Address to the National Press Club - ‘A Cyber Storm’

Release Date: 
23 November 2016

Imagine in the middle of the night the power goes out across a large part of one of our capital cities. The nightlights in children’s bedrooms go dark; street and traffic lights fail; and security alarms keeping businesses safe cut out.

As residents begin to try to call emergency services, they find their mobiles without reception and landlines dead.

The power cut has sent a surge that has damaged hardware including telephone exchanges and energy generators that feed into the power grid.

As emergency services respond to the outage, they notice that their communications are down.

In hospitals, staff struggle to treat the patients already in their care. Soon there will be a stream of new cases from accidents due to the outage.

Coordination efforts grind to a halt as any communications infrastructure that is still working is overloaded with demand.

Over the coming hours, chaos reigns as people panic, leading to damage and loss of life.

In large part, it’s due to road accidents, fires caused by candles, or carbon-monoxide poisoning from home generators.

In some cases, it may be due to the failure of emergency power at hospitals.

In the light of morning, it becomes clear that the power grid’s failure stemmed not from a natural storm but from a cyber storm.

It takes weeks for the power to be turned on in some areas. Meanwhile the local economy is frozen.

The damaged telephone exchanges mean that local businesses have to revert to cash.

However, local banks struggle to help customers as they have no access to their systems and ATMs are inoperable.

In the aftermath, law enforcement discovers that a power company had been compromised by a virus introduced to their systems through a subcontractor. Someone had opened an email, looked at a document, and sent the system into meltdown.

The virus froze the power company’s ability to act.

It may have been put there by a foreign power, by criminals or by some kids causing trouble.

Whoever the culprit, the public will rightly ask: How could it have happened? How could such a critical part of our infrastructure have been compromised? How could we have left a community so exposed?

The picture I have just painted is based on a combination of real world events. Such storms have been unleashed on Georgia, on the Ukraine and on Estonia.

I’m here today to speak plainly.

Cyber storms will continue to happen around the world.

Malicious state actors are actively using cyber technology against our government and our businesses.

Cyber-crime is growing.

Hackers are still trying to prove that no system is secure.

And as the Australian Cyber Security Centre’s 2016 Threat Report showed, in three years time, terrorists using cyber – known as cyber-terrorism – will be a real and present threat.

We are naïve if we think that in Australia we are immune to any of these threats.

Let’s be under no illusion: a serious cyber-attack has the potential to cause the same damage as a terrorist attack.

But because this government is acting now, we a better placed than most.

Much like farmers who have to assume that drought, flood, fire and plagues will happen and prepare for the worst, as a society we need to make sure that we understand and plan for this growing cyber threat.

How we prepare for when cyber threats hit us will determine how well we manage them. Ensuring the public has confidence in our systems is absolutely critical.

We are the first generation who can say that we are no longer governed by the tyranny of distance.

If I want to see my family, I only need to reach for my phone.

If I want to manage my banking, I only need to open an app.

If I want to message a colleague, I can do it from the other side of the world in an instant.

We take for granted how dependant we now are on that technology.

We take for granted the freedom that technology has given us.

Behind this freedom is a level of connectivity that is difficult for many to comprehend.

The systems and infrastructure are invisible to the naked eye, which means the language used to describe and understand them is difficult for many.

But understand them or not, the fact is that technology can have a darker side.

Today, we have some of the greatest threats to our families, to our finances and to our national security in our workplaces, in our homes and in our pockets.

Life is full of risk and technology is no different. Unlike most things, however, we may never see the thief or the spy or the anarchist coming when it comes to technology.

It means we need to be smarter and more conscious of what we are doing with our technology.

Our systems – government, business or social – all hinge on confidence. In cyber, the key is to make sure that confidence holds and we can only do this by working together.

Where there is no confidence there is no ability to invest, no ability to plan for tomorrow; communities become defensive and markets become volatile. In the end, everyone in society bears the pain.

When it comes to cyber security, being prepared isn’t just having a wall that will block and protect from attacks. Instead, being prepared means minimising risk and having the ability to recover, to remediate, and to respond.

No police force can guarantee that they will eradicate crime completely. But we can make it a lot harder if the windows aren’t open, the doors are locked, and there is a strong cop on the beat.

Public confidence relies on a trust that the appropriate security measures are taken by government, business and individuals all working together.

Information about what happened, how it happened and how to respond are also critical to keeping that confidence.

When the Prime Minister launched our Cyber Security Strategy in April, we laid out a four year plan for the Government to play its part.

Since then, we have been getting on with the job, implementing the Strategy with increasing urgency.

I was sworn in as the first Minister Assisting the Prime Minister on Cyber Security.

Alastair MacGibbon was appointed Australia’s first Cyber Security Special Adviser to the Prime Minister.

Two weeks ago, we appointed Australia’s first Ambassador for Cyber Affairs, Toby Feakin, to promote our interests on the world stage.

Last month, we began co-designing the Joint Cyber Security Centres with the private sector, the first of which will open in Brisbane early next year.

This will provide centralised, real-time threat information sharing with a focus on business.

This month, ASX100 companies were invited to complete cyber security health checks. These checks will raise awareness of cyber security risks and opportunities for our largest companies and allow benchmarking between them.

It is also an initiative that we intend to expand to the rest of the private and public sectors.

We also announced this month the approval for the Academies of Cyber Security Excellence. These academies will help secure the next generation of cyber talent.

Even more recently, we have made significant progress on relocating our national cyber coordinating body, the Australian Cyber Security Centre, to a more accessible location at Brindabella Park.

And today, I am pleased to announce that the Government has taken the next step to unlock the $32 million for the Cyber Security Growth Centre.

The industry growth centre is an investment that will ensure that Australia has a world leading cyber security industry, able to export products and services in the global marketplace.

The Cyber Security Growth Centre and its nodes will generate investment in an industry that will be worth $200 billion worldwide by 2020. The centre will be open in early 2017.

However, while we have been doing all of this, Apple released a new iPhone and a new Apple Watch, Samsung released the Galaxy Note 7 and cancelled the Galaxy Note 7, and Microsoft released the Xbox One S. Twitter saw over 117 billion tweets sent and over 450 billion videos were watched on YouTube.

In more disturbing news, we have also seen an increase in malicious cyber activity.

All of you would be aware of the cyber event that occurred with the Census in August. But it is not the only victim of a Distributed Denial of Service attack in recent times.

In September, the largest DDoS attack the world had ever seen took down a prominent security site.

Two days later, this record was smashed by an attack nearly double the size taking down a French hosting service.

In October, a Distributed Denial of Service attack brought down three online giants: Twitter, Netflix and Spotify.

Interestingly in these DDoS attacks, the perpetrators didn’t use large numbers of hijacked computers but household appliances and in some cases CCTV cameras.

These innocuous networks are commonly referred to as the ‘internet of things’ and as more and more devices have internet capability, the potential scale for these attacks increases exponentially.

It reinforces the fact that anything with an internet capability is a potential cyber weapon.

Today, it is estimated that there are over 22 billion devices with internet capability. By 2020, it is estimated that there will be over 50 billion.

But we haven’t just seen Distributed Denial of Service attacks.

In early November, over 9,000 of Tesco Bank’s accounts were hacked to the tune of £2.5 million. It left some people without savings and some without the ability to immediately feed their families.

And these are just examples of cyber events that are public, of hacks that have been disclosed.

The average time for the discovery of a cyber-breach is 200 days. We can only guess as to the activity that might be underway right now but will only be discovered later.

At the moment, there is no obligation to report breaches in Australia.

However, when it comes to personal information data breaches, the government is moving to address this through the Notifiable Data Breaches Bill, which is currently before the Parliament.

All of us must be on notice – it is not a case of if but when government, business or individuals will be hit.

That is why we have to work together to address these threats.

Suffice to say, while our Cyber Security Strategy still stands it cannot afford to stand still.

What we do today will prepare us for tomorrow. We need to accelerate the implementation of our Cyber Security Strategy and look to where we can further address our vulnerabilities. If we can do this, we can be confident in facing what comes next.

In the four months since I’ve taken on the cyber portfolio, there are four key areas where I believe we need to do more.

  • First, while government has a strong level of coordination against cyber threats, we need to stay ahead of the game. Departments need to take greater responsibility for the security of their agencies and policy needs to reflect that all areas of cyber – security, crime and safety – overlap.
  • Second, we need to continue to be transparent when attacks occur and release this information to the public as soon as the details are known and it is safe and secure to do so. And we need to encourage and create the environment where business can do the same.
  • Third, cybercrime is a growing problem and we need to be more proactive. Cybercrime can be deterred and we should protect ourselves and our communities by having a strong cop on the beat.
  • Fourth, we need to work with businesses and state and territory governments to better secure our critical infrastructure. This will involve better coordination and reform of legislation.

Let me expand on these points.

First, we all know that Government operates in a departmental system. This has its benefits for the making of policy and for the competitive tension that needs to exist in governing.

But we leave ourselves open when departments aren’t communicating to each other or recognising shared vulnerabilities.

We need to acknowledge that the people behind cyber threats don’t work in a vacuum. They see the connections between departments and agencies and are ready to exploit them.

A key example is the breach of the United States’ Office of Personnel Management.

Knowing that this agency contained the information on background checks for positions within the US government, someone saw this low-profile organisation as a much easier target than the Department of Defence or the Department of State, which have much more sophisticated cyber security systems.

It is estimated that up to 21.5 million classified records were stolen.

In Australia, we also need to recognise that the links between departments are where attackers will find vulnerabilities to exploit.

When the Bureau of Meteorology was compromised, it was most likely because it was seen as an entry to other organisations.

We need to be aware of these links – everything is in play.

Keeping departments in silos is no longer an option. Communication between agencies on cyber threats and best practice for cyber security is imperative.

But it is more than this.

We need to ensure that distinctions made at the policy level – cyber security, cybercrime, cyber safety – don’t lead to a disjointed response.

This is why I have written to my Ministerial colleagues seeking their commitment to strengthen cyber security awareness across all of their portfolio areas.

On our second challenge, we need to be more transparent with our information and about the evolving threats we face.

For instance, we have seen how a tool that has been used in cybercrime is now being used in cyber espionage.

Three months ago, during the election campaign, we confirmed that GameOver Zeus, a type of credential harvesting malware, is one of these tools.

GameOver Zeus was designed to steal banking details by recording what keys you hit or what you put into forms online. It is spread through things like small downloads or socially engineered emails.

In June 2014, approximately 1 million computers worldwide were thought to be infected, with losses of around $100m US.

In 2014, the AFP assisted in operational activity led by the FBI which resulted in the takedown of GameOver Zeus infrastructure.

Following this, however, it was found that GameOver Zeus had been used for cyber espionage. It involved a double-hit on the governments of Georgia and Turkey.

I can disclose that the tools identified contained a number of commands issued specifically for these countries, with searches for:

  • documents with certain levels of government classification;
  • specific government intelligence agency employees; and
  • information about politically sensitive issues in that region, particularly the war in Syria.

Some of the people responsible for this attack are still at large.

The Turnbull Government has been more transparent than any previous government on cyber security and we are determined to continue this.

As the Prime Minister announced in April, Australia has an offensive cyber capability housed in the Australian Signals Directorate.

It allows us to deter against threats and respond when we are attacked.

The Prime Minister confirmed today that it has been used in military operations, including in support of Coalition troops fighting ISIS in Syria and Iraq.

While we will not go into the details of these operations, just as we would not go into other military operational details, we are the first Australian government to confirm that we have these offensive cyber capabilities and that we are using them.

However, in showing transparency in government we need to make sure that business follows our lead.

I can confirm today that I will be holding dialogues with business on cyber security each quarter. The dialogues will be an opportunity for us to build the partnerships that are integral to defending against cyber threats.

I will be meeting with businesses in December for the first of these dialogues.

To my third point, cybercrime is something that Australians face on a daily basis. However, they should not have to stand alone.

We know that cybercrime costs the Australian economy over $1 billion each year. This is a conservative estimate. The truth is it could be many times larger than this.

As I mentioned, no police force is able to stop all crime from occurring. But Governments can do more to block some of the most well-known cyber threats from targeting businesses and individuals.

For example, the United Kingdom will begin to block IP addresses which are known to be used to deliver scam emails or used by cyber criminals to mask their activities.

We will be monitoring closely how successful this approach is.

Governments everywhere need to take a more proactive role in pushing against cybercrime. Our government needs to provide our law enforcement with the tools to protect and deter cybercriminals.

Our fourth challenge is linked to the scenario that I outlined at the beginning: critical infrastructure.

The machinery for how our country runs is increasingly becoming digitised. We need to make sure that all levels of government are keeping pace with this change.

Last sitting week, we introduced into Parliament the Telecommunication Sector Security Reform Bill, the TSSR.

It aims to establish a security framework to better manage national security threats to the telecommunications sector, including espionage, sabotage, unauthorised access and interference.

The telecommunications industry is one of a number of key critical infrastructure sectors that are priority targets of cyber compromise by malicious actors – including foreign state actors.

But they are not alone. As our 2016 Threat Report notes, of all the targets of cyber threats, the energy and banking sectors had the highest number of cyber incidences of any critical industry in Australia.

It is imperative that we act now to ensure that all industries and governments move to address this.

The TSSR framework will be the ‘gold standard’ of government cooperation with industry in the protection of nationally important infrastructure.

Government is already overhauling the Cyber Incident Management Framework under our Strategy and we will look to expand this to the public and private sector.

We know that most critical infrastructure is in the hands of the private sector. Expanding these arrangements will mean all parties will be clear on available support and expectations in the event of a national cyber incident.

Today I have spoken deliberately in simple, jargon-free language to describe a complex problem. I have also explained the steps we are taking to address it in simple terms.

The reason I have done this is because this is no longer the realm of cyber professionals and technical language.

In a cyber storm, everyone will feel the impact. Whether we have detailed technical knowledge or not, we will all have to deal with the consequences.

This is why the preparation that we make together today in our cyber security will keep us safe.

Dealing with this issue is not something that Government can do alone. All of us, from boardrooms to lounge rooms, need to recognise that with the power of technology comes a responsibility to protect ourselves.

If we can do this, we will ensure confidence in our systems and our technology.

It is this confidence that will ensure together we ride out any cyber storm.