KEYNOTE ADDRESS TO COMMSDAY MELBOURNE CONGRESS 2022
16 MARCH 2022
I acknowledge the Traditional Owners of the land on which we meet, the Wurundjeri Woi Wurrung people of the Kulin Nation, and pay my respects to their elders past, present and emerging.
It’s great to be back speaking at another Commsday Congress, and to be talking to a room full of people once again.
With such a full house today, all of you obviously missed being at conferences as much as I did speaking at them!
It’s been two years since I last addressed a Commsday Summit in 2020, but we’ve managed to fit two decades of history into the intervening period.
The 2020 Commsday summit was just a few months into the Covid-19 pandemic.
I said then that the world won’t be the same after the pandemic and that we would divide the world into before Covid and after Covid.
As we are beginning to, tentatively, consider what our world might look like after the crisis stage of the Covid pandemic, it’s clear that we’re looking at a number of aspects of our modern society through a different lens.
Covid was THE great stress test of our national resilience - our ability to respond to adverse external shocks, to prepare for risks, to minimise human and economic losses, and to bounce back from harm.
It’s fair to say that our results in the face of this test have been mixed.
Our sector has delivered some of the high points of our national resilience during the pandemic.
Our reliance on the national broadband network grew exponentially overnight.
Our homes began doing double and triple duty, becoming makeshift offices and schools in addition to personal dwellings.
While Mum was on a Teams meeting with the office, and Dad was on a Zoom call with a client, and the kids were on Webex calls for their classes, and half the country was watching the Olympics on streaming services, our broadband infrastructure creaked under unprecedented demand.
But on the whole, it held up, thanks in no small part to the investments in the capacity of our national broadband infrastructure set in train by a previous government that was planning for the future, not just managing the present.
But the sad reality of the last two years is that Australia has been forced to confront the fact that from here on out, stress tests to our national resilience can no longer be expected to be rare and isolated crises, but rather will be increasingly frequent, interconnected and compounding.
In addition to COVID-19, the last two years have brought home the reality of what climate change will mean for our national resilience.
The Black Summer Bushfires and the Queensland and Northern NSW floods broke records, many of which were set just a decade before.
The global pandemic has also been accompanied by a dramatic worsening of geostrategic tensions, a trend that has seen its most extreme and tragic manifestation in the recent Russian invasion of Ukraine.
Each of these shocks – whether driven by the pandemic, climate change or worsening geo-strategic conditions – has challenged Australia’s national resilience.
We’ve seen the way external shocks can have cascading impacts in our increasingly interdependent and interconnected modern society and economy.
In this way, these shocks have threatened the viability of our critical infrastructure and national supply chains.
They’ve caused large scale losses of personal and commercial property, challenging insurance markets like never before.
And most importantly of all, they’ve resulted in large scale losses of life.
We can expect similar shocks to continue to hit Australia for the foreseeable future.
The hither and yonning days of the turn of the millennium are well and truly gone.
We need to confront this reality and start preparing for these shocks better as a nation and building our national resilience.
Telecommunications Infrastructure Resilience
A growing challenge for everyone in this room will be building the resilience of our critical telecommunications infrastructure.
I want to acknowledge everyone who has been impacted by the floods in New South Wales and Queensland as well as the emergency workers and members of the ADF who have helped in the clean up efforts.
It’s becoming an all too familiar pattern that our natural environment is pushing our communications infrastructure to its limits.
While we don’t know when the pandemic will be fully behind us, and with natural disasters set to only increase due to climate change, the time to start increasing the resilience of our communications infrastructure is now.
As Premier Dominic Perrottet acknowledged on Monday, a telecommunications outage during a natural disaster compounds the damage and hampers our emergency response.
At the height of the recent flooding, we also had over twenty communities that were isolated.
This means the residents of those communities had no fixed-line services, no NBN service and no mobile access, and were therefore unable to contact Triple Zero.
This left many communities feeling distressed, and indeed very vulnerable.
The floods were a reminder of how the challenge of keeping networks available varies depending on the type of natural disaster.
One of the key issues was being able to access sites to restore power, or to diagnose the network fault.
As flood waters cut off conventional transport routes, and took many days to subside, some mobile towers provided no service for between 5 and 7 days because their power could not be temporarily restored.
There is no doubting the genuine and significant efforts of the telecommunications carriers and the coordinating authorities during this very difficult time, and the front-line technicians, SES and ADF personnel who put themselves at risk.
It is often an impossible situation where everyone is doing their absolute best.
But what is also clear is that the community expects their telecommunications services to be more available, and more resilient, than they have been.
Clearly, more must be done to improve our responsive capability to access sites in the midst of natural disasters, and also our pre-emptive investments to embed deployable communications options in communities identified as high risk of becoming isolated during significant natural disaster events.
There is no silver bullet, but all layers of government, together with the telecommunications industry, must remain steadfast in seeking ongoing improvements, because these can be the difference between life and death.
The floods were also an important reminder about the benefits of passive fibre networks during floods.
The absence of active electronics in the access network provides one less point of potential failure, and relative to Fibre to the Node, and Fibre to the Curb, the benefits of passive full-fibre networks were apparent up the East coast.
And on the broadcast side, in 2020, both a Senate Inquiry and the Royal Commission into National Natural Disaster Arrangements (known as the Bushfires Royal Commission) heard evidence of the need for site hardening of broadcast transmission infrastructure.
During catastrophic natural disasters, emergency radio broadcasting can be the last line of communications.
Recommendations for site hardening included funding to clear fuel from around the sites, having backup power on standby, and having portable transmission equipment available to enable faster recovery of broadcast services.
Commercial factors determine which sites are hardened and there is a role for Government to ensure that sites with smaller population sizes in risk prone areas are resilient.
National Cyber Resilience
While our physical infrastructure will continue to be buffeted by the natural disasters that accompany climate change, the networks and systems that sit on top of them will be increasingly tested by the cyber attacks that inevitably accompany worsening geostrategic tensions.
While every organisation’s threat model will look different depending on a range of specific circumstances, the general cyber threat environment is now strongly shaped by underlying geo-strategic conditions.
As the geo-strategic environment has worsened over the past two years, so too have the cyber threats facing Australian organisations become more acute.
ASIO has described the threat of state backed cyber espionage in the current environment as ‘pervasive’.
Government networks are constantly being probed by state backed APTs seeking access for espionage.
And as a recent incident shows, in which a vulnerability in the animal tracking software USAHERDS was exploited by a state backed threat actor to gain access to multiple government systems in the United States, you don’t need to have a high profile to be a target.
Recent years have also seen state backed APTs increasingly using supply chain attacks, leveraging access to smaller firms with lower product maturity levels and less scrutinised software offerings as an attack vector to reach downstream espionage targets.
Ransomware groups too have begun to exploit this form of attack, threatening not just the confidentiality of information shared on these networks, but their availability as well.
Ransomware groups have long sheltered in nation states that lack the will or capability to take action on them within their own borders.
And a number of states now use ransomware gangs like the privateers of the 19th century, deploying them as quasi-deniable tools of statecraft.
In a geostrategic environment characterised by heightened tensions across multiple fronts, it’s easy to imagine a scenario in which these quasi-state backed ransomware groups became more active as relations between states deteriorate.
In this context, the ACSC, CISA and the NCSC have all warned of the potential for cyber-attacks on domestic organisations within their jurisdictions either as unintended spill overs from Russian cyberattacks against Ukraine or from a general deterioration of the cyber threat environment.
In an interconnected and interdependent modern economy, it’s possible for these attacks to get out of hand and cause a systemic effect, as we saw with the NotPetya wiper worm.
The former head of ASIO, David Irvine has warned that in the face of these threats
“We need... to have much more effort both by the government and the private sector and individuals into developing what I’ll call national cyber resilience to a far greater level than we have now”.
That’s why in May 2020, Labor released a discussion paper exploring the sources of Australia’s cyber resilience and how well prepared we were for the systemic risks of cyber-attacks.
An objective assessment of our national cyber resilience as it stands today would give a mixed report card.
We’d get high marks for the calibre of our Commonwealth cyber security agencies who are home to some of the world’s best technical talent.
But true national cyber resilience depends on more than who has the best offensive cyber capabilities.
National cyber resilience is a whole of nation endeavour.
Indeed, the Defence Mobilisation Review found that in modern conflict, many of the targets of state sponsored cyber-attacks will be civilian businesses or individuals.
National cyber resilience demands that we lift the baseline of resilience against cyber attacks across an incredibly diverse set of networks – public and private, large and small.
For instance, while the capabilities of our central agencies are world leading, the cyber resilience of Australian Commonwealth entities – our government departments and agencies – remains persistently low.
The Auditor-General has examined the cyber resilience of Commonwealth entities in six successive audit reports over the last decade.
Nearly nine years after the Australian Signals Directorate’s Top Four cyber security mitigations became mandatory for Commonwealth entities, less than a quarter of those audited by the ANAO were found to be fully compliant.
The government’s own Commonwealth Cyber Posture report identified that even entities’ own self-assessments of Top Four implementation “remains at low levels across the Australian government.”
This persistent failure to implement a crucial set of cyber security controls in the face of a worsening threat environment is a major vulnerability in our national cyber resilience that is crying out for leadership.
We see a similar pattern in the private sector.
Australia is home to a core of private sector entities with highly capable staff and very high levels of cyber resilience, principally in our financial services sector.
But you don’t need to move too far down the ASX50 before you confront organisations with disturbingly low cyber security maturity levels.
Over time, the government’s critical infrastructure reforms may move the needle in organisations that fall within the legislation’s remit but the cyber resilience of SMEs in Australia has been almost entirely neglected under the current government.
While the ACSC’s Small Business Survey found that 62% of SME respondents had been victims of cybercrime, almost half of small businesses spend less than $500 a year on cyber security and nearly 20% of small businesses spend nothing at all on cyber security.
It’s clear that Australian small businesses currently lack the time, capability and resources to make significant investments in their own cyber resilience.
In this context, Labor has argued that building National Cyber Resilience requires a new approach to cyber security policy in Australia.
We’ve argued that Government has an active role to play in building the resilience of Australian governments, businesses and NGOs and in mitigating threats before they harm vulnerable organisations.
I’ve spoken before about how I believe that there’s much for Australia to learn from the approach taken by the U.K. National Cyber Security Centre’s Active Cyber Defence framework.
This framework applies the resources and expertise of the NCSC to the challenge of “Protect(ing) the majority of people in the UK from the majority of the harm caused by the majority of the cyber attacks the majority of the time.”
It does this by trying to identify the most common types of cyber attacks, generally low sophistication, high scale commodity type attacks and deploying automated, scalable tools designed to mitigate them.
It’s sought to help first government, then NFP and lately private sector organisations lift their cyber resilience by offering automated tools like Mail Check, Web Check, Protective DNS and Exercise in a Box.
Under the framework of ACD, the NCSC has developed processes to actively identify and take down the supporting infrastructure of phishing scams targeting people in the UK.
Finally, it’s set up tools to engage the general public in building national cyber resilience through its Suspicious Email Reporting Service and Scam Message reporting services.
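The kind of check a service like Mail Check performs can be illustrated with a small offline evaluator of a domain’s SPF and DMARC TXT records. The block below is an added example written for this page, not NCSC code and not Mail Check’s own logic; it assumes that the core of such a service is checks of this kind (the DMARC p= policy and reporting address, the SPF “all” qualifier and lookup count). The domain names and records are constructed for the example rather than fetched from DNS.

```python
"""Mail Check-style assessment of a domain's SPF and DMARC TXT records.

Added illustration only: not NCSC code, and no DNS lookups are made.
The records below are constructed for the example.
"""
import re

# Constructed sample records for hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "example-good.test": {
        "spf": "v=spf1 include:_spf.example.test -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example-good.test; pct=100",
    },
    "example-weak.test": {
        "spf": "v=spf1 ip4:203.0.113.0/24 ?all",
        "dmarc": "v=DMARC1; p=none; pct=100",
    },
    "example-missing.test": {
        "spf": "v=spf1 a mx +all",
        "dmarc": None,
    },
}

# SPF mechanisms that cost a DNS lookup (RFC 7208 s4.6.4 caps these at 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:/=]|$)", re.I)


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of findings for a DMARC record; an empty list means acceptable."""
    if record is None:
        return ["no DMARC record published: spoofed mail will be neither rejected nor reported"]
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record does not start with v=DMARC1 and will be ignored by receivers")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; it does not stop spoofed mail being delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine is a reasonable step; move to p=reject once reports look clean")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail flow")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are never received, so abuse goes unseen")
    return findings


def assess_spf(record):
    """Return findings for an SPF record; the qualifier on 'all' is the key check."""
    if record is None:
        return ["no SPF record published"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1 and will be ignored"]
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return ["no 'all' mechanism: unlisted senders are implicitly neutral"]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    findings = []
    if qualifier == "+":
        findings.append("+all authorises every host on the internet to send as this domain")
    elif qualifier == "?":
        findings.append("?all is neutral: SPF gives receivers no basis to reject spoofed mail")
    elif qualifier == "~":
        findings.append("~all is a soft fail; -all is stronger once legitimate senders are listed")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the 10-lookup limit (permerror)")
    return findings


def assess_domain(domain, records=SAMPLE_RECORDS):
    """Combine SPF and DMARC findings for one domain from the constructed records."""
    entry = records[domain]
    return {"spf": assess_spf(entry["spf"]), "dmarc": assess_dmarc(entry["dmarc"])}


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        result = assess_domain(name)
        status = "OK" if not result["spf"] and not result["dmarc"] else "ACTION NEEDED"
        print(f"{name}: {status}")
        for kind, items in result.items():
            for item in items:
                print(f"  [{kind}] {item}")
```

Running it reports the first constructed domain as acceptable and flags the other two: a neutral ?all and a monitor-only p=none with no reporting address, and a +all that authorises any sender alongside a missing DMARC record. A real service would retrieve the TXT records over DNS and track the findings over time; the scoring logic is the part shown here.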
I’m pleased that since we began talking about the potential of Active Cyber Defence in Australia at the beginning of 2020, the Australian government has implemented some aspects of an ACD approach.
Elements of ASD’s Cyber Enhanced Situational Awareness and Response package and Telstra’s Cleaner Pipes offering have been welcome steps in this regard, but there’s more that can be done with genuine government support and engagement.
If you’ve worked in telco and IT for a long time – like I have – you’ll quickly become immune to the waves of buzz words and hyperbole that regularly wash through the industry.
I can remember attending one meeting at a major telco a decade or so ago where an old hand at the company had attempted to tally up the number of “revolutions” that the company’s marketing department had declared during his time there.
Noting that the definition of a ‘revolution’ was something that ‘overthrew a social order in favour of a new system’, he thoroughly enjoyed running through more than a dozen ‘revolutions’ that had supposedly been delivered by the company, before really sheeting home his point by finishing with the marketing collateral for the mobile phone ring tone revolution.
The point is, it’s easy to get caught up in the hype in technology industries.
But even the most jaded cynic would concede that the last two years have seen a series of revolutionary changes in our society.
While we saw two decades worth of take up of remote services in two years during the pandemic, I think we’ve also seen a slow burn revolution in the way societies think about the risks of shocks like pandemics, climate change and geo-strategic competition.
Over the last two years, the public has grown to expect these shocks to occur with increasing frequency and increasing intensity.
But as part of this, the public has also grown to expect the institutions of our society, governments and businesses alike, to plan for these shocks.
Make no mistake, resilience isn’t just a buzzword that will wash through the industry and be forgotten.
For better or for worse, it’s going to underpin all of our thinking for the foreseeable future.