Plans for a national ID card are progressing urgently, according to the prime minister in a closed-door meeting, as Minister for Cyber Security Clare O’Neil warns that companies can’t escape their legal duty to protect customers. By Karen Middleton.
Inside Labor’s cybersecurity overhaul
Prime Minister Anthony Albanese has told business leaders he believes he can introduce a national digital identification card, which would ultimately rely on facial recognition, without the controversy that derailed the Hawke government’s plans for an “Australia Card” in the 1980s.
In private remarks to a business roundtable on cybersecurity this week, Albanese confirmed plans were proceeding urgently for the national digital ID card. The roundtable also canvassed compelling Australian businesses to meet higher system protection standards and granting the government’s cyber-defence agency access to their systems in the event of an attack.
The prime minister said he did not expect a repeat of the public backlash that saw the Hawke government abandon the planned Australia Card in 1987, because the Optus and Medibank data breaches of October last year have highlighted the need.
Albanese’s public opening remarks at the roundtable emphasised the pressing requirement to protect against the barrage of cyber attacks that individuals, businesses and government agencies now face.
“We want all Australian businesses to be able to protect themselves but also to protect their customers,” Albanese said. “And I don’t underestimate the challenge that we’re facing. This is an ever-evolving threat and it will need adaptation from us – from business and government – to make sure that we keep on top of this.”
He made his comments about the digital ID card behind closed doors. They followed a separate meeting that Finance Minister Katy Gallagher convened with state and territory data and digital ministers on February 24, which endorsed “a nationally co-ordinated approach”.
The resulting communiqué described “an easy, voluntary and secure way for Australians to prove who they are once when accessing government services online”.
Within government, a national digital ID card is seen as the solution to a range of problems. It could provide a way to tackle identity theft and fraud in the tax, welfare and health systems. It could also eliminate the need to collect and store large amounts of personal data in many places across the private and public sectors, thereby reducing risk. Previously seen in the corporate world as an asset, that data has now become a liability.
The government aims to embed biometric data in the proposed ID card and, ultimately, make it accessible via facial recognition and recognised as the core means of identification for Australians. Expanding on the opt-in digital ID arrangements introduced last year for the myGov government services portal, Labor envisions introducing the credentials voluntarily but encouraging uptake, eventually allowing people to attach other personal documents, such as Medicare cards, vaccination status and university transcripts.
A spokesperson for Gallagher told The Saturday Paper that 10.3 million Australians had already created a myGovID and 3.6 million of those had been biometrically verified. The spokesperson said identity fraud affected one in 20 Australians annually, costing about $3 billion. A national digital ID system could help combat that.
“Individuals will control how their ID information is used, and when they prefer to use a digital ID,” they said.
Corporate Australia is open to the proposal as businesses review their data holdings in the wake of the high-profile hacks. In some sectors, companies have already scaled back the old 100-points ID check and reduced the number of forms of identification required, in order to limit the data they collect from customers and then store.
Australian Chamber of Commerce and Industry chief executive Andrew McKellar says businesses will need to evaluate the proposal but that eliminating the need to store large amounts of data could significantly reduce risk.
“Obviously it’s got some political questions and risks attached to it,” McKellar tells The Saturday Paper. “Ultimately, business will play an important role in building community confidence that this is the right way to go.”
He says making it voluntary is key. “I think there’d be a large target on your back if you were seen to be pushing it on people.”
The digital ID proposal is among a suite of measures the government is considering to tackle the growing challenge of cybersecurity, which exposes public and private sector IT systems – and individual devices such as laptops and mobile phones – to sabotage, espionage, data and identity theft, blackmail and extortion.
The measures encompass the findings of a report Albanese commissioned from former senior bureaucrat Mike Mrdak into how to better co-ordinate responses to cyber attacks, and another that Minister for Cyber Security Clare O’Neil commissioned from cyber expert Rachael Falk into broader issues of regulatory reform.
The results will inform a new proposed cybersecurity strategy, which will also aim to address, as much as possible, other issues plaguing technology users, such as scam text messages and software security, including in games apps.
O’Neil says it is not realistic to expect individuals to be able to protect themselves well enough against sophisticated attacks.
One of the principles underpinning the government’s approach is that responsibility for cybersecurity is best undertaken by those best placed to manage it.
“We’re not going to solve the cyber threat by getting citizens to take ownership completely for their cybersecurity,” O’Neil tells The Saturday Paper. “They can’t do it. We’ve got to get software companies to design security into their software. We’ve got to get telecommunications companies to do what they can do at the back end, effectively to reduce cyber risk.”
The government also wants to revisit and expand a law the previous government introduced to protect critical infrastructure, which allows its cyber-defence agency, the Australian Signals Directorate (ASD), to access the computer systems of entities in 11 essential sectors if attacks threaten service delivery. These sectors are: communications; data storage or processing; financial services and markets; water and sewerage; energy; health and medical; higher education and research; food and grocery; transport; space technology; and defence industry.
The Security of Critical Infrastructure Act (SOCI) only provides the step-in powers to address direct service disruption, not data theft. The government wants to add the data provision. It is considering redefining critical infrastructure and legislating separately to empower the ASD to step in to any business, large or small, whose systems are attacked and compromised, aiming to minimise the damage, track the culprits and improve protections.
This proposed process was the subject of a 2018 news report by journalist Annika Smethurst in The Sunday Telegraph, which resulted in security agencies raiding her Canberra home the following year and threatening charges.
The previous government restricted the law’s application to critical-infrastructure companies only.
But escalating attacks worldwide – and their legal and financial implications – have forced a rethink, with businesses reviewing and upgrading their systems and practices and reconsidering their previous resistance.
“It’s getting harder every day for business to defend and protect themselves,” says Innes Willox, chief executive of manufacturing peak body the Australian Industry Group.
“What used to be an IT issue is now a board issue. In the same way that five years ago climate and energy weren’t board issues but now they are, cyber is now a front-of-mind issue for boards and companies large and small. There’s a recognition that right through business supply chains they have to be cybersecure because the consequences, both financial and reputational, are potentially catastrophic.”
But the corporate sector is pressing for greater protection from government as well as by it. It remains concerned the existing SOCI Act does not adequately protect businesses from having the ASD gather information while accessing their systems and passing it to regulators or other authorities – and a proposed new cybersecurity act might not either. It wants such guarantees, known as “safe harbours”, added to both the existing law and any new one.
Clare O’Neil says the government needs to weigh potentially competing concerns. “The balance for government here is ‘how do we create a space where business and government can manage a national security crisis without anyone basically rolling up the shutters and bringing in the lawyers because they’re concerned about liability?’ ” O’Neil tells The Saturday Paper. “So that’s important.”
But she has “a red line”.
“We will not set up any process that in any way absolves companies of the responsibility, legal responsibility, to protect their customers. We need to design appropriate confidentiality provisions that still ensure that companies are held accountable if they have been negligent.”
O’Neil acknowledges that such fears may make companies reluctant to call for help and share information. “We’ve got to get [companies] in a certain place where they see the government as a trusted partner so we can get in and help them – which we were able to do in particular with Medibank, but also with Optus,” she says. In the event of a national security incident, she says, there must be a partnership between government and companies that allows them to “link arms and walk together and manage it together. There’s no institutional structure for that to happen today.”
She criticises the former government for not establishing a clear process for responding to such attacks. This week, Albanese announced the appointment of a new cyber co-ordinator to manage major incidents across government and to liaise with affected companies during the emergency phase.
The government’s proposals are canvassed in a discussion paper released this week by a government-appointed advisory panel headed by former Telstra boss Andy Penn. The panel wants feedback by April 15.
The proposals also include requiring software and systems designers to build anti-hacking provisions into their products – which the discussion paper suggests is akin to ensuring cars come with seatbelts – and adding minimum security standards to the obligations of company directors.
Penn says it’s important to find a way to gather the valuable information from a cyber attack and share it with other companies and agencies to help prevent repeats.
“You want to give people trust that when they’re providing information, threat information, for the purpose of trying to share and protect the nation and get others to block, then they [can] have the confidence that that information is going to be treated confidentially.”
The proposals will be assessed alongside the findings of a review of the Privacy Act, commissioned by Attorney-General Mark Dreyfus.
Penn says protecting privacy is vital, but it also limits what security agencies can do to identify patterns that might reveal, for example, phishing emails or scam texts, and allow them to be blocked.
“We can’t look inside the content of messages and emails and things like that, to try and deduce whether it’s malicious or not,” he says. “We have to look at the clues around it, [to] try and deduce whether it could be malicious.”
He says government is seeking ways to make that less expensive and more efficient without compromising privacy.
He believes more can be done “recognising we will never be able to do that 100 per cent, in the same way you can never police the physical world [and] guarantee that houses are not going to get burgled”.
The digital ID proposal is the other key element in the process of overhauling cyber safety.
Historically, Australians have been suspicious of centralising personal information in federal government-held repositories. But the Albanese government believes the internet is now so embedded in ordinary life that those concerns have diminished, and people will be happy not to constantly hand over a driver’s licence, passport or utilities bill to verify their identity. The government is hoping, essentially, that when it comes to deciding which is the lesser evil – anonymous criminals or Big Brother – Australians will opt for the latter.
This article was first published in the print edition of The Saturday Paper on March 4, 2023 as "Inside Labor’s cyber overhaul".