The Weekly Cybers #29
A cabinet reshuffle gives Tony Burke the cybers, the government ramps up its cyber rhetoric in the fight against scams and ransomware while its own report card looks poor, talk of a new Cyber Security Act, and much more.
Welcome
What a week! Apart from a cabinet reshuffle, the government has continued to ramp up its cyber rhetoric, calling on banks and online platforms to lift their game in the fight against scammers.
There’s also a foreshadowing of a new Cyber Security Act, and calls for Telstra and Optus to delay the shutdown of their 3G networks — calls the telcos are ignoring, at least at time of writing.
And there’s a lot more, trust me...
Cabinet reshuffle: Tony Burke takes the cybers
On Sunday prime minister Anthony Albanese announced a new ministry following the retirement of Linda Burney and Brendan O’Connor.
Relevant to this humble newsletter:
- In cabinet, Tony Burke takes over as Minister for Home Affairs and Minister for Cyber Security, with Clare O’Neil having been moved to become Minister for Housing and Minister for Homelessness. As part of this change, responsibility for the Australian Security and Intelligence Organisation (ASIO) has been moved from Home Affairs back to the Attorney-General, as was done with the Australian Federal Police (AFP) in 2022.
- Also in cabinet, Pat Conroy becomes Minister for Defence Industry and Capability Delivery.
- In the ministry more broadly, Andrew Giles becomes the Minister for Skills and Training.
- Patrick Gorman is now Assistant Minister for the Public Service and Assistant Minister to the Attorney-General.
- Ged Kearney is Assistant Minister for Health and Aged Care.
- Senator Tim Ayres is now Assistant Minister for a Future Made In Australia.
- Kate Thwaites becomes Assistant Minister for Social Security.
- And finally, Andrew Charlton becomes a Special Envoy for Cyber Security and Digital Resilience.
The PM’s announcement also includes a full list of the ministry. If you’re interested in a wider view, here’s Michelle Grattan’s analysis.
Government to ramp up fight against scams
The government’s rhetoric on online safety continues to get sharper, vowing to force banks to compensate victims of cyber scams, and calling on digital platforms to take more preventative action.
In an address to the National Press Club, assistant treasurer Stephen Jones outlined a three-prong attack.
We will require the banks to strengthen controls around bank transfers. This will attack the most common payment method for scams head on. Businesses will have a responsibility to report and respond to scams. For example, banks will need systems that identify dodgy payments and accounts and then take action to protect members. Telecommunication companies will be required to block known scam numbers. Social media platforms will need to have stronger anti-scam actions — including verifying advertisers and taking down scam pages.
“Digital platforms have a moral obligation to join the fight as part of their social licence,” he said.
In related news, a new Cyber Security Act would force Australian businesses and government entities to disclose ransomware payments or face fines, ABC News reports.
Speaking before the cabinet reshuffle, former home affairs minister Clare O’Neil said:
“We have a situation where people are paying criminals money and it is happening in the darkness... We need to bring this out into the light... Government cannot win this war alone. We need a whole-of-nation effort here.”
Further plans for the Cyber Security Act are detailed below.
Meanwhile the Australian Financial Complaints Authority (AFCA) has said they received 105,000 complaints in the 2023–2024 financial year, an increase of 9%, after a 34% increase the previous year. Scams were a “key driver”, they said.
“Limited progress” uplifting federal cybersecurity
Three out of five action items for improving the Commonwealth government’s cybersecurity show only “limited progress / yet to be commenced” in the 30 June status report on the 2023-2030 Australian Cyber Security Strategy Action Plan (PDF), although those items also have the annotation “Working to agreed timeframes”.
This information comes as part of the Department of Home Affairs’ answer to a question on notice (PDF) in Senate Estimates from Senator James Paterson.
The three items lacking progress are, in my paraphrasing:
- Develop a whole-of-government zero-trust culture, implementing defined controls drawing on the ASD’s baseline Essential Eight strategies.
- Identify the so-called “Systems of Government Significance” that need higher levels of protection.
- Address the skills shortage by improving the cyber skills of the Australian Public Service (APS) more generally, and through the establishment of the Defence Cyber College.
On the plus side, the office of National Cyber Security Coordinator (NCSC) has been implemented in full, and regular reviews of the cyber maturity of government agencies are ongoing.
In the category “Protect our most valuable datasets”, three of the four items are flagged “limited progress / yet to be commenced”.
According to the NCSC, Lieutenant General Michelle McGuinness, the government is currently eight months into the two-year action plan. Of the full list of 60 items, which includes support for the private sector as well as government, “four have been implemented largely in full, 29 have been substantially progressed, 11 we consider to be ongoing and 16 are yet to be commenced or are in limited progress”.
I’ll leave you to read the specifics for yourself. It’s not all terrible.
New Cyber Security Act by year’s end?
It seems that the government’s intention is to pass a comprehensive Cyber Security Act by the end of 2024, according to comments made by officials during a roundtable held by the Australasian Society for Computers and Law on Friday.
Home Affairs has been conducting a legislative review which includes creating new legislation as well as reviewing the Security of Critical Infrastructure Act 2018.
The department has been working with the Office of Parliamentary Counsel and hopes to provide “further details of the legislation in some form or another” in the coming weeks.
I imagine this might be in the form of an exposure draft for further comment, with the government’s current thinking being to introduce legislation to parliament by the end of the year.
That said, former minister Clare O’Neil did indicate in that conversation with ABC News that it would be introduced in the “next session”, which is mere days away.
The Cyber Security Bill will include security requirements for internet of things (IoT) devices; mandatory reporting of ransomware payments; and an obligation to provide information about other types of cybersecurity incidents — although it seems that the details are still under discussion.
There was also industry support for the creation of a Cyber Incidents Review Board along the lines of the Australian Transport Safety Bureau (ATSB) to investigate significant incidents and provide lessons learned.
Committee recommends delaying 3G shutdown
An interim report from the Senate inquiry into the shutdown of the 3G mobile network has called for an urgent meeting between the communications minister and both Telstra and Optus to “seek their agreement to extend the shutdown”.
The two telcos currently plan to shut down their 3G networks on 31 August and 1 September respectively. TPG/Vodafone already closed theirs in January.
The concerns are that some older or cheaper 4G mobile devices still rely on 3G to make emergency calls to Triple Zero, and that a wide range of non-phone 3G devices will simply stop working.
As an example, these include water and electricity meters, farming monitoring and diagnostic equipment, medical devices, emergency phones in elevators, in addition to safety and asset tracking devices.
The inquiry has called for a delay until “the 4G network provides coverage equivalent to or better than the coverage provided by the licensee’s 3G network”, that “best endeavours” have been made to audit the number of affected devices, and “reasonable efforts” made to contact affected customers.
For their part, both Telstra and Optus remain committed to the timeline.
Also in the news
- Elon Musk’s X silently turned on harvesting your posts and conversations to train its Grok AI, which may be in breach of Australian privacy law. The Office of the Australian Information Commissioner (OAIC) said the practice was a “cause for concern” but stopped short of launching an inquiry. If you’re still using X, use a web browser to go here to turn it off.
- Meanwhile, the Ninefax papers have a backgrounder on negotiations between the government and Meta ($) on the latter’s plan to block news content on Facebook and Instagram. One option is a “social media levy”. “In 2022, Facebook’s tax bill in Australia was $24 million, but the company funnelled nearly $1 billion in local ad revenue to its parent company overseas.”
- Government services minister Bill Shorten says Centrelink’s notorious waiting times are finally falling.
- As Guardian Australia reports, “Australia is stepping up its attempts to limit China’s influence in the Pacific, with the establishment of a new ‘cable connectivity and resilience centre’ designed to boost connectivity for Pacific nations.”
- CSIRO has partnered with Google to “accelerate and transform artificial intelligence (AI) adoption in science”. I do wish PR people would drop this “accelerate” cliché.
- Treasury has released its Digital and Cyber Security Strategy 2024–26, which is about what it plans to do with its own systems.
- Australia recently signed a deal with Amazon Web Services (AWS) to build a sovereign Top-Secret (TS) Cloud for Defence. At the Lowy Institute’s The Interpreter, Cynthia Mehboob argues that trusting the country’s digital defence capabilities to one company is a potential threat to national security.
This week’s podcast: Cybercrime
In the latest episode of my podcast The 9pm Edict I spoke with Dr Miranda Bruce from UNSW Canberra about her work on the World Cybercrime Index and other matters. You can listen at The 9pm Geography of Cybercrime with Dr Miranda Bruce, or just look for The 9pm Edict in your podcast app.
Data breaches and hacks of note
- Western Sydney University has revealed that attackers had access to 580TB of data for over eight months, including a wide range of personal and sensitive information.
- The BianLian gang has hit IT services company Insula in a ransomware attack but Insula says they’re not paying the ransom.
Elsewhere
- ABC TV’s 7.30 has an interesting story on Adrian Katong, who ran a one-stop shop for phishing scams.
- According to a Monash Uni report, Australian public attitudes to facial recognition technology (PDF), only a quarter of Australians understand facial recognition technology despite its widespread use. “Only one in twenty people felt they knew ‘a lot’ about the technology, which is poised to play a central role in the country’s new Digital ID system.”
- Disgraced former Home Affairs secretary Mike Pezzullo may be out of the public service but he’s still giving us the benefits of his wisdom. Writing in The Strategist from the Australian Strategic Policy Institute (ASPI), he calls for an “all-star” group of experts to provide a “rigorous independent and public strategic assessment of the prospects of war”, so we don’t get caught in a Pearl Harbor-like surprise. He names 12 people who “would bring a range of different perspectives to the project”. All are old and white, only one is of non-Anglo heritage (but still European), and only one is a woman.
Inquiries of note
- Nothing new. Be patient.
What’s next?
Parliament is still on its long winter break, but they’re back on Monday week, 12 August, so there’s just 10 days to go.
Any questions or comments? Just reply to this email. Cheers.
The Weekly Cybers is a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).
If I’ve missed anything, or if there are any specific items you’d like me to follow, please let me know.
If you find this newsletter useful, please consider throwing a tip into the tip jar.
This is not specifically a cyber *security* newsletter. For that I recommend Risky Biz News and Cyber Daily, among others.