Australia has a legislative and capability gap when it comes to economy-wide cyber attacks, as the private sector could not handle such an event without the government needing to step in, Secretary of the Department of Home Affairs Michael Pezzullo said on Monday night.
"Imagine a Bond villain ... [who had] motive, means, and capacity to, for instance, short a market to change market signals to take advantage of that from a profit point of view. In years to come, that might be as concerning to us as what certain state actors can do," he said.
Responding to reports from June that the government was looking to allow the Australian Signals Directorate to spy domestically, Pezzullo said it was about protecting national infrastructure.
"The very issue that was settled that was set in motion between Home Affairs Department, the Department of Defence, and the Australian Signals Directorate was the extent to which one day -- and hopefully we can close this gap in sufficient time before that day comes, the equivalent of a cyber Pearl Harbor -- that we can close the gap in terms of what the private sector can do on things like the electricity grid, our gas and water supplies, sensitive data holdings, traffic management systems, [and] other critical pieces of national infrastructure," he said.
"Most of which are held quite properly for economic reasons in the private sector."
Pezzullo said even if a private sector organisation threw almost unlimited resources at the problem, it would still remain vulnerable to attack from state actors or highly sophisticated non-state actors.
"Without pre-empting future government decision making in this regard, it's our hope in the department to bring forward considered, detailed proposals to address that high end of the risk spectrum," Pezzullo told Senate Estimates.
"That is to say, that end of the risk curve, that no amount of diligent, purposeful, and targeted investment by the private sector can deal with simply because the tools that you need to deal with those attacks are tools that properly should be vested in the state."
The secretary added that the defensive operations around critical infrastructure were in no way a form of "mass surveillance program on Australian communications".
Under questioning from Senator Rex Patrick, Home Affairs attempted to play down the conduct that has led to incidents such as metadata being accessed by ACT Policing without proper authorisation.
"When it comes to breaches in particular agencies -- and I can talk from the Department of Home Affairs perspective in the two recent reports in 16-17 and 17-18 -- the majority of the departmental issues that were reported by the Ombudsman were self-declared or identified to the Ombudsman," said Hamish Hansford, Home Affairs acting deputy secretary of policy.
"So where officers have breaches of the law, they self-identify and when the Ombudsman comes in year after year to review records, we make changes in the department -- in the case that I'm talking about -- and those changes could be further education of officers, it could be additional training, and it could be IT systems that are updated to centralise data and the majority of cases that the Ombudsman has identified when it relates to the department in particular, have been self-identified."
In response, Senator Patrick pushed to know about the consequences for officers that break the law.
"If there was no intent, and it was an administrative area or a breach of law by an officer, which is what we class as an administrative breach of law, then there's no particular criminal consequence," Hansford said.
Patrick eventually questioned the representatives of Home Affairs over whether they were pushing the point that there was no crime associated with accessing communications data illegally.
"Are there stated criminal penalties?" Pezzullo retorted.
"Maybe we can go to someone else and think about this," Patrick closed.
In a recent report by the Commonwealth Ombudsman on how agencies across federal and state government in Australia handled stored communications and metadata, Home Affairs remained at the rear of the field.
Despite seeing fewer problems for 2017-18, the Ombudsman issued one recommendation to the Australian Federal Police (AFP), discussed a number of previous recommendations with Home Affairs, and found eight of 17 agencies that were inspected had instances of failing to comply with destruction of stored communication requirements.
For the AFP, the Ombudsman found 23 instances where authorisation was made under missing person laws despite the case being related to criminal law, and another two cases where authorisations under provisions to protect public revenue also related to enforcing criminal law.
The federal police also disclosed 563 instances of authorisations made by authorised officers that were subsequently rejected by an internal quality assurance process, and 73 instances where authorisations were notified to telcos with errors.
At the start of 2018, Pezzullo advanced the idea of Home Affairs having a cybermoat around its IT systems.