Address to NAB National Cyber Security Summit

14 October 2019

An address to the NAB National Cyber Security Summit in Canberra.


Thanks for that introduction David [Fairman - Chief Security Officer, NAB].
I’d like to start by acknowledging the Ngunnawal and Ngambri people and pay respect to their elders, customs and traditions.
I also acknowledge Treasurer Frydenberg, who offered some good insights in his remarks earlier and from the outset I would offer Labor’s support in working with the Government on this really important issue.
I’m here with Tim Watts, my friend and the Shadow Assistant Minister for Cyber Security, who is an expert in this area and is making a great contribution to the public debate.
As Tim has pointed out, we do have substantial concerns with cyber security planning at the Commonwealth level and we think it can be vastly improved. 
But there could hardly be a more bipartisan issue than making sure our businesses and our financial system are protected from the real and growing cyber threats you all encounter every single day.


Today’s about the future but I thought I’d start my remarks with a brief trip back in time.
The year is 1995 – Paul Keating is Prime Minister, the storm clouds of the Super League war are gathering on the horizon, Coolio’s Gangsta’s Paradise spends 11 weeks at #1 on the charts, and I’m sorry to remind Josh of this but Carlton wins their most recent AFL flag.
In December of that year, Advance Bank, subsequently acquired by St George, rolls out the C++ internet banking program, Australia’s first 24/7 online banking system[1].
In the first month 350 customers downloaded the program.
Almost 25 years later, and nearly 3 out of every 4 Australians are using some form of digital payment alongside thousands of small and medium-sized enterprises who rely on digital payments every day to do business.[2]
The internet has enabled significant economic growth and created entirely new industries.
It has changed the way the private sector interacts with consumers and the way government interacts with the public.
But it has also created the new vulnerabilities we are addressing today.
In 2016, security hackers used the SWIFT network to transfer close to US$1 billion from the Central Bank of Bangladesh’s account with the US Federal Reserve.
While only $101 million was transferred to accounts in Sri Lanka and the Philippines before the transaction was blocked, it ranks as one of the largest bank heists in history.
Fortunately, for the vast majority of Australians, their bank is their most direct contact with best practice cyber security.
Our banks are on the frontline of fighting cybercrime and should be congratulated for the work and leadership they’ve shown in this area.
Through multifactor authentication and one-time passwords, banks have delivered a safer internet for all Australians – including for resource-constrained small businesses and customers – and improved our knowledge of cyber security.
Despite this, much of the public conversation around cyber security is through a national security or data privacy lens – not an economic one.
That partly reflects the fact that responsibility for cyber security sits within Home Affairs, and the Australian Cyber Security Centre, responsible for cyber security operations, sits in the defence portfolio.
But the economic costs and consequences of cybercrime are immense.
Small businesses and their customers have a lot at stake.
Despite the best efforts of government agencies and law enforcement, the growth in cybercrime has skyrocketed in recent years, only increasing the size of the economic threat.
Since July, the Australian Cyber Security Centre has received a cybercrime report every ten minutes and research from cyber security firms suggests that small businesses are a major target.
The Department of Home Affairs has suggested that cyber security incidents cost Australian businesses up to $29 billion per year.
Globally, cyber losses are expected to hit US$6 trillion by 2021[3].
That’s over 26 times greater than the economic losses from natural disasters in 2018.
And it’s not just the cost of an attack itself.
Institutions and businesses now need to invest substantial time and resources trying to defend themselves against current and future attacks, and parts of this will be passed on to the consumer and to small business who are already under financial pressure.
We need to ensure that the burden of our cyber security doesn’t fall on those who can least afford it.
The shift in the nature of cyber-attacks also has big implications for our economic and financial stability.
While the vast majority of attacks use cyber infrastructure to facilitate attacks, we are also seeing more malicious attacks on cyber infrastructure itself, often designed to cause significant economic disruption.
We saw the potential for this in 2016 when Russian hackers unleashed the “NotPetya” malware attack in the Ukraine. The malware quickly spread beyond the Ukraine infecting everything from hospitals in Pennsylvania to chocolate factories in Tasmania.
By the time the attack was contained the damages bill summed over US$10 billion globally.
I saw firsthand from my perch in this building during the GFC how the inter-connectedness of our financial systems meant that economic shocks can be instantly transmitted around the world.
Ten years on and it’s not hard to imagine a scenario where a successful attack on a critical piece of cyber infrastructure could trigger another economic crisis, particularly given the recent growth and integration of digital platforms. 
It’s why the Harvard Business Review ranked cyber-attacks as the biggest threat facing the business world today ahead of terrorism and asset bubbles.
And it’s why Australia’s key economic regulators, including APRA and ASIC, are so focused on it.
APRA in particular sees cyber security as a key financial stability risk, something I discussed with APRA Chair, Wayne Byres, and his senior colleagues just last week.
But the fact is, our collective cyber security and safety is only as strong as the weakest link.
Cyber security suffers from the same problems most public goods suffer from – underinvestment and lack of coordination.
That’s why I want to congratulate NAB and the organisers of this summit.
Forums like this are critical, because cybersecurity isn’t my problem, or your problem, it’s our problem.
But just as we often focus on the costs, we also need to start thinking more proactively about how we can maximise the benefits of cyber security as a growth industry.
AustCyber’s Competitiveness Report released last year noted that Australia ranks as the world’s seventh most committed cyber security country and second most ‘cyber-mature’ in the Indo-Pacific region.
With US$131 billion spent on cyber security in 2017 (a figure which is expected to rise by 88 per cent by 2036), we are well placed to become a global cyber security powerhouse.
However, for us to reach our potential in cyber security we need to be a proactive player in building international laws and norms surrounding cyberattacks and domestically address the chronic shortage of cyber security skills in Australia.
AustCyber suggests we will need around 18,000 more cyber security workers by 2026 – big challenge, bigger opportunity.
So my hope for today is we identify ways that government, business and individuals can collaborate more effectively on this.
I look forward to your ideas and input.