House debates
Tuesday, 19 November 2024
Bills
Cyber Security Bill 2024, Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024, Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024; Second Reading
8:00 pm
Tim Watts (Gellibrand, Australian Labor Party, Assistant Minister for Foreign Affairs)
I'm very pleased to take the opportunity to speak on the Cyber Security Bill 2024 today. I first raised the issue of ransomware in this parliament more than seven years ago, in 2017. It has long been an area of interest and concern to me—including during the last parliament, when I was the shadow assistant minister for cybersecurity. I should also acknowledge that it's an area of interest for others here in this chamber today. In that term, I introduced a private member's bill dealing with these issues, the Ransomware Payments Bill 2021, which would have formed a policy foundation for a coordinated government response to the threat of ransomware.
As Assistant Minister for Foreign Affairs, I was pleased to work with the then cybersecurity minister, the member for Hotham, on the international chapter of the 2023-2030 Australian Cyber Security Strategy, launched in November last year. This recognised that the evolving challenges of cyberspace required us to work with our international partners to uphold international law and norms of responsible state behaviour in cyberspace and to impose costs on bad actors that make cyberspace less safe and less secure. The strategy sets out how we will improve cybersecurity, manage cyber-risks and better support Australians and Australian businesses in cyberspace. This includes reinforcing our cyberdefences; strengthening our resilience, or our ability to bounce back from cyber incidents; deterring and responding to malicious actors; and working closely with international partners—reducing the returns to bad actors targeting Australia with cybercrime and increasing the costs to them of targeting our businesses.
This bill delivers on measures promised by our government in that strategy. It takes necessary steps to ensure that Australians and Australian businesses can enjoy the full benefit of the internet, while keeping us safe. There's an urgent need for this bill. The previous government did little to address these threats. When I introduced the private member's bill on ransomware from opposition, the Australian Cyber Security Centre had identified ransomware as the greatest cyberthreat facing Australian business, but the current Leader of the Opposition—the previous home affairs minister and defence minister—has never even used the word 'ransomware' in parliament.
Last year, ransomware was still the most destructive cybercrime threat to Australians, causing up to $3 billion in damages to the Australian economy, and ransomware attacks are only becoming more prevalent in our world. This bill will lay the foundation for a co-ordinated strategy to fight ransomware. It will introduce a mandatory reporting obligation for entities that are affected by a cyber incident, receive a ransomware demand and elect to make a payment or give benefits in response to that demand. This is essential for us to be able to develop a fuller picture of ransomware attacks in Australia and the scale of the threat, enabling a more coordinated government response.
Even prior to this bill, the Albanese Labor government was already taking steps to tackle ransomware. Australia has led the International Counter Ransomware Task Force since January 2023, driving international cooperation on countering ransomware, including through information and intelligence sharing, and facilitating collaboration with law enforcement. We provided an additional $75 million to the AFP to boost the Hack the Hackers program. This is an investment that will equip the police, who are responsible for fighting cybercrime, with the skills and capabilities needed to disrupt these actors and protect the community.
The Australian Federal Police and the Australian Signals Directorate established Operation Aquila in November 2022 to investigate, target and disrupt cybercriminal syndicates. Ransomware threat groups were a priority, and under Operation Aquila the AFP and ASD, with other agencies and international partners, were able to link Mr Aleksandr Ermakov to the breach of the Medibank Private network. Following very substantive efforts across these agencies, in an Australian first, we used Australia's cybersanctions powers on Mr Ermakov for his role in the cyberattack earlier this year.
Our cybersanctions framework was established to deter and frustrate cybercriminals, to impose costs on them for their activities. It enables us to sanction a person or entity in relation to a significant cyberincident with a targeted financial sanction and/or travel ban. This disrupts their ability to conduct their business by limiting their access to the financial system, including crypto exchanges, and their ability to travel overseas. It also reveals their identity and their tradecraft, exposing cybercriminals who trade in anonymity, and makes it more difficult for them to conduct their activities. Frankly, being sanctioned is bad for business. Cybersanctions are now a key tool for us to consider when responding to significant cyberincidents.
I am pleased that since sanctioning Aleksandr Ermakov we have also sanctioned a further four Russian cybercriminals and imposed cybersanctions on three people for their involvement in the Evil Corp cybercrime group: Maksim Viktorovich Yakubets, Igor Olegovich Turashev and Aleksandr Viktorovich Ryzhenkov. They had senior roles in Evil Corp. I called for Mr Yakubets to be sanctioned during debate in this place during the introduction of the Magnitsky legislation in 2021. I said at that time:
… Maksim Yakubets, the leader of the Evil Corp ransomware group in Russia, has been sanctioned by the US government. He drives a fluoro camouflaged Lamborghini with the licence plate 'Thief'. That kind of impunity needs to end.
So it was particularly satisfying to see the Australian government sanction him last month. We have also sanctioned Dmitry Khoroshev for his senior leadership role in the LockBit ransomware group.
We have taken clear steps to deter cybercriminals from targeting Australians. The Australian Cyber Security Centre also provides ransomware guidance to help Australians and businesses protect themselves and respond to ransomware attacks. They are available to provide assistance 24/7. One key piece of advice from the ACSC, and something that I have said here in this place before, is that you should never pay a ransom, ever. Paying a ransom does not guarantee that you will regain access to your information or prevent further disruption. It doesn't guarantee that your data won't be sold or leaked. But it does provide criminal organisations with further resources and incentivises further cybercrime, putting even more Australians at risk.
This is why we need a coordinated approach to tackling ransomware. We need a whole-of-nation effort to improve the government's threat picture to inform additional protections, current incident response procedures and future policy. That is what this bill does. It will not completely solve the ransomware issue. There are no silver bullets here. But it is a critical step. We understand that cybersecurity incidents can be sensitive issues. Targets of cyberattacks may be reluctant to report them. But we need to understand the cyberthreat landscape so the government can more effectively assist organisations with their incident responses as well as providing them with the information they need to protect themselves before these incidents occur.
The reporting of cybersecurity incidents by members of the public and Australian businesses is crucial in this respect. That is why this bill will establish a limited use obligation that will restrict how information provided to us during a cybersecurity incident will be used to give Australians and Australian businesses confidence that the information they provide will be used appropriately. We are committing to protect the information that these businesses and Australians share with government by using and sharing it only with the government agencies and regulators where necessary and only for the purpose of assisting the incident responses. This is because the Albanese Labor government wants to work with you to protect you.
This bill will also establish the power to mandate security standards for smart devices that are internet or network connected. These devices, like smart TVs, smart watches, baby monitors and home assistants, have become integral parts of our everyday lives, and our usage of and reliance on them continues to grow. Indeed, there are estimates that there will be more than 21 billion IoT devices connected to the internet globally by 2030. We want Australians to be confident in the safety of the digital products they buy, but at the moment there aren't any mandated cybersafety standards applied to IoT products. We saw the destructive capability of these IoT products during the Mirai botnet incident some years ago.
So it is essential that the government makes sure that they are safe for Australians.
Australian households and businesses are bearing the financial costs and negative societal effects of persistent and preventable cybersecurity incidents. We want to build trust in digital products so we can live in a country where safe digital products are the norm, and that's what this bill will help to build. The establishment of a cyber incident review board to conduct postincident reviews of significant cybersecurity incidents will help ensure Australia is well placed to better prevent, detect and respond to incidents in the future, and that mechanism will assess what happened in cybersecurity incidents of national importance. It will improve public understanding about what occurred and, by doing so, it should encourage the rest of the community to learn from the incident and uplift all of our cybercapabilities together, proving our national cyber-resilience.
Now, building cyber-resilience is a shared global challenge, and Australia's security and prosperity are linked to our regions, so our efforts do not end at our national borders. Our flagship Cyber and Critical Technology Cooperation Program works across the Indo-Pacific to help countries maximise the opportunities and mitigate the risks related to cyberspace and critical technologies to enhance the resilience of the region. Last year I announced the establishment of the Pacific Cyber Rapid Assistance for Pacific Incidents and Disasters, the RAPID teams, to help respond to cybercrises in the Pacific when Pacific governments request the assistance of the Australian government. It's been a resounding success and warmly welcomed in the region.
In many respects Australia is already a leader in cybersecurity, but this bill will ensure that Australia has a world-leading, robust cybersecurity regime going forward. The time to act is now, and I commend this bill to the House.