Question to the President: Parliamentary Computing Network

19 September 2019

Senator Patrick: Mr President, pursuant to standing order 72(2), I have a question for you. My question arises from your joint statement with the Speaker on 8 February and your statement to the Senate on 12 February concerning a security intrusion into the Australian parliamentary computing network. On 12 February you said:

I'm not in a position to provide any information regarding attribution of responsibility for this intrusion. It is also likely to be some time before the investigation into this incident is concluded. I will provide further relevant updates to senators as is appropriate.

On Monday this week, Reuters reported that our cybersecurity agency, the Australian Signals Directorate, concluded in March that China's Ministry of State Security was responsible for hacking the parliamentary network. Have you now been briefed on the findings of the ASD investigation, when did that briefing take place, what updates can you now provide the Senate and was China responsible?

The President: Thank you, Senator Patrick and thank you for the notice of this question earlier this afternoon. In the first instance, I am not going to comment on media reports regarding these matters. I do not believe that is appropriate in dealing with such sensitive issues. Consistent with my statement to Senate estimates hearings in February, discussion of specific or detailed and sensitive information in a public forum is not desirable. I will restate exactly what the Prime Minister said at the time regarding this incident and others in the House of Representatives:

I do not propose to go into the detail of these operational matters, but our cyberexperts believe that a sophisticated state actor is responsible for this malicious activity.

Second, senators will appreciate that it is important that the parliament speaks with one voice on such matters, and just as briefings and management of these issues involve both the Speaker of the House of Representatives and me, the decision to outline further information is something I will always confer with the Speaker about prior to any statement I make or information I provide. I've obviously had a limited opportunity to do so in the time since being notified of this question.

However, I can confirm that there have been numerous and ongoing discussions between the Speaker and me and the Department of Parliamentary Services and relevant authorities and agencies regarding the security of the parliamentary network. This remains a matter of the highest priority. I intend to provide a further update at Senate supplementary budget estimates hearings next month. I restate, however, that some of these matters are not appropriately dealt with in a public forum. I can, however, also state that I'm advised there has been no recurrence of the intrusion and the parliamentary network remains secure.

Senator Patrick: Thank you for that. I note you may not be able to answer this but perhaps may take it on notice. In your joint statement with the Speaker on 8 February you advised:

There is no evidence that any data has been accessed or taken at this time, however this will remain subject to ongoing investigation.

Given the ASD investigation has been completed, can you now advise whether or not information was taken and what the scale of any breach was?

The President: DPS evidence supports the information provided by agencies, that a small amount of data was taken and that none of it was deemed sensitive. Individual parliamentarians would be contacted by DPS if there were an impact. However, I do commit to providing further information on notice that is appropriate for public dissemination.

Senator Patrick: Following your statement on 12 February, what further work has been undertaken by the Department of Parliamentary Services and ASD to ensure that malicious actors are excluded from the parliamentary network and that the information of senators and members is fully protected? What further briefings have or will be provided to senators to ensure that they and their staff are fully aware of what they need to do to ensure the security of the parliamentary network?

The President: Just as the Department of Parliamentary Services worked extensively with relevant agencies in managing this incident, work is ongoing to ensure the security of the network. This work involves both technical solutions and educating users of the network to exercise due caution in, for example, inadvertent exposure of it. As I said in my statement on 18 February, it is now everyone's responsibility to ensure the security of information.

DPS is currently arranging briefings for the staff of parliamentarians in October and November to improve cybersecurity awareness. New senators were provided with briefings at the commencement of this parliament, and dedicated briefing sessions for senators and their staff can be arranged on request. There will be further announcements in coming weeks regarding programs to assist users of the network in this regard. Some matters under consideration may require changes to utilisation of the network from members, senators and staff. The Speaker and I are currently considering these and other issues. An announcement will be made following consultation and the development of implementation plans.