A (3:01)

Well, I don't think. I certainly didn't Put cyber security in a box. You know, there used to be a time, you know, I don't know, say 10 years ago when people would talk about the digital economy. And I used to make the point at the time that there wasn't a digital economy, the economy was digital. Right. But, you know, there was this idea that there was the sort of normal economy and then there was this weird digital economy on the side. And I guess what you're, the point you're driving at is that some people see cybersecurity as a distinct domain, but in the reality is because everything we do is enabled by, you know, digital platforms, most of which are, you know, connect, almost all of which are connected to the Internet. The, you know, cybersecurity is a risk, an issue for everything. So I mean, it's part, you're right. I mean, it is part of statecraft, it is part of sovereignty. It is, it is a completely. Yeah, it's a universal element. I hope that wasn't the impression that was given from the cyber security strategy. I mean, I mean, look, it was 10 years ago for a start, but I mean, just to put this into a bit of context, I became prime minister in 2015. You know, unlike a lot of people in politics, I had had quite an extensive career before I was in Parliament. I got into Parliament when I was 50, so I wasn't, you know, a boy. And I had been involved with the Internet and telecoms companies and businesses for a long time before that. You know, I was one of the founders of a company called Aussie Mail, which, you know, your grandparents probably have an account with. But it was the first sort of big ISP in Australia. And so, you know, it's a world I'm, I was familiar with. I'm not, not a, not a technical person. And I, I've had a reputation for being tech savvy. That is very flattering, but it is, you know, it's way beyond my actual knowledge. But, you know, going back 10 years ago, most of the people in Parliament, and I would say a lot of the senior civil servants were very unfamiliar with the digital world. You know, they sort of did. Even struggled with concepts. And so the Cyber Security Strategy was the first one Australia had. I mean, that was an initiative of mine and the idea was to really raise awareness of these issues. And clearly it was important for government. And, you know, the. We, you know, part of what we did was expand the role and budget and authority of the Australian Signals Directorate, which is the. Australia's equivalent of the NSA in the US or GCHQ in the uk and, you know, obviously big part of the Five Eyes Signals Intelligence partnership, but also, you know, created, you know, the Australian Cyber Security center, which is designed to be the, you know, public interface between the Signals Directorate and all of its expertise and the corporate world. Because one of the most important objectives in the cybersecurity strategy was in addition to promoting Australian cybersecurity innovation and Australian cybersecurity startups, for example, it was to make business aware of it, you know, and I, you know, one of my kind of stock questions used to be when I was talking with CEOs and directors of big companies and law firms and so forth, is to say, do you know who has administrative privileges over your network? Who can actually get in, you know, who can control, you know, who manages the identity of all of your employees, you know, which of course, is, you know, relevant to Semperis, the company. I'm a. One of the companies I work with is a, an advisor, investor in the, you know, this cyber domain. And, you know, most people didn't have a clue. And you, you know, you've had a long experience in this area yourself. And one of the problems was that too many of the people in the C suite, and this didn't just include the executives, but also the directors, they would say, I have no understanding what all this is about. I'll just leave it to the, you know, this nerdy person, the, you know, the sizer, you know, the, you know, the Chief Information and Security Officer. And that's actually not good enough. I mean, everyone's gotta be alert to it because awareness is the big issue. Because, you know, you can have all of your government systems well protected, or think they are, but the government is dealing with people all the time, you know, and so there's so many different vectors and angles. So, you know, a lot of this is, you can see, again, things have moved on and evolved and improved enormously since, since that strategy was published. But, you know, you look at the way the Australian Signals Directorate, you know, reaches out to, you know, the rest of Australia, to the private sector, you know, with all of its hygiene rules. And this is all basic stuff, but at the end of the day, you know, most compromises come about because of a compromise of identity, as, you know, so it's often basic things. Often it's just someone with administrative privileges doing the wrong thing, you know, I mean, you know, look what happened. Well, you know, the NSA has suffered that. So what chance do law firms and businesses have? Awareness is the Key awareness is the key and sharing, I mean the ISAC sort of structure in the United States is absolutely world leading. We are doing more of that in Australia. But you know, I think there's a, I think there's a way to go. So it's a very dynamic frontier and our adversaries are very smart. You know, they're not good people, but they're very smart and we've gotta be as smart as them and it's constantly evolving. So.

C (9:14)

Okay, so there's a couple of things in there which stood out for me. Going back to Your comment in 2015, people not being as digitally as astute as perhaps they should be, how did you really react to that? And I asked this because, I mean look, if you were saying like in the 80s KB people weren't digitally astute, I get that. But 2015 whilst in the tech world, it seems a lot longer but this is still the problem that people are having. You made a great point before around, you know, it's the SISOS problem. Well, sure, but everyone is now being held accountable. There's all these new regulation out there that everyone's responsible and people have, you know, panicked about it, which I understand. So are you, were you sort of taken aback by that? Because I mean, look, 2015. Yes. Whilst it was a long time ago, still not ages ago.

A (10:02)

No, but you would, you would be amazed, right? I mean you would be absolutely amazed. There was a quite a lot of unfamiliarity. I'll give you, I'll give you an example. I mean this is before 2015, but just. So the Internet basically went mainstream. I'm gonna say 1995, you know, became, started becoming. I'm not, you know, you'd have a better understanding of this than me, but I think it was becoming mainstream by 1995. I joined Goldman Sachs, became a partner of that firm in the late 90s. And I of course, you know, I had the Aussie mail background and you know, familiar with, you know, the Internet technology such as they were at the time. And I remember sending, I was at Goldman and they had voicemails Goldman Sachs ran on voicemail, they very sophisticated voicemail system. In fact it was, it was awesome, was really incredible. But I remember I'd sent an email to a colleague in New York and hadn't heard from him and I, you know, sent him voicemail message and said, you know, hi, sent you an email about xyz, you know, what's doing, can you let me know what you think? And he came back and he said, oh really? Sorry, I haven't looked at my emails this week. It blew my mind. Absolutely blew my mind now. So, you know, one of the things that you, with technologies, as we all know, is that both adoption and awareness and, you know, interest is very, very. It doesn't proceed at the same pace with everybody. You know, it's the old story, you know, you get the early adopters and then it can take a while for others to catch up. So it was a, you know, it's a while. I mean, I know, I know 15 years ago, even 10 years ago, I know, you know, senior people, senior business leaders, government leaders who would get their secretary, quote, unquote, to print off all their emails because they didn't like reading anything on a screen. Well, you know, again, that's, that, that would seem to be almost eccentric today. So you can't. Yeah, you can't. And the other thing, you know, the other thing too is, I mean, you had, I mean, I remember we had a company called Web Central. We were, we, you know, major shareholder and company called Web Central, which was affiliated with Aussie Mail and we, you know, retained our interest in it after we sold Aussie mail to, in 99. 99. That was a web hosting company and was one of the first providers of, you know, Microsoft sort of managed Exchange product, which was just, you know, a hosting product. And the, and you know, so naturally you were, you know, the salespeople were trying to persuade people not to, you know, have their Exchange server sitting, you know, in a box, you know, in their office, but rather, you know, at the Microsoft data center, you know, in the cloud, as it were. You know, one of the pushbacks was, oh, security. And you're saying, well, look, okay, you've got this little server sitting in your office and it's got, right next to the coffee maker, between the coffee maker and the fridge and the back office and you know, and you know, there's a tin of biscuits sitting on top of it. And you think that's safer, you think that's safer than being in the managed data center run by Microsoft who's got people work focused on this 24 7. And they sure as hell aren't leaving tins of biscuits or coffee makers next to the racks of servers. Yeah, so it was a, was a different, a different world. We used to have a term then called box huggers. So, you know, the people said, no, you can't take away my, my, you know, my little server.

C (14:03)

Well, I was laughing in the background on mute when you were talking. For those who can't who are listening and can't see because it's all too familiar. I'm super familiar with this. I've worked in this space. I've seen it like I literally saw someone with a password on a post it note not that long ago in a big company. So these things literally are happening. So I just, it was just so familiar the way you're describing it.

A (14:25)

Well, did you know what the most common passwords at Aussie Mail when we got started?

C (14:29)

Password one.

A (14:30)

Yeah, yeah, we had password one. Computer was very popular, Internet was very popular. And I mean this gets, you know, we're now moving into the signals intelligence area which I've got to be very careful talking about. But that you would be amazed, you know, how many devices on networks still have, you know, the administrative password is still 1-234-0000 or whatever it was set, you know, the factory before it was set up. People don't change things. So. Yep.

C (15:04)

And that's why it's important to hear it from someone like yourself given your former role. Right. So I think that that's what's important because I think there's this assumption in the space as you're probably well aware of, that all people understand these things. I don't think that they do. And I think it's really important to have these discussions people of your caliber to be able to disseminate this information because unfortunately we are so much in our own echo chamber in this space. So that's why it's imperative to hear that one of the things you mentioned before Mr. Turnbull would be sharing now this one is interesting. So I'm familiar with the ISAC folks in the US but also in Australia when the Medibank breach occurred. The sizer working at the coming of time. I know him and we've actually conducted a podcast interview off the back of the that breach to really get inside what was happening for him. His stuff that got a lot of pushback internally like you know, corporate comms and internal, you know, affairs and all these sort of people, external, internal lawyers, like I don't know how many people probably listen to that for hours on end. But the thing is people say and you make a great point so I really want to get into this sharing but then when people like me go and knock on my door, it's like they don't want to be seen. They don't want to look like oh well, I potentially fail balls in the job. Well, I can't get another job because I was the guy that had the breach attached to them.

A (16:27)

Yeah, of course, sure. Well, you know, it's like it's human nature, right? Nobody wants to own up, but you've got to have a regime. And you know, we've, we've addressed this in Australia with the Sochi, you know, the security of critical infrastructure legislation, you know, where there is mandatory reporting, that's very important. You know, companies are, I mean, still, companies are very loath to fess up and they don't want to tell their customers about it. But it's really important. I mean, because you, unless you, you basically, I mean, you've got to say we're all in the same. You got to say, whose side are you on? Are you on the side of the, the ransomware gangs or the, you know, the foreign actors that are trying to penetrate our networks? Criminal. Cyber criminals or you're not. If you're not on the side of the criminals, then basically we've got to share intelligence between each other. It's very, very important to do that. And that's, you know, it's as simple as that really. So, yep, it's a, you know, I mean, as we all know, you know, the cost of cybercrime keeps on going up. Yeah, you, Carissa, and everyone on your listening to this podcast knows that. So it's no point going through the, the basics. But I think, you know, again, getting back to Semperis, which I guess is how this discussion came about, it's focused on the most common vector of, you know, interference or, you know, infiltration of malware, etc. Which is through the identity, through identity, through compromised identity systems. I mean that's, that is 93% of ransomware attacks in Australia come from compromised identity systems. So, and that's, you know, that's very often people clicking on the wrong hyperlink or, you know, having a dumb password or whatever. And of course, you know, the ability to just crunch most passwords can be found with enough effort. So, you know, hence the need for other ways of securing identity. You know,

C (18:31)

in fintech, trust is everything and proving it shouldn't slow you down. Whether you're dealing with ISO 27001, SOC2, CPS234 or GDPR, Vanta helps you demonstrate security and compliance without derailing your roadmap. Used by thousands of fast moving regulated companies, Vanta automates the hard part so your team can focus on shipping features, not gathering screenshots. Visit vanta.comkbcast that's V A N T A.com kbcast to learn more. So I want to move on now and talk about. During your government, Australia moved earlier than perhaps many peers around sovereignty or even foreign interference, vendor risk, et cetera. So when you look at Australia today, where do you think our deepest strategic exposure really now sits? Like telco cloud? This depends who you ask, but I really want to understand from your perspective.

A (19:35)

Well, look, if. I mean, people always say to me, you know, what keeps you awake at night? And the answer is, I tend to sleep well, so nothing much keeps me awake at night, thank God. But if I was of a disposition to be kept awake at night, I would be mostly worried about industrial control systems. I mean, I am concerned about, you know, ransomware attacks and stealing data. But it's the threat that you don't know about the malware that has been infiltrated into the, whatever, I mean, the electricity network, the telecom network, you know, the hospital network that is just sitting there and, you know, is burrowed into your system. And some of these are pretty old, particularly with utilities, and is, you know, just waiting to pull the trigger and shut things down. So that's, you've got to, you've got to actually be able to hunt out what is, you know, what could be there. And you've got to say, you got to pay a lot of, a lot of attention. You can't just assume that an incursion into your network will be found out because someone's going to then demand a ransom.

C (20:51)

Okay, so talking about critical infrastructure for a moment, this is interesting. So a lot of the people that I interview on the show talk, especially if I focus on Australia, like how quickly like telco goes down and then, you know, the power grid and it's a domino effect quite quickly. The part that I'm interested in, and you would have a lot more insight than this than I would, is, is Australia's reaction. Look at through Covid, the toilet paper people gone nuts over it. People still raise up with me today. Living in the States now with the fuel crisis Australians seem to really react to when they can't get something, as opposed to, you know, I live in the United States now. Like, yes, there is a reaction there. It does seem heightened, though, across the Australian people. Do you, do you have any insight

A (21:30)

as to what do you think Australians are more inclined to panic than Americans? Well, you're an Australian living in America, so you'd be the best one to judge because. Because I would love to say Australians are stoic and, you know, phlegmatic and keep calm and carry on, but you're Carissa, you are much better able to make that comparison than me because you've lived in both countries. But I would say. The only thing I'd say is the media does tend to beat up the. You know, they tend to generate the panic. Right. I'm sure there are some people that still haven't got through the toilet paper stockpile they accumulated during COVID It'll be. Thankfully, it doesn't go off, so they'll be okay. But, yeah, I mean, there is a. It's. Everything's connected, right? So there is a. You know, there's a great deal of. Great deal of vulnerability. And you see, you get. I mean, if you look at it sort of in a. In the area of warfare, conflict, I mean, if a foreign country or, you know, a terrorist group fires a missile and blows up, takes down your power station, you know, and whole lot of the electricity network goes down, that's, you know, obviously bad. But it's very clear. You can attribute it. You can see where the missile came from. It's very clear. If it is done by cyber means, it can have exactly the same effect. But it's often harder to attribute. And even if your agencies know who is responsible, and even if you say, right, this was, you know, the North Koreans, we know it was the North Koreans, they can just say, no, wasn't us. No, you were fooled. Somebody else. And it is, you know, it is that there is always. With cyber attacks, there's always an element of plausible deniability. Sometimes you might say it's implausible deniability, but it does create these challenges. And so if you find yourself, you know, we're looking at what Donald Trump and Israel are doing to Iran at the moment, you know, and taking out so much of their infrastructure and threatening to take out even more, you know, with missiles. And that's. There's no question who's doing it. I mean, Trump's boasting about it. But imagine if all that was being done with cyber means. And then, you know, the Iranians would say, well, we know it's the Israelis, you know, or the Americans, because they're our enemies. They could easily say, and that wasn't us, look further afield. It creates a. Creates a lot of ambiguity and makes it harder for governments to respond. I mean, and this is. This is why, you know, a lot of people will say to you in the, you know, military world, they will say, a, you know, an attack, a cyber attack that destroys or, you know, brings down a bunch of critical infrastructure, should be treated the same way as if it is done in a kinetic fashion, so with, you know, bombs and missiles and so forth. But the reality, from a political point of view is that it is very hard, be very hard to get the, you know, public support and political support, start firing missiles after a cyber attack. Because there would be people who would say, well, you know, isn't that, you know, excessive disproportionate escalation? And that is why one of the other things we did in the. Around the time of the cyber strategy is we acknowledged that ASD had offensive cyber capabilities. And this is a big feature. Offensive cyber, I might say, is a big feature of President Trump's Cyber Strategy for America, just published in March, just this month, March 2026. You've got to be able to have the ability, and not just have the ability, but you got to have the ability and acknowledge you have the ability. So everybody knows that you can go after your adversaries with cyber means when they can. So in other words, they can't think that just because they saying, oh, no, it wasn't us, that A, you won't know and B, you can't do the same back again, you know, it's a really important point of deterrence.

C (25:36)

So going back to the attribution, would you say, and I'm listening to what you're saying, and what's coming in my mind is out of sight, out of mind. So what I mean by that is with cyber, you can't sort of see it. You can see a missile, though, coming out and something happens. So if I go out in the street and I punch someone, they're going to feel, presumably they feel the pain of the punch versus a cyber attack. You don't see it coming. And then it completely overturns companies, it rattles them. So do you think that perhaps historically speaking, it was something. Cybersecurity was relegated because we couldn't see the impact? Especially everyday people, they can't see it. Yes. Their money being sold out of their bank account. I worked in a bank. I've seen it. I've been on the front lines of these people being impacted. But it's one of those things that I've noticed in my time, and I'm curious to get your thoughts. Is it because people just can't see it, therefore it's like, oh, well, we've forgotten about it a little bit.

A (26:27)

I think that's part of it, Carissa. I think the other part is, and this is, this is the really problematic part, is that a lot of this is normalized, and it's just treated as a sort of cost of business. Yeah, okay. Yep. I, you know, identities were stolen. You know, the Qantas frequent flyer, you know, database has been hacked. People go, oh, well, okay. That happens all the time. And it. People feel it isn't such a big deal, but, you know, it is. We don't want this to be normalized. Let me put it this way. We wouldn't accept, you know, a gang of thieves, you know, robbing every shop in or, you know, or Orlando or New York, and just accept that as, oh, well, that just happens. You know, you got to accept people are coming in, stealing all the time. Would be saying, you know, the police have got to do something about this. You know, they've got to catch them and lock them up and so forth, throw away the key. However, there is a tendency, I think, because it isn't as dramatic, because. Because there isn't that physicality for people to just shrug their shoulders about it and almost treat it as a cost of doing business, which, you know, is very. Is very dangerous. So I imagine what. And again, I'm not on top of this. You would be much more than me. But I imagine the thing that will make a big difference in this area is when you get companies being sued by their customers or their counterparties because of loss occasioned to those customers and counterparties by the company failing to have adequate cybersecurity protections.

C (28:05)

And there are those class actions trickling through at the moment that you would have seen. It's happening a lot in the States. Do you go back to the normalized piece? And this is interesting because I've asked people on the show, do you think people. Customers are desensitized? So when we're, you know, doing interviews like this, I'm always looking in the comments on social media, what is the average Australian person think? Most people literally say, oh, well, I was in the last 10 breaches, so who cares? So it seems to be a common trend. So people desensitize. What motivation then does a business to actually put money behind and secure their customers when it's like, oh, well, well, Betty and Johnny don't care anyway.

A (28:44)

That's right. And I mean, I think this is where the class is. This is where you can criticize a lot of things about the American legal system. Everyone hates it, except for the lawyers, I guess. But the class actions that have a way of holding corporations, including very big corporations, to account. And, you know, you're seeing this with the litigation against Facebook and Google Right. Just, just in the last week. So I think that's a liability. Any company that is not able to demonstrate that it is doing absolutely everything it can to protect its data and its customers data and so forth is very, very unwise. I mean, you cannot be complacent. And, you know, this is a message for CISOs, by the way, like an interesting thing. I mean, I, I don't want to name names, but, you know, as you know, I'm involved with quite a few cybersecurity companies. You mentioned Cassada, an Australian company started by a very brilliant young guy called Sam Crowther. And obviously we're talking about Semperis and there are quite a few others that I'm involved. It's an area that I'm very interested in. And sometimes I get involved in, you know, the sales process. And typically it begins with a siso. And sometimes, like the good sisos have always got an open mind. They want to know what's going on and someone's got a new product or a new idea come in, let me have a look at it. You know, you want to do a proof of concept? Yep, absolutely. Let's do it. That's how you learn. But then you get other people who have a sort of not invented here approach, and they will say, ah, no, no, no, no, we've always done it this way. We're okay, there's no problems, nothing to see here. And I've found that increasingly with companies that have got sizers like that, you've got to go to this. If you're in the software business or security business, you've got to go to the CEO. You got to get into the CEO. Because the CEO will often say, I've heard this quite a few times. He or she will say, okay, so these guys are offering us a poc. What have we got to lose? I mean, this is a free measure and quote, okay, why would we not. Why would we not look at that? You know, I mean, what. And you see, and that's where the chief executive is smarter because they're saying not only, you know, there could be a good product here, but they're saying we want to be in a position where if anyone says we're not keeping everything up to scratch, we can say, we. Not only have we got the suite of protections that we think are the best that are advised best, but we regularly look at ways of upgrading it alternates and so forth. We're always on the front foot because you, I mean, the defense, you don't have absolute Liability legally for these kind of incursions or, you know, you might contractually depends what you told your customers, but let's assume you haven't. Your obligation is basically to act reasonably and responsibly. And so if you've done everything that, you know, reasonable, responsible person would do to protect their data, then, you know, you're probably in pretty good shape even if you are later breached.

C (32:03)

So do you. I mean, look, I know you're not Nostradamus, but thank God for that. Do you think that Australia will start to go down and I know they are starting to go down in terms of the class actions with Optus and Medibank and friends. Do you think they go down that route now? There's more. These companies follow the Americans on that. And you are right, they are a very litigious country.

A (32:23)

Yeah, the, the system here is not as supportive for class actions, but they're definitely a feature of the landscape. I mean, it's insofar it's not as, you know, both culturally and I think financially it's not as supportive. But you know, there are litigation funders and you know, it's got a lot of the features of the U.S. i mean, some of these things are, look, some of the class actions, particularly those, you know, funded by people as a business, are basically trying to get companies to settle. Okay? So the company, and particularly where you get companies and businesses like the bank that you used to work for that are effectively what I would call professional defendants. I mean, if you're a bank, you get sued all the time, right? So it's just cost of doing business, getting sued and you know, you want to try and mitigate your risk, have good lawyers both in house and outhouse, but ultimately you will settle a lot of cases because you'll say, you know, the cost of defending this is $5 million. I can settle it for $1 million. It's a no brainer. Now the, one of the big differences between Australia and the US and really the US and pretty much everywhere else is that in Australia we have a fairly universal rule of the loser pays the winner's costs. And they don't have that in the state or very rarely, it's the exception. And so that means that if you a, if you got a class action and you're suing, you know, a big company in Australia are going to have, you know, they will say, all right, we want security for costs. You know, how do we know you're going to be able to cover the costs of this action? And so you're going to have to put up. You guys are going to have to have some money or put up some money or your litigants are at personal risk. And so that provides a little bit of discipline. I mean, I've always felt that the US System would probably be better balanced if they did have a loser pays the winners costs principle.

C (34:23)

Yeah. So I think it's a slap strategic lawsuit against public participation. So I think that's a frivolous lawsuit designed to silence, like critics, like activists, journalists, for example, citizens, you probably heard of this. So use for power entities like big banks in France.

A (34:43)

Yeah.

C (34:44)

To intimidate and to settle, I'm assuming.

A (34:47)

Oh, yeah, well, that's right. Well, I mean, people bring litigation for all sorts of reasons. I mean, big companies and politicians. Look at Donald Trump. I mean, he's brought litigation against all sorts. You know, normally politicians never sued. They took the view that you had to have a thick skin and people would say tough things about you. In fact, in America, the defamation laws are very supportive of the press. To be honest, I'm surprised that Trump has sued and I'm surprised that he got the settlements that he did. But, yeah, litigation can be used to intimidate. But I guess what I'm saying is just getting back to cyber security. If we're getting back to cyber security, you can't eliminate the risk of it, but the way to mitigate it is to make sure that your cybersecurity protections and culture is really up to scratch.

C (35:37)

So I really want to talk about. When you, Mr. Turnbull, introduced foreign interference reforms, you drew a hard line against conduct that was covert, coercive, corrupt. So then in today's sort of gray zone environment, where cyber operations, disinformation, economic pressure to critical infrastructure, which we just touched on before they intersect. Right. As you know. So has Australia developed a credible doctrine of deterrence and response? Or would you say we're still reacting case by case?

A (36:08)

Oh, no, I think there is a very much a doctrine of deterrence and response. But equally, you do deal with it case by case. Right. So you do both. You know, you have a law in the statute books about, you know, murder, but nonetheless, the homicide squad is dealing with it case by case. So we braided our foreign influence and foreign interference legislation at the end of 2017, when I introduced it and the parliament was passed about the middle of the following year. Yeah, that was well, that was well ahead of most countries. And it was really just designed to bring our Cold War espionage legislation into the 21st century in terms of critical infrastructure. That was again the focus on, that began when I was PM and continued under Prime Minister Morrison and Prime Minister Albanese came about in an interesting way. There was a, I guess electricity utility that belonged to the state government of New South Wales which they were proposing to sell a half of, raise money to spend on other things. Perfectly sensible thing for state government to do. And the China's state grid was the, you know, the bidder. Now they'd already bought energy assets in Australia in the past and this transaction, you know, needed in the consent of the federal government which was all on track to be given until somebody from within our system pointed out that there were some national security aspects to this that were a bit unique and, and may not be such a great idea for this to have half of it sold to a Chinese state owned company. And so we stopped the sale. The state government was, I mean I've written about this in my book A Bigger Picture. So if people want to read more about it, can read it there. But it's a, it's an important lesson. So I apologized to Xi Jinping about it. I said look, I'm really sorry, we should have told you this was a no go zone right at the start. Okay. You know, because they obviously spent a ton of money on due diligence and so forth. And then we said at the last minute you can't do the deal. So it wasn't a high point of business, business like behavior on our part. And President Xi was perfectly, he was understanding about this. I mean there's a ton of things we couldn't invest in in China. And you know, and you know, we're entitled to ring fence certain types of assets in our own country, so we don't make absolutely no apologies for that. But, but it's better to tell people upfront obviously. And what became obvious to me was that there were silos in government that were not talking to each other. Very familiar problem. But secondly, we didn't actually have any agreement on what was critical infrastructure. What is critical infrastructure? You know, at that stage it was literally, there was no definition for it. So we set up a register of critical infrastructure and then, you know, a whole legislative regime developed. But it was literally something that had pro. Had not properly been paid attention to and it was being dealt with in a quite an unsystematic way. And so basically the change that started under my time and it was triggered by this incident was one to be much more focused and systematic about it. Now on telecoms, which of course relates to cybersecurity more than energy. Well, energy does too. But telecoms, very cutely, we had always been quite advanced in our legislation. So you know, telecoms security legislation which had been in place for some time, which we updated during my time and you know, it was very keen focus. So we had the powers, for example, when as the telcos were looking to move to 5G to be able to make a decision about whether we wanted to have what we called euphemistically high risk vendors, which basically meant Huawei and CTE in the network. And we looked at it very carefully. It was not a political decision, it was not dictated by the Americans. In fact, we were way ahead of the United States on this and we, we looked at it very carefully. And my concern was I kept on sending ASD back to do more homework because I said find a way for us to mitigate the risk. Because I did not want to ban Huawei, frankly. I mean, because I wanted to have as many vendors in the mix because that meant you'd have lower prices. Because clearly if you chop out all of the Chinese vendors, the other ones, you know, people like Ericsson and Nokia will be able to charge more. So anyway, we came to the view that we couldn't mitigate the risk. And you know, there's a whole bunch of reasons for that. You know, relates to the virtualization of networks. You know, the fact that, you know, a lot of what had been core functions in telecom networks, wireless networks in particular, were now distributed throughout the network. I mean, that's how they reduced latency. So the, you know, the old distinction between the core and the edge was really no longer relevant. And so that's, so we made that decision and that was a, you know, we had the legislative ability to do that and we were perfectly polite about it. We didn't make a fuss about it, didn't bang any drums or try to get any political capital of it. We gave the Chinese companies and Chinese government, you know, a heads up well in advance of the announcement. You know, it was just, again, it was just good housekeeping. I think that's the way you've got to deal with these issues between states. I mean, there's a tendency, and you know, some other Australian politicians have done this, I think unwisely. There's a tendency to try to use decisions like this for political capital at home to show that you're a tough guy and, you know, get the applause of the right wing media. I think you've just got to say it's just risk management and the way I try to express risk management in this context, Carissa, is all of us calibrate risk every day in our lives, right? There are things you would tell your wife or husband that you would not tell your best friend. There were things you would tell your best friend or your spouse that would not tell your colleague at work. They're things you tell your colleague at work, you wouldn't tell somebody you meet on the bus. And so we're doing that all the time. And, you know, the same goes with nations. So there, you know, there is a level of trust we have with some countries that is higher than with others. And sometimes that's just a question of scale and history and culture and so forth. And we just got to be realistic about that. And instead of focusing on the areas where we have less trust, focus on the areas where we do have more trust.

C (43:14)

And so, Mr. Turnbull, finally, if those are the lessons of, you know, your time in office, what should the next prime minister learn, perhaps from them?

A (43:25)

Well, I think the key lesson is do not take anything for granted. Do not ever sink into complacency. The challenge is never met. And you have to be prepared every day to get up and be prepared to do things differently. You cannot assume that the world is the same as it was when you went to bed the night before, if you like, the scale and pace of change is greater than it has ever been in human history and certainly in our lifetimes. So you've got to be prepared to look at things again. And there is a, you know, set and forget is very, very easy thing, particularly for governments. Let me close with this. I mean, this is a good example. In November 2015, I launched my first big economic policy agenda, which was called the National Innovation and Science Agenda, Nesa. There are about 24 measures in it, as I recall. And in, you know, a lot of it was focused on education, on investment, on, you know, encouraging more money into venture capital to support startups. You know, there's a ton of stuff there. And it did very well. I mean, it was real inflection point in the innovation economy and innovation generally in Australia. So it was one of those things that by and large did work. But at the time, I remember a reporter saying to me, can you guarantee that all of these measures will work? And I said, no, I cannot. I cannot. I said, I hope they all do. These are the best ideas we have at the moment. Those things that work, we will do. More of. Those things that don't work, we will dump if we see somebody achieving our goals with methods and techniques that we haven't thought of, we will shamelessly plagiarize them. And I mean, this is one of the problems that governments have, and I think business leaders have this too, is they set the wrong expectations. You know, you should not say this endeavor, this plan, you know, this bit of legislation, this policy, this investment in this new sales agenda, I guarantee it is going to deliver X, Y, Z. You can say this is the best idea we've got at the moment. We hope it will do X, Y, Z. But we are monitoring it very carefully and if it underperforms, we will cut it, quit and do something else. I always found if you set the expectations right at the outset, it gives you a lot more flexibility.

C (46:01)

Mr. Turnbull, thank you so much for your time.

A (46:03)

Thanks Carissa. Great to see you and chat with you.

B (46:09)

This is Kabycast, the voice of Cyber.

C (46:13)

Thanks for tuning in. For more industry leading news and thought provoking articles, visit KB KBI Media to get access today.

B (46:21)

This episode is brought to you by MercSec. Your smarter route to security talent MercSec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and mid sized businesses scale faster and more efficiently. Find out more at mercse.

C (46:44)

Act.

B (46:44)

Com today.