Telstra media conference: Minister Reynolds, Minister Robert and Andrew Penn (CEO Telstra)

Topics: Telstra, Services Australia and ACSC’s pilot program, cyber security in Australia

***Check against delivery***

STEVE CAREY (TELSTRA): Thank you, Ben, and welcome everyone. Thank you for joining us at today's joint announcement between Telstra, the Australian Cyber Security Centre and Services Australia of a new pilot program we're launching that will block cyber criminals impersonating Services Australia. Today's media briefing will run for around 30 minutes and you will hear from Telstra CEO, Andy Penn; the Minister for Defence, Senator Linda Reynolds; the Minister for Government Services, Stuart Robert. And we will break it into two parts: the first part being presentation from all three parties and then we will have a Q & A session at the end.

I would like to take this opportunity to obviously welcome the media to the event. All of our materials which you will have received at this point are embargoed until 2.30 pm today. You will have all received registration instructions on how to register for questions on this call. So please follow these if you do wish to ask a question from around 1.30. But without further ado, I will hand over to Andy Penn for opening remarks and thank you all for joining us. Thank you, Andy.

ANDY PENN: Thanks very much, Steve, and can I also pass on a particular thanks to Minister Reynolds, the Minister for Defence and Minister Robert, the Minister for Government Services for not only being here today but helping us and supporting us in relation to this initiative. I think one of the things that COVID in the recent months has underscored is not only the critical importance of connectivity but also how we protect ourselves online. And with so many of us now working and studying from home, the level of risk has never been higher and scammers are targeting personal information more than ever before, which has contributed to an increase in financial losses across all scams up to nearly $100 million already this year.

So today we're delighted to be announcing our pilot in conjunction with Services Australia to identify and reject illegitimate text messages that appear to be sent from myGov and from Centrelink to Telstra customers. The capability is only available to customers on Telstra's network, obviously because we can only manage the traffic that's on our network, but it does align with the government's 2020 cyber security strategy and one of the recommendations that we made in the industry advice panel, which I chaired.

We've been working closely with the Australian Cyber Security Centre and we completed a technical proof of concept using essentially metadata to identify and reject illegitimate SMS traffic that's spoofing using Telstra centre IDs on our network. The type of scam that we're focusing on with this initiative are SMS scams where scammers impersonate known and trusted brands like Telstra, like Centrelink to redirect people to malicious websites.

Currently, SMS systems specifications mean that malicious actors can spoof or impersonate the centre field, that's the little address that you see at the top of a text message, and what they do is they put in there the name of somebody that you might ordinarily trust, to trick people into thinking that it's a legitimate message and, therefore, clicking whatever link that there is in there.

The proof concept has been successfully trialled, rejecting messages with Telstra centre IDs coming from unapproved sources for breaching our customers. So we're really pleased, and so we're now at a point of scaling up this activity and hope to have this in full operation by the end of the year. It will not completely eliminate the risk but it does eliminate a lot of the activity. And it's very much analogous to that Cleaner Pipes initiative that we announced earlier in the year where we were effectively seeking to mitigate the amount of malicious activity that is redirecting customers to, via phishing emails and other types of traffic, to illegitimate IP addresses or IP addresses from where they are receiving malicious activity.

And one of the advantages of trying to clean up a lot of this malicious activity on the network is, one, it protects customers, but two, what it does also is it makes the really hard stuff a little bit easier to find as well. We're already blocking about a million scam calls a month. We're blocking about 20 million suspicious emails every day, and so you can see that the level of activity that we're experiencing in relation to cybercrime is very, very significant. And so this is going to be very, very important.

And I go all the way back to the Prime Minister's speech to the National Press Club last November when he announced the aspiration for Australia to be a leading digital economy by 2030. What goes hand-in-glove with that is a safe cyber environment for all of Australians and, therefore, we're particularly pleased and acknowledge the government's strong leadership in relation to their 2020 Australian cyber security strategy playing a major role in ensuring not only do we have a digital economy but we have a safe digital economy as well.

So, with those comments, I might hand over to Minister Reynolds who I know has a couple of things to mention and we will also hear from Minister Roberts as well. So, Minister Reynolds please.

MINISTER REYNOLDS: Thanks Andrew, it’s great to be here via video with both you and also Minister Robert to launch this really important pilot program today. But first of all can I first congratulate Telstra, not only on this collaboration but as you’ve said also on your Cleaner Pipes initiative. Both are very important.

Cybercrime is a national challenge that does require a national response. And to provide some context, in the past 12 months alone, the Australian Cyber Security Centre has received 60,000 cybercrime reports both from individuals and also from businesses. And that’s one report every 10 minutes. And this criminal activity as we know can affect anybody in Australia.

One of the things I’d note upfront is that the methods used by cybercriminals are not new. And their level of activity has not actually increased significantly during COVID-19. But what has changed is cybercriminals are getting better at adapting their tradecraft and they’re doing that in very malicious ways. They’re exploiting people’s concerns and also their desire for information during COVID-19.

So during this pandemic, we have seen a rise in COVID-19 themed phishing scams and also ransomware attacks. And this includes criminal SMS phishing campaigns that Andrew has just talked about against our mobile phones and indeed against all other personal smart devices. These messages redirect victims to malicious websites that both install malware and also steal their personal information. The messages often appear to be from trusted and legitimate sources – including Australian Government services like MyGov and Centrelink. These services are providing really important lifelines for millions of Australians today. And cyber-criminals are really cruelly capitalising on Australian’s use of these services during the pandemic.

So, the aim of this pilot program is to trial a joint technical solution to stop these malicious text messages from ever reaching Telstra customers. And I think this collaboration is really an exemplar for the Federal Government. In particular, I am very proud of the role the ACSC has played.

The ACSC has used its insights into the tradecraft and also the motivations of cybercriminals to help Australians fight back. While the pilot itself won’t stop all malicious text messages – it is an important next step towards broader industry-wide protections for our smart devices.

What I’d say in conclusion Andrew is that the Morrison Government is absolutely committed to supporting and also enabling this type of Government-led collaboration with all Australian businesses. We are doing this through our $1.35 billion dollar CESAR package that the Prime Minister and I announced in June. This package is the single largest investment in Australia’s cyber resilience in our nation’s history. But as I’ve said many times now publicly, cyber security is a shared responsibility for us all.

And we have to tackle this threat together. Thank you and well done.

ANDY PENN: Thank you very much, Minister Reynolds. And, Minister Robert, some comments from you?

MINISTER ROBERT: Yeah, thanks Andy and thanks Linda, my good colleague, the Minister for Defence. Linda is spot on: the government is absolutely committed to the cyber protection of our citizens and for really good reasons. Services Australia, one of my agencies, pays $210 billion of taxpayers' money to citizens every year. We have a transactional flow greater than the four big banks put together in terms of billions and billions of transactions annually.

Last year, for example, we sent 23 million SMS’ and something like 209 million myGov SMS’s. So it's an enormous transactional flow, and now that all of our major payments are online, there's a very strong transformation and a digital-first strategy: the idea of keeping Australians safe when they engage with Services Australia is absolutely fundamental. And it's why this initiative working with Telstra is so important. We take cyber seriously. Services Australia runs an extraordinarily advanced Cyber Operation Centre that works very closely with Linda's Australians Cyber Security Centre and we want to do everything we can to further enhance and further improve that.

We know, in the last financial year, that about 920 Australian citizens had a Centrelink payment defrauded. We know that over 27,000 individual pieces of information were stolen from Australian citizens because someone was masquerading as Centrelink or as myGov or as an Australian Government partner in some way, shape or form. So this idea of seeking to work with Telstra using their technical smarts to knock out in the background at the network layer the capacity for malicious intruders to try and spoof, act like they're Services Australia or act like they're myGov, is extraordinarily welcome. I'm looking forward to the pilot. I think it's going to be very, very successful.

All testing to date has been excellent and then I'm looking forward to extending it wider across the country because it is so important that people continue to have faith and trust in government and we'll maximise that by using technology to defeat those who seek to use technology against us. Great initiative. Thrilled to be working with my great friend and colleague, Linda. And Andy, well done. All power to you. Looking forward to seeing how the next 12 months goes.

ANDY PENN: Thanks very much, Minister Robert. Steve, I might hand back to you and we can open up for any questions.

STEVE CAREY (TELSTRA): Sure. Thank you, Andy, and thank you Ministers for your presentations there. We have a couple of questions standing by. We might just cross back to Ben to reinstruct on the steps in relation to how to register questions and then we can go to the first question which I believe is from Annabelle Hennessy from the West Australian.

TELSTRA OPERATOR: Thank you. And once again, if you wish to ask a question over the phone, please press * and then 1 on your telephone keypad. You will then be prompted to enter in your name, followed by your company name, followed by the # key. This will then register you to ask a question. Your first question comes from Annabelle Hennessy from the West Australian. Please go ahead, Annabelle.

ANNABELLE HENNESSEY (WEST AUSTRALIAN): Hi. Thank you for your time. I just want to ask, in regards to the phishing scams, do the cybercriminals normally come from within Australia or are they quite often coming from countries outside of Australia? And also is the rise of apps that allow messages to be encrypted contributing at all to the rise of this kind of cybercrime?

ANDY PENN: No. Well, thanks very much, Annabelle. Maybe I'll make a comment and see if others want to as well. There is a lot of activity coming from overseas. One of the additional challenges with activity that comes from overseas is it's much harder for Australian agencies obviously to track down and to prosecute and so, therefore, that's why we do see a lot of overseas activity. We're not actually in this particular method looking into what's in the messages. So, in a sense, whether they're encrypted or not is not an issue in this situation.

We can identify effectively from the metadata around the message whether or not it's coming from a legitimate source. So, in this particular occasion, that is not the issue. And, in fact, in our Cleaner Pipes initiative, similarly the encryption has increased obviously, but the way in which we do Cleaner Pipes is that we identify, through multiples of different technologies and sources, IP addresses where we know - where we know are the source of malicious activity and we just block customers accessing those IP addresses.

So, again, we don't need to actually get into the message itself. We just go straight back to the source and this is analogous with this - with that. So it's really dependent on trying to make sure and find techniques to identify what the source of origination is of this malicious activity. But Minister Reynolds and Robert, I'm not sure if there's anything that you want to comment on, particularly in relation to the overseas point. You're probably in a stronger position to comment on that than me.

MINISTER REYNOLDS: Well, thanks Andrew. I think you've pretty comprehensively covered it, but I can certainly confirm that the threats to Australians not only originate here in Australia but they certainly originate overseas and that is one of the many roles that the Australian Cyber Security Centre monitors and works with the Australian Signals Directorate of which they're a part, but also with other trusted partners overseas. So we do work very collaboratively here in Australia with law enforcement and other agencies but we also do work with many trusted partners overseas because of that.

STEVE CAREY (TELSTRA): We might go to the next question, then.

TELSTRA OPERATOR: Thank you, Annabelle. Your next question comes from James Fernyhough from the Australian Financial Review. Please go ahead James.

JAMES FERNYHOUGH (AFR): Hi there. This is probably more one for the government, for the Ministers. Just picking up on that - where they're coming from, can you talk about what sorts of - who are these criminals? Do you know anything about what sort of organisations they are? And are there any particular countries that you are looking at. Obviously, you know, people talk about Russia and China is a hot topic, are either of those countries coming up?

MINISTER REYNOLDS: Thanks very much, James. I will go first. They come from many and varied countries. So I couldn't just stick with one but there are two types of - two broad types of activities. Both are state-based actors that operate in the cyber domain and also common garden variety criminals who are very sophisticated, and again they come from a number of countries. I don't know whether, Andrew, you wanted to pick up from a Telstra perspective?

ANDY PENN: No. I mean, you know, I think there are some known hot spots. I think it's probably not for me to comment on the source, James, but I think again the dilemma is where a lot of this malicious activity bases itself is in jurisdictions where it's very difficult to ensure a prosecution or to track them down. And that's the fundamental issue. I mean, obviously, activity does originate in Australia but the Australian security agencies have much greater powers and ability to track that down and actually then prosecute where that's the case.

So you can see how there's an incentive for criminals and for other perpetrators to locate themselves in jurisdictions in places where they're more able to effectively protect themselves from ever getting sort of pursued. And that's one of the big challenges with cybercrime, is that if the consequences for the perpetrators aren't significant, there's not a disincentive on that side to reduce the activity and the incentive, because the rewards, unfortunately, can be great, given my comment earlier that we've already seen this is just the sort of consumer level of about $100 million worth of scams to date. So, Minister Robert, I don't know if there's anything you wanted to say?

MINISTER REYNOLDS: I might just pick up there, James, another - this is really where this trial is so important because given what Andrew has said, in terms of the sources of many of these scams and phishing activities is, we have to protect people from it. So not only do people at home or in their businesses have to take greater measures to protect themselves from these, but also these sorts of initiatives are very important so that we can stop them getting to people. So it's that intermediary role that is so important. Stuart.

JAMES FERNYHOUGH: Can you still hear me, sorry? Am I still on?

ANDY PENN: Yeah, James, you're still on.

JAMES FERNYHOUGH: Yes. Can I just ask, just follow up, when you said the state-based actors are also involved, are states actually sending these particular things impersonating Centrelink, etcetera?

STUART ROBERT: James, this is Minister Robert here. In terms of Services Australia, because of the globalised nature of comms, everyone in terms of seeking to hack us are a pack of bastards; whether they're sponsored by a state, which means an overseas nation gives them money, whether they're a criminal syndicate gang, whether they're a bunch of local hoodlums or kids or whether they're, frankly, just a bunch of bullies in the backyard schoolyard.

The challenge online, of course, is you don't know who is behind an assault. You don't know, you the consumer, who has sent the scam email, the phishing SMS, who is trying to impersonate and put a rogue code in your computer, who is sending malicious emails that are trying to attack your firmware. You've got no idea.

So the key message for the consumer, of course, is the Federal Government is never going to ask you for user ID and passwords online over the phone: never, ever. We're not going to send you URLs online to go and connect into. We'll simply say: log on to myGov. Log into your Centrelink Express Plus app. Log into Medicare. Go to myGov. We're always going to send you to the source where you will put in your credentials and where you'll sit.

And, of course, if people do that, if people continue to focus on just going always to the trusted source and using their trusted credentials, they'll be just fine. We'll continue in the background to block. And as Linda said, this initiative is superb in stopping people spoofing or trying to emulate us in terms of SMS messages. We look to do as much as we can including blocking overseas actors, based on their IP address or their domain names, as Andy was saying.

But they're not going to go away. They're going to get more and more emboldened as technology gets cheaper and cheaper and cheaper. And we need to spend a lot more time, effort and money, and this trial shows we're doing that on allowing citizens, protecting them in the back technical areas as well as giving them information so that they know don't follow the malicious link on an SMS. We won't send it to you. Go to the source. Log in with your credentials.

JAMES FERNYHOUGH: Thanks.

TELSTRA OPERATOR: Thank you James. Your next question comes from Jennifer Dudley-Nicholson, from News Corp. Please go ahead, Jennifer.

JENNIFER DUDLEY-NICHOLSON (NEWS CORP): Thank you. So it sounds like this is really about blocking the known IP addresses of problematic sources. Have you been able to do this before? Is this a result of cooperation, greater cooperation between Telstra and some of the security agencies? And also could it be employed in future to stop other sorts of scams and potentially phone scams, phone call scams as well?

ANDY PENN: Yeah - no, look thanks Jenny. It's Andy. You're right. Again, whether it's emails, whether it's SMS’, whether it's a phone scam, the principle is the same: trying to find the malicious activity, pinpoint where the malicious activity is coming from, confirm that it is malicious and it's not legitimate traffic, and then block it at its source. And that then stops customers from ever actually landing, and that's exactly what we're doing.

And obviously to do that we need to know both the illegitimate sources but we need to know the legitimate sources as well, because everybody configures their IT environment in different ways and some people outsource some of this activity. It's not always as simple as you may think, or it may seem, to get a list of the legitimate sources. But that's what's involved.

It's working with key organisations and in this case, it's the government, to identify the legitimate sources and then identify the illegitimate and malicious traffic and then block, block out the malicious stuff relative to the legitimate stuff. It conceptually doesn't sound hard to do. What makes it hard to do is a few things.

One is just the scale of traffic and the scale of activity that we sort of are dealing with. And you already heard Minister Robert sort of refer to how many SMS’ his government is sending out. I mean, just on our network we have 60 million SMS’ a day every single day: 60 million.

So, one, it's the volume of traffic that we're needing to deal with. Secondly, that the scammers and the perpetrators of this are very good at trying to look legitimate and so they don't make it easy to find, and every time you find it, they'll find a different way to try and disguise. And, of course, every time you find the illegitimate source they will quickly pivot to another source. It's one of the issues that we get with scam callers. We can - as soon as we identify the origin of scam calls, we lock it down, but in a heartbeat they've opened up another one.

And so they're some of the challenges we're doing and that's why working with clients should be very important. But to your point, you know, this trial, you know, we can now work with other partners - banks and, you know, other organisations that tend to be those that are - which people tend to imitate to try and sort of trick people into clicking the wrong link.

MINISTER ROBERT: Jennifer, its Stu Robert here. It's a pretty sophisticated operation Telstra have got. It's not just blocking at IP address level, it's an entire layer three, or network level blocking that they're putting in place. And can it be used wire a foot? When it comes to cyber security it's a multi-layered approach. So if I could speak to Services Australia, and then Minister for Defence will speak wider about the rest of the country.

But Services Australia, when it comes to telephony, we've implemented a full voice biometric. So when you get on to the telephone calls - and 150,000 Australians call us every day - about 30% of them now have a voice biometric, almost 4 million.

We're encouraging more and more Australians to authenticate themselves securely by their voice and that ensures that no one can impersonate them on the phone.

Digital identity is the next great move and we'll have announcements regarding that shortly in terms of where governments go with digital identity and how it will work with the private sector and the states and territories.

So there's a little bit of horses for courses, and there's a little bit of multi-layered security that rolls across how we operate. But certainly what we're trialling here has got great approximately to be used elsewhere.

MINISTER REYNOLDS: Look, thanks very much Andrew and Stuart. In relation to the Australian Cyber Security Centre, we work not only very closely with Telstra but also with other - with all other telecommunication companies and we do that primarily through our partnership program. For further information on that go to the brilliant site, www.cyber.gov.au and that is a brilliant source of information for individuals, for companies and also for larger organisations on how to protect yourself.

But what the ACSC does with Telstra and with its other partners is it really does provide very unique insights into the tradecraft of cyber criminals who are seeking to exploit Australians. So it's the tradecraft but it's also having a better understanding of their motivations which is very important. So, again, that's really our role in this.

JENNIFER DUDLEY-NICHOLSON: Thank you.

TELSTRA OPERATOR: Thank you, Jennifer. Your next question comes from Josh Taylor from The Guardian, please go ahead, Josh.

JOSH TAYLOR (THE GUARDIAN): Thanks very much. Just a couple of questions on - I think you went into it a bit before - but how do you avoid sort of the hydro effect? How quickly can you identify these scams as they're coming through and how quickly can you sort of stop them, you know, regardless of how many times they pop up?

And, secondly, Andy I remember you mentioning with your industry advisory to government on cyber security that there was a bit of legislative uncertainty around some of these things, in particular I think blocking websites and blocking SMS. If the pilot is successful, will you need legislative change in order to, I guess, that you can go about doing something?

ANDY PENN: Thanks, Josh. I mean, needless to say, it's all about how you automate this, because, as I mentioned before, one of the challenges is just the scale and the volume of activity which occurs. And so therefore you need to automate it but because you are automating it, you're effectively doing it almost immediately. So that's the real trick.

As regards to whether or not we need legislative change, you know, no, we don't. Were we seeking to actually look into the message and the content that would require some form of order from one of the security agencies and the need to go through appropriate legal process? But because we are not doing that, we are entitled to block what we believe are sites which are originating traffic and that could be harmful to our customers, as long as we're not actually looking into the messages which we're not. As I say, we're just - we're identifying the sources.

TELSTRA OPERATOR: Thank you, Josh. Your next question comes from Chris Duckett from ZD Net. Please go ahead, Chris.

CHRIS DUCKETT (ZD NET): Hi. I've got a couple of questions, probably for Andy. First up, how long will this program last as a pilot before it moves on to whatever the next stage is? And, secondly, why is it that the ACSC is bringing to the table that Telstra could do off its own bat with its own cyber services arm? Is it that foreign intelligence and that sort of stuff from overseas? Thanks.

ANDY PENN: Thank you. In relation to the first piece, basically we've been trialling it as a pilot. We're now sort of rolling it out to the next stage. We've done proof of concept and we expect to fully roll it out by the end of this year, so literally in a matter of weeks, if not a few months. So we're very confident of being able to do that. Look, the ACSC is a tremendous government resource and one which featured highly in our industry advisory panel because it plays a crucial role in the collaboration between industry, government, state government and Federal Government, because the one thing that you learn is that cyber security is a team sport.

And we all have a role to play, and the ACSC plays a crucial role in supporting that partnership between industry and government. And I gave just one example there which is, you know, really to know which are the legitimate sources - we need to work with the ACSC and through the ACSC with government to understand what's legitimate and what the legitimate sources are. Similarly, one of the roles the ACSC plays is actually sharing of data and we share data that we have in relation to malicious activity. So it's not so much that ACSC has got something that we don't or we've got something the ACSC doesn't have.

We both look at the world through a different lens and we both have access to information probably that the other party doesn't have and it's actually by bringing that together and the good guys in this game working together, that we have increased our chances of eliminating or mitigating the risk of being sort of subject to attack and to the sort of malicious actors getting through. But Minister Reynolds, I don't know if you want to comment further on the role of the ACSC?

MINISTER REYNOLDS: Well, look, thanks very much. A couple of points. First of all, the Federal Government through the ACSC is working with Telstra on this pilot program which is, as we've said, is to validate the effectiveness of these protections. And if it is successful, we will work very constructively with all the other telcos to explore options for industry-wide protections and adoptions of these type of protections.

And, look, I think Andrew has covered it very well. The Australian Cyber Security Centre, as you can see sort of on their website, is and through their partnership program, is they share what they know.

So they provide early advice when they see another threat or there's something that needs to be patched or managed. They have extensive advice on that, on their website. So they've got a number of roles. And, as Andrew has said, it is a very collaborative relationship with Telstra and all other telcos because, as I keep saying, this is a national problem that requires a truly collaborative national approach.

TELSTRA OPERATOR: Thank you Chris. Your next question comes from Tom Burton from the Australian Financial Review. Please go ahead, Tom.

TOM BURTON (AFR): Can you hear me ok?

ANDY PENN: Yes, thanks Tom.

TOM BURTON: A dumb question but I'm just trying to understand the privacy issues if you can't look into a message [inaudible] metadata, how do you know that it's someone trying to pretend that they're someone from Services Australia?

ANDY PENN: Well, because we know what the legitimate sources are for Services Australia. And if we see a message that is imitating something coming from Services Australia, then we basically identify where that message is coming from, where's the source of that. And if it's not from one of the legitimate sources then we block it and stop it.

MINISTER ROBERT: Tom, Stu Robert here. The last 18 months we have transformation. We've been fundamentally rebuilding our architecture of how we deliver services. MyGov has got 18 million accounts and Medicare has got 24-plus million. And there are substantial data lakes built, data exchanges built. So we're limiting the amount of exchanges where data is sent from. So if we're going to send a message data, anything, it comes from a small group of source areas, source servers as part of its exchange, and obviously goes to telcos and off we go.

So Andy at Telstra knows exactly where he should be receiving anything regarding myGov or Centrelink or Medicare from. And the beauty of this pilot is that because he knows with absolute certainty where we're going to be sending data to Telstra from for Telstra to send on out, anyone else that tries to send similar data out not from that origination in our data exchange area, he knows he can block. In its very simplest, it's a lot more technical than that, but simplistically speaking, that's what it looks like. It's pretty clever.

ACSC have done a lot of work ensuring that the architecture is fine and now that network layer for Telstra to execute on it and trial it, I think is really exciting. And the opportunity then to extend that, not just across other service providers that government may use, but if you think about the opportunity for telcos to provide that to their other major clients in utilities, in banking and finance, it could be quite extraordinary because SMSing is at least the top five of the cyber vehicles that those ubiquitous bastards that seek to steal, harm and destroy out there use. So this is a big win, if we can get it right and I'm confident we can.

TOM BURTON: Thank you for that. So if I understand correctly, it's because in this case Services Australia has given Telstra the information needs to be able understand what legitimate SMS’ are and therefore all others are illegitimate is that the core logic in simple terms?

MINISTER ROBERT: Not just the IP address. It's quite technical but it will go down to exactly the originating IP, the originating, I suggest package restructures. There's a whole bunch that sits in a middle layer 3 network layer to authenticate that the originator of the messages from Services Australia is indeed who it says it has to be.

TOM BURTON: Ok. Thank you, Stuart. And I think the next question which is probably almost answered but can this now scale for other government agencies other than Services Australia?

ANDY PENN: Yes. The short answer is yes. I mean, it's the same - it's the same principle as Minister Robert said; is that we know by working in partnership with the Minister and with the ACSC what the legitimate sources are. So if we see a text message that purports to be from one of those legitimate sources and isn't, then we block it.

TOM BURTON: Right. And those large commercial organisations, Qantas or something like that, who might have an SMS campaign.

ANDY PENN: Correct. We can work with pretty much anybody to do it. As the Minister said, he's done a lot of very substantial work improving the architecture of Services Australia. So you've got to have that back end has got to be easily identified and manageable, and some organisations aren't quite as well organised in the back end as Minister Robert's Services Australia which then makes it actually harder to try and pinpoint who the legitimate sources are. But conceptually, that's what you need to do.

TOM BURTON: Thank you very much.

TELSTRA OPERATOR: Thank you, Tom. Your final question comes from David Swan from the Australian. Please go ahead, David.

DAVID SWAN (THE AUSTRALIAN): Thanks and thanks guys for the briefing. A question for the Ministers. There was a report out today, it was the National Cyber Power Index found Australia has come into 16th place overall for our cyber security capability. I just wanted to ask both of you for a bit of colour in terms of, I guess, taking cyber security seriously as a government. Obviously, you've got the strategy but, you know, what are you going to do to make sure we climb up those ranks and have really strong cyber capabilities going forward?

MINISTER REYNOLDS: Hi. It's Linda Reynolds here. Well, as I said, we've invested the largest single ever investment in cyber resilience, which is the CESAR package, the $1.35 billion. But I think more broadly the government, when I and the Prime Minister announced the defence strategic update, we've made an unprecedented $15 billion investment in cyber but also in our information warfare capabilities through the Force Structure Plan which we now understand is sort of publicly released. So this package is all about boosting protection and our nation's cyber resilience at both ends.

So one end is the cyber security, the grey zone, foreign interference level of attacks which frequently are state-based actors, right through the spectrum through to what we're talking about here today is the exploitation of cyber for safety and security and cybercriminal activities.

So, as I said, $15 billion investment is very significant and it demonstrates, I think, also why the ASD and the Australian Cyber Security Centre are within the Defence portfolio, because they're sort of two ends of a rapidly narrowing spectrum of threats in terms of where they're from and how we need to respond to them.

MINISTER ROBERT: Thanks, Linda. We've come a long way in 20 years. Linda and Andy and I were surmising before we started about how quickly cyber security disciplines come along. 20 years ago I struggled to find a supervisor to start a PhD in what was then information systems security and ended up working with Professor Bill Cayley out of QUT. Now, unfortunately, life got busy, I didn't finish it halfway through. But now we've come along and it's a discipline in its own right as it should.

And Linda's gone through exactly what she and the government have done across the wider country with the ACSC. And it is world leading stuff and provides a really good basis for Services Australia to work with and come under. Now, we run our own Cyber Operation Centre. We've spent a quarter of a billion on it, to give you an idea of the scale of just Services Australia, 24/7 op centre, let alone what Linda's talking about in ACSC and ASD. And it's really important because we're moving now, the digital technology strategy for government has all governments or all citizens' interactions with government digital by 2025.

Services Australia major payments are all online now as it is. And with the transactional flow greater than the four big banks put together, you can see how much of a target we are. And now we're building out myGov. You'll see there's a myGov beta there. There'll soon be a second myGov beta on the 20th of this month as we continue to build out the single front-end for government, and that's been built out with cyber security built into the centre, with ACSC involved. You saw it with the COVIDSafe app now regarded amongst the 34 apps in the world as the safest. And again, every step of the way, every single NSC discussion, because Linda and I were in them all together, ACSC and ASD were there every step of the way.

So it's a very integrated journey government is now taking with cyber at the heart of it. And I've got enormous confidence with how government is progressing on this and how government is protecting its citizens through it, and we're only getting better every day. We are well and truly funding it appropriately. There's an enormous resource base going to this, as it should be. And I think Australian citizens have got every right to be secure that government is actually going about this the right way. But the citizen also needs to remember that the ultimate security for their own data comes down to themselves. They have to be responsible for their data. They have to secure their data. And they have to make sure that they don't let their credentials get out of the way.

If there's an issue, they need to call us in terms of let us know if there's an issue. If people believe that they've lost control of their identity or lost control of any information at all, they need to call us so we can help them out. We did about 2,200 referrals to IDCARE last year in terms of customers who have let us know that they've been compromised and their information has been compromised. And there's a full scam identity theft helpdesk, 1800 941 126. 1800 941 126. That's a Services Australia scam and identity theft helpdesk. I would encourage people to call that if they have lost control of any of their credentials or any of their data because when it's all said and done, the individual needs to take responsibility for their own credentials and their own identity and government will take responsibility for the information we hold on behalf of its citizens.

STEVE CAREY (TELSTRA): Thank you, Minister Robert. Thank you, Minister Reynolds. And thank you, Andy, for your contributions today. We'll wrap up the Q&A there. Thank you to the media for joining us on today's call. We sincerely appreciate the time you have taken out. If there are any follow-up questions, you all have my details. I would encourage to either email me or call me post this and I would just like to reaffirm our 2.30 pm embargo lifts on all the materials and reporting. So thank you very much and have a great day.

MINISTER REYNOLDS: Thank you.

ANDY PENN: Thanks everyone. Thanks Minister Robert, thanks Minister Reynolds. Cheers all.

MINISTER REYNOLDS: Thanks Stuart.

MINISTER ROBERT: Andy. Thanks Linda, you're a rock star.

END