Cyber Crime: Keeping identity data safe and secure

Release Date: 
24 April 2017
Speech

Good morning, I’d like to thank the British Chamber of Commerce for organising this important forum.

On 21 April 2016, exactly a year ago today, Prime Minister Malcolm Turnbull launched Australia’s Cyber Security Strategy.

The $230 million Strategy, its 33 initiatives and its key themes were heavily influenced by the UK’s experience.

  • In fact, Sir Iain Lobban the former head of GCHQ, was a member of our expert panel.
  • Consequently, there are striking similarities between our current strategy and the UK’s current and previous strategy.

And in cyber, like so many other policy areas, Australia and the UK have so much in common we can continue to learn from each other.

This is especially so in the cyber area, where if you are standing still you are going backwards.

We face the same cyber adversaries, share the same risks and share the same opportunities of the digital era. 

Earlier in the year, we saw both our governments brief their political parties on cyber security in response to developments in statecraft, which saw cyber used to influence democratic processes.

It was widely reported here in the UK that 2016-17 marked a “step change” in Russian cyber aggression.

And subsequent events - including the very recent public reporting on the compromise of managed service providers, allegedly by Chinese actors, indicates that cyber security is not going away.

Australia and the UK are attractive targets for state actors and cybercriminals due to our membership of the five-eyes, high use of technology and our relative wealth.

When it comes to cybercrime, the combination of technology and financial incentive means there are many people to target and large illicit profits to potentially be obtained.

Now more than ever, cybercriminals can reach into our lives through the multitude of connected devices we all hold in order to make an illicit profit.

Many of our citizens and businesses, especially smaller or emerging companies are most at risk because they don’t realise the value of their data.

Cybercrime is estimated to cost the Australian economy up to $1 billion annually in direct costs alone.

We have received more than 100,000 reported cybercrimes against individuals and business in just over two years.

A big part of this, is the lower perceived risk that cybercrime poses to organised crime.

Fortunately it is relatively rare now to hear of someone walking into a bank or even a shop with a weapon and demanding money, yet every day individuals and businesses are being hit with ransomware and phishing attacks to generate illicit gains.

Only a couple of weeks ago, I hosted a roundtable with small business where one individual spoke of a piece of ransomware that hit their legal firm.

  • These criminals asked for $AUD250, 000 to unlock their network.
  • It was just the right, calculated amount that the business concerned could pay it and still recover.
  • And so they did just that.
  • The criminals got paid, returned the information and then just moved onto the next law firm down the road. And did the same thing.

It’s a story that I sadly hear all too often in this role.

And always “In Confidence”. No one is willing to come forward and speak out about these criminal acts for fear of reputational damage. 

But it is occurring at such a scale and at such a cost that we must act.

Yes, keeping identity data safe and secure needs to be at the forefront of all businesses and

I encourage you all here to consider what cyber security measures you have in place– do you back up your data? Do you know where your data is stored? Have you restricted administrator privileges and what have you done to educate your staff on cyber security?

Education and awareness has a huge role to play.  But not only can we in government do more, we need to do more.

We would love to have a digital cop on every corner of the internet but that’s simply impossible, the internet is too vast.

But to steal a line from the UK’s National Cyber Security Strategy, we can be ‘secure by default’.

Here in the UK we have seen a shift from a policy focusing predominately on awareness raising and partnerships with business to address cyber security, to one of active cyber defence.

This policy shift was announced in the recent release of the National Cyber Security Strategy.  And it is one that we in Australia will also adopt.

Now active defence is a loaded term – it means different things to different people – so I will clarify what I mean.

Active cyber defence aims to disrupt malicious cyber activity using measures, such as blocking or diverting malicious traffic, to prevent problems before they occur.

It represents a step change from the current passive approach followed in Australia, which traditionally involves logging and monitoring to detect malicious activity as it happens.

Active cyber defence will combat high volume cybercrime, such as malware and ransomware attacks, that are all too common online.

It will minimise the most common forms of phishing scams, block known malicious IP addresses and actively stop ransomware before it reaches the end user.

Let’s be clear, it is not an endorsement of business and individuals taking the law into their own hands and taking action against cyber criminals.

Laws must be respected.

And I’m not saying that we should abandon partnerships with business in favour of active cyber defence.

In the age of interconnectedness - cyber security is a team sport. We must continue to work together to address our shared vulnerability.

As cyber exploits become increasingly sophisticated, we in government want to support the private sector to step up and provide their customers – both business and consumers – with products that reduce the risk of malicious cyber activity and gives users the choice to purchase additional security services. 

Just as we trust banks to hold our money, just as we trust doctors with our health, in a digital age we need to be able to trust telecommunications companies and ICT providers to protect our information from threats. 

There are more than 2.1 million small businesses in Australia and 93 per cent are connected to the internet. We no longer talk about the digital economy because the economy is digitalised.

I’ve met with representatives of Australia’s small business community and it is clear that being able to obtain additional security products through their internet service providers (ISPs) will help them manage cyber security risks. 

The private sector drives innovation and product development, not Government.

Industry must be empowered to design and implement solutions the public want while Government can provide expert support through its commitment to information sharing.

Telecommunications companies and ISPs can and should develop products which users can embed to build-in cyber security measures and reduce the risk of malicious cyber activity before it ever reaches the end-user.

I am not advocating that we should filter online content.

This would be a commercially-available product, which would allow users to embed a service to improve their online security.

It would allow users – many of whom do not have sufficient technical knowledge to know malware when they see it – to access services where their provider takes greater responsibility for security and gives the user peace of mind that they have reduced their risk of being exposed to malware and other malicious activity.

Technology should improve our online experience, like stopping SPAM emails and providing SMS authentication for your banking services.

The Government will work with businesses to provide enhanced cyber security services to provide greater choice for users who wish to protect themselves online because the Government also has a role in active cyber defence.

We will continue to work with business to enhance the identification and patching of vulnerabilities that online criminals are exploiting.

We will also enhance our scanning of government networks to identify vulnerabilities before the criminals do.  

We will look to see how we can better protect government employees from visiting sites known to be malicious.  Key learnings would be shared with the private sector and broader community.

We will improve the monitoring of data as it moves across Government networks to support an active cyber defence. This will enhance our ability to detect unusual activity and stop it in its tracks.

The Government will investigate existing legislation and, where appropriate, remove any roadblocks that may be preventing the government and private sector delivering such services.

We will continue to work closely with our UK counterparts in countering threats – including working collaboratively with the UK as it implements active cyber defence. 

Cyber transcends boarders.

Only by working together with business and with our international partners will we be able to combat cybercrime and enhance cyber security for all our citizens.

Can I conclude on another note.  As someone who worked in a previous life for the Australian Camber of Commerce and Industry, can I commend again the British Chamber of Commerce for holding this Forum.

Both Chambers of Commerce in the UK and Australia have a real opportunity in a post Brexit Britain to lead and drive a closer economic partnership between our two countries.

It is a historic opportunity and one that needs to be grasped. Just like we look forward to welcoming your cricket team to our shores later this year, we also look forward to welcoming a Free Trade Agreement between our two great countries in the near future.

Thank you