Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Foreign Affairs, Defence and Trade Legislation Committee
24/10/2018
Estimates
DEFENCE PORTFOLIO
Australian Signals Directorate

Australian Signals Directorate

CHAIR: I welcome officials of the Australian Signals Directorate. I welcome Mr Burgess. Do you have an opening statement to make?

Mr Burgess : Yes, thank you, Chair, I do. This is the first appearance of the Australian Signals Directorate before this committee. I'm joined today by three of the senior leadership team from ASD: Lieutenant-General John Frewen, Principal Deputy Director-General; Alastair MacGibbon, Head of the Australian Cyber Security Centre; and Hazel Bennett, Deputy Director-General, Corporate and Capability. ASD's purpose is to defend Australia from global threats and help advance our national interests. ASD has both a war-fighting and national capability. Following the 2017 Independent intelligence review, ASD commenced as a statutory agency within the Defence portfolio on 1 July 2018.

CHAIR: Can I briefly interrupt, Mr Burgess. How long is your opening statement?

Mr Burgess : It is very short.

CHAIR: All right—continue.

Mr Burgess : Our transition to a statutory agency has been supported by a significant body of work undertaken by the Department of Defence and ASD to ensure that we are ready to meet the expectations and intent of the 2017 Independent intelligence review and the expectations on us from government. As part of this change, the Australian Cyber Security Centre now operates as part of ASD.

Our functions are clearly established in the Intelligence Services Act 2001, and we work within a strong internal compliance regime. Our operational activities have oversight from the Minister for Defence and the Inspector-General of Intelligence and Security. Much of what we do needs to remain classified—this is important to protect our capabilities, sources and methods. But my team and I are looking forward to working with this committee in answering your questions today. Thank you.

Senator GALLACHER: I'll put this to the witnesses, but I understand if you want to come back and give the committee a briefing or you want to take consideration of it. I presume everybody's aware of the Bloomberg article 'The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies'. I have a particular area of interest in respect to that, because my understanding is that that was used to compress really big video files and get them into servers. We have bought the Tritons, and they are to be used for all sorts of things like freedom of navigation, circumnavigating Australia, Border Force, Home Affairs and meteorology. The use of the data that they're able to collect is extremely widespread, but I'm really interested in how well protected we are. That's because, essentially—I'm not an expert in any way, shape or form—my reading of this was that there was a company that had made some software which made it really easy to compress really large video files, and the connectivity, I suppose, is there's an infiltration. I don't know how serious or how widespread that was, but the article puts it on the record that it's pretty serious. I was interested in how it connects with our Triton project and if, at some point in time, you could either give us a position back on that—that we're safe and we're covered—or offer a briefing to the committee. I'd appreciate that.

Mr Burgess : Certainly. I can say there's no direct connection, because, with regard to that article, there is, as we understand it, no substance to that article. Both the United States and the United Kingdom governments have said that that's the case, and the companies involved—Apple and others—have also said there is no evidence of this. So far, we have not seen any evidence, but I might ask Mr MacGibbon to add some more colour to that.

Mr MacGibbon : As the director-general said, there's no evidence from any of our allies that the assertions in the Bloomberg article are indeed correct. Our counterparts in the UK, the National Cyber Security Centre, and our counterparts in the US, the United States Department of Homeland Security, came out very quickly to say that they don't believe the article was correct. However, you raise a broader question, really, which is about the security of our supply chain. That is, indeed, a significant problem that has been increasingly identified over the last several years. That relates to the security of our hardware supply chain and software supply chain, and the professional services we use that often deal with multiple touch points, organisations, departments and companies. So, while we don't believe the article to be correct, the notion in the article is indeed a true threat to cybersecurity generally.

Senator GALLACHER: Thank you for that. I just have a few very specific questions. I know Senator Kitching has a couple of lines of inquiry, but my first line of inquiry is about the 2018 Stay Smart Online Week, which ran from 8 October to 14 October with the theme 'reverse the threat of cybercrime'. Is it clear who the minister responsible for cyber is?

Mr Burgess : Yes, the minister responsible for cybersecurity is the Minister for Home Affairs.

Senator GALLACHER: And he would be the minister responsible for that Stay Smart Online Week?

Mr Burgess : Stay Smart Online Week is run by Home Affairs and is assisted by the Australian Cyber Security Centre.

Mr MacGibbon : If I could clarify, it's primarily run out of the Australian Cyber Security Centre with support from Home Affairs. While the Australian Cyber Security Centre is part of the Signals Directorate and therefore within the Defence portfolio, the activities in that regard relate to cybersecurity and therefore Minister Dutton as the Minister for Home Affairs.

Senator GALLACHER: So, there was a reshuffle. Was the former dedicated minister for cybersecurity involved in authorising and/or approving the campaign material before the ministerial position was removed? Was it already in train?

Mr MacGibbon : I'd have to take that on notice. I am not sure if there were any such approvals, because it's considered to be a normal campaign for advising the public. It's the 11th year that the Stay Smart Online campaign has been in existence—across all governments.

Senator GALLACHER: It's been going since 2008, has it? So it wouldn't require sign-off from the minister?

Mr MacGibbon : Again, if I could take that on notice.

Senator GALLACHER: If you can take on notice who did sign off on it and whether it was the home affairs minister or the previous minister for cybersecurity.

Mr Burgess : I can say that, in regard to my minister, the defence minister: I informed the defence minister that a campaign was running, but I did not need to seek his approval for the content of that campaign.

Senator GALLACHER: How much was spent on the campaign material for the Stay Smart Online Week?

Mr MacGibbon : I would have to take that on notice.

Senator GALLACHER: Which budget or portfolio was it paid from?

Mr MacGibbon : I would say that it came out of the ACSC budget. This was a campaign that was traditionally run by the computer emergency response team that was in the Attorney-General's Department, and they were formally mogged—a machinery-of-government change—as of 1 July this year.

Senator GALLACHER: Which advertising or design company was used to create the material for Stay Smart Online 2018, in particular 'reverse the threat'?

Mr MacGibbon : I'll take that on notice.

Senator GALLACHER: Where did the key messages come from? Did the company do research to develop the key messages for the campaign, and why was 'reverse the threat' chosen?

Mr MacGibbon : I'll take that on notice.

Senator GALLACHER: What are the other possible key messages that could have been used?

Mr MacGibbon : Maybe I can answer that one, in the sense that I've been in this space for an awfully long time, both as a police officer and the former head of the Australian High Tech Crime Centre, then working in corporates on cybersafety and cybersecurity, then as the inaugural eSafety Commissioner and now as the head of the Australian Cyber Security Centre. What I will say is that there are many messages you can give to improve the safety and security of Australians online. There's been an increased maturity in the industry in relation to messaging—for example, there is a group, the SIT Group, which is corporates working together with government to help bring those messages to bear. I'll get back to you on exactly how the messages were derived, but I can say, in my far-too-long career in this space, that the ability for us to be more unified in our messaging, both as government and as corporates, is improving.

Senator GALLACHER: Given that it has been running for some 10 or 11 years, do you market test the campaign before it's launched, or is it an evolving thing? What happens?

Mr MacGibbon : The message has changed over the years. Again, as someone that has spent a long time in this space, I can say that there's always room for improvement. The message this year was to reverse the threat of cybercrime. It's a crime that impacts upon far too many Australians; about one in four are impacted every year from scams and other crimes, some minor, some quite significant. But I'll have to get back to you in relation to how the messaging was created.

Senator GALLACHER: We just want to see whether you ran a company's eye over it. Was the campaign tested before it was launched? If so, who did that? What were the results?

Mr MacGibbon : These are not multimillion-dollar campaigns. They are largely run online and with content created and distributed online—some physical. This is not a major campaign. I think that if you were to enter into a very significant advertising campaign, for example, which this isn't, then you would do significant market testing. If you're running a campaign that lasts for a week and that is largely done on social media and through free media, appearances and web content then it's highly unlikely that you would spend the year or so that it would take, I think, to do proper market testing for messages that you might do for some multimillion-dollar campaigns. But, again, I can get a time line for you.

Senator GALLACHER: I accept everything you say. But we're sitting on this side. We can't see what you can see, because you're doing it. We're just probing to see whether any of these activities—

Mr MacGibbon : Your interest in Stay Smart Online is good. We desperately want to get the message out to people on how to reduce the likelihood of falling victim to crime and to cybersecurity risks.

Senator GALLACHER: I have a few more follow-up questions before I hand over to Senator Kitching. Was there an identified communications objective of the campaign? Did the company evaluate the behavioural and attitudinal change coming from the campaign? Has the company been used by the government on other advertising or awareness campaigns? If so, which ones and how much did they cost? How was the company engaged? What was the procurement process used to engage the company? Was it advertised on AusTender and, if so, when? What was the AusTender reference number? I don't expect you to have all that to hand, but if we could get that on notice, that would be helpful.

Mr MacGibbon : Thank you. I will take all of those on notice and revert as quickly as I can.

Senator KITCHING: I want to ask you about Australia's critical infrastructure framework. It has eight sectors. Other countries, particularly some of our Five Eyes partners, have included more sectors—for example, the United States has 16, the United Kingdom has 13 and Canada has 10. Is ASD involved in the decision-making process about which critical infrastructure sectors are included in Australia's TISN framework?

Mr Burgess : The ASD is not directly involved in that. That responsibility rests with the Department of Home Affairs. But, obviously, the work that both the Cyber Security Centre does and we do on the intelligence side would inform decisions made.

Senator KITCHING: Do you make recommendations around which critical infrastructure sector should be included?

Mr Burgess : If we were asked for advice, we would, but that's not our normal job. We would have a view, of course, on things that would be considered critical infrastructure, but it's not for us to set what they would be.

Senator KITCHING: So you do have a view, but it's Home Affairs that would be making—

Mr Burgess : I believe it's with Home Affairs.

Senator KITCHING: Is there any informal communication about critical infrastructure sectors?

Mr Burgess : There are plenty of conversations about the security of critical infrastructure however it might be defined. There is plenty of conversation, especially in our lane on the road and Mr MacGibbon's with the Cyber Security Centre.

Senator KITCHING: Has there been any process whereby you have recommended—not just in the last little while but perhaps over a longer-term view—about the critical infrastructure sectors?

Mr Burgess : Currently, there's been advice given on 5G from my agency, but data centres would come to mind, as well as other things that we would give advice on.

Senator KITCHING: What I want to come to is: in comparison with other countries, including our Five Eyes partners, electoral systems have been included. They're not here. Are we concerned about the capacity of a third party to influence Australia's electoral system and therefore the integrity of our democracy?

Mr MacGibbon : The Cyber Security Centre has participated with other agencies in helping look at the Australian electoral system and specifically those of the electoral commissions around the country. There are no specific concerns and no evidence that anyone has been inside those systems. There are lots of ways, of course, that are outside our remit that people could try to influence the outcome of elections, et cetera. In terms of the electronic security of those systems, the electoral systems, we work with Home Affairs and other areas to look to the integrity of those systems. I don't think you would ever rest on your laurels; you certainly don't when it comes to cybersecurity.

Senator KITCHING: It seems that the technology is moving more and more quickly in being able to infiltrate—

Mr MacGibbon : Well, no-one ever puts up a 'mission accomplished' sign around cybersecurity, Senator. We would always be looking at new ways to secure systems. It's fair to say, of course, as you would know, that as we've brought technology into uses in ways that we've not done before, it increases the threat surface. We also know that we're dealing with both nation states and criminal groups that constantly look at new ways to ply their business, so we're in a constant struggle. That goes well beyond electoral systems and into every other part of Australian society.

Senator KITCHING: In comparison—let's just take the Five Eyes countries—is our electoral system protected to a greater extent than systems, for example, in the United States and France? I'm thinking of the last presidential elections in both of those countries. Would you say that our system is more robust, better protected?

Mr MacGibbon : I'll try to stick to exactly what the Cyber Security Centre would do, just so I don't get in trouble, of course, or give you advice that wouldn't be right.

Senator KITCHING: Mr MacGibbon, I'm always in trouble as well.

Mr MacGibbon : That's okay. We will get on just fine, Senator.

Senator KITCHING: Thank you. I appreciate your—

Mr MacGibbon : If you look at what happened in the United States with the US presidential election, that wasn't necessarily the compromise of electoral systems, of which there are several thousand in the United States. That complexity alone makes it a very different system to ours, where there is an electoral commissioner in each state and territory in the Commonwealth. That was a compromise of a political party's system. In January 2017, the former Prime Minister asked me, the then head of the Australian Cyber Security Centre, and other agencies to brief political parties and politicians from the crossbench and minor and opposition parties on what the threat environment was because the probably the more effective attack vector is against the candidate or a political party system. We give advice to political parties as we would any business. We publish that advice—not specifically for political parties but for any business that operates, whether it's a not-for-profit or for-profit business. We do then work with electoral commissioners, and we are doing that along with Home Affairs as part of a COAG agenda; we were asked to do that in 2017. We continue to do that in order to help look at the maturity and the technical capability of electoral commissions.

Senator KITCHING: Is it just advice to the AEC or to the various commissions to secure equipment and systems and software? If they asked you to, would you go into the systems? Is that what you can do?

Mr MacGibbon : Largely we would provide advice, Senator. It's a scale question. It's also best if organisations learn to protect their own systems. They know their systems better than us, of course. But we are always ready as the Cyber Security Centre to help any government organisation—state, territory, local government or Commonwealth—to help protect the jobs that they do; that's our role. But it is a scale question. Our preference is always to help give advice, and that can be sometimes quite intense advice and sometimes it's just general publishing of material for government agencies. Then, of course, we give broad advice that's published on the internet to any business, including in other countries if they want to follow our advice.

Senator KITCHING: Thank you. The ANAO has audited a number of Commonwealth agencies to assess their level of cyber-resistance and compliance with the ASD's top four mandated cybersecurity standards and the Essential Eight. The latest report, which is the fourth in a series dating back to 2013-14 showed that four years on, only four or 28 per cent had been found to comply. Have you assessed the AEC's compliance with the top four mandated cybersecurity standards?

Mr MacGibbon : Not to my knowledge. I will get back to you, if I may. I will take it on notice so I can give you the right answer.

Senator KITCHING: Yes, thank you. I appreciate that.

Mr MacGibbon : Perhaps generally, we could talk about compliance with the top four. I know the Director-General has very strong views on adhering to these controls.

Mr Burgess : If I may, Senator, in terms of your right to call out the findings of the ANAO report, the problem in the security world and audit findings such as that is when you just view it as a tick-and-flick compliance matter. Just because an agency does not necessarily follow our guidance, that is not in itself a measure of security or insecurity, plus there's the reality of what it takes to implement best practice advice. So, if you're an organisation using older IT or what we call legacy IT, sometimes our advice might be impractical to do. The key thing here is you identify your risk and you understand what risk you're taking and know when you can fix that, and sometimes you'll fix that in the normal life of IT investment, as in it might happen in a year or two, and there are other ways you can monitor the risks you're carrying. Security is risk management; it is not risk avoidance, and there is no such thing as perfect security. So, just to call out a government department that isn't compliant in itself is not really a sensible measure of the security of that department.

Mr MacGibbon : I can give a practical example, if I may, Senator and Chair, to extend the answer. If we use hospital systems, medical systems, as an example, you would have seen in the press last year the WannaCry global ransom campaign that hurt the UK National Health Service. Very expensive and critical medical devices were locked up by this malicious code. They tend to have very expensive machines attached to a computer and, when the machine is certified for its medical use, the computer is as well, so you can't upgrade the computer along with those very expensive MRI machines and the like. Some of that software gets old and there are no longer patches written for it, whereas we would say you need to patch these computers, which reduces the threat surface against known vulnerabilities or known attacks. You can't do that. So, technically, they're not compliant, but you can put them behind a firewall and you can air-gap them from the internet. You can do a whole range of things that, to the Director-General's point, is about risk management. An audit would say, 'You're not complying with the patching within X number of hours or days of a critical vulnerability, because you can't,' but I can effectively risk manage to achieve exactly the same outcome. To Mr Burgess's point, while there are compliance regimes—and compliance can create hygiene if it's done well and it can create good discipline—in and of itself that doesn't create security. But security without any compliance is as unlikely. So it's a combination of rules, behaviours and maturity of management, which is something that all of us—whether we're in the public or private sector—need to learn more, and then it's a risk management exercise. Unfortunately, with any connected systems, there is always risk. There's residual risk. Our aim is to reduce the likelihood of risk being realised and the harm caused when the risk is realised and then hopefully help people get up and running again to do their business, should risk be realised.

Senator KITCHING: For another committee, I went to Tuggeranong, to the DHS Cyber Security Centre. That's a department that has, I think, managed risk—

Mr MacGibbon : They have a wonderful CISO in Narelle Devine. I'll call out as a leader in government cybersecurity—absolutely. They've invested very heavily in their security operations.

Senator KITCHING: This is a public forum, but they've certainly made both software and hardware decisions that enhance that security.

Mr MacGibbon : Yes. They take it very seriously, as they should. They're a department such that, if they fail, a lot of Australians would suffer, so they take their responsibility for essentially distributing finances to needy Australians very seriously, and they provide those security services to a range of other departments as well. I'll say again: you never put up a 'Mission Accomplished' sign. I'd hate to say that DHS were completely secure only to find, touch wood, that at some later stage something bad happens, but they are a department that take this very seriously and they have a really strong security culture there. Not all decisions people agree with, but it is about risk management, as the Director-General said.

Senator KITCHING: I'm mindful that we are going to have an election at some point soon. Would you do a before and after risk assessment of the AEC or are you providing advice to ensure that the electoral system is secure?

Mr MacGibbon : I have regular contact with Tom Rogers, the Electoral Commissioner, and I have said to Mr Rogers that we are always available to assist the AEC. There can't be anything more fundamentally important to us as public servants or as Commonwealth officers—sorry, there's the definition of an independent statutory agency. As you know, we answer to politicians and, therefore, we need to make sure that the political process is as protected as possible, and we would always offer those services to Mr Rogers and his staff. I must say, I don't find a much better person to deal with in the Commonwealth than Mr Rogers in terms of wanting to make sure that the services he provides have integrity from an electronic security point of view, and that's all I can comment on.

CHAIR: What about the minister?

Mr MacGibbon : We like the ministers, too, Senator—of course! We serve the government.

Senator KITCHING: I take the point. You've commented as far as you are able about the—

Mr MacGibbon : My point is that I can only comment on the computer security of the AEC and that we are always happy to help. We have had good conversations with the AEC. We have seen what has occurred in other countries, and the last thing any Australian wants, the last thing any Australian public servant wants and the last thing any of our colleagues in the national security community want to see is the Australian electoral process compromised in any way.

Senator KITCHING: I agree. Thanks very much.

CHAIR: Could I quickly ask Lieutenant-General John Frewen what his role entails from the military ADF aspect?

Lt Gen. Frewen : Certainly, Chair. I'm the principal deputy director at ASD. In the transition of ASD from a part of the Department of Defence to statutory authority, a recommendation of the independent intelligence review was that there should be a senior military officer as the principal deputy in the Directorate to reinforce the enduring importance of the relationship between ASD and the broader Department of Defence.

CHAIR: Thank you very much. Ms Bennett, what do you do? You've been very silent.

Ms Bennett : I'm responsible for Corporate and Capability. My responsibility includes finance, people, learning, development, internal security and internal capability.

CHAIR: Thank you very much and welcome to future ASD Senate estimates with us. It was remiss of me not to know that it was your first appearance, but it's mine as well as chair. My apologies. Welcome and thank you very much.