Keynote address at the Australia-US Cyber Security Dialogue Center for Strategic and International Studies

Transcript
22 Sep 2016
Washington D.C.
Prime Minister
E&OE

Ladies and gentlemen.

No institution or infrastructure is more important to the future prosperity and freedom of our global community than the Internet.

It powers, it punctuates our daily lives, supports our business transactions and joins our nations in what is truly a world wide web.

This is the modern world.

Yet, for all its ubiquity, it has — for the most part — remained free of government domination or control.

Of course I’m not looking at you in this regard Chris, because you appear to have been of an age to have actually founded the Internet - many have laid claim to that - but we know it had its origins in a government research project.

But the remarkable thing about the Internet, despite the magnificent role of the Department of Commerce overseeing it in a rather benign way, it has developed autonomously outside of government direction.

It is the most important piece of infrastructure ever created by mankind and yet it has not been created, as most infrastructure is, by governments.

A free and open Internet supports our democratic rights of freedom — of speech, religious expression, political thought and choice.

However, governments cannot be completely hands off.

They have a clear role to play in cyberspace in the more traditional roles of a nation State: protecting citizens, advancing national interests, and encouraging neighbours in this exciting digital age.

As I discussed this morning with NSA Director Admiral Rogers, governments also have a role in helping secure the Internet.

A secure Internet is essential, not only in e-commerce, but also in maintaining the relationships that support our society.

Government leads on counter-terrorism because these burdens can only be shouldered by nation-States.

Whereas a forward-thinking government knows it will always be intertwined with industry in the field of cyber security.

That’s why we must work together — private sector and nation States — to secure the Internet. The challenges the Internet faces are greater than can be solved by any of us alone.

And that’s what brings me here today.

To speak with you about how Australia and the United States can work to secure the cyber world.

I’d like to thank Toby Feakin from the Australian Strategic Policy Institute and Jim Lewis from the US Centre for Strategic and International Studies for jointly hosting this first 1.5 Track Cyber Security Dialogue.

I welcome academia and industry to this Dialogue. For all my enthusiasm for government’s responsibilities in cyberspace, good cyber policy requires the cooperation and creativity of academia and industry. 

Indeed, government needs to be challenged by academia and industry.

The nature of global telecommunications infrastructure is such that cyber incidents inescapably engage the private sector.

The person on the front lines of a cyber incident is almost certainly a systems administrator in a private enterprise or a government department.

The intersection of IT security and national security means that we find ourselves aligned with a dual common purpose — to avoid the perils of cyber threats, and to realise the benefits of cyberspace.

When I launched Australia’s Cyber Security Strategy in April this year, I said that Australia would be more open about future compromises of government systems.

While breaches damage reputations, in the long term only transparency can grow trust. K-mart Australia actively disclosed a data breach late last year, and that transparency helped insulate it from more serious economic loss. Government also intends to lead by example by initiating frank conversations about our success and also about failures.

Which is, of course, why this Dialogue has been termed ‘1.5’ — that space between formal, ‘one track’ diplomatic interaction between nations and the more open ‘two track’ engagement. We want to be transparent, we want to cooperate and we want to be invigorated by the new ways of thinking and faster ways of achieving that which the private sector and academia have to offer.

That thinking and doing is how we can change the cyber world and set the future course for our societies.

And we are here today to ask for your help to achieve this.

Australia is committed to standing firm for the values of an open and free Internet.

We will champion a cyberspace in which State actors, businesses and individuals abide by international law and behave in accordance with agreed norms - because existing rules of behaviour should extend into the cyber world.

I have committed Australia to promote the emerging norms of State behaviour in cyberspace — unilaterally, with allies and partners and multilaterally through the United Nations, the G20 and elsewhere.

In April this year, I announced for the first time that Australia possesses an offensive cyber capability. A capacity to respond to State and non-State actors who attack us.

This option of offensive cyber response takes its place alongside options such as: diplomacy, law enforcement action, and sanctions amongst others.

Now, as governments, we don’t talk much about what this offensive capacity can do, nor how it can be carried out. Much as we acknowledge we have warships, submarines and fighter jets, we don’t detail their specific technical capabilities. Merely acknowledging their existence forms part of our national deterrence.

In the short-term, and in the absence of well-developed understandings about how to behave, there is a risk that unexplained cyber incidents could escalate into conflict between States.

That’s why Australia is supporting an emerging regional framework to raise awareness and reduce risks.

Jointly, with the United States, we are mapping our cyber incident response structures and mechanisms so that we can cooperate in the event of an incident affecting both our nations.

Online, incident response goes hand-in-hand with incident preparedness and with real world analysis of threats.

Our societies are increasingly reliant on faster telecommunications, secure data centres, satellite capability, and smart electricity grids.

That’s why fostering trust in infrastructure must be taken seriously.

Australia and the US have always been very clear that damaging critical infrastructure is unacceptable. And we have maintained a strong line that cyber espionage for the purposes of commercial advantage is also unacceptable.

As well as countering any State sponsored malicious cyber activity, we are working to ameliorate the damage caused by cyber criminals.

Denial of service, hacking, phishing and malware, are disruptive to our economies, our social interactions, and — through their unwavering persistence — our sense of security.

This undermining of our online confidence means we are not fully leveraging the digital economy.

So transparency, ‘norms promotion’ and maintaining a national capacity to counter cyber threats must be part of governments’ contribution to ensuring Australia and the US are secure and dynamic locations for business diversification, for investment.

There is no point, however, simply being a digital stronghold in a network of insecurity.

Which is why nations like ours have both an obligation and clear economic benefit to engage in regional capacity building.

Consider our location in the Asia-Pacific and the forays into the online world that are being made on our doorstep.

New undersea cables have seen connectivity for our Pacific trading partners increase exponentially over the last decade. Their increase in connectivity has coincided with a doubling of mobile phone coverage and dramatically falling Internet and telephone prices — placing that connectivity in the hands of millions more people.

It’s an exciting economic prospect for our region.

However, the Asia-Pacific region is also the most heavily affected by cybercrime — losing one third more business revenue to cybercrime than either the EU or North America.

So, as well as being true to our view of ourselves as part of Asia, and a partner in the Pacific, Australia has an economic imperative to build regional capacity and to smooth the way for private sector involvement in self-sustaining economies.

It’s in our best interests.

It’s also in our best interests to be a good global citizen and to promote an open and secure Internet.

Every ideology and every philosophy in every language is represented online.

I said at the launch of Australia’s Cyber Security Strategy that the Internet has changed the world, changed history and indeed changed us.

It has changed how we communicate that which we believe, and some suggest it is now changing how we think and engage in conversation.

We have, all of us, in our pockets, all of us here today and most people in the developed world and shortly most people in the whole world have in their pockets a smartphone, which has the processing power of a 1990 supercomputer and is connected to the Internet 24 hours a day, 7 days a week.

This is a remarkable transformation that has happened in less than a generation. So, Governments and businesses must be focused on the cyber sphere as a catalyst for innovation and growth and security is the key to that.

The cyber security sector could grow at faster than 10 per cent each year for at least the next 5 years — far exceeding expectations of the economy generally.

My objective is for Australia to become even better placed to use home-grown cyber security expertise to solve challenges and develop new business opportunities of global significance.

Already, we’ve established an industry-led Cyber Security Growth Centre. It will build on our expertise, promote greater collaboration and support our local cyber businesses to expand, to commercialise IP and to export innovative products.

I am here today to invite you and your expertise into the cyber-security frameworks of both our nations.

I want this Dialogue to be more than just an annual gathering – it must be active and I ask three things of government, industry and academia between this Dialogue and the next.

First, and most immediate - what early achievements are possible between now and the next time the Dialogue is held?

Second, in the short to medium term - what barriers can government continue to remove, either through deregulation or positive action?

And third - articulate robust, long-term and innovative goals in cyber security that we can agree at the next Dialogue and then pursue with tenacity.

To commence the thinking on early gains and enable real progress between this Dialogue and next, we must convince leaders, at board level and corporate sector and government levels, that cyber is one of their essential functions. That means people must be cyber ambassadors and carry that message.

Many companies have Chief Technology Officers and Chief Information Security Officers. Both have technical knowledge and business acumen. 

The most obvious reason to value the role of a Chief Information Security Officer in board-level decision-making is the risk of cyber threat to your budget bottom line. As we are all acutely aware, a cyber-attack or data leak from even a mundane business system — like e-mail — can have a dramatic impact on an enterprise.

In fact, to properly recognise the convergence of online and offline threats, consideration should probably be given to now replacing the title of CISOs with the more appropriate Chief Security Officer.

The cost impact of cyber-attacks on companies is complex, and not limited to just a loss of shareholder value, although this can be, as we’ve seen, significant.

Listening to the risk mitigation advice of your security staff is therefore good business. But it is better business to also think broadly about the benefits of information security. Security staff could use their skills to contribute new business models that take a company into new products and markets. On that basis, we should unleash security staff to focus on both sides of the risk coin and to increase the value they add to their organisations.

Increasing the capacity for security staff to engage in conversations with senior decision makers is absolutely critical when it comes to responding to a cyber incident.

Many enterprises can effectively analyse attacks, build timelines of events, track data loss and restore systems, but without ongoing good communications and a working knowledge of cyberspace, your capacity to respond is hampered.

In one study, 80 per cent of organisations said they don't frequently communicate with executive management about potential cyber-attacks against their organisations.

CEOs and boards want succinct information, which is not always easy when presented with IT security data. Undoubtedly, the IT security function needs to work on how it explains risks to management, but it is also incumbent on management to be well-versed in cyber security language and the realities of responding.

How can consistent messaging travel from IT security to customers and the public when the IT professionals speak a different language and when the next spokespeople in the chain — the CEO, the board and the reporting media for that matter — can’t necessarily speak the same language?

How aware are Chief Executives and Directors of who have access, for example administrative privileges over the network of their own business? Do you know your Systems Administrator? Good question. Many people do not and we should.

Improvements to cyber incident response are on our minds in Australia, thanks to a denial of service incident on our national Census night.

Although it was nationally significant, it was technically predictable and not a unique situation for business and governments. However, we struggled with the laden meaning of the word ‘attack’.

‘Distributed denial of service attack’ is language that has begun to permeate the public consciousness. However, if a nation State says that it has come under attack, the meaning, and therefore the act itself, is weighted with terrific significance.

We need to be able to communicate an accurate level of significance.

We need to know collectively that a denial of service is equivalent to having a bus parked in your driveway so you can’t get your car out, that hacked data means someone broke into the garage and took the car, and that the solutions to these two things are very different.

Widely understood language in other fields has been hard fought for and won. If we hear of an air disaster involving a cabin fire or an engine fire on an aircraft, we understand the difference between, and different implications of, those two scenarios.

The general public also knows that a black box — that great Australian invention — is important to aircraft crash investigation but that finding it can be difficult and takes time.

If an air safety authority says that an investigation is focusing on locating the black box because it will yield vital clues about the aircraft’s final moments, the public accepts and understands that.

The conversation about cyber incidents has not reached anything like that level of understanding.

Those outside the cyber security world don’t readily understand the relative impact of different incidents, typical investigation timeframes, or likely response options — such as shutting down a site while investigating unusual traffic patterns.

On that basis, I call on academics to turn their minds to the problem of cyber lexicon.

How do we communicate clearly with each other?

How do we normalise cyber discussions so that they are held in the context of all threats, risks and opportunities? 

And the media too should be involved in that conversation and take care to understand what is being said by governments and businesses.  

Before I close, I’d like to talk briefly about fairness in relation to cyber security and how large companies can help themselves by helping others.

For each large enterprise, there are many small businesses putting a toe in the water of the online world. They are connected to you as suppliers, distributors and contractors.

Many are far less secure, far less savvy, far less resourced than governments and big business. Or at least, than governments and big businesses should be.

To widen the web of safety, the Australian Government is providing support for some 5,000 of our small businesses to have their cyber security tested by certified practitioners.

Businesses, and indeed universities, can further widen the net by engaging with their own supply and distribution chains, and with their social good programs.

Some — like those assisting women who are victims of domestic violence — hold incredibly sensitive personal information and are acutely aware of the physical safety of those they are protecting.

These organisations know their moral, and often legal, obligation to maintain personal information safely but, most likely, they are neither resourced nor skilled enough to be active, let alone, innovative online.

You would help secure the veracity of the Internet, the integrity of the Internet if each of the organisations here with an established Information Security Officer were to seek out a small or not-for-profit enterprise with which to share your knowledge.

By doing so, you’d embody the social and national values of helping others, of service that characterises both our nations.

In Australia and the United States, we are building cyber-smart nations through investment in education, centres of excellence and dialogues like this one.

We are working to keep the net safe for our citizens and their businesses, to protect the infrastructure on which we all rely and to elevate the safe use of cyberspace in our trading partners.

Government, by necessity, has asked and will ask a lot from business to ensure cyber security, but it is because business has the imagination and the people, to create the confidence that we are building.

This digital century is a time of remarkable opportunity.

Our response to those opportunities, and to the threat of people using it criminally and maliciously, will come to define the future course of our societies.

I would like to thank you for holding this Dialogue here and I urge you to use it to guide the web we all comprise towards both ambitious and innovative ideas, as well as practical solutions to secure the economic and social futures of both our nations.

I look forward to seeing you all in Australia next year.

Thank you very much.

[Ends]