Home Affairs boss Mike Pezzullo and the Australian Signals Directorate’s Rachel Noble have spoken publicly about why China was singled out over cyber attacks.
When it comes to drug trafficking and child exploitation, Australia’s law enforcement and intelligence agencies assume criminals are behind it rather than nation-states.
But an inquiry has heard foreign governments have at least some role in large-scale cyber attacks.
Earlier this month, Australia took part in a tough-worded joint statement with international allies accusing China of exploiting vulnerabilities in Microsoft Exchange software, affecting thousands of computers and networks worldwide.
While several government ministers have spoken about why the statement was necessary, senior Australian intelligence figures have not given their side of the story – until now.
Australian Signals Directorate boss Rachel Noble told parliament’s powerful intelligence and security committee on Thursday the statement had followed action which she described as “like houses and buildings having faulty locks on their doors”.
“When the Chinese government became aware of those faulty locks on the doors they went in and propped all those doors open,” Ms Noble said.
“What then happens is there were opportunities for all sorts of criminals and other state actors to pour in behind all those propped open doors and get into your house or your building.”
Ms Noble said that action crossed the line, estimating around 70,000 Australian entities and businesses were exposed.
Home Affairs department boss Mike Pezzullo said when agencies considered international networks of drug importers or child exploiters they assumed criminals were behind them.
But in the case of modern-day cyber attacks, many of the tools were “adapted from or need to be deployed with at least implicit permission of certain state actors” and so it was assumed nation-states were involved.
Mr Pezzullo said the rise in cyber attacks required not only calling out those behind it through international forums, but toughening up Australian laws to provide greater protection.
He said if an Australian city’s gas, power or water was turned off in a cyber attack, the government would be faced with determining whether it was a criminal action or the equivalent of military action by another government.
This made it all the more important for legislation to be in place “which does not have to be invented or scrambled on the day” to deal with such issues, he said.
The committee is considering new laws setting out what are Australia’s critical infrastructure assets and new security measures to protect them from cyber attacks.
The laws will also give the government “necessary and proportionate powers” to be exercised as a last resort where a cyber security incident has, is, or is likely to impact a critical asset.