Gai Brodtmann (Canberra, Australian Labor Party, Shadow Parliamentary Secretary for Defence) Share this | Hansard source

As shadow assistant minister for cyber security and defence personnel I welcome this opportunity to speak on the Enhancing Online Safety for Children Amendment Bill 2017, because there are many competing voices in the cybersecurity and cybersafety space, and it makes it difficult for people to know where to go to for advice, tools and assistance when the online world gets particularly scary.

We had a very good example of that recently with the WannaCry incident which occurred just a few weeks ago. We heard about it overnight hitting the NHS and 200,000 other individuals and organisations in more than 100 countries throughout the world. We heard that this possible wave was coming to Australia, and my concern was the fact that there was no single voice here in Australia sending a message out to Australians, saying: 'WannaCry is on its way. This is what you need to do: you need to patch your systems; you need to back up your systems; you need to do an IT health check.'

We had the Prime Minister's cybersecurity adviser out there doing some media conferences and a few media interviews here in Canberra to a few media outlets that are not really communicators to the wider Australian community. We also had occasional communications from the minister, the Attorney-General's Department, the Australian Cyber Security Centre, the Department of the Prime Minister and Cabinet, and Stay Smart Online. They are the ones that I can think of off the top of my head; I am sure that there were other government agencies.

That is six that I can count already that were communicating different messages at different times out to the broader Australian community and—this is the big concern—to small business. How did it work in the UK? There was one government agency, the National Cyber Security Centre, sending messages about WannaCry out to the broader community, to the small business community and to government agencies. We had at least six.

This very recent example of the government's mismanagement, in my view, of communication on WannaCry potentially could have been a major disaster for hundreds and thousands of businesses and individuals here in Australia. It was just by chance that we did not experience what happened throughout the world in those 100-plus countries to those 200,000 individuals and businesses who fell prey to WannaCry. As I mentioned, we had 18 instances of reports of WannaCry victims; 12 of those that we know of were small businesses.

I have made this point to a recent Australian Strategic Policy Institute panel that I was on; I make this point again to the government: first-up, you need to get the crisis communication on cybersecurity in this nation sorted. We need one voice, we need consistent messages and we need a coordinated approach to communication, because from what I could gather there was no guiding hand on the communication that took place over the weekend of the WannaCry incident.

We also need to ensure that small businesses are aware they have a go-to place to find out, 'Okay, I'm hearing about WannaCry. I am hearing about this on a Friday night. I need to make sure that my business is okay,'—because we know that small businesses operate around the clock; it is not just a case of nine to five, Monday to Friday. Of the 2.1 million small businesses that operate here in Australia, 60 per cent operate from their kitchen table or from their home office. They do not have a shingle out in the high street; they do not have a shop on the main street. They operate from their home office, from their kitchen table. Sixty per cent of the 2.1 million small businesses in Australia are one person; there is no staff. There is no ICT department, no human resources department and no marketing department. It is just one individual trying to run the business, market the business, administer the business and secure the business online—one individual.

I have been one of those individuals. I was one of those individuals for 10 years. I had my own small business before I came into politics. I have been there. I know the importance of getting my IT security right, because that is my business. That is my reputation. If something is compromised there then the business is closed. The business is over. It is vitally important that small businesses understand, have the confidence and feel empowered to operate in the online environment. And it is vital that, when incidents like WannaCry occur, they know where to go. It is vital that those poor 12 business people—four of them were in the Northern Territory—that fell victim to WannaCry, and any other small business person or microbusiness person, can go to one site, one location, to work out what to do. They hear the news overnight; they wake up on Saturday morning and hear that WannaCry has hit like a wave, like a tsunami—200,000 individuals and businesses in more than 100 countries throughout the world. What do they think? 'I need to work out what to do. Where do I go to get advice?'

In the UK you go to the National Cyber Security Centre's Twitter page or Facebook page. In Australia you have to be very conversant with the bureaucracy. My recommendation is, if you are business wanting to secure your online environment, you need to get a big organisational chart of the Australian government bureaucracy. Because, if you are operating a small business, and you wake up Saturday morning and hear about WannaCry, you need to go to the Attorney-General's Department website, then you need to go to the minister's website, Twitter page and Facebook page and then you need to go to the Department of the Prime Minister and Cabinet website, Twitter page and Facebook page. You also need to go to the Australian Cyber Security Centre website, Twitter page and Facebook page and, just in case you have forgotten, you need to go to Stay Smart Online. Although, from memory, their first Facebook post was done about four days after we first heard about WannaCry—four days.

This is the real challenge that we have in Australia. The government needs to get serious about cybersecurity communications. It needs to get serious about establishing behavioural and cultural change in government agencies and it needs to drive that through a communications strategy. It also needs to get serious about crisis communications strategies, because what we saw on WannaCry was a complete and utter joke. I could not believe it, after what we saw with census fail last year, when people had no idea what was going on. They were compelled to take part because it was the census, but they had no idea what was going on. There was a great deal of review over census fail. Everyone realised that communication was probably one of the major issues. The Prime Minister's adviser on cybersecurity made it clear that communication had to be improved and that there had to be significant improvement in crisis communications and also in terms of behavioural change, attitudinal change and cultural change.

So you would have thought, after that significant failure, that with WannaCry they would have just gone to the one government agency and rolled out that communications strategy. You would have thought it would have been a really slick operation, given the lessons that were supposedly learnt after census fail. Given that everyone acknowledged that communication was one of the major failures of the census, you would have thought that with WannaCry there would have been an award-winning communication strategy rolled out.

As someone who had my own communication business, who is a fellow of the Public Relations Institute of Australia and who is an active member of the executive of the Australian Association of Business Communicators, I know when a communication strategy is working. I know, by looking at it from outside, whether the communication is being guided, or whether it is just mad and ad hoc, with one organisation running off with one message and another organisation running off with another message.

That was definitely what we saw with WannaCry. There was obviously no guiding hand managing the communication on WannaCry. There was no crisis communication. There was no general communication. There was no behavioural change, no attitudinal change, no call to action, no cultural change—nothing. There were just six government agencies sending out all their different messages at different times, except on Mother's Day. WannaCry happened on Saturday morning. We found out about it on Saturday morning. There was, from memory, no communication on the Sunday from government agencies about what people needed to do.

That is all you want to know. When you are a small business you just want to know what to do: 'Give me advice on what I need to do right now to save my business, to save my data, to save my intellectual property, to save my reputation. Just tell me what to do, and I will do it.' It was just a case of patching. It was a case of doing backups. It was a case of basically making a commitment to do regular IT health checks.

As I said, I welcome the opportunity to speak on the Enhancing Online Safety for Children Amendment Bill, because there are so many different voices in the cybersecurity and cybersafety space. Labor supported the introduction of the Enhancing Online Safety for Children Act in 2015 as part of our commitment to combating online child bullying and its impacts, including child suicide. Since then we have seen that age is no longer a barrier, and adults are also frequently the target of online harassment and bullying, with similar consequences for their mental and physical health. I often wonder whether, at its creation in 2015, the Office of the Children's eSafety Commissioner recognised then that its scope was simply not going to be wide or broad enough.

I am pleased Labor is supporting the amendments to the bill that will make it easier for all members of the public to identify where they can seek assistance. That is what is so vitally important: one place to go to seek assistance; one place to go to seek advice—somewhere they can seek assistance and advice in relation to a range of online safety issues, irrespective of their age.

This bill, as we have heard from so many of my colleagues today, amends the Enhancing Online Safety for Children Act 2015 to reflect the broader role of the Children's eSafety Commissioner in relation to online safety for, as I said, all Australians, not just children. It will amend the commissioner's title, and it will make a number of other amendments that are welcome.

Revenge porn and the online safety of young Canberrans has been a significant issue here. We had an incident last year at St Mary MacKillop College where images were released, causing significant consternation and concern amongst the St Mary MacKillop College and also other colleges throughout Canberra. This is a significant issue in not just my community but all our communities. Revenge porn is a whole different issue. We need to ensure that mechanisms are in place to address that and to ensure that the victims are not targeted. We also need to provide an environment where support and assistance is provided to both children and adults. (Time expired)

See this speech in context