Date: 2023-03-21

Minister for home affairs and cybersecurity Clare O’Neil has put the public sector on notice that she expects the government to be an exemplar for good when it comes to defeating and mitigating cyber threats facing citizens, as part of a broader push to uplift corporate resilience.

Delivering the keynote address to the 2023 Australian Information Security Association’s Australian Cyber Conference in Canberra, O’Neil said that in just the 10 months since Labor came to office, a more coordinated approach combined with the elevation of cybersecurity to a cabinet-level portfolio had shifted the dial in terms of engagement.

“Australians face the most complex and difficult set of geostrategic circumstances that we have faced since the 1940s,” O’Neil said. “That is a huge thing for our nation. And it, of course, pervades every single conversation that we have about national security as a country.

“So what I’m trying to do is encourage Australians to understand the issues that they face with cybersecurity today, but really to think about in seven years that we are going to be living in a different world for this problem, and I want our country to be ready to confront it.”

The government’s fiscal commitment to cyber so far is $11.4 billion over 10 years, headlined by a seven-year cybersecurity strategy whose specifics and legislation are now being thrashed out with stakeholders.

It includes the prospect of specific cybersecurity legislation to streamline the hairball of existing regulatory obligations and available government interventions ranging from taking over compromised or hijacked systems to heavy fines for corporate cybersecurity slackers.

O’Neil’s broad policy approach is that, under the current government, cybersecurity needs to be centrally coordinated from within cabinet, with duties and delegations then farmed out in a more structured and disciplined way than under the previous government.

Resisting the opportunity for a free kick at the previous government — perhaps because former prime minister John Howard was speaking after her — O’Neil talked up bipartisan support for cybersecurity as one of Australia’s big strengths over other economies.

“I actually really believe that we can be the best in the world,” O’Neil said. “What we have in Australia that’s really unique is the ability of our government and our parliament to legislate really effectively.”

Galvanising this unified push was the harsh wake-up call that both the Optus and Medibank hacks delivered to everyday Australians.

O’Neil made it clear a good crisis will not go to waste.

“Four months after I took on this role we faced the Optus data breach, and then three weeks later, the Medibank Private incident – the two biggest cybersecurity attacks that have ever occurred in Australian history. And they occurred within three weeks of each other,” O’Neil said.

“These were absolutely terrible events [but] what the breaches did was wake the country up from a cyber slumber. I think it did it politically. But I think it also made a huge difference to how Australians think about these issues.”

The difference in attitude and response is already being noted overseas, O’Neil pressed, while still noting there was a lot of work to be done, before taking a dig at her predecessors.

“I don’t think anyone would argue with the fact that we probably weren’t particularly well positioned on this problem when we came to government in May last year,” O’Neil said.

“But some of you will have noticed that, a few weeks ago, Australia was ranked number one in the world by MIT on the cyber defence index. And the reason MIT gave us that number one global ranking was because our country showed great progress.”

O’Neil said the areas that made up the MIT score where Australia scored top marks “were critical infrastructure, organisational capacity and policy commitment”.

“So that is a huge credit to everyone in this room and everyone in the sector.”

But it also shows Australia’s early cyber protagonists were on the ball as long as 20 years ago.

Despite the fissures over finite funding and ministerial and agency rivalries over the years, Australia managed to come up with a broad cyber agenda that included critical infrastructure and addressed issues like once separated SCADA networks being connected to the internet.

Many of those initial critical infrastructure linkages were forged out of the Attorney General’s Department by the late Mike Rothery PSM, a skilled and respected counterintelligence practitioner who was prepared to make himself unpopular with the likes of banks to get the message across. He also insisted, in private, the government needed to lead by example.

O’Neil is now calling out the role of government as an exemplar as a necessity after years of relatively free-range policy.

“When we think about the cost of cyber breaches, or what we saw with Optus and Medibank, the organisation in Australia that holds the most valuable and important data about Australians is the Australian government,” O’Neil said.

“So it’s really important for us to be thinking hard about how we manage these issues. What we saw was the Australian government, across all the departments and agencies and organisations, spending quite a lot of money on cybersecurity. There was no attempt to build a cohesive approach.

“And I just want to let that sit with you for a moment. Government is a third of Australia’s economy and there was really no attempt to make sure that we had any consistency across government whatsoever about how those dollars were being spent.”

Now there’s $11.4 billion and a hornet’s nest of stakeholders trying to influence a cybersecurity strategy that cannot possibly please everyone.

But in the wake of two major incidents just months into her appointment as minister, Clare O’Neil is spending political capital while she has it — one of the only proven ways to achieve reform.

