Prime Minister of Australia

The Hon Malcolm Turnbull MP

Launch of Australia’s Cyber Security Strategy Sydney

21 April 2016

Sydney

E&OE

PRIME MINISTER: Our opportunities for innovation in the realms of the cyber sphere. There are far too many to name you all, however, it is important to single out the Strategy’s expert panel comprising Jennifer Westacott, from whom we have just heard, Sir Iain Lobban, John Stewart, Mike Burgess, who is here, and Dr Tobias Feakin, who is here. Sir Iain and John Stewart are not here – they’re obviously from the UK and the United States. 

I want to pay also particular thanks to the tireless, hardworking and dedicated team in my Department led by Lynwen Connick – it’s been a great team effort.

Now, my friends, the Internet is the most transformative piece of infrastructure ever created.

It has changed the world, it has changed history, it has changed us.

It has transformed the way we learn and the way we remember - or not.

For all of human history the default has been to forget - so to remember we had to make an effort - paint on a cave’s wall, scratch an image on a rock, learn a ballad by heart, write things down, take a photograph. But now, is everything we do - no matter how trivial - forever in the digital record?

Has the default become never to forget? Has the default become perpetual remembrance?

I remember lawyers who had photographic memories and could recall details of cases, even the pages where the learned judges had made the key observations. And of course there were those who owned expensive libraries - toiling away in sunless chambers surrounded by thousands of volumes and of course the smell of mouldering calfskin bindings.

But now even the most forgetful, impecunious clerk has in his or her hand a smartphone which can turn up any statute, any case, anywhere - with a few clicks.

Is this as big a moment in our evolution as fire, or the wheel, or electricity? A watershed past which nothing can entirely be the same again?

My former business partner Sean Howard used to say that there was always plenty of technology - it was technological imagination that was scarce. We had plenty of that when we founded OzEmail 22 years ago and we pioneered several, then very new applications including Voice over IP. But as is often the case we overestimated the speed at which new technologies would become broadly adopted, but then dramatically underestimated the pace, scale and impact of the transformation once it had taken off.

Back then less than one per cent of the world’s population used the Internet. Fast-forward 20 years and more than 45 per cent of the world’s population are Internet users.

One of the most amazing trends over this period is the rate of convergence in use between Asia and the rest of the world. Like economic convergence - where developing economies had, until recently, competed for low cost, low skill jobs but are now competing for the most skilled, producing the most sophisticated products - Internet users in Asia now account for half of all users worldwide.

The uptake in our region presents enormous opportunities for our country in the same time zone. Remember technology has abolished or annihilated longitudinal distance, but the human body clock makes it very hard for it to abolish latitudinal distance. It presents a number of new challenges such as privacy, data sovereignty and the need to maintain an open and free Internet.

Now, there is no global institution or infrastructure more important to the future prosperity and freedom of our global community than the Internet itself. And in what should be a humbling lesson for politicians and governments, the Internet has grown almost entirely without the direction or control of any government. This is not to say that it was developed, as some have said the British Empire was acquired, in an absence of mind, but rather that while it had its origins with the research programmes of the US Department of Defence which led to the ARPANET, the role of the United States Government since then has been admirably hands off.  

Ensuring that the architecture and administration of global cyberspace remains free of government domination or control is one of the key global strategic issues of our time.

At its genesis however, the Internet was built as an open system with security an afterthought. The challenge we face is that the same qualities that enable us freely to harness cyberspace for prosperity can also provide an avenue for those who may wish to do us harm.

Cyber presents enormous strengths therefore, but vulnerabilities. Nobody is immune.

Some intrusions are the work of foreign adversaries. Others involve malicious software used by organised criminal syndicates.

The scale and rate of compromise is increasing and the methods used by malicious actors are rapidly evolving.

In one well-known event last year, a criminal group exploited vulnerabilities in retail websites to extract customer information. KMART Australia was one of those organisations and reported this to the Privacy Commissioner. I want to commend KMART for showing leadership and being up front about the intrusion.

Only by acknowledging, explaining and analysing the problem can we hope to impose costs on perpetrators and empower our private citizens and government agencies and businesses to take effective security measures. 

In this spirit of openness, and the need for clear leadership to break down a culture of denial as to the scope and scale of cyber threats, I can confirm reports that the Bureau of Meteorology suffered a significant cyber intrusion which was first discovered early last year.

And the Department of Parliamentary Services suffered a similar intrusion in recent years.

Both organisations have worked hard with the experts at the Australian Cyber Security Centre to understand and fix the vulnerabilities.

Now, some victims know they’ve been targeted but most will not. Beyond government and business, the number of private citizens who have had personal information stolen online is estimated to be as high as one in five.

We all need to pay more attention to cyber safety – to cyber hygiene if you like - securing our devices and protecting them with appropriate credentials. We should regularly update our passwords and guard them as though they were our banking pin, and we must pay special attention to unusual looking links in emails and other communications - because, chances are, if something looks suspicious, it probably is.

Many cloud-based applications require two factor authentication for access and that should be used too wherever available.

The Australian Crime Commission estimates the annual cost of cybercrime to Australia is over $1 billion in direct costs, but some estimates put the real costs to be as high as one per cent of GDP a year - or about $17 billion.

The Australian Cyber Security Centre, which I mentioned earlier, responds to around a thousand significant events, involving systems of national interest or critical infrastructure.

Now as your Prime Minister my highest duty, and that of my Government, is to keep Australians safe. It is no different in cyberspace. Australians expect the Government to protect them from cyber-attack and defend our country against sophisticated national security threats.

So today I am outlining my Government’s cyber security strategy, a roadmap as to how we will keep Australia safe and competitive in an increasingly digital world. Our Cyber Security Strategy answers the call for national leadership. And it understands that Australia’s economic security is always placed at risk without strong national security.

We’re investing more than $230 million across 33 new initiatives to improve the cybersecurity of our nation. This includes funding for over a hundred new specialist jobs. This investment complements the $400 million over the next decade, and roughly 800 specialist jobs that we have committed to improve Defence’s cyber and intelligence capabilities through the 2016 Defence White Paper.

These new resources will increase the capacity of the national Computer Emergency Response Team, better known as CERT Australia, to work with Australian businesses who suffer cyber intrusions. They will also be used to boost the number of specialists in the Australian Crime Commission and the Australian Federal Police.

We will also improve the Australian Signals Directorate’s ability to detect cyber security vulnerabilities.

Now while cyber security measures sit at the forefront of our response to cyber threats, defensive measures may not always be adequate to respond to serious cyber incidents against Australian networks. The Government can draw on a range of options to respond, such as law enforcement, diplomatic or economic measures.

An offensive cyber capability, housed in the Australian Signals Directorate, provides another option for Government to respond. The use of such a capability is subject to stringent legal oversight and is consistent with our support for the international rules-based order and our obligations under international law.

Acknowledging this offensive capability adds a level of deterrence. It adds to our credibility as we promote norms of good behaviour on the international stage. And importantly, familiarity with offensive measures enhances our defensive capabilities as well.

Now today I am calling on senior business leaders to join me and my government in building a national cyber partnership, setting the strategic agenda; co-designing national cyber security initiatives; and committing to annual Cyber Security forums.

I will establish a position of Assistant Minister for Cyber Security to assist me in leading the Government’s work with business leaders. And for the first time I will create the role of Special Adviser to the Prime Minister on Cyber Security, responsible for leading the development of cyber security strategy and policy.

The Special Adviser will also provide clear objectives and priorities to operational agencies and oversee their implementation of these priorities. Importantly the Special Adviser will lead a cultural change in the way we approach cyber across government, and develop partnerships with the private sector, researchers and our international partners, and engage the media in the evolving debate around cybersecurity. Remember, awareness is one of the most important means we have to ensure a higher level of cybersecurity. So, I am pleased to announce that Alastair MacGibbon, with a long and distinguished background in cyber security, has accepted the role as my first Special Adviser.

The Australian Cyber Security Centre, led by the Australian Signals Directorate, will continue to coordinate our operational activities, but will be relocated out of the ASIO building, making it easier for industry to engage with it.

And in another first, the Minister for Foreign Affairs will appoint a Cyber Ambassador to lead our international engagement in advocating for an open, free, and secure Internet, based on our values of free speech, privacy and the rule of law. The borderless world of the Internet is a global challenge, just as it is a global opportunity. Some countries see an open internet as a threat to their authority and control, and would prefer to limit connectivity, but we are working closely with our friends and allies to counter those views.

Australia’s Cyber Ambassador will work with regional and global partners to advance internet freedom, combat cybercrime and share threat information.

I have committed Australia to promote the emerging norms of State behaviour in cyber space, unilaterally with allies and partners and multilaterally through the G20 and the United Nations.

Existing rules, principles and norms of behaviour should be extended into the cyber world. In the short term, and in the absence of well-developed understandings about how to behave, there is a risk that unexplained cyber incidents could escalate into conflict between states. So we need practical confidence building measures between states, bilaterally and regionally. We are working to support an emerging regional framework to raise awareness and reduce the risks.

We will also join with other countries to build cyber capacity, to prevent and shut down safe havens for cyber criminals, and terrorist organisations seeking to exploit cyberspace for radicalisation and other such activities. Our capacity-building assistance will help our international partners, particularly in the Indo-Pacific region, to tackle cyber security threats and provide a safe online environment so that we can all benefit from the opportunities in cyber space.

Now government and the private sector both have vital roles to play in promoting an open and secure internet. But both parties have often fallen short when it comes to sharing important information. We will establish Joint Cyber Threat Centres making it easier safely to share sensitive information quickly between organisations.  And it will be complemented by a secure online threat sharing network. This is all about promoting greater collaboration, delivering better outcomes, improving the security and performance of our online economy. We will jointly exercise our national response to be better prepared for cyber-attacks and co-design with the private sector, national simple voluntary guidelines promoting good practice to improve cyber security resilience.

The guidelines will be available for all organisations and will complement the international standards adopted already by many large companies.

ASX 100 companies will be able to improve their cyber security through voluntary governance health checks—enabling boards and senior management to better understand their cyber security status and how they compare to similar organisations.

In time, these health checks will be available for all public and private organisations—tailored to size and sector.

The Government will also provide support for some 5000 small businesses to have their cyber security tested by certified practitioners.

Now the role of the private sector in the success of our goals is as important today as it has been in the past.

In the First World War, both the United Kingdom and the United States governments had arrangements with international telegraph companies to obtain drop copies of telegraph communications for intelligence purposes.

Authorised working relationships between government and certain private sector partners were unfortunately damaged in the release of stolen documents by Edward Snowden; and we recently saw in the exchanges between Apple and the FBI, the difficulty that modern encryption poses for law enforcement.

It is important, in healthy democracies, to have debates about the balance between civil liberty and national security. Few issues are more important.

In certain very specific circumstances, government will work with the private sector—within agreed legal frameworks and appropriate oversight—to fight serious online crime and extremism and to thwart terrorists and others who seek to hide their illegal activities online.

This will not diminish our responsibility to ensure we are protected from cyber security threats and to ensure that trust and privacy remain paramount in the online environment.

Now as part of the Government’s National Innovation Agenda we announced the establishment of a $30 million industry-led Cyber Security Growth Centre. It will build on our expertise, promote greater collaboration and help to develop Australia’s cyber security industries.

This is about supporting our local cyber businesses to expand and grow. It will create more opportunities for our businesses to commercialise and export innovative and secure Australian products.

Now discussing this with our business roundtable just half an hour ago it was clear that many of our innovative developers believe that large Australian firms and governments are less willing to invest in Australian products than those from firms overseas. This is a big issue, and one which I was quite familiar with from the days when I owned a software company myself many decades ago. It is a big issue. And one that the growth centres will address. Big Australian companies and Government agencies should be the most open to Australian innovation, not least because it will provide a strong demonstration of success with how technology exporters can use to market overseas. That is one of the areas which will drive jobs and growth. Australian innovation and Australian technology reaching out to the world taking advantage of the big markets that we have opened up for Australian business.

Now the initial co-chairs for the growth centre will be two of Australia’s leading cyber-experts, Doug Elix and Adrian Turner.

I spoke earlier about the ubiquity of the Internet - the Centre will take advantage of this by establishing a network of nodes across Australia, creating business opportunities for our cyber security industry and strengthening ties with leaders in cyber innovation such as the Defence Science and Technology Group.

The NSW node will be right here at the Australian Technology Park, joining Data61 to leverage their advanced cyber capability. I am also pleased to be able to announce that Victoria will house its Growth Centre node at Goods Shed with the recently announced Oceania Cyber Security Centre, Oxford’s Global Cyber Security Capacity Centre and Data61.

Locations will also be established in other states and territories to bring together cyber security innovation work from around Australia. State and territory cyber innovation centres, including those that are run from State Governments, will be encouraged to join this network, further strengthening our cyber defences; growing business opportunities; and creating jobs. In this area more so than many others, collaboration is absolutely key. The more our best researchers can work together and work together with their customers, with businesses, information offices, the more that they interact and engage, the more innovation you’ll see. We are human beings; we are, after all, very social animals, and the more we engage, the more we hang out together, the more stimulation and innovation you’ll see.

Now improved cyber security will only come if we commit to being a cyber smart nation.

That’s why we are investing heavily in the foundation skills of science, computing and maths - to ensure that our children have the skills to not only confront these challenges but also take advantage of the enormous opportunities.

As part of the Innovation Agenda, that Christopher Pyne is leading, we’re investing $51 million to develop the digital skills of our children, and a further $48 million on STEM initiatives in schools.

Today I’m pleased to announce that the government will build on these investments by working with business and the academic community to co-design a model for Academic Centres of Cyber Security Excellence in universities. This is about ensuring that graduates have the right skills and expertise.

And we will take steps to enable people to develop cyber security skills throughout their careers.

Now ladies and gentlemen, cyber security and the security of the cyber sphere, ensuring this digital world, we often talk about, people talk about the digital economy and the digital world, the reality is our economy is digital. It is - there is no longer a separation. This is not a new media or a new technology; this is where we are today. This is the modern world. It is central to everything we do and hope to achieve.

An open, free and secure internet is now essential not only in e-commerce but also in ensuring public and financial accountability; the fostering of democracy; freedom of expression; and indeed every element of what we understand a democratic and prosperous society to be.

I want Australia to lead the world in cyber security and we have the brains and the imagination to do so.

I want to thank you all for your commitment to ensuring that we will lead the world in cyber security and that they will together be the best.

I commend to you the National Cyber Security Strategy—it’s the Government’s blueprint for a safe and secure cyber future that will ensure we all continue to benefit from the vast opportunities, the remarkable opportunities, of this the global online economy. The digital world - the most exciting time to be alive, in the digital century, the 21st century. Thank you very much.