08 August 2023

I also acknowledge the Ngunnawal and Ngambri peoples and I pay my respects to their elders past and present, and extend that respect to Aboriginal and Torres Strait Islander people present.

Thank you for the opportunity to address this gathering of professionals from across the government and private sectors on a topic that grows in prominence and relevance every day – how do we protect Australians from cyber crime?

There is no silver bullet.

This is a multi-faceted challenge.

So today I want to look at the growing uptake of digital services by Australians, and their eagerness to have more online service options.

How Government Digital ID is the foundation of a secure cyber ecosystem – the foundation upon which we need to build in a coordinated and strategic manner.

How Government Digital ID can be an important and is an underappreciated addition to the defences against scams and hacks.

And how, as the migration to government services grows, it affords us an unprecedented opportunity to lead on digital reform.

In 1989, the seat of Adelaide was vacated by longstanding ALP member, Chris Hurford.

It was a blue ribbon Labor seat.

The Hawke Government was headed to an unlosable by-election.

Guess what? They lost.

Guess why? Timed local calls.

Within an hour of the polls closing the Prime Minister told the voting public he got the message – don’t mess with Aussies’ 25c local calls.

But today, we can call anywhere in the world – even make it a video call – for next to nothing on our mobile or messaging platform.

The point of this story is that sometimes political roadblocks simply evaporate as tech solves political impasses.

The democratisation of technology has meant that things that were once inconceivable are now – maybe not simple, but definitely no longer in the too hard basket.

So with the ubiquity of tech plus the onslaught of the pandemic, the world saw an acceleration in digital uptake.

Businesses, schools, universities, GPs – even relationships with families and friends – moved online.

As parents of school and university age children, my wife Chloe and I accepted the need for our kids to learn online, especially during Covid.

This was not without reservation, given the massive rollout of Edtech happened at a pace that outstripped oversight of privacy safeguards.

Chloe has extensively researched and written about this topic.

As a family, we are alive to the mixed blessing of digital tech for our kids.

So I see the complexity of digital reform from a personal perspective and now, a year into my role as Minister for Government Services, I see it from a whole-of-government perspective.

And from my vantage point, I see there is a ‘whole of nation’ responsibility to get digital reform right.

Australians are embracing digital government services as never before.

We were on a steady trajectory over the decade before the pandemic, but, as is often the case, crisis forced a quantum leap.

More people had to access government services, healthcare, and financial solutions, virtually, during lockdowns – and realised how convenient it was.

Global digital transformation consulting company Publicis Sapient recently released its Australian Digital Citizen Report 2023.

They surveyed more than 5,000 participants from a broad range of demographics in December 2022.

This was the third such report for the private company, and it had some fascinating insights into how Australians are using digital options by choice.

And in this hyper-partisan world, I want to acknowledge the work of my predecessors in advancing digital reform.

The findings of this research dispel any doubt about the Australian public’s readiness to go digital.

The first finding was that 94% of us used at least one digital government service in 2022.

The most accessed services were myGov, with 56% of respondents saying they had used the platform in the past year, healthcare with 55%, and financial services/taxes, 45%.

I’m pleased to find that MyGov services were also among the top three highest rated digital government services with a positive rating of 89%.

The second insight from the research was that Australians want more digital services – voting, mental health services and digital driver’s licence the top three.

The third insight was that Aussies are keen on digital IDs and wallets, but our worry about privacy hinders wider adoption.

Fourth was that minority groups and older Australians want better access to digital government services and it was pleasing to note that there was a significant rise in digital services among the elderly – with 85% using at least one digital service.

And the fifth insight was that Australians are enthusiastic about emerging technologies – like AI, VR, XR and Web 3.0 – and want to be digitally equipped to take advantage of them.

The research concluded that Australia’s digital government ambitions are heading in the right direction but better collaboration across tiers of government is crucial to understand the scope and quality of service delivery.

The report stressed human-centric designs must be at the core of further improvements to public service delivery a non-negotiable element that must underpin all our offerings and a point I emphasise to my own agency of Services Australia.

Siloed thinking between policy and implementation can act as a barrier to putting the user first.

Policy is important. We need people to think about how to deliver a government’s agenda.

But implementation is equally important or government simply doesn’t work.

Somewhere along the way, the intellectualism of policy development has been elevated to a position of superiority over the practicality of implementation.

In the public service, I feel the policy people have had an aura of superiority over those with the mechanics of implementation.

That thinking can lead to disaster.

And yet, starting with implementation means starting with the user.

It then follows that government needs to invest, not just in tech, but in tech people.

If we don’t have people who speak the language, who have the knowledge to know the benefits and limitations of a particular software program we can end up with our tech uptake being vendor-driven, when our tech should be mission-driven.

Because vendor-driven does not always equate to user-centric.

Big tech can hold government departments hostage to long contracts that build complexity into customer service.

I’m reading a book called Recoding America, by Jennifer Pahlka, former deputy chief technology officer of the United States.

Pahlka tells the story of being brought in by the Californian Government to help with the processing of unemployment benefits during the pandemic.

In speaking with one claims assessor, she asked about how they might improve the process to clear the backlog of 1.2 million claims.

The assessor said he wasn’t sure he could answer all her questions because, and I quote, ‘I’m the new guy’.

He’d been there 17 years. He said she’d have to talk to the staff who’d been there 25 years.

Pahlka described it as an archaeological dig to find the origins of some processes, there are so many layers.

We know complexity and poor user experience can colour people’s impression of the government and ultimately our democracy.

David Thodey’s 2019 review of the Australian Public Service found that people who are satisfied with government services are twice as likely to trust government.

The determination to streamline and modernise government services coupled with revelations about the lack of integrity shown by big consulting firms has brought us to a moment in time where government is more trusted than private industry.

Anyone who watched last night’s 4 Corners will still be shaking their head at the sheer audacity of these firms.

The Publicis Sapient [poob-leh-siss say-pee-ent] research results indicate the time is ripe for government to optimise the level of trust we have built.

In this vein, my Ministerial Colleague, Senator Katy Gallagher, has been working tirelessly – across government and with business – to establish a Digital ID.

At the recent AFR Government Services Summit – where both Senator Gallagher and I spoke – the Minister for Finance flagged that this could be a reality within the next 12 months.

I fully support this ambition and am working to ensure my own portfolio is prepared.

Government Digital ID is, without a shadow of a doubt, the fulcrum of Australia’s digital reform transformation.

It is much like the foundation of a house. And as we know, a solid foundation is the basis of a sturdy structure.

Digital ID has engineering integrity.

But a structure is only as strong as its weakest links and at the moment the public and private sectors are doing ad hoc patch-up jobs which equate to slapping up a bit of chipboard or adding a dab of putty.

We need as many people as possible using this solid foundation so we can remove the authentication weak points.

We are seeing the criminal damage increasing – Optus, Medibank, and the latest from HBL Ebsworth.

Australians reported at least $3.1 billion in scam losses in 2022 which was an 80% increase on 2021.

But just this morning, my colleague Michelle Rowland, Minister for Communications announced that more than one billion telco scams had been blocked in the last year.

Testament to the determination of the Albanese Government to disrupt the scammers.

Services Australia also battles a barrage of scams and large scale phishing campaigns focused on myGov.

They range from text message, phone and email scams, to fake social media accounts.

The solicitation of customer credentials via social media platforms has also seen a sharp increase, leading to significant harms to victims.

Many felt emotional distress, fear and shame on top of financial loss wasted time and resources to fix the problems and feelings of distrust within the community and with government.

In one instance offenders advertised services on social media platforms SnapChat, Instagram, and Tiktok inviting Centrelink recipients over 17 years of age to contact them if they wanted to earn $200.

Young university students and casual workers obviously jumped at the chance to make easy cash but, of course, never saw a cent.

There are even tutorial videos with step-by-step instructions on how to carry out this type of offence.

In another instance, messaging apps were used to obtain identity information of third parties to claim COVID-19 Disaster Payment and Pandemic Leave Disaster Payments.

They charged victims a one hundred dollar fee, but those affected by the disaster – the ones who actually needed it – did not receive any money.

The problem with these hacks, and the proliferation of phishing scams we now see, is that increasing amounts of stolen, identifying details end up on the dark web.

And the more information that goes on the dark web, the less secure proof of record ownership is and the more difficult to prove people are who they say they are.

We want to know exactly who has walked in our front door and stop criminals as soon as they set foot in the foyer.

We want to get to a point where a curated service – say with the birth of a child – is ready made and waiting for you as you enter.

Or even better, myGov comes to you.

If you opt for ‘suggestions services’, myGov could identify you as, let’s say, someone who has been treated for an injury.

You would be presented with a list of services that may now be available to you – and could even have a signed medical certificate ready to go.

Digital ID will give us robust proof of record ownership – or PORO as it’s known.

The once-off PORO would still need to happen, but we would know it is a real person who owns the myGov account and is the same real person who owns the ATO account.

When the Digital ID legislation passes Parliament, it will allow people with a driver’s license or proof of age card to get IP3 level of proofing.

As is stands, to get that IP3 level of proof, you have to own a passport.

Only around 51% of Australians have a passport – those with enough money to travel outside the country or who need to do so for work.

Those without are currently unable to obtain the strongest possible digital identity system.

And that makes it a class problem.

Once we add licences in 2024, we will get to 80% of the population with access.

But we cannot allow the other 20% to be victims, not only of a two-tiered system, but potentially a hack.

We will need to address this.

In the meantime, the Albanese Government is moving ahead with other initiatives.

We’ve already made good progress with little expense.

Just by low-cost encouragement, Australians, 2.9 million of the 25 million people who use myGov have a Digital ID and we will hit 3 million myGov app downloads within the next week.

My agency of Services Australia has millions of people who, to receive income support, aged pension, or the child care subsidy, for example have shown enough proof of record ownership and passed the ‘liveness’ test to have the equivalent of IP3.

A liveness test, by the way, is a bureaucratic way of saying you’re standing in front of a Services Australia officer, very obviously alive.

Ultimately, we want to get to a point where you cannot perform a high risk transaction with government unless you have that IP3.

If we do that, it will be way, way, way harder for the scams and hacks to succeed.

The storage of data is a double-edged sword. We all know that.

Organisations need enough to verify an identity but collecting unnecessary information and having poor storage integrity means it can become a liability.

You would have to surmise that Optus, for example, had way too much information, kept for much too long, and in an unsecured environment.

The triple threat.

On the other hand, and despite the very sensitive nature of the data hacked in the HBL Ebsworth case some of which affects NDIS participants it was probably quite legitimate for them to need the amount of information in their possession.

The security of its storage is another matter.

The world’s toughest privacy and security law, General Data Protection Regulation, has quite the deterrent for organisations that are lax with the personal data of European citizens in the form of significant fines to businesses that fail to comply with its rules.

Social media platform, Meta, was the most recent tech giant to be found contravening the rules and has to fork out $1.95 billion for their transgression.

I had the fortune to discuss GDPR with the EU’s Commissioner of Justice, Didier Reynders when I led a delegation to the European Commission, Denmark and Estonia late last year.

I wanted to learn from institutions that are at the top of their game in government service and data security.

One of the things that deeply impressed me in Estonia was the distributed data layer and the security outcomes it enables that and the interface between the public and private sectors.

Each piece of a citizen’s personal information is only stored in a single location, so they have achieved the ideal situation of customer’s only having to “tell us once” a standard I’d like to see in Australia.

Only information required for the services provided is recorded and must be deleted when it’s no longer needed for that purpose.

Data being compromised makes Australians hesitant to hand over their information and stalls our attempts to have their credentials in one spot.

And yet, that is the very scenario that will make life easier for government and for private enterprise alike – before, during and after a breach.

Threats are increasing.

Hackers are more sophisticated.

People live more of their life online.

Australia’s processes and systems for managing identity information must keep pace.

The National Strategy for Identity Resilience was released in June and sets out how the Commonwealth, state and territory governments will work together to deliver identity resilience across Australia.

The strategy provides 10 principles of identity resilience, and, although they were developed with government agencies in mind private sector organisations, particularly those providing identity related services to – or with – government agencies can adopt these as a useful benchmark.

I urge everyone in this audience to familiarise yourself with the strategy.

No more siloed thinking.

No more public lens; private lens.

Perhaps even more left/right lens.

We have to make a collective decision to do things differently.

Digital reform can drive greater efficiencies, more choice, better data and information, and increased economic and social inclusion.

The only way we will build the resilient digital environment we desire is to work as one.

The human element must be the priority in any reform but we cannot ignore the economic gains for a digitally transformed nation.

Amit Singh, a member of the myGov Audit panel and globally recognised for his expertise in digital marketplaces earlier this year prepared a paper on what digital transformation could mean for the Australian economy.

He has suggested digital reform could drive our nation’s next wave of economic expansion just as the national competition policy, regulatory and tax reform, and investments in physical and human capital did over the last 40 years.

In his paper, Amit cited research that found Australia stands to gain $56.7 billion in annual economic value in the year 2030 by adopting digital technologies to manage the three emerging societal challenges: labour productivity, climate change, and cybersecurity.

Cyber security is a priority for the Albanese Government.

That is evidenced by the appointment of Australia’s first Minister for Cybersecurity, Clare O’Neill.

And I want to acknowledge the work being done in this area by my Ministerial colleague, who has said she wants to move cyber security ‘beyond a niche technical field to a strategic national security capability that underpins our future prosperity’.

Minister O’Neill has noted that the many voluntary measures and patchwork approaches to cyber security will not get Australia where it needs to be if we are to take advantage of the huge opportunities of the digital age that a thriving economy like ours can exploit.

The Minister is overseeing Australia’s new Cyber Security Strategy with the ambition of making our nation the most cyber secure in the world by 2030.

We have to be pragmatic.

We’ll never reduce our cyber risk to zero.

Technologies evolve and new ones like AI emerge and threats increase.

The key issues being considered in the strategy are ransom payments, how to support small business, and responding to incidents in an effective and coordinated fashion.

So far there are four big themes emerging from within the developing Cyber Security Strategy:

  1. We need to develop a powerful cyber-security ecosystem.
  2. We’ve got to be a hard target.
  3. We’ve got to take the fight to the threat.
  4. And we’ve got to bounce back quickly when we get hit.

You’ll be hearing more on the strategy in the coming months and I know Minister O’Neill is grateful to those of you who contributed to its development through submissions.

The Strategy is also part of the alignment of direction across Commonwealth, state and territory governments to promote a cohesive approach to cybersecurity so no more trips to virtual Bunnings for the chipboard and putty.

For the first time, we also have a National Cyber Security Coordinator, Air Marshal Darren Goldie who will lead on matters such as national cyber security policy, the coordination of responses to major cyber incidents, and whole of Government cyber incident preparedness.

The ambition to make cyber part of initial policy discussions rather than an afterthought, has enormous merit.

I congratulate Minister O’Neill on tackling this nationally vital task.

Getting to where we want to go with cyber security, data security and Digital ID will take a concerted effort by government, business and individuals.

Government will ask the private sector to make some changes but it will be with the intent to make it harder for criminals to steal data – but if they do, it will be easier to recover from a breach.

We need to approach the future in new, non-traditional, flexible way that eliminates the silos and the jockeying for supremacy.

We are at the apex of global digital transformation.

Australia is on the cusp of having the Digital ID that will not only thwart the scammers and hackers but provides the foundation for a robust, resilient, cohesive digital ecosystem that will protect our country and our community as we navigate the digital future.

It’s a unique moment in Australia, where citizens trust government over private companies to protect their most valuable asset – their personal information.

The Albanese Government is ready and willing to lead on cyber security and digital reform and to work across sectors to achieve our ambitious agenda.

It is the perfect time for us to work as one and take the Australian people on this journey.