Risky Business - Feature interview: Australia's Cyber Security Minister Clare O'Neil
Episode Date: July 26, 2023
In this interview Patrick Gray speaks to Australia's Home Affairs and Cyber Security Minister Clare O'Neil and NCSC founding director Ciaran Martin about the government's upcoming cybersecurity strategy, releasing the hounds and more.
Transcript
Hey everyone and welcome to this special feature interview edition of Risky Business. I'm Patrick
Gray and I got a call last week from someone at Australia's Home Affairs Department asking me
if I'd like to interview the Home Affairs Minister Clare O'Neil alongside Ciaran Martin, the
founding director of the UK's NCSC. They were both going
to be at an event and would have a bit of time to chat to me, and I've been trying to pin down
an interview with Clare O'Neil for a while, so obviously I jumped at it. So on Friday I spoke
with Ciaran and Clare for about 40 minutes and that's what you're about to hear today. So a bit
of background on Clare O'Neil to start with. She is the Home
Affairs Minister in the Australian Government and this is a position that would be referred to in
some countries as the Interior Minister, but she's also the Minister for Cyber Security and the first
Cabinet member to hold that position. The funny thing is, as the line from Clerks goes, she wasn't
even supposed to be here today.
Tim Watts was the Labor Party's shadow cybersecurity minister and was supposed to be the cybersecurity minister in the current government. But after the election, he wound up being shifted into the position of assistant minister for foreign affairs.
And Clare O'Neil was given the responsibility for the cyber portfolio. And so here she is in a portfolio she wasn't supposed to have
when all hell broke loose in the Australian cybers.
There was the Optus hack, the Medibank data breach and extortion attempt,
the Latitude finance hack, and so on and so on and so on.
It became a front and centre political issue.
And then something kind of unexpected happened,
which was Clare turned
out to be very good at being the cybersecurity minister, considering, you know, it's a discipline
in a field she didn't have prior exposure to. She also made a lot of fans in the InfoSec community
here for calling Optus out for using a very tired corporate PR response to its troubles.
And Clare called them out on the ABC's flagship current affairs show, 7.30.
Here's that clip.
Well, you certainly don't seem to be buying the line from Optus
that this was a sophisticated attack.
Well, it wasn't, so no.
She also embraced the Release the Hounds doctrine,
standing up a joint federal police and ASD team
tasked with disrupting
ransomware crews and high-impact cyber criminals. I'll give you less background on Ciaran Martin,
but he was indeed the founding director of the UK's NCSC and is consulting to the Australian
government as it develops its new cyber strategy, which is obviously a topic that we talk about in
this interview. So I'll drop you in here and I started off by
asking Clare, and before anyone gets mad, she did actually ask me to call her Clare. I started off
by asking her what we actually know about what happened at Optus and Medibank because the public
doesn't really have much detail on what happened in these incidents. But does the government know?
And here's what she had to say on that. And just a quick note before we get going, Ciaran and Clare were both sitting in front of a laptop to record this interview.
So the source audio wasn't, you know, splendid. I did feed it into Adobe's audio enhancer and it
did a good job, but this does sound a bit weird in a few parts. But yeah, here is Clare O'Neil
to kick things off. The Australian government is far more involved in national level cyber incidents than the
public probably realises.
And in fact, you know, a lot of your listeners would know, Patrick, one of the first phone
calls that's usually made by a company in distress is to the Australian Signals Directorate,
which is home to really, you know, the best cyber professionals in the country. So we know a lot, but I just want to address something really important here,
which is that should government be the only holders of that knowledge?
And one of the things that I really feel strongly with Optus and Medibank and Latitude and Ebsworth
and many other national events that perhaps didn't make the headlines so much, is that
these are not private events that affect private companies.
And one of the really amazing things about cybersecurity is the way that we see things
that would have been regarded as the domain of private sector companies now becoming very
much of public interest because they are holders of data or runners of
systems of national significance that are so powerful that if something goes wrong,
it is a national security incident. And that is how I would classify Optus,
Medibank, Latitude and Ebsworth. Yeah, sure, these are cybersecurity incidents in private
companies, but when you are holding personal information about literally half of the
Australian population, you own a data set which is not just of concern to you
and not just of concern to individual customers
but of national interest.
So I just say that one of the things we're thinking about
in the cyber strategy that we're developing at the moment,
which is trying to lay out a framework and a pathway
for Australia to become the most cyber secure country
in the world by 2030, which is my goal and aspiration for us.
Part of that is thinking about how we are going to make sure that we actually learn
from these incidents, not just so Optus can learn from their incident and have better
cyber security, but so the whole country can.
And bringing some more transparency to those conversations is something that's really
important to me.
I mean, that's specifically why I asked you about that.
My colleague, Tom Uren,
who writes a lot about government affairs for us,
has been banging the transparency drum very loudly
for quite a long time now,
because it's great that the government has some insight
into what actually happened in those cases,
but there is obviously a benefit
in sharing that information
with the wider business community
so that people might learn from the mistakes of others.
Yeah, yeah.
So, you know, at a principal level, 100% agree with that.
So I think there's some work we've got to do around post-fact cyber events
and how we can all learn from that.
If I can just mention something else that's really important
to how the Australian government's lifting its own performance
and management of these issues is the appointment
of the National Cyber Coordinator.
So that appointment was just made a few weeks ago
and we've got a really brilliant guy, Darren Goldie,
who's performing that task.
One of his main jobs is actually making sure that we as a country
learn from cyber events and they're not always just, you know,
events that occur against one company.
Sometimes you've got
a Log4j example or one of those where we're going to need to learn across the whole economy
on something that affects many businesses. But we don't really have a feedback mechanism at the
moment. What we've got is a cyber industry that kind of reflects the old school thinking about
cybersecurity, which is it's about individuals and companies, not about the nation and not about the economy
across the country.
And so Darren is working at the moment on how he's going
to make sure that we get really clear feedback for citizens,
for companies, for organisations on things that go wrong.
Like right now, if you just look at the Optus example,
they've done a review of what happened at Optus
that no one else is going to get
to read. And I'm just not sure if that's the best way for us to manage this issue.
Well, but it's also a difficult problem for a government to fix, isn't it? Because, you know,
if you start putting mandatory reporting requirements into law or regulation,
that can also have second order impacts that aren't great in terms of forcing companies to
reveal too much about, you know, how their networks are structured and things like that.
You know, it's something that sounds terrific, more transparency, but when you get into the weeds on it, it is actually quite complicated, I would imagine.
Yeah, yeah, it is complicated, but, you know, that shouldn't stop us.
Yeah, well, that's, amen. All right. I would say, Patrick, it's like just moving away from the somewhat controversial matter of specific cyber events
and what happened and who did what and when.
If I can just broaden it out, we actually don't have
a very good picture right now of the nature
of cyber security in our country.
So we don't have, we've got a voluntary reporting mechanism
through ACSC for when you're under cyber attack.
But what we know
from talking to individual companies is that this is a much bigger, more widespread problem than any
of the current evidence would suggest. So we've got National Australia Bank last year told us
they're subjected to 50 million cyber attacks a month. The ATO, the Australian Taxation Office,
subjected to 3 million cyber attacks a month. That is worlds apart from what are the publicly reported figures.
So if we don't have a real clear picture of what this problem is in our country,
I don't think we're going to be able to solve it.
So part of it is building that up and making sure that when things do go wrong,
we take those opportunities to learn from them because they are nationally significant events,
not just events for single corporations.
I mean, those metrics that companies tend to cite of, you know, 50 gajillion attacks
in over a certain period. I mean, those metrics tend to be quite problematic. I just can't,
you know, I can't move on without actually saying that, mentioning that because, you know,
quite often that might be, you know, alerts triggered by automatic, automated attacks and
whatever. It all depends how you define an attack. But nonetheless, there's a lot we don't know
and there's a lot we don't see.
Yeah, yeah, I agree.
Yeah.
So look, one more thing I wanted to speak to you about quickly.
Well, a couple of things quickly,
and then we can move on to talking about the strategy.
Obviously, there was the big announcement
in the wake of the Optus and Medibank stuff
that there would be a joint task force stood up,
which would consist of the Australian Federal Police cooperating with ASD to target and disrupt cyber criminals.
We've seen actions from the FBI and the United States since then.
They were probably doing more than they said,
but you were very much at the forefront of governments coming out and saying,
no, we're going to go kick some
teeth. Since then, though, we haven't had any follow-up from the Australian government saying,
well, here's how it went. We were able to do X, Y, Z. I mean, in the case of the FBI's disruption
of the Hive ransomware group, we got some detailed reporting on that. We got some transparency.
So my question is, what can you tell us about
the success or lack of success of this task force that was stood up in the wake of these events?
Yeah, thanks. So I think your listeners would have heard we've engaged the ASD and the AFP
in a proper institutional manner now in hacking the hackers, and what you're talking about there is correct.
The goal and objective is pretty singular
and that is to impose costs on people
who might try to do Australians damage.
So that project is going very well.
I mean, I get obviously really detailed reporting
on what it does, which I can't share with you
and I'm sorry about that.
It's just these are intelligence operations that are quite secretive.
I guess I'm just wondering why that is, because they are, as much as they are being conducted in concert with an intelligence agency, they are law enforcement actions.
And I understand that it would be difficult to find the right balance between secrecy and transparency on this.
But, you know, we have not heard anything really.
And it was an announcement that was made, you know,
with great fanfare and fair enough.
But when will we actually get to learn,
at least in a broad outline sense,
what has actually been achieved?
Well, I mean, I can provide a bit more information
into the public realm about it, Patrick,
but it's probably not
going to ever meet your potentially insatiable desire for detail on what these people are up to.
I mean, we can certainly talk about the resources that are going into that, and it is a very
significant effort, and it is going to be ultimately, I think, really meaningful for
the presentation of the threat for Australia. It sits up in my
mind alongside something else that we've seen that's really important, which is some very big
Australian companies refusing to pay ransoms when attackers have come for them. But, you know,
take the point there, we can provide a bit more transparency about what's going on. But,
you know, these are genuinely extremely professional world-class intelligence officials that are doing this work.
They are very busy and I'm really proud of their efforts. And let me see what I can do in terms of
giving a bit more specifics. Well, that would be wonderful. So let's talk a little bit now about
strategy stuff. Oh, actually, there was one more question. This kind of dovetails with the strategy
a little bit, actually. I'm not sure if you saw, but in the United Kingdom,
there is a new regulation coming into effect soon, which will make banks liable for fraud losses,
right? And obviously, there are all these operations. I mean, you know, you would probably
call them cyber adjacent. So these might be telephone scams and various, you know,
internet based scams, business email compromise, things like that.
Regulators in the UK have just said, that's it. From now on, banks are going to be responsible for these losses, which will force them to address the problem. And they are best, probably,
probably best placed to actually fix this issue. Is something similar being considered for Australia?
And I ask you this question knowing that this is perhaps outside
of your portfolio, given that it would be a financial regulation. Well, terrific. It is a
bit outside my portfolio, but thankfully, you know, other ministers and I are conversant
and do talk about these things. So the part of this that does belong to me is perhaps the more cyber security end of this conversation.
And one of the principles that we're using to drive the work that we're doing in the cyber strategy is trying to push responsibility for cyber protection onto the actors in the economy who can most manage them.
Well, this is why I asked this and said, well, it's kind of about the strategy, but not really.
Yeah, yeah, yeah.
So in terms of responsibility for fraud, not so much.
But you're right in that these companies do have much more power and control over this problem than the customers that they serve.
And we should be forcing them, I think, to take more responsibility for what goes on from a cyber security point of view on their networks. So one of the really important conversations that we've been having,
and Ciaran's here with me and he's been helping us a lot with this, is thinking about how we,
so the people in Australia who have more information about cyber threats are, you know,
the big providers of telecommunications, of banking, of other, you know,
big providers of infrastructure.
And they also have the most capacity to do something with that information.
So we're really having a good conversation with some large Australian companies
at the moment about what they believe their obligations should be
with regard to aggregating information about what's going on in cyberspace
and then acting on it.
So this is something that I think we'll, maybe I'll come back on once the cyber strategy is
launched and talk to you a little bit more about the specifics, but these are the sorts of things
that we're thinking about in the context of the cyber strategy. That's an interesting one to start
off with because, you know, something that keeps coming up when I've spoken to people at Home
Affairs about this is there's a lot of consultation happening in terms of what should be in the strategy
and some actually quite useful suggestions coming forward.
Yeah, I mean, hopefully more than even useful suggestions
and actual policies.
So yeah, we're actually kind of getting
to the pretty late stages of work on that strategy
and it is thinking about like a very diverse range of topics, but things spanning, you know, small business and how we're
going to help small actors in the economy confront these challenges over to how we deal with the
cyber skills problem. How do we create a better ecosystem for cybersecurity firms here in
Australia, which we, you know, very fervently want to support and grow. And then, you know,
one of the really big things is thinking about the nation itself. Cybersecurity is not a problem
that we are going to resolve by teaching every, you know, teenager and grandmother in the country
what two-factor authentication is. We need to get people to take responsibility for their own
cybersecurity, but there are lots of risks and challenges that they just can't manage themselves.
And so what are our expectations for what big companies should be doing in Australia about this problem and how can we make sure that they're properly laid out in
regulation and law and adhered to? Now, sitting next to you is Ciaran Martin, the founder of the
UK's NCSC, turned currently International Man of InfoSec Mystery and Potato Crisp Connoisseur.
Ciaran, thanks for joining us.
I just like cyber security celebrity.
That's my, you know, global cyber celebrity.
If there's such a thing, Ciaran, you're a bit...
Now, the Minister just mentioned that you are advising on this.
I wanted to ask you, though, and I think you're very well positioned to answer
this question, in that you have been exposed to regulations and government activities in a number
of different places. I imagine that Australia has both some opportunities and some limitations
in what it can do, given that by population we are such a small country. In your mind, how is trying to
construct a cyber strategy for a country like Australia different to, I mean, you know, the
United States has an awful lot of might in terms of being able to regulate a lot of the technology
industry because that industry is based in the United States. It also has massive procurement
power, which is a lever it can pull. But when it comes to Australia,
what are our unique strengths and weaknesses, do you think,
when it comes to being able to execute on a strategy like this?
There are a lot of strengths.
It is, by international standards, wealthy, highly digitised,
well-educated, English-speaking country.
It's part of the Five Eyes Alliance. It's got world-class, Australia's got world-class
security services, as the Minister's already said. It's got some brilliant
cyber security skills and talent, and a very credible set of agencies that are
hugely credible in the Five Eyes community. You know, yeah, it's not the US,
but that's, having dealt with UK public policy and cyber security for a very long time, you know, we
go through the same, every other Western country goes through the same problem of not being able
to regulate the main providers of the technology in that way. But you can
build partnerships, and of course, both countries,
the UK and Australia, have a deep and enduring security partnership with the US. I think,
frankly, some of the strategy, if I look at the pace with which Australia's developed the strategy
and the smoothness of it, it may not feel like that always, I'm sure, to political leaders.
I mean, the US have just published a strategy and we know, because
it's all, you know, recently out in the open, that's a really, really complicated process, because,
you know, the size of the US government has its drawbacks as well as its...
Yes, as well as its strengths. I mean, the US government is not known for being particularly agile, let's just put it
that way.
No. And, of course, so, you know, it can be, and I think, you know, the Westminster system
has its advantages in that, for example, if you're trying to do things, one of the big pillars that Clare's working on about improving the security of government and public authorities, you know, it's just smoother to mandate things, to develop best practice and so forth.
So there's an awful lot of things that Australia can do.
Also, I think actually, you know, the way the tone is being set in recent months
is really helpful.
I think right now, the way, I mean,
whatever led to Medibank in particular,
which I think is, for me,
is by far the most serious of all of the big incidents
that have happened here in the last year or so,
I think the world, I genuinely mean this,
owes Australia a debt of gratitude
for the way the country collectively,
the company, the government, the media, the whole sort of civic society held its nerve over the Medibank ransom.
Because if there was ever a temptation to pay up and try and make it go away, it would have been then.
I think if you're seeing now, we haven't talked about MOVEit and Clop and all of that. But we see, I think at the last count, I saw 378 organisations with 20 million personal data sets
in dozens of countries.
I mean, the first victim disclosed was the BBC.
I remember explaining on the BBC
and interestingly to BBC producers
who were booking me and so forth,
when the question about should you pay came up,
it was incredibly powerful
to be able to talk about Medibank and say, look, there's the data set and what Australia did. We all owe you
a debt of gratitude for this. Australia successfully devalued, literally devalued drastically, the value
of that data set as an extortion weapon just by the way it was managed, and saying, you know, very
clearly about how it would be, how the data would be dumped.
It would be on the dark web, not on the open internet.
The responsible way in which the discussion was had about,
you know, it's completely in the public interest for the media
to report on the severity of the breach,
but it's not in anybody's public interest for anybody to go there
and looking at individual data sets.
You made that point extremely powerfully, Clare.
And I think,
you know, the criminal thugs who did this, their bluff was called successfully.
Well, I think it goes beyond that. And as I understand it, there was limited, but,
you know, there was a vague hint of a bit of bureaucratic infighting when, you know,
the government was scrambling to respond to this. And that evaporated the moment that this group decided to publish the personal
details of women who had terminated pregnancies, and that was it. Everybody was on board at that
point. The government, all of its agencies, were a unified front, because collectively the entire
country just decided these people were assholes who needed a kick in the teeth. And I think that's
really, really powerful.
So then I was sent to the BBC, for example. So if Australia can hold its nerve over that, you can hold the nerve over a bit of payroll data, I
mean, quite simply, you know. So I think it was really, really good. Just to pick up on a
couple of the other points that have come up as well, I think it is transparency around a disclosure
of incidents. There is good practice there. I mean, I think you can, yeah, it is complicated, as Clare
said, but you can find ways of making this work without compromise, without being a sort of hacker's guidebook. I think
Ireland did that very well over its Health Service Executive. If you look at that report,
it's a really, really rich review for other organisations.
My colleague Tom is a massive fan of that report and has cited it multiple times.
It's brilliant. So you can do this. I do think that, you know, on the offensive side, you know, I mean, quite a lot of what
the U.S. does is not disclosed.
Occasionally, and that's because, you know, the FBI have been at this for a very long
time, you know, occasionally there's a big operation.
But, you know, the U.S. doctrine is called persistent engagement.
They do it all the time and they don't talk about it.
Well, but I mean, the targeting has
shifted around a little bit, and there's a little bit also, the tradecraft that they're using has
shifted, right? Because where it might be, okay, we take over a C2, now it's like, okay, we're prepared
to execute code, we're prepared to execute commands. Like, there has been, I think in one of their
botnet takedowns, they actually identified victims in the US and
then snail mailed people to ask them for permission before they removed malware from their devices.
And so there have been some changes there, but that brings up an important question for Clare,
which is, you know, what you did in terms of publicly announcing this sort of hackback policy
was, it was the first time we'd seen a political leader do this so unambiguously. Previously,
like as Ciaran points out, this is the sort of stuff that was happening. But more in the shadows,
a little bit quieter. You know, did you at that, at the point that you sort of made this declaration
that state resources would be employed in this way, did you, and it's a strange question, I know,
but did you realise the significance of that when you were doing it?
Yes, because the first six months I was in this role,
I feel like the country went through a complete transformation
in how we think about cyber security.
And I feel like because I happened to be the first cabinet minister with
responsibility for cybersecurity, I had this very special role of trying to lead what the new
approach needs to look like, given how fundamentally unprepared we were for Optus and for Medibank and
how profound the effect on the Australian community was. So I think I very much felt at the time that this was new.
And certainly, you know, when I look at the previous five years, say, I don't see a minister
ever having been as involved in cyber incidents as I needed to be in Optus and Medibank.
And I can talk a little bit about why that wasn't.
You know, Alastair MacGibbon, actually, as an advisor to Turnbull.
So it wasn't a minister in that case.
I mean, one thing we do have to credit the previous government for, though,
is the changes they made to laws that allowed ASD to be used
against criminal syndicates.
I mean, those laws were actually kind of important in these cases, weren't they?
Yeah, that's exactly right.
So I think there's some things that the former government did, which I would absolutely credit. I mean, it wasn't that nothing happened in cybersecurity. I think we were about five years behind when we took office. But I say that knowing that some important things did happen. Actually, Patrick, to your question before about how Australia and the US are different here. And
I just want to come back to what I think is actually our most unique offering to the world
in cybersecurity. And that is the ability of the Australian Parliament to regulate
in quite important ways about how we manage this problem. When I explained to my equivalent
ministers, even in the Five Eyes, about what the Security of Critical Infrastructure Act,
for example, allows me to do, allows the ASD to do,
they just about fall off their chairs.
Yes, you can compel them to do a certain act or thing,
which is the legislation.
And I love this.
And it is such a uniquely Australian thing
when there's pushback from industry and then they say,
no, we're just going to write a rule that says we can compel you to perform a certain act or do a certain thing, and
that's going to be the wording of the bill. And it does make people fall off their chairs.
But I guess I would have, I could have done, I could have had some, I could have had some...
There's that. So when we, as you can imagine, of course, work a lot with our Five Eyes
partners, and we work in particular with the US, because they, you know, since the Biden administration has been in, they have so many incredibly senior people who are pushing, pushing, pushing on the security front.
So we work with them a lot.
And the way that I think about it is in a simplified way, the US has got procurement power that we could only dream of.
They are probably the only Western country in the world with genuine ability to reshape
the technology market.
They can't legislate in the way that we can.
Their system of government is just completely different.
And we think a lot as two countries about how we can use their power to get the outcomes
we need and for Australia, how we can use our laws to get things that they couldn't
possibly legislate for.
Just one thing, Patrick, that your listeners, for those of you that know the Security of
Critical Infrastructure Act well, it's important for me to explain to people how that was useful
and not useful in Optus and Medibank in particular.
So yes, the Security of Critical Infrastructure Act gives the government great powers to engage
in a cybersecurity incident.
The problem with the act is at the moment, the way that it defines a cyber incident is
just a technical event.
And once the technical event is over, basically those powers pretty much evaporate.
Which doesn't cover things like blackmail, I'd imagine.
Yeah, exactly.
Exactly.
And so I think this is, you know, like there's a number of very important conceptual shifts
in cybersecurity that have occurred over the past couple of years. One of them is just
how we think about cyber. Previously, this was the domain of, you know, people who knew a lot
about technology and it was considered a very niche technical area. Cybersecurity isn't really
about that anymore. If you think about the incident response role that I've played with
Optus and Medibank, the technical bit is like the first 10%.
The 90% beyond it is about logistics and government systems and how we're going to continue service provision for our citizens while systems are down.
And so SOCI is sort of, what walls and powers are we going to need
to deal with cyber incidents beyond the technical event
and how might we be able to make legislative reform
which helps us manage that better.
So I imagine this will be incorporated into the strategy.
When are we going to see a first draft?
Over the next few months.
We are working really, really hard at the moment,
very genuinely, and to Ciaran.
Ciaran Freestyns has a hard day.
I can verify that people I can independently bear it.
People are working extremely hard.
Sometimes the time zone difference in the UK doesn't matter
because they're working very late.
So it's a great thing.
Looking forward to it.
Yeah.
I have to ask you the question, too,
if you have anything to say to the people who are losing their minds
over the fact that $2.4 million has gone to KPMG
for consulting on the strategy, which seems to be controversial.
Yeah, I mean, I actually, the department decides about contracting and that sort of thing.
It's actually not something that I have power and control over.
All I can say is that this is a problem that is worth throwing a couple of million bucks
at.
Literally tens of billions of dollars.
I'm not kidding.
Like if someone wants to go through the agony of adding up the cost to government, consumers
and the private sector of one Optus Medibank latitude event, go right ahead.
But I think you'll find that whatever the cost of this strategy is going to be, it's
going to pay for itself hundreds of times over.
Patrick, just before we move on to other topics, I just want to quickly jump in on the ransomware
point that we went to a little bit earlier. I don't think that Australians actually really
understand as well as they could, Ciaran, the point that you made before about how significant
it was that Medibank didn't pay the ransom and how, you know, really, I don't think there was a
legitimate voice in Australia arguing that they should have paid the ransom.
And that was really significant.
We had such uniformity that these people were horrible human beings who should not get any
rewards.
And for people who aren't as close to these subjects, you know, so often in these ransomware
incidents, we have gangs or hackers who invest enormous amounts of time and money in ransomware attacks.
It's not like they just jump in one day and demand a ransom the next.
They're often on the network for months at a time, devoting dozens and dozens of people to the effort.
So the cost that we impose on them when we don't pay the ransom is certainly in the millions of dollars.
And it's very damaging for them.
They've just wasted so much time and energy and money.
So let me ask you just very quickly, you know, this is a thought bubble that tends to pop
up at a fairly regular clip: that governments should ban the payment
of ransoms.
What do you think of that?
I mean, personally, I don't think that's a good idea
because if we look at certain ransomware campaigns in the past,
particularly the example I always use is Garmin,
the wearable smartwatch and devices company,
which would not exist now if they didn't pay their ransom.
They even paid a sanctioned entity to get their computers back
because the situation for them was extremely dire.
But I definitely want to hear your thoughts on whether or not you would support a ban
on ransom payments, or a conditional ban, or, you know, just what's your thinking on that?
Yeah, so just before I answer your question, can I just mention quickly to you, just on
the Emsworth cyber attack that's sort of been in the news recently,
just talking with that company, they've publicly said
that they didn't pay a ransom that was demanded of them.
Just the actions of Medibank and the way that the country handled that
has basically created a pathway for Australian companies to not do it
and to know that that's the wrong thing to do and that there is a right thing
to do and that the public, in a sense, will kind
of incur some costs themselves personally to help the country in a situation like this.
So I think it's very important.
So on your point about ransoms...
But that's why I ask. I wonder if that sort of cultural moment means that outlawing
these payments isn't really considered necessary by the government.
I mean, that's exactly why I was asking.
We did a huge amount of consultation on this question as part of the cyber strategy.
And I have to say that it's pretty hard to find a credible person in Australia who believes
in an outright ban on ransom payments.
And Ciaran, I know you've had strong thoughts on this.
Feel free to disagree with me.
I'm very interested in what you have to say. One thing I would just say is I think there are a few steps, if we're
to look at that question, there are a few steps that we've got to undertake first. One of them is that
we do not have a picture of the ransomware problem in Australia at the moment. We don't have reporting,
compulsory reporting, of ransomware payments. We don't know how much people are paying in ransom
payments, and I think we need to do that.
I think a conditional ban is something we should keep an open mind to.
But I think the first port of call for us is let's try to understand what's going on
here, provide as much support as we can to companies to not pay ransoms, and perhaps see
where that gets us.
So first of all, to go back to Medibank, I think it was transformative, not just in Australia.
It didn't just give, as Clare said, a pass to Australian companies not to pay.
I think it was a global thing.
The underlying mood matters.
I think in terms of data extortion, I mean, when systems don't work and you are, you know,
a hospital can't admit patients, that's a different problem.
But when it's data extortion, I think, you know, it's been transformative, and that matters.
In terms of the public policy and should they pay, I think it's a really, really difficult call.
What frustrates me, and this is why I'm pleased at what's happening here,
what frustrates me, frankly, is that serious policy reviews haven't really been done in many countries.
I mean, the US just suddenly said, after it was pummelled in 2021 with Colonial Pipeline and JBS, you know, at a press conference in September '21, they just said, "No, we don't think it'll work." Whereas, you know, here there's a consultation,
there's analysis, and so on. I'm very firmly of the view, and not just morally but, I think,
practically, the government shouldn't pay. I noticed New Zealand has just said that, you know, as a
matter of policy, they didn't pay. UK public authorities don't pay. But that's quite interesting: why does it work for
government authorities not to pay? It's because government's big and it's got resources which,
you know, smaller companies don't have. So again, you look at the Irish healthcare thing. When they
held their nerve, why was Ireland able to hold their nerve? All sorts of problems leading up to
that attack, but actually they handled it quite well, because they said, "Right, we're a national
government, we're quite wealthy, we're going to hire everybody.
We're going to get all the experts in, and it's going to be more effective to get it back that
way, because we're going to bring in crowds, right, we're going to bring everybody else in,
and so on, we're going to bring in the army." And they threw everything at it. Now, a small company
can't do that. So the one thing I'm convinced of is that a standalone ban on private
entities, and nothing else, would not work. For it to work, you have to have
some sort of form of support mechanism, which may prove unduly costly and clunky and so forth.
So governments shouldn't pay, because governments can sort themselves out; they've got the resources
and wherewithal to do it. And I think one of the things we should learn from is how governments
actually get themselves out of trouble. So how do
you manage to get a network back up and running smoothly if you haven't paid? And government's
a good sort of test bed for that. So that's kind of where I am at the minute. I think that, practically,
on balance, it mostly won't work without a sort of package of support measures for affected organisations that we haven't
yet managed to develop, if that answers the question. Yeah, it does. Ciaran, do you have some
final thoughts for us before we wrap this up? So I think, just on the bit about the UK
and payments, banks being forced to effectively underwrite fraud,
as with all headlines it's worth looking at the detail of that.
So, you know, it's not...
So, for example, it doesn't cover this
awfully named pig butchering, you know,
where international scammers
research, you know, well-off individuals
and persuade them to part with investment.
It's about when well-known public authority brands
are spoofed and so forth.
And I think it will be interesting...
I think there's some scepticism in the UK about this regulation, you know, about the moral hazard of
it and so forth, and we still need to make sure we find ways of incentivising people to, you
know, ensure devices are up to date and that sort of thing, you know, the easy sort of new calls, and
also that organisations like the tax authority and so forth, because if you fall for a scam
of somebody pretending to be HMRC or the tax authority,
then you get refunded,
making sure they're still incentivised
to protect their brand.
I think that's really important.
But just, look, I think what's happening here
is really exciting.
I think, you know, in the UK,
sort of it's getting on for 10 years now.
We look very sort of closely at how the country as a whole did cybersecurity.
We asked some questions about, look, where's the bit that isn't working that the government can step in?
And part of that was about incidents.
And I think you're already seeing from Clare and her department and others, you know, a much more activist approach in that.
Where's the market not working
in terms of product security and so on?
I think there's huge opportunities there.
And I think with the US strategy,
it's actually quite a good time
to be thinking about these things
because the US approach is changing.
And as you've said in your questions, Patrick,
that really does matter.
And, you know, there is a cyber subset to AUKUS and all of that. You know, there is
a deep partnership between the UK, Australia and the US on these types of
matters, and if we can try and find ways of harmonising that, given that, you know, both the
UK and Australia are significantly smaller than the US, I think it could be really, really important. So I'm very optimistic about it.
Minister O'Neil, final thoughts?
Pat, just one thing I think I have really learned about cybersecurity since I've been in my job
is that the bit that happens after the cyber incident is often the bit that's not being done well.
And so we have thought long and hard about cyber incident response.
And the thing that I just could not fathom when Optus and Medibank hit was that we did
not have a workable cyber incident response function in the Australian government.
Like, knowing, as was known for many years, that a huge company could have a bust-up of this
size, there was no mechanism for the government as a whole to coordinate its response to
something as important and huge as that.
So that's something very important to me that we've kind of worked up a lot.
And you would have seen the national coordinator has started to run these big cyber exercises,
which bring together critical infrastructure providers, regulators, and everyone who needs to be in the room to talk about what do
we do if one of the major banks goes down in a cyber attack, how are we going to provide financial
services to citizens, and that sort of thing. So I think that's a really important thing that we're
doing that's underway at the moment. And the final thing I just want to mention is I have been so struck since I took on this job, what a unique asset the cyber security community itself is in
all of this. I don't think I've ever come across a stakeholder group where people are as problem
solving oriented, enthusiastic, excited, collaborative as this community of people.
And I meet them always in airports.
I always get stopped at airports by these people.
Well, I mean, oddly, I mean, you're popular.
Like I've been covering this stuff for 22 years, right?
And I've never seen InfoSec stan a politician before.
You know, it's, I mean, full credit to you for actually winning over a group of people
who are very hard to win over.
What I really do hear, honestly, mostly from people is they stop me and they say, we have been trying to get this problem on the agenda of our board and our senior leadership for 20 years.
And now it's there.
And for better or worse, seeing me is helping get it there, which I hope I am doing and I'm desperately trying to do. But one of the things I just see, like, I mean,
what's happened in Ukraine, and we haven't really touched
on that because we'll do that in our next chat, Pat,
but where do you find a sector where people just muck in?
You know what I mean?
There's such a vibe of national interest and contribution here
that's just so important to us solving this problem.
So I just want to say that to your listeners, Pat. I love this community so much, and I really want to work with you to try to make a
big difference to this problem if we can. All right. Well, Clare O'Neil, Ciaran Martin,
thank you both for joining me for this interview. It's been a lot of fun. I really appreciate your
time. Thank you. Thanks, Patrick. Thanks, Patrick.