The subject of cyber security is of course running hot, and in fact that is going to confine the Minister time-wise this morning because she has obviously a very busy schedule. But cyber security is currently at the forefront of the media and public debate, and the recent events surrounding Optus and today Medibank Private data breaches remind us just how valuable on the one hand data is, but also how vulnerable our personal information is for all of us. Cyber attacks affect the lives of all Australians and they are increasingly doing so on almost a daily basis. An effective response to this issue will require collaboration from both the public sector and from the private sector and of course from the community in the broad. All of this makes today's discussion even more important. It's my great honour and pleasure to introduce our two discussants this morning, the Honourable Clare O'Neil, MP, Minister for Home Affairs and Minister for Cyber Security. Minister, welcome. And Professor Ciaran Martin, the Blavatnik School of Government, University of Oxford. Minister O'Neil was first elected to the Federal Parliament in 2013 and represents the electorate of Hotham in Victoria, southeast Melbourne. The Minister holds a Masters in Public Policy from Harvard University and has held various roles across the private and public sector, including her appointment in 2019 as the Shadow Minister for Innovation, Technology and the Future of Work. And then of course early this year, Minister O'Neil was appointed to the Home Affairs and the Cyber Security portfolios. Ciaran Martin is Professor of Practice in the management of public organisations at Oxford University. Prior to joining Oxford, Ciaran was the founding Chief Executive of the UK's National Cyber Security Centre, a facility that some of you in this room I know are very familiar with.
During that time, he led the UK from astonishingly the eighth position in the world to the first position in the world in the International Telecommunications Union's Global Cyber Security Index. That's quite an achievement. The UK's National Cyber Security Centre has been a model that's been studied by many and adopted by some countries, including Canada and our own country. And I had the great privilege while serving in government to visit on several occasions the British National Cyber Security Centre and draw inspiration from it. I'd like to call now on Minister O'Neil and Professor Martin to lead us in a discussion. They're going to take seats at the front here. The Minister will have to leave in a short while to confront some breaking issues, but Minister, I really appreciate you being here, and Ciaran, for travelling from the UK to join us this morning. Thank you.

Well, good morning everyone, and it falls to me, Catherine from CyberCX, to chair this dialogue this morning, and I'm going to cut straight to the chase because our time is limited. Minister, it is in some sense both the best and worst of times in cyber in Australia: worst for the obvious reasons, best because it gives us a chance to pause and think about how we can do things better. So my first question to you this morning, Minister, is as we think about the data breach deluge that we have experienced, and as you think about it, what can we be doing at a meta level? I'm not going to draw you on what you're going to be hauled through in the media today, but at a meta level, how do we think about responding to these types of incidents better in future?

Okay, thank you so much. Before we get on to that, can I just acknowledge some very important people in this room.
We've got the Secretary of my department Mike Pezzullo, Rachel Noble, two people with whom I work incredibly closely on cyber issues and great cyber leaders for our country, and Duncan, your service to our country is truly remarkable and we're so grateful for it, and also personally very grateful for your friendship to me, and thank you to CyberCX for having us, and Ciaran, what a thrill. Of course we all know Ciaran is a major cyber celebrity; if you're interested in this field of work he is the man, and I was so looking forward to having a bit of a relaxed discussion with you this morning, but that unfortunately is not going to be possible. So I'm sure all of you in the room are aware that overnight the attackers of Medibank have started to release some data online, so maybe if I can share a little bit of some thoughts on this. I don't have words to express the disgust I feel at crimes of this nature. We went through Optus recently where the things at risk were mainly financial, and you can replace a credit card and you can refund money to people who have it stolen from them. The fact that people's personal health information is being held over their head is just disgusting to me, and it just shows us that these cyber criminals, who we are joined in a fight against between the Five Eyes and other friends and partners around the world, they are just disgraceful human beings and we need to step up and do everything we can to fight back against them. I really want Australians to understand that this is not happening because Medibank did not pay a ransom. That is crucial for people to realise, and I know that with great entitlement there will be millions of Australians waking up this morning angry and fearful about what will be done with their data.
It didn't happen because Medibank didn't pay the ransom, and Ciaran, it'll be really interesting to hear some of your thoughts about this, but what we see so often with these incidents is that companies in desperation pay a ransom and then the data is used to revictimize and revictimize and revictimize. We cannot live in a world where people can do this sort of thing and benefit financially from it. This enables and empowers the very disgraceful human beings who are at the heart of this and we cannot allow that to happen. Now you asked about cyber incident response. The Australian government has been preparing for this eventuality for some weeks, so as soon as it became clear that the Medibank attack involved the theft of data I activated something called the national coordination mechanism. So this is the first time in Australia that the national coordination mechanism has been activated in the event of a cyber attack. The former government created this as a crisis response mechanism during COVID and it was set up to deal with the most difficult, intractable, urgent problems that were being experienced at that time. It is an unbelievably effective way for us to elevate the urgency of a problem across all levels of government and community and business, and to bring together people who need to work together to solve a problem who may not be used to working together, and one of the things that's very unique about cyber incidents is that they each have their own specific character and impacts. So I know that for a lot of consumers they probably see a lot of similarities between Optus and Medibank, and there are some similarities in what's going on there, but fundamentally they're about very different types of information and the response from government has to be very different. So the national coordination mechanism has included state and federal government.
It's included extensive interaction with the health system, with Services Australia and with different parts of business as well. So one of the interesting engagements with the NCM has been with social media companies. So what's really important from my perspective, and I say this as the Minister and as an Australian, for media companies in this country: there may be very important health information about people being released into the public realm over the coming weeks. Please do not republish it. I know you will not do that, because that would be enabling and supporting the scumbags who are at the heart of these crimes. Social media companies, we have worked with them collaboratively to see how they can meet their public obligations to make sure that wherever possible, information is immediately taken down, because that information is private and it belongs to the person who is being victimised. Please do not help them by republishing and by failing to take down this information as soon as you can. So I will have a bit more to say about this incident as the day progresses. We are having an NCM meeting this morning that's been established as a process to deal with this exact situation. I don't want people to be fearful, but a number of people have said this is a big wake-up call for our country. We cannot allow this to continue, and so the discussion here this morning is very timely and we're very lucky to have one of the world's experts with me. Right here.

Ciaran, ransomware, tell us.

Thank you for that. Thanks everybody for coming. Lovely to see so many old friends. I'll try and be as brief as possible because your time is even more valuable today than normal.
So I think firstly in terms of response to this genuinely I would pay tribute to you and to the Government of Australia because political leadership does matter in these circumstances and you don't always get it and as someone who dealt with a couple of thousand incidents over six, seven years when you have cabinet level political leadership gripping a problem it does make a difference. It energizes state capabilities. We have the head of ASD here. It energizes the private sector capabilities. You have to have a team response so that matters. Ransomware, details matter when you're considering this and details are easily misunderstood. So you mentioned I entirely endorse what you said about this didn't happen because the company failed to pay a ransom. There are two types of demands for ransom generally in these cases. One is when you're locked out so that's an availability issue. I will sell you a key to let you back in. You can see why that can and I'm not talking about the ethics and morality here but you can see why that can work as a proposal by the criminals. You can't work, you can't operate your system, you can't run the healthcare system, you can't run the operating system for a pipeline etc. So I'm going to give you a key. Oh and look I've published on my dark website, I've published 25 other cases where I've provided a key and you've got back. So that is where that sort of moral hazard that you mentioned where in these awful situations sometimes individual organizations think perhaps wrongly, often wrongly, think it's in their interest to pay. This is not one of those cases, this is about data breaches, this is not about availability of the system. That difference really matters and you're absolutely right. There seems to me to be no possibility of buying any form of recovery here because you can never prove that the data has been disposed of so you can always come back for more. 
Now that's a little bit technical, but it's not that technical, and if we're going to have a serious and grown up conversation with our citizens across the UK, Australia, other similar countries, we need to be open about these differences, because a case where, as in Ireland 18 months ago, the hospital network of booking appointments isn't working, that's a different problem from this, and that sort of detail matters. The final point strategically I think that we need to try to grip from this is about the nature of the threat we face, these scumbags as you eloquently and correctly put it, and what we can do about them. So look, we do have a serious safe haven problem; a lot of it's to do with Russia and surrounding countries, not all of it but quite a lot of it is, and I'm afraid we have to face up to the reality that there are pretty effective, well-organised, always technically sophisticated, but in some of these cases strikingly more than in the past, who are able to operate with impunity, and we can moan about that or we can work out, well, what are the consequences of that? There are things we can do operationally across the Five Eyes to try and contain it tactically, there's diplomatic pressure that President Biden has led against Russia for well over a year now, but we have to accept as companies, as governments, as society that this threat is here, and it's harder to do something about it than it is for all the other threat actors, because it's based in unfriendly countries with whom we don't have law enforcement arrangements. So we have to treat data as the valuable commodity it is and protect it properly and harden our defences. That is a big lesson from this.
Thank you, that was a whirlwind. To our Minister at this point: I am advised that I need to give you a chance to leave to deal with the issues of the day, so unless you have any burning responses to what Ciaran... okay, well, I've got one more question for you. So we know you're rewriting Australia's cyber strategy at the moment; there must be a whole range of priority issues animating you there. Perhaps you could share for this group and the audience on YouTube what some of your priorities are as you review that strategy.

Yeah, fantastic, so that's a really great question for me to answer before I leave, because I want to talk about opportunity. There are some pretty bad things going on in this country in cyber security at the moment, and I think that's obvious for all to see. As well as these probably the two biggest cyber attacks in Australian history happening within three weeks of one another, we also have, you know, the National Australia Bank telling us that they're getting 50 million cyber attacks a month, the Australian Taxation Office getting 3 million cyber attacks a month. So I think we know we've got to step up here, and if there is anything at all that's positive that's come from these incidents, it's that there is universal interest at the moment in seeing what Australians can do to change the situation. And when, you know, a lot of the cyber security discussion, and during the time that you were at GCHQ, Ciaran, you know, the challenge was getting boards to engage and getting them interested and active in this stuff. We don't have that problem in Australia at the moment, and I see enormous engagement from everyone who's got power to change this, to roll up their sleeves and get involved. And the cyber strategy is about bringing all that goodwill and all that opportunity together and making sure that we do shift the situation, and I can tell you really honestly, I actually truly believe that Australia can be the most cyber safe country in the world, and I'll tell you why. We
have a brilliant cyber security industry. We're here this morning hosted by CyberCX. We need to support that industry to grow, but what's there at the moment is world-leading. We've got really incredible skills in this country; we need more of them, and part of my role, with responsibility for the immigration system, is to help us do that. We have amazing government infrastructure sitting there working so hard doing amazing things on cyber security. So I mentioned the Australian Signals Directorate; we're so lucky to have the Australian Signals Directorate. The smartest cyber security people in our country work for the Australian government, and most countries in the world can't say that. And you know, when I travel the world people are so envious of the ASD, and they're envious of some of the great legislative things that Secretary Pezzullo was leading in the last parliament. So we've actually got the bones of something that's really special here, and there's one more thing that we have that I don't see in a lot of other countries in the world at the moment, and that is we have a parliament that actually works. Now I know everyone's very down on Australian democracy, and I see that, but I went to the Five Eyes home affairs ministers gathering in Washington earlier this year; the legislation that we have to deal with cyber incidents is the envy of the world. There's a lot we need to do to improve that law, and I would like to see that as part of the cyber strategy, but I know that we can create a legislative environment here that creates the best environment for our cyber industry and that really helps protect Australians in meaningful ways. And if I can say one more thing, you know, something that I've really observed just in the time that I've been in this job, just over five months: the collaboration between the Australian Signals Directorate and the Australian Federal Police is so powerful, and between the two of these organisations they have networks with police and
equivalent Signals Directorates all over the world. So I think the big message here is we're not going to stand back and think there's nothing we can do about this problem. In fact, when Secretary Pezzullo was in Washington last week, Australia was given the opportunity to host a global ransomware initiative where we are literally coordinating the ransomware activities of, I think it's 37 other countries, Mike? Yeah, 37 other countries. We are going to lead that. That's the Australian Government's commitment to fighting this problem. So we've got a cabinet minister for the first time with responsibility for cyber security and we are using that to step up the fight against this, and it's a fight that I really believe we're going to win.

That is a very energising note to leave on, Minister, and I'll leave you to your...

Thank you, my apologies, I really wish that I could stay but I don't need to deal with this next question.

We'll give a few moments for the great Minister and her advisors to leave the room, and then we'll change pace a little bit. We've been very frenetic this morning and we'll relax a little bit now as we delve into the next phase of this morning, which is a conversation with our very own cyber celebrity, Professor Martin. And the way we'll run this is we've got about half an hour for a conversation between me and Ciaran, and then we'll also have a chance for engagement and questions from the audience as well. So if there's a burning cyber question in your mind we will have a chance to come to that, but for now, in terms of where I would love to take this conversation, there's a range of areas, but I want to stay first with Australia and our responses. We've just heard a really energising message from the Minister about her ambitions for Australia, but on the other hand, Ciaran, I've also heard you talk about the risks of catastrophising cyber: if we get too worried, too scared, if we focus too much on the kind of the wicked problems we can't solve, it might not encourage us to
step up where we need it. So I'm actually interested in how you would approach almost the rhetorical balance of cyber, between owning up to what a serious problem this is but also having a message of empowerment and emphasising where we can act as well.

So, great questions, and yeah, I'll try and take it at a gentler pace. I suppose to respond to some of the things the Minister said, when she talked about people talking about whether Australian democracy and government was functioning, that depends on your starting point, but it looks pretty good from my perspective up to the last few months. So, and genuinely, I think it is striking just to see the sort of way in which this spate of incidents have galvanised the sort of government and private community. In terms of catastrophising and response, I'll break it down a bit. So the catastrophising point, it's been around for decades. You know, we've had the necessary at the time but probably in the long run strategically unhelpful rhetoric of cyber Pearl Harbours and cyber 9/11 and so forth, and we had it all back, particularly, I don't know what it was like here because I wasn't physically present in Australia in February, but particularly at the time of the Russian invasion of Ukraine. And I'm thinking back to a big article in one of the UK's most important Sunday newspapers, double page spread across the main section, saying "Paralysis: this is how Russian hackers will cripple the United Kingdom", and it was all about trains not working, ATMs not working, lights going out all at the same time, and the total paralysis of a society. And clearly that's the sort of thing that's been warned about for 40 years, since the WarGames movie, if you remember that, for anybody of my generation or older, where they accidentally start a nuclear war by hacking into a computing shop and so forth. And it didn't happen in the last 40 years, and it hasn't happened and wasn't likely to happen in the context of Russia-Ukraine. What is likely to happen is the sort of
thing we're talking about now: the sort of disruptions we saw to healthcare, which has been a huge problem in Europe and North America for years, the wholesale loss of data, the wholesale interruption of essential services, the harassment, the intimidation, the misinformation and so forth. Cyber is a much more pernicious, chronic set of harms than a sort of catastrophic one. Now, it can be awful for individual organisations, and so what's happening in Australia is a really good example of that. It's awful for the organisations concerned and for their customers. It doesn't physically hurt anybody, let alone sort of kill them, but it damages people's confidence in the data economy. Now, things like that matter for all sorts of reasons, but in particular, if you focus at the catastrophic end of the problem, A, you're probably chasing the least likely, the less likely, risks, and secondly, you're slightly infantilised. You know, there are big strategic threats to things like power grids and so forth; there are targeted major nation-state attacks where a hostile state will put a lot of time and effort into one operation, and there's not a great deal that medium-sized organisations can do about that if you're unlucky enough to be the target of it. So you're infantilised to think, well, there's nothing I can do. But when you look at that sort of suite of pernicious harms and so forth, there's all sorts of things we can do, and I'll just pick on a few examples. One is to say it all, and I really wanted to pick up, I should have picked it up while she was here, on the Minister's point about the agency of publishing leaked data. That's a really powerful thing. No one should host this on the open internet, whatever comes out of this breach or any other breach; no one should host it on the open internet, and no one is likely to, but that is a big mitigation of harm. Then we should look, through law enforcement cooperation, at where it's appearing in the dark web and see what we can do about it. So already
you can see there's some agency here. Secretary Pezzullo's point: he briefed me yesterday evening on what's come out of Washington from this ransomware task force, 37 countries, basically a coalition, a voluntary coalition of the willing, ranging from superpowers, advanced digital economies, all the way through to much smaller countries, and they're agreeing to do stuff. And you know what, I'm not going to brief out the details because they're really boring, but they matter. And so stuff like this across 37 countries, about tracking cryptocurrency payments, about building a shared platform where you can work out who's up to what and where things are occurring: it's deathly dull, but it really sort of matters. To go back to publishing the information, it's not just about healthcare, but I remember in 2020, just before the presidential election, the Washington Post published an editorial statement saying, unlike in 2016, if we have suspicions about the source of a politically controversial piece of information, we're going to apply different thresholds to publishing it. That again shows you the agency society has in doing all of this. And then you get back to things, so, you know, I know there's a policy review underway because of what's been happening in Australia. There are policy reviews on cyber policy all over the place, but it doesn't have to be confined to the simple "does the government legislate or does the government not legislate". There are other things. What about a dialogue with the insurance industry that's a bit more intensive, to say, well, hang on, we've been trying to figure out cyber insurance for 10 years, to try and utilize insurance's normal social good function of essentially incentivizing people to manage risk better, but it's not really working in cyberspace in lots of different areas. Why not? Can we have a discussion about that? What would work? Corporate governance reforms. There are all sorts of things, again often quite
tedious, but can just chip away at some of this problem, and those are some of the things we should be looking at. So if we just have this catastrophic picture of everything's going to blow up, then A, we think there's nothing we can do, B, we're chasing the wrong problem, and we're ignoring the whole bunch of things that we can do at a technical, organizational, societal level to reduce, not eliminate but reduce, the risks and the severity of the incidents that happen. So boring can be good. Boring's excellent in cyber security.

And I'm going to stay on that thing for a moment. So you've highlighted a couple of areas short of the big legal stick where we could potentially, low-hanging fruit for moving the needle on cyber, so insurance, corporate governance. If you were redrafting Australia's cyber strategy, what are some other areas where you think there's a potential for really moving that needle, whether it's in law enforcement, whether it's in corporate governance areas? What would be your kind of, say, top three measures to change what we're doing for the better?

Well, Australia has already put in place some pretty tough critical infrastructure regulation, and I think that's really important, and it's pretty sensibly framed in terms of managing risks to the sort of outcomes. Again, it's how it's implemented that matters, so just discourage a sort of compliance-based approach and actually try and regulate the sort of outcomes. You know, financial services has been quite good at this, not least because for decades banks have been trying to eliminate the threats of, or reduce the threats from, rogue traders. So you can't stop somebody moving around some money in a bank, but you can stop them moving enough around that topples the bank, and that's the sort of, you know, it's a good approach to cyber security. So I think there's a way of implementing that type of critical regulation on to the areas that most matter. So that's one point. I think a second thing is about
getting the sort of cyber security market and capabilities sort of functioning better. So one of the things that I think is going to be a real challenge for Australia now, given the moment we're in, everybody's paying attention to it; raising awareness is not a problem in Australia at the minute in cyber security. So here's a question for the community. If you have a well-intentioned but largely technically inexpert board of directors of a company, but they say, look, we've got to get serious about this, we're going to act in good faith, we're going to put aside money, we're going to put aside time and give it proper support, what do they do? Where do they go? What capabilities? How do you help them understand what they need, and then how do you help them understand, in a very fast-changing sort of marketplace, what's good and what's not? And there are things there. I mean, as technology changes, governments, partly through regulation, partly through voluntary cooperation with industry, are making improvements. IoT is the classic. So traditionally, if you wanted to go more secure in the online world it was really hard, because the economic model was: I want a web-based service for free, and essentially I'm going to give away my personal data or my corporate data in order to get free access to that service. IoT changes that. You buy something, often, that you can hold or see or touch, so you can inspect the hardware, you can put trading standards in on it, and you can regulate the service as well, and consumers, if properly informed, can choose to pay more for security, and they can adjust their risk accordingly. Think of things, and so, you know, there were some really serious IoT-based attacks five, six years ago where people hacked hundreds of thousands of CCTV cameras. They were able to do that because the default password was "password", and if you spotted that, you couldn't change it because of the way they were built. So even if you were doing the right thing, you just couldn't change it
because you'd bought cheap stuff. In the UK, EU, Singapore, I don't know about Australia, it's now illegal to do that, and there are other ways of sort of viewing how you do, what sort of capabilities you buy. So that's the sort of second thing: think of the well-intentioned board and think, do they have the right information? Is the market working properly, and if not, how do you get it working properly so that they can know what to buy? The third thing, at the risk of slightly repeating myself, I do think we have to think about the governance of data, and, you know, this has been a reminder. And I'm not just saying, you know, coming from a country which, although no longer in the European Union, is still governed by the General Data Protection Regulation, so if you like the world's flagship data regulation, you know, I think it's interesting. I'm not going to be polemical or ideological about GDPR; I think it's just interesting to look at the lessons of something like GDPR. So in a good way, it completely removed the previous practice of cover it up and hope for the best. It just changed the legal balance around that, and that was very, very common where I grew up, you know, cover it up and hope for the best, and now that you just said that's not worth the risk. So it forced people to take data governance very, very seriously. On the other hand, because it wasn't sort of holistic, it meant that, and if you look at for example again the Irish healthcare system, until personal data was, so the whole healthcare system for the entire state was wrecked, and because initially it didn't violate any data protection laws, there were no regulatory penalties or incentives for it. As soon as personal data was in place, a whole tonne of, so you can see the mismatch here between: we did data regulation, so everyone stampeded towards well-governed data, and the whole set of other risks that you didn't do. So you need to sort of think through it holistically. So we need to think through data governance, data regulation, but in
the context of other risks as well.

And it would be remiss of me if I didn't point out, I think the ANU Professor Nick Biddle this week has put out a piece of research that says 90% of Australians are in favour of data protection regulation, so we know it's a topic that's in the mind of politicians but also in the public's mind. If I can take you to this well-meaning corporate board of Australia that you're painting: maybe it's a very policy, Canberra-heavy audience in the room with us, but there will be members of corporate Australia and broader society watching this recording, and we talk a lot in Canberra circles about the impulse to reach for that regulatory or legislative measure, but that's not the conversation in boardrooms often. If I was sitting in one of those boardrooms thinking, oh, we're talking a lot about law enforcement action against ransomware, we've got a ransomware task force, government's doing more to get serious about addressing cybercrime, we've got the smartest people in Australia in ASD, I might be thinking, well, what's my role in all of this as a member of corporate Australia? So perhaps could you shed some light there on the balance between what government's doing here, and it is doing a lot, but where that residual risk needs to be managed, and particularly if I'm thinking about the threat of ransomware, should I be waiting for government to ride in on its white horse and kick the offshore cybercriminals out of their safe haven lairs, or do I need to be doing something differently as well?

So it's a really interesting question, and companies have to take ownership of their own risks. And we do have this issue in the digital age, it's always been there but it's profound and acute in the digital age, of what I would call the privatisation of national security risk. So I'll give you a very simple example from the UK this year: a supplier that I'd never heard of, and most people had never heard of, that supplied some IT services to the National Health Service, it got
done over in a ransomware attack, and whilst the impact wasn't catastrophic, the 111 service, which is what you ring if you're not critically ill but you want some advice, and millions of people use it, plus some mental health scheduling services, just didn't work. So the government did step in a bit, and people were saying, why is the government helping this private company? It's because there are things which could constitute national security risk, including the provision of health care, that are predicated on private provision. Colonial Pipeline in the US is the classic example of this: a dangerous shortage of domestic gas for cars on the east coast of the United States, but all the decisions were taken by the private company. So there are times when the government's incentivised to help, and actually working out, and this was something that was so complicated to the point that we in the UK just abandoned trying to develop a detailed policy for it, was the precise criterion when the government should step in. There was a sort of sense in very serious cases of a shared risk; it was too complicated and too time-consuming to sort of precisely work out how to allocate the risk. But you could never take away a huge element of the risk from the public corporation. In fact, I remember, and I'm allowed to talk about this publicly by the company, I had a really interesting partnership with Unilever in the UK during my time in office, because although I suppose you could argue in the pandemic and lockdown they became more critically important, they sort of were proudly sort of saying, well, we're a big company so we take cyber risk seriously, but I'm not sure you should worry about us. We make canned soup and, you know, hygiene products; you know, other alternatives are available, you can cope without us. So they were a really interesting example of trying to, and this is why we worked with them, of trying to work out how to manage corporate risk in a situation where the government might not actually care or be incentivised to care. And there, you know, I think then it's worth thinking about, well, you know, if the government makes laws we will have to comply with them, but then I start thinking about, you know, what sort of discussion should you be having, what sort of policies should you be having at organisational level? And I know this is not a largely private sector audience, but it applies to the leadership of universities, it applies to the leadership and management of government organisations as well. There were two things that we tried very hard in the UK, with some success but, as ever, limited; two sort of conversations we would try to change. One is about the identification of risk. You know, you cannot protect everything all of the time, so you do have to work out what matters. Is it a piece of intellectual property? Is it a data set? You know, is it a connection to the controls of an operating system? Is it a combination of all of that? So what are the crown jewels, and what deserves special protection? You know, if you take the Optus example, you know, it's the distinction between the fact that there are maybe 10,000 passports and driving licences, which are much more valuable than the millions of other pieces of data. So, you know, have a sort of forensic discussion about what sort of risks you're carrying.

And then, and I feel really strongly about this, I don't often talk about culture, but I think culture is important here. One of the most dangerous things in the global cybersecurity ecosystem is the polite executive who's afraid of looking stupid. Right? I'm really serious about this. It's the board that says, right, you know, right, this cyber thing, oh God, it's all over the news, better take this seriously, okay, get me some cyber experts, come in, PowerPoint deck, this, this, this, this. You don't understand a word of it, but you're afraid of looking stupid. I've seen this so many times, less so in recent years, but I used to see this all the time, and they'd say, right, okay, yeah, go and do that, yeah, we'll have that programme, this. That's terrible, because you don't understand the risk. My favourite anecdote about this: I opened a security operations centre in a major infrastructure plant in the UK, I won't say which one it was, and went in, and there was one of those, you've probably seen them, huge maps, digital maps of the world, with what we call the pew-pew part of cybersecurity, you know, this sort of dot zinging all over and somebody's attacking somebody else. And there's this brilliant young analyst in his mid-20s; I'd been talking to him about all sorts of really interesting things, he really knew his stuff. And I said, right, and pointed to this map, and something from the Kingdom of Jordan was firing something at the Republic of Chile, and I said, that point there, what does that mean? And he just laughed and he said, you know perfectly well, sir, this stuff's just here for the tourists and the top brass. You know, and that is, that's bad cybersecurity, right? Don't buy the map that you don't understand. Don't buy the dataset or the dashboard you don't know how it works. Have the conversation. And actually, for the information security professionals, don't trade on other people's ignorance. And, you know, if you think you've presented the risks to the board and they don't understand it, so you've got away with it and it was quite an easy meeting, you'll repent at leisure from that point of view. You need them to understand what risks they've accepted, what budget they've given you to do what, and what capabilities and risk reduction they think they've bought from that. And if you don't understand it, just extend the meeting or reschedule a different one. And I think those things are really important. Boring, good. Pew-pew maps, bad. Meetings in plain English where you come away with an understanding of risk and what you've done to mitigate it, good.

At the risk of getting a little bit philosophical, we're talking about risk, and you're saying, I'm a corporate board, I'm
going to think about what my crown jewels are. But it occurs to me that sometimes what a corporation thinks its risk is, and its most, let's say its most high-value assets, preserving shareholder value, keeping the lights on, etc., doesn't always perfectly map over onto what the national interest is. And I'm thinking, for example, a cyber risk like the likelihood and impact of nation states hoovering up data sets and then using that big data in a way that's adverse to Australia's national interest. Now, if I'm just seeing a thin slice of that sitting inside corporate Australia, I might not value that risk or see its impact in the same way as, say, the national security community in Canberra would. Do you have some thoughts on how and to what extent corporations should take into account the national interest, and, assuming that they won't or they can't, how do we as members of the national security community help them understand the nuance there, whether that's through regulation or education?

So I think I have precisely two points, and they're based on real examples, and just sort of remember them: one's about BT, British Telecom, and the other's about the University of Oxford. So the one on BT essentially is about regulation, because there are parts of this conversation, and you're right, Catherine, to root it essentially in philosophical terms, there are points in this conversation where it then is ultimately sensible to reach for regulation. So again, a conversation that we're allowed to talk about in public: the National Cyber Security Centre, as you might expect, had a pretty close and multifaceted relationship with British Telecom, with BT, on a number of levels, and we did this precise exercise with them in a really collaborative spirit. We said, here are the 10 things that the government most cares about in BT; can BT do the things that they most care about from a purely commercial, shareholder value point of view, and we'll see which ones match. And so some of them did, but actually at that particular point in BT's commercial history, and it's not a joke, it wouldn't be the same now, but at that particular point the most important thing for BT was the maintenance of BT Sport's ability to broadcast, because they'd bet the farm on the expansion of their sports coverage, right, online. Now obviously, from the point of view of the government and national security, I couldn't give a monkey's about BT Sport, right? But that's what they were geared up to do. So you ended up then having a conversation where, you know, and we had a conversation, I ended up in 2018 chairing a meeting of the chief execs of all of the major British telcos where we had the BT-type conversation, and they said, look, the time for asking us nicely to do things that you think are important for national security, it's run out of road. You've got to bake it into the regulatory system, because if I do it and my competitor doesn't, you know, it doesn't make any sense. And that ended up in a telecom security bill that's currently in its final stages of clearing Parliament. So there are times, and that was, I think, a reasonably good way of having that conversation, where they said, look, if you want to do this, and we support it, but you have to make it a level playing field, and that means regulatory reform. So that was the example.

The Oxford thing is a bit different, and, oh yeah, it's a university, but it's not, but, you know, I'm trying to, I could think of other private company examples, but this one is so stark, and it's about the change in risk profile. So BT was always going to be, as the principal telecommunications company in the country, it's always going to be strategically important. But in 2020, and that was the year where I made the transition, first half of the year in government, second half at the University of Oxford, and also, you know, the pandemic, that year a little-known part of the University of Oxford, slightly run-down building, not particularly up-to-date IT, but a small number of absolutely brilliant people, known as the Jenner Institute, became globally strategically important all of a sudden, right? So nobody was terribly interested, maybe a few IP, intellectual property, hackers were interested in some other previous stuff, but all of a sudden these people were strategically crucial to the development of what became the Oxford-AstraZeneca vaccine. So then, you know, you can't have a regulatory framework that predicts that. I mean, maybe you could, you sort of designate things, but that's where, you know, the openness of the relationship, one of the, you know, NCSC, ACSC sort of founding principles, is you have to have something which is essentially a deal, where you rely, and this is generally true in the UK and certainly from what I know of Australia it's true in Australia, you rely on essentially the sort of good citizenship, patriotism and common decency of most business leaders, who will, as long as you present a sort of friendly, competent face to them from the government, they will say, look, you know, I'm not sure what to do about this, and we can then take a view. And you have to have that, and this is one of the weaknesses of the old system, when it was behind the wire and you couldn't contact anybody. You have to have things that are adaptable to that, and then maybe over time, if, you know, there's, and go back to the BT case, maybe you do have to change the law in the long term, but you have to have that discussion. And the deal is the government needs to be friendly, competent and treat it confidentially and sensitively, and the private sector, the deal on that side, is don't sue the government if you think other people are getting help. And that is really, really damaging. You know, when I think of one of the things that I think allowed us to make some progress that wasn't available to the United States was, if you take sort of the general sharing of information, I don't mean all that sort of systemic, you know, put everything into a common pot, but just the sort of dialogue with government, the
Americans tied themselves up, and not for completely understandable reasons, for years trying to get legislation through Congress to provide indemnity for people who shared information with the government, or with other members of their sector, from legal jeopardy. And in the UK it just wasn't a problem, and therefore that made life in the UK, and this sort of thing, so much easier, because we just said, we would have meetings with the big banks and would say, look, as soon as one of you sues us, or sues each other, for working with the government, all of this stops. But any one legal, you know, the first legal letter, we just walk away, we cannot do this. And, you know, they bought into it. So I would, there's something there about a deal between sensible leaders in both public and private, and the benefits of not an overly litigious society.

Yeah, no, absolutely.

And, you know, there's only a certain amount cyber security government leaders can do about that, but we were blessed in the UK with reasonably pragmatic business leaders who wanted to do the right thing.

I'm going to take the indulgence of one more question for myself, and then we'll open up to the floor, and that is to take us to Russia-Ukraine. And I know this is something you've been watching really closely; you've made public comments, you've put out a lot of interesting articles to help us understand this. And I wonder, and you've already alluded to it this morning, but I wonder if you can share with us a little bit your thinking about the role of cyber in that conflict. You've already told us it wasn't the one decisive domain as some anticipated, but I don't think many anticipated that it would be, because no domain is ever entirely decisive in war. But also if you could put that in comparison with what we think might happen in the future. Imagine a crisis or a contingency in our own Indo-Pacific region here, as we often do, and we certainly do more than we ever have in the past. What role might cyber play in that conflict, and how might it actually be different from Russia-Ukraine, in the sense that we don't want to always be fighting the last war and thinking we've solved cyber because we saw how it played out in Russia-Ukraine? There may in fact be differences in future conflicts; what should we be prepared for?

Okay, so this is very complicated and contentious stuff, and I think when you're discussing this, any aspect of the Russia-Ukraine war, we should always have the caveat that, you know, for big strategic lessons it's too early to tell, you know, universally, if you like, on all aspects of it. I think I'd make three points. The first two sort of depend on the audience, if you like, and depend how sort of technical and geeky it is versus how sort of generalist, geopolitical it is. So the first point, briefly to recap what I already said: you know, there was this widespread commentary, including from, you know, serious people and governments across the world, of the catastrophic threat, which, as you say, Catherine, was never likely to materialise in that way. You know, there wasn't going to be, you know, wholesale disruption of every aspect of life in major economies at national level all at the same time, you know, sort of shutdown of normal, but that was predicted. So that leads me to the second point, which is then, when you get into very technical, geeky, you know, audiences and discussions on cyber security, they say to people like me, no, you're misunderstanding this, you know, there's been a lot of cyber in the conflict. And that is true; it's just not been the type that, you know, some more sensationalist commentary predicted. So to characterise it, there's probably been, you know, three aspects of it. One is a pretty, what seems to be, well-executed operation by the Russians against the satellite communications company Viasat, which gave the Russians, in an otherwise poorly executed start to the campaign, a considerable advantage, because the Ukrainians have said quite openly they found it quite hard to communicate amongst military commanders in the first days of the war. That's a big deal. You know, if you can time a sophisticated operation against Viasat, which is why Elon Musk came in with Starlink later, because Viasat wasn't working, and you can degrade Ukrainian military communications, you can see the utility of cyber in war if you have a well-executed campaign and you time it properly. There were then sort of things about intimidating Ukrainians, you know, harassing government websites and so forth; they've been doing that for years. I'm not entirely sure what the strategic impact of that was. And then there's just been this sort of massive information contest between, you know, and where Ukraine is giving as good as it's got, and a sort of army of volunteers and so forth that are doing things that are mostly of propaganda value rather than strategic value. So all of those things are very, very interesting.

So in terms of lessons for the future, I think there are things to sort of watch out for and things to be realistic about. The things to be realistic about are, you know, I think cyber will always be a sort of supportive capability rather than a primary capability. And, you know, what's been interesting is that after the war, from Putin's point of view, thankfully went very badly at the start, there were a few attempts to do, you know, quite sophisticated attacks, but they all failed, A, because the Ukrainian defences were far better and had been improved beyond all recognition since 2014, but B, because, you know, you can't put these things together quickly. You know, when the Russians attacked the Ukrainian energy grid twice in 2015, 2016, those operations took 18 and 31 months respectively from conception to execution. You can't do them in two weeks, as they tried to do, and they were rubbish, right? So, you know, there's a thing there where, you know, and this applies when we're thinking about our own offensive capabilities, you know, cyber is not a red button that you can suddenly just say, right, we're going to point it at that, etc., etc. So it's interesting, when Putin was cornered at the beginning of last month and started to lash out, he lashed out with actual missiles, not cyber attacks. So there's a thing, so, you know, we're not going to have our magic red button that will neutralise adversarial capabilities. In the words of General Sir Patrick Sanders, the head of the British Army, you know, you can't cyber your way up a river. But so we need to be realistic about that, but we have seen through the Viasat hack that actually it can be a very, very powerful tool when specifically, surgically sort of planned and executed in a military campaign. The final point, and I'm sort of slightly careful about this in public forums, the final point is there are things that the Russians could have done that were better reflective of some good capabilities. So if they had planned more Viasats in advance, you know, it could have been a lot worse. And secondly, for whatever reason, and, you know, even notwithstanding what's happening in Australia now, just the general chaos that you can cause in cyber, not through devastating attacks, you know, of the Viasat type, but just by, you know, ransomware everywhere and all that stuff, that hasn't happened to the extent that it might have. So the things to watch for, for any future conflict, are, you know, beware having more than one Viasat-type quality attack, because that's really quite difficult to counter, because it's, you know, it's pretty technically accomplished stuff. And secondly, you know, there is, whilst it wouldn't be total paralysis of national life, there is potential in a future conflict for just, right, you know, a rogue leader to say to a bunch of unsophisticated hackers, just go and do what you can to that country and cause as much disruption as possible. It won't kill anybody, but it'll make things very unpleasant and uncomfortable. And those are the sorts of things we need to watch out for.

And I assume there's a psychological
element there. I think definitely we focus on the material aspects and forget about the psychological, morale factors and qualities of war, which, to your second point there around DDoS of websites and disruption, surely that has to be part of the strategic calculus there; it's demoralising if nothing else.

Yeah, so I mean there is something in these conflicts, and the Russians have, you know, been reasonably effective at exploiting this, about trying to undermine people's confidence in the competence of their own society, in their own authorities, and there is something we've got to watch out for in that quite significantly. Also, that's the thing we've got to watch out for in peacetime, you know, it's happening all the time. But it does come back to this agency point: there are things we can do about that in terms of defences, and there are things about that in terms of, you know, the public discourse we have. So actually, you know, I got, I don't like to say this now because I'm not in government, I got slightly annoyed in the debate about Russian interference in the UK. You know, there were legitimate criticisms, as articulated by a parliamentary committee, about, you know, whether or not the state services took this seriously; fairly enough, and, you know, I accept some of the criticisms there. What I think was dangerous about that whole narrative was there was an almost equating of intent with impact, and they're not the same thing. So, you know, some of the stuff, you know, that the Russians have done in, say, destabilising democracies, in the United States in 2016, you know, has been, sadly from their point of view, enormously effective. I mean, I'm not talking about whether it changed the outcome of the election, but the fact that six years on people in the United States are still arguing about the impact of Russian interference in 2016 made for, sadly, a very successful Russian operation. In the UK, Sir Alex Younger, the former head of MI6, and Duncan will know well, you know, has been really clear about this: some of the stuff they did was absolute rubbish. So it's right to disclose that it's there, but if we say, and Alex Younger has been really powerful about this, if we say, all right, the Russians were having a go at an election, therefore, yeah, it's all terribly unsafe, we are doing the Russians' job for them, we're doing the Chinese, we're doing the adversaries' job for them. If we allow, without actually credible evidence, if we allow doubt to take hold about things like the integrity of elections and political discourse and so forth, then they don't have to try very hard; they just need to launch a failed attack and all of a sudden we're sort of saying, oh, our democracies aren't as stable as we thought they were. No, we've got to actually have more confidence, look properly at evidence, have confidence in the strength of our own institutions and systems until proven otherwise.

And that's a fantastic full-circle point to come back to. We started talking about rhetoric and the penalty of catastrophising, and now we're talking again about rhetoric and the need to ensure trust is maintained and we don't do the adversaries' work for them. And at this juncture we have time for a couple of questions from the room. Michael Shoebridge, your hand was first up, so we'll go to you, and I think there's a roving mic that is coming on your left.

Kieran, lovely to hear you run through things, particularly with so many examples. I was going to ask you, how do you think the balance of cyber power is shifting and changing? Because I was struck by your comments about the more mature understanding of risk between government and private sector in our countries, and I just wondered how that fits with the logic of, you know, the all-powerful connected autocracies, particularly Beijing with its close but fracturing relationship with its tech community. So how do you see the balance of cyber power, and how's it changing?

So thanks, and I
see, Michael, that's a great question. And actually, partly because of what's happening, and because of what's been happening in 2022, not just these breaches, you know, we've talked a lot about stuff that originates in Russia and we've talked relatively little this morning about China. And I think the China thing is really interesting and probably in the long term, despite all the horrors of 2022, much more consequential. Every British senior security official that I know claims ownership of the phrase that when it comes to technological security, Russia is bad weather and China is climate change, because it's a really neat way of putting it. And, you know, Russia is hacking America's internet; it doesn't have its own. China has its own. And you're right about the fracturing relationship with the tech companies, because, you know, I think it used to be more complicated than it now is, because, you know, I personally think we are pretty much past the point of no return in terms of the split, you know, the split internet, the evolution of two technospheres, one US-led, one Chinese-led, that was already necessitating the more or less complete co-option of China's tech companies by its government, which, you know, used to be a matter of interesting debate and now, I think, you know, it's much less interesting because it's much more monolithic. The Biden CHIPS Act, we know it's only, what, a month old, and so it's not really operational yet, but if it works out as planned, you know, it massively accelerates this process. So what does that mean for us? I think it means, firstly, we are now in a very different phase, and it's a very different set of problems, because it's not just about securing our own networks, although, I'll come back to that, it's actually about, you know, which model is better, which model works better, which model persuades the rest of the world to adopt it, which leads to more economic growth. You know, it's essentially a race, and you can see that, you can see in the Biden CHIPS Act, you know, a pretty straightforward strategy to increase the pace of America in the race and slow down the pace of China, and it does involve sort of major disruption. So that's where we're at.

I think it means two more things. One is that, you know, concepts of, I won't call it cybersecurity because it's way broader than that, but concepts of, you know, resilience, sustainability in the technological world are now much, much harder. When I look at the challenge from China, I almost hark back with nostalgia to the days where all we had to worry about was the 3PLA firing stuff at us in a pew-pew way, because although they could be quite good, conceptually dealing with that's quite simple: you just try and get some capabilities that mean that you have more good days than they do. That's it, attritional stuff. Now you're talking about, you know, I mean, things like the 5G controversy, at its heart, was the collapse of the Western technological industrial base. You know, the problem wouldn't have arisen if, whatever the rights and wrongs of various decisions, which I won't go into, whatever the rights and wrongs of various decisions, the heart of the problem was the fact that, you know, Western industrial capability collapsed. How you do that, how you safeguard that across democratic market economies, is a really, really tough problem. You know, if you think of a NATO summit, you do a security agreement, there's a standing bureaucracy there and you tell a bunch of defence ministries to go and cooperate with each other. When you do something like the G7 2021 declaration on, you know, working together to keep technology free and open, what happens bureaucratically, what action? You know, economic departments, trade departments aren't configured to do this sort of thing. But so we need to rethink that. Then the final thing, to link it back to this conversation, Michael, is that if we're going to have two technospheres, it's absolutely vital that we maintain public confidence in the security of our own, and that does bring you back to boring matters of network security and making sure that people aren't getting letters, emails every week saying your data is gone, people aren't turning up at shops where the tills don't work because they've been ransomwared, etc., etc. So I think, you know, we're in a new era; technological sustainability and resilience and security's got a lot more complicated.

Got time for one more question, and Fergus, all right, too long an answer. Fergus, you also had your hand up before, so we'll go to you.

Great, thanks, Catherine. Thanks, Kieran, it was a great presentation. I assume your ears might have pricked up when the Minister said that she wanted Australia to be the most cyber-safe place in the world, given that the UK also wants to be that. And I'm just wondering, given both countries would like to be the most cyber-safe, do you have any sort of tips on how you measure progress in this area?

Well, it's really interesting, because Duncan very kindly mentioned the ITU survey, where we went from eighth when I started to first when I finished; we're now back in second, but, you know, we were first when I left. The US
took over. I think it's a really immature issue, and, you know, given that I'm in a university and I'm working in a university, I think we can say more research is needed. Because actually one bit of research, one bit of PowerPoint you could do in half an hour, and I know the main measures, is you can get spectacularly different results on this if you're measuring different countries. So the ITU is essentially about preparedness. One of the weaknesses of the ITU thing is you get a point for having a strategy; it doesn't matter if it's any good, you get a point for just having one, because if you go back ten years lots of countries didn't have one. You get a point for having an institution such as the ACSC, because lots of countries didn't have them. You look at all the ones that are about incidences of malware; they lead to completely mad results, like apparently at one point Rwanda was the safest country in the world, and, you know, it didn't adjust for things like mobile phone take-up, etc. So there are wildly varying ways of doing this. I think there are some technical measures, such as, you know, that we've relied on in terms of trying to measure our own progress, in terms of things like prevalence of maliciously hosted websites, level and extent of data breaches, etc., incidences of ransomware. So there are very sort of harm impacts, there are very sort of, if you like, digital health measures and so on, but I do think it's something we should be working more on. And in particular, I don't just mean it for the sort of satisfaction of working out whether, you know, Claire or I, if we ever, in the Minister, if we ever end up in five years' time with this gig again, who won it. It's also, you know, it's really, really important for things like insurers. You know, if I'm getting this to work properly, you know, if a company says, right, we've put in place this set of reforms and we've bought these capabilities and this is the way we're now working, well, how does that then translate into, you know, a healthy incentive, by way of a lower premium, in a way that's going to make the market work well? So I do think one of the things we should be focusing on, again, it's quite boring, it's quite technocratic, is those measures. You know, you talk to politicians, I've talked to some legislators across the aisle here in Canberra yesterday, I've talked to UK politicians over the years, you know, there is a point where sometimes politicians will say, well, you know, show me what we got for this public investment, and at the moment I'm not always confident we know how to answer that as robustly as we should.

Fantastic. I've learnt a lot this morning, Kieran: that boring is better, that we need to be able to measure things and their impact, regardless of what it is, so that we understand how much damage is being done to us and whether our counter-responses are appropriate, as well as the pessimistic assessment that we've lost the Western tech industrial base, which we can get back, which was exactly how I was going to close, to say that, and we've got to work hard with our partners, including the UK, the US and others, on absolutely getting that back and making sure that that tech sphere you were talking about brings our other partners in our region along as well, which is something we didn't cover but I know is critical, and a critical conversation in Canberra but also at the ANU as well.