Speaker(s): Abigail Bradshaw, Head ACSC
Location: National Portrait Gallery, Canberra, Institute of Public Administration Australia
Date of Speech: 6 November 2020
Cyber Security in Australia - A Team Sport
Thank you, ladies and gentlemen.
I want to acknowledge the Ngunnawal people and the Traditional Owners of the land on which we meet today. I want to pay my respects to elders past and present and emerging. And I want to acknowledge their ongoing and continuing rich contribution to our land, waters and culture.
And this is especially important on the eve of NAIDOC week, when we will celebrate that the Aboriginal and Torres Strait Islander people were Australia’s first explorers, our first navigators, our first engineers, our first farmers, our first botanists, our first scientists, our first diplomats, our first astronomers and our first artists.
Always was – always will be.
I’d like to thank IPAA for welcoming the Australian Signals Directorate’s Australian Cyber Security Centre again to this excellent forum, and for the opportunity to speak about our really important cyber mission.
Our secure connectivity has been critical to maintaining our lives through COVID and it will be equally critical to facilitating our pathway to economic recovery.
I also want to thank this excellent panel for joining today’s discussion. There’s something special about today’s panel, and I’ll include Hamish in this remark. It’s full of fine women. Including our moderator. And that’s a really outstanding position to be in, in a field which isn’t always dominated by our gender. Collectively we represent a core component of ‘Team Australia’ – the combination of government policy, operational and law enforcement, and importantly industry capabilities, which are representative of the teamwork necessary to achieve our ambitious objective of making Australia the most secure place to connect online.
More broadly, I want to acknowledge other critical members of Team Australia in this room and online today. The ubiquitous nature of cyber means we all have a role, so I want to call out a few examples of the close collaboration we have enjoyed:
- With DTA, in ensuring cyber security by design informs government digital services and architecture.
- With Services Australia, in the delivery of government services hardened against prosecution from cyber criminals.
- With the ACCC, the e-Safety Commissioner and the Australian Information Commissioner, all of whom we work closely with to ensure Australians hear one voice – one strong singular voice and message - on how to mitigate the impact of online harms, scams and preserve digital privacy.
- With DFAT, who advance our global interests through diplomacy on cyber norms and standards offshore, and
- With the Department of Health, who have worked with us to ensure our advice and assistance reaches health providers most vulnerable to cyber attacks during the pandemic, and ensure that our most important health supply chains are best prepared for future challenges.
And I also want to acknowledge the Australian people as part of that partnership, who have inundated us with their curiosity and seeking advice over the last 12 months, increasing our call load by over 200 per cent in their aim to lift Australia’s defences against malicious cyber actors.
The ACSC cannot and does not prosecute its function without partners. It will take a broad church, and an even broader Team Australia, to achieve our mission. Emphatically, and perhaps obviously, that ‘team’ theme will remain central to our panel discussion today and our efforts into the future.
Recognising the rich history on the walls of this building, and the way they remind and speak to us of Australia’s past and future, I’m just going take a moment to reflect on how we got here.
ASD’s cyber security function is as old as ASD itself – in fact, we’re 73 years old on 1 April 2020. That’s not a joke. It’s just the way it is. ASD’s first incarnation, the Defence Signals Bureau, opened in 1947. It was responsible for exploiting communications and for communications security in the armed forces and government departments.
The Australian Cyber Security Centre, evolved from this history, through the ‘Q Branch’ or information security branch. The ‘Q’ of course, stood for ‘quartermaster’ or the keeper of the keys - the term given to generating the cryptographic material that encrypts our government and military communications to keep them safe. It’s a vital role which we still play today.
The Q Branch also performed our communications security role.
This coupling of exploitation and defence – or poacher and gamekeeper – is as useful today – and possibly even more critical – than it was even back then.
Our ‘protect and assist’ function continues to be enriched and informed by our insights into the motivation and intent of our adversaries, and the techniques used to successfully exploit foreign communication systems.
The next substantial evolution of our cyber security function occurred in 2010, when the ASD stood up the Cyber Security Operations Centre, or CSOC. In November 2014, the CSOC further evolved into the Australian Cyber Security Centre.
The 2016 Cyber Security Strategy recognised the rising threat and scale of malicious cyber activity, as well as the importance of cyber security and resilience for innovation, global connectedness, domestic prosperity and unity.
The strategy initiated the process of collocating all government operational capabilities into the Australian Cyber Security Centre. By 2018, the ACSC was joined and enriched by the Computer Emergency Response Team from AGD and cyber security staff from the DTA.
Joint Cyber Security Centres in Sydney, Melbourne, Brisbane, Adelaide and Perth were opened, reflecting the importance of strong collaboration and partnership with industry and community.
And the ACSC gained an expanded remit for providing technical advice and assistance to governments, to the private sector – big and small business, critical infrastructure, families and individuals.
An expanded 24/7 response team was stood up to service our customers. And, in amendments to the Intelligence Services Act in 2018, ASD gained powers to prevent and disrupt cybercrime undertaken offshore.
The 2020 Cyber Security Strategy builds on the strong foundations of the 2016 strategy, on the strong and capable leadership of my predecessors, and on our even longer history of providing excellent cyber security advice and assistance.
Like the 2016 strategy, the 2020 strategy continues to emphasise the shared responsibility for cyber security for community, industry and for government, and the criticality of close partnerships to realise our shared objective.
It’s with this context that I want to talk about going forward. The cyber landscape has evolved. It’s escalated and it’s expanded quite significantly. It is indisputable that the scale, frequency and sophistication of malicious cyber activity is on the rise.
Professionally organised and transnational cyber criminals, as well as state-based actors, are exploiting vulnerabilities and developing viruses, Trojans and more sophisticated ransomware for the purpose of stealing money and sensitive data.
New technologies like the Internet of Things will bring tremendous benefits. But they will increase the threat surface that our adversaries will seek to exploit. By 2030 an estimated 21 billion devices are expected to be connected to the global internet, with some estimating an eye-popping 64 billion by 2035.
Since the pandemic onset more than six months ago, the ACSC has observed a sharp rise in email phishing, message scams and ransomware attacks targeting COVID-19 services and stimulus and welfare programs.
Cyber criminals have demonstrated organised and informed capability to amend their scams to align with government assistance schemes, tailoring them really quickly with their lures to resemble messages from those we trust – like government welfare or health providers.
Over the last financial year our Report Cyber reporting tool received almost 60,000 cybercrime reports. That’s about one report every 10 minutes and each one of those was worth on average about $5,000.
Over the same period, we have observed sophisticated state-based actors targeting all levels of government, private organisations and industry.
Globally we have seen a rise in devastating ransomware attacks on businesses and services, and attacks on critical infrastructure, including devastating disruption to energy and health services.
The costs of these malicious activities are grave. There are the obvious financial costs of lost revenue and business, the loss of market position, opportunity and strategic advantage that arises from the theft of IP or sensitive commercial information.
The loss of amenities and essential services and privacy is real. Less obvious – but equally significant – is the potential to undermine the confidence of Australians to live life and prosper through digital means.
It’s why what we do now as Team Australia really matters.
This context has informed the 2020 Cyber Security Strategy. The vision of that strategy is ‘a more secure online world for Australians, their businesses and the essential services upon which we all depend.
Consistent with that vision and emphasis, the strategy is underpinned by the government’s investment of $1.35 billion in ASD’s Cyber Enhanced Situational Awareness and Response – or CESAR – package.
Speed, scale, volume and impact – and wherever possible achieving this through automation and machine speed – have all been objectives of my predecessors. They remain as relevant today as they have ever been. The operational investment in CESAR will assist us in achieving that goal.
So what is CESAR and what will it do for you?
The key components of CESAR that we will bring to life over the next decade include:
- A new partner portal coupled with a multi-directional threat-sharing platform. This will enable us to share indicators of compromise at speed and scale, and in machine-readable format, with all out partners. Importantly, the multi-directional capability will enable our holdings to be enriched by the insights of business, industry and our partners.
- We will expand and uplift our Joint Cyber Security Centres all throughout Australia, improving their capacity to receive and share classified information.
- We will roll out a national exercise program, expanded, focussing on our partners in critical infrastructure and ensuring that we are ready to respond when our worst cyber day happens.
- We will extend and expand our offshore cybercrime disruption, continuing to work closely with our law enforcement partners, and establish a countering foreign cybercrime capability within the ACSC.
- We will employ and progress technologies that block threats automatically – partnering with industry to mitigate at scale – like our protective DNS system that will enable partners to automatically block a range of malicious content, with the effort of a couple of lines of code.
- We will expand our customer engagement channels, extending our 24/7 cyber security help desk to service the needs of small business and families.
- We will develop and enhance our awareness and education communication, working with our government partners to ensure Australians have access to a singular authoritative and trusted government voice on cyber security.
- We will continue to bolster cyber resilience, particularly with critical infrastructure and government, through our uplift, Cyber Hygiene Improvement Program and vulnerabilities assessment services.
- Collectively, we will leverage our partnerships with federal, state and territory governments, with critical infrastructure providers and industry, to build a national situational awareness capability that we are able to share at speed, scale and, wherever possible, automatically, to assist in the protection of all Australians.
- And where entities are unable to mitigate threats, we will continue to deploy incident response capabilities and specialists to assist.
CESAR is not an investment in ASD or ACSC alone. The operational capability will belong to all Australians, available to defend, assist and to uplift the cyber resilience of government agencies, Australian businesses and communities.
Importantly – it will assist us to make our collaboration with the AFP and the ACIC more potent, impactful and frequent.
Together with ACIC and AFP this year, we have used our collective capabilities to successfully disrupt the business model of key foreign cybercrime syndicates targeting Australians through COVID-19-themed SMS phishing campaigns.
In doing so, we protected hundreds of Australian and thousands more foreigners from organised and sophisticated foreign cyber criminals.
Under the 2020 Cyber Security Strategy, and with the benefits of the operational investment in CESAR, we seek to replicate our recent exemplar partnership with Telstra and Services Australia which successfully identified and rejected illegitimate phishing text messages that are impersonating myGov and Centrelink, before they reach Telstra customers. This partnership pilot demonstrates how government and industry can work together better to protect Australians from cyber threats.
And knowing there are so many more valuable insights and examples my panel colleagues will share – I’m going to leave it there and I look forward to the panel discussion.