Minister for the National Disability Insurance Scheme
Minister for Government Services

Speech: Opening of the Cyber War Games

4 September 2019

The Hon Stuart Robert MP


Look, thank you for the opportunity to launch the third Cyber War Games. It's an important initiative that brings together a coalition of very diverse cyber security professionals to test your skills; to test our skills and in so doing to collectively enhance our cyber resilience. It's all about how do we keep Australians safe.

But before we launch the Games, I think it's important to reflect on just how much we rely on the skills, effort, and commitment of people in the room. Let's cast our minds back a few years ago to 2017, in fact to June. In that time a major malware attack was launched against targets in the Ukraine. NotPetya was the actual cyber weapon or the malware that was launched. It was designed to spread rapidly; it was designed to be indiscriminate. It remains can I say, historically, one of the most devastating cyber-attacks of its kind on record. The cost was circa US$10 billion in damage. But dollars alone never quite grasp the full extent of what cyber assault does.

During the attack the radiation monitoring system at the Chernobyl nuclear power plant went dark, the world's largest shipping conglomerate lost all but one of its computers at a stroke: 76 ports - 800 ships and a fifth of the world's shipping capacity went dark, FedEx was affected; hospitals in the United States of America were affected; the multinational law firm DLA Piper was affected. NotPetya's efforts were felt directly in this country with global giant transport TNT affected and of course the flow on effects into courier systems and transport. The target may well have been one country, the Ukraine, but the impact was global and these were simply the consequences that are on record that we know about, that companies fessed up to.

Now, imagine a world of wave upon wave of coordinated attacks against Australian cities or across our network of critical infrastructure. In this room are some of the leading cyber security practitioners and I know that you more than most appreciate how intertwined our systems are that make our society work.

The great opportunities, the great conveniences we now enjoy have also delivered a raft of new vulnerabilities that frankly are waiting to be compromised by a malevolent actor. Be it traffic lights, electricity networks, stock exchanges, government payment systems, heaven forbid. There are tech doorways into our homes, our smartphones, our gaming consoles, our digital locks, our Smart TVs, even the ordering on your local fridge can potentially provide gateways to spreads of malicious attacks.

Now, there is an expectation from the wider community that their government stands ready to address these emerging challenges. We are and we will be. An activity such as Operation Tsunami over the next few days postures you, our cyber community, to respond. These Games of course follow on from the Operation First Wave in 2017 and Operation Shell Breaker last year and it's great to see the game evolve each year and I'm proud about continuing, that we are continuing with the third iteration.

As many of you know, I've been deeply engaged with the cyber community for some time. I started my PhD in cyber security in 2002 back then with Professor Bill Caley. And in 2002 it was actually quite hard to find a supervisor to do a PhD in cyber security. Most of the time people asked: what's that and why do we need it? Suffice to say people aren't asking that anymore.

In fact, I was looking at my confirmation work in 2002 and I should actually go back and complete the PhD…


…but I got involved in business and in family and all the things of life that overtake. And I was reading this morning what I wrote for my confirmation thesis. I made the point: information technology can no longer be looked at in the old paradigm security model of an onion with various layers of security surrounding each other like a bank vault; the level of complexity now didn't exist when those traditional models were designed and implemented. Remember this is 17 years ago when everyone thought a firewall kept the bad guys out. The onion paradigm was dominant. Organisations had control of software development and there was generally only one well known and understood gateway into a network and things were centralised. The modern world - this is 2002 - is anything but that. It's highly complex, decentralised, internet-centric with multiple gateways and software almost exclusively purchased off the shelf. Security now is not about keeping everyone out but allowing everyone in within a secure infrastructure, and the brave new world requires a brave new method to enable modelling and posturing for this.

Well that brave new world is still with us. In fact, it's even braver. We need more and more people to connect with government, more and more people to connect with the organisations so many of you represent, and we need more and more of that to be secure. It wasn't so long ago, 2014, that I had the privilege of opening Australia's first cyber security centre at the University of New South Wales, that's only five years ago. How far the world has come.

Since then, since 2002 and then since 2014, the threats have only grown and they will continue to grow with an ever increasing and exponential proliferation of digital systems that seamlessly managed to entwine themselves in our lives. So as Minister for Government Services responsible for all this, I see great potential that this new digital era promises for improving the customer experience and I echo the words the Prime Minister made recently in his address to the public service. The Prime Minister said: just as tech opens up new opportunities it also creates new vulnerabilities. Whether it's working to the ethical and privacy dimensions of the digital revolution or protecting our systems and national security from malicious cyber activity, the Australian Government cannot be anywhere but on the front foot on the frontier of that activity, and we are and we will be.

So I'm very proud that my Department has stepped up to host this important exercise for the third successive year. In chatting with my senior staff about what next year brings, I'm hoping we can do a serious step change in this fight. We are deeply invested in the challenge of cyber security. It is fundamental and critical to what we do daily and it's great to see Michael McNamara, the CIO of the Department of Services Australia, previously known as Department of the Human Services, here today. He knows more than anyone it is critical that our payments and services get where they need to go day in, day out, 24/7. $174 billion dollars is what we will pay out in the next 12 months. Hundreds of thousands of transactions occurring every single day. Services Australia is ostensibly a mid-tier bank and I don't know how many executives or how many security professionals from banks are here but they all should be because the reliability of our banking network is absolutely and utterly critical.

We are trusted by Australians with their personal data and trust is hard won in these sceptical times, and we take the citizens' expectations and obligations extraordinarily seriously as do the executives and security professionals in the room. As some measure of that commitment my Department was the first Australian Government service delivery agency to be rated cyber resilient by the ANAO. But I recognise that network systems mean my Department cannot act alone in dealing with cyber criminals or building our defences. This is why this event is all about bringing representatives from across government and the private sector, including leading organisations in energy, retail, finance and telecommunications together.

So today, we're asking our participants to put on the red hat of the hackers and to do their utmost to take down a simulated city's critical infrastructure. Today, our participants are the red team. You are the bad guys. The city is represented in a stand-alone IT system developed by my Department. The event plays out online but will be replicated on a physical model built over the last three years of these games. That model now contains more than 100,000 pieces of Lego, which I think is uber cool. Everything is indeed awesome.

Now, the city may be made of Lego and its inhabitants might be Lego mini figs but we should be under no illusions this is a game with deadly and serious intent and consequences. Simulations such as this one are being led and used by organisations including NATO, the European Union and the US Department of Homeland Security to keep their communities safe.

What we're doing today, and the executives leading it, is world-class and cutting edge. If we are to best protect Australians we need to provide training scenarios that are world-class and acknowledged of government working very closely with industry in doing this.

Participants will get real-time, valuable experience in identifying and responding to national security level threats. However, the qualities you'll demonstrate this week are not simply technical. You'll have to demonstrate enhanced planning, coordination, communication, anticipation. You'll need to be adaptive and crucially, deeper relations across the cyber security community will have to be built because a tighter cohort of cyber security professionals is a sure defence against those who would seek to do us harm. You'll be working in teams. I suggest you all get along.

At the end of the week, we will declare a winner. There will be a team here that will come up against the best in the world and we will have someone who will stand taller than the rest. And I look forward to seeing that outcome, connecting with them and their organisations. Can I thank all our participants, all our players, our judges. Can I thank my department and our partner organisations for sharing a vision of collaboration in this important space.

Best of luck for another very, very impressive begin or event, and can I say let the Cyber Games begin.




Page last updated: 16 July 2020