs. The United Kingdom, through its National Cyber Security Centre, has mandated the use of vulnerability disclosure processes in all UK government entities and even runs a vulnerability process of last resort itself for situations where that fails. We can do far better in Australia. We can learn from the example of our security allies.

It's the same story when it comes to private sector incident responders. We need a step change in the level of collaboration between the ACSC and private incident responder firms, something that is the norm for our international allies. I know that, at the moment, the US and the UK are experiencing a significant uptick in cyberattacks targeting both government and significant private sector entities. It's associated with the tensions in, and the increasing aggression towards, the state of Ukraine that we are seeing. We are seeing constant cyberattacks on government entities there, more than the incident responders within the NCSC can respond to itself. So, understandably, the NCSC is working with private sector incident responders on a day-by-day basis. It's working hand in glove, sharing information and sharing interventions. This is just something that we do not see happening in Australia. We can do so much better here.

Commonwealth cybersecurity policy is in need of a significant culture change, but it won't happen until we have political leadership in this space and until we address the political vacuum created by this Prime Minister—by the Morrison government when it abolished the dedicated office of cybersecurity in the ministry. The Morrison government is intent on politicising defence and national security in the lead-up to the federal election. We know that this desperate Prime Minister thinks it's in his short-term political interests to play games with these most important issues.

I'm going to do something outrageous here today in this debate on Appropriation Bill (No. 3) 2021-2022. I've already quoted Peter Dutton, the defence minister, favourably. I'll now quote from the valedictory speech of George Brandis, the former Attorney-General. For a very substantial portion of that speech, Senator Brandis warned this parliament of the perils of politicising national security and defence. It's one of those speeches that you listen to, as an opposition member, and you know that the message is not meant for you. He was calling for bipartisanship, but he warned about the 'powerful voices' inside the coalition party room that were calling for a different approach—for a short-term, petty, partisan approach. It's very clear after this sitting fortnight who the powerful voices that Senator Brandis was referring to in that speech belong to.

Senator Brandis was right when he said bipartisanship on national security and defence serves the national interest. It helps Australia face the very serious security challenges we face. It strengthens our hand in the face of authoritarian adversaries. And those opposite who would seek to traduce this in the pursuit of short-term political gain are doing this nation an enormous disservice.