Dr WOODRUFF - On 30 January there was a zero-day vulnerability found on the third party file transfer service that we discussed by GoAnywhere MFT, which was later patched on 7 February, eight days later. That was the vulnerability that left many thousands of Tasmanians vulnerable to hackers. You claimed you were made aware of the breach on Saturday 25 March, well over a month later. Why did it take you so long to be notified of this breach?
Ms OGILVIE - Very happy to walk you through the time line and it will be instructive to note -
Dr WOODRUFF - Just that part of the time line. I am aware of the rest of it, I have laid some of that out and do not need to hear it all again. It is the period from 7 February until 25 March.
Ms OGILVIE - But you may be interested in the perspective of the trajectory of the matter. From 30-31 January 2023, a DECYP GoAnywhere MFT cloud instance was compromised by cyber criminals, as you are aware. On 1 February 2023, DECYP was advised by email to check a GoAnywhere service portal for advice re service update, so that is the patch to which you refer. The advice from GoAnywhere indicated they were investigating potentially suspicious activity on the GoAnywhere MFT cloud instance and while the investigation was underway, they would, out of caution, implement a temporary service outage for the GoAnywhere MFT cloud instance.
On 3-4 February 2023 malicious activity, including data infiltration, occurs on the file transfer service for a third-party service provider which connects to DECYP GoAnywhere instance. On 6 February 2023 the Tasmanian Government was informed of a software vulnerability within the GoAnywhere MFT system and took the appropriate remediation actions, with all action being completed by 7 February.
On 11 March 2023, DECYP received advice from the GoAnywhere MFT vendor Fortra that DECYP's managed GoAnywhere MFT cloud instance had been subject to unauthorised activity between 28 January and 31 January 2023, prior to any knowledge of the vulnerability, also referred to as an exploitation of a zero-day vulnerability. The advice from Fortra to DECYP was that they had little visibility at the time of any data being extracted as a result of the unauthorised activity.
On 25 March 2023, the Australian Cyber Security Centre contacted the Tasmanian Government through DPAC regarding claims from a cyber-criminal organisation that it had stolen data from the Tasmanian Government. What is commonly referred to as the Clop Group had posted on their website allegations that they had stolen data from tas.gov.au. Tasmanian Government investigation into the allegation commenced, covering state and local government organisations. The criminal organisation in question had been linked to the exploitation of a vulnerability associated with the GoAnywhere MFT system. This factor guided the initial and subsequent investigations.
On 27 March 2023, DECYP advised the Tasmanian Government Cyber Security Team of an incident in their GoAnywhere instance. The Tasmanian Government CIO activated the Tasmanian Government's cyber incident management arrangements in relation to the threat and the advice.
Dr WOODRUFF - Thank you, minister. I was interested in the period of time in between 7 February and you have outlined that now. From 11 March, DECYP got the advice that there had been a breach but it was not until 25 March, when the Australian Cyber Security Centre contacted DECYP about that, that there was an understanding of the gravity of the breach that had occurred. Why wasn't DECYP aware of the gravity of what had occurred?
Ms OGILVIE - That is a very good question. This might be a good time to have our CIO add some commentary because he can speak specifically to that question.
Dr THURLEY - On 11 March, DECYP received the advice, as you referred to a minute ago. During that time the advice provided effectively said that there was very little visibility of any data being stolen at the time.
Dr WOODRUFF - What does 'very little visibility' mean in lay terms?
Dr THURLEY - No evidence of data being exfiltrated at the time. As a result, they effectively put in place the remediations requested from the provider. Because it was a cloud-based service, they were responsible for the maintenance and patching of their own systems. They were just providing information to say that we had not detected any vulnerabilities.
Dr WOODRUFF - I am concerned now in hindsight because I am a lay person and I am looking at what happened. I am concerned that DECYP didn't anticipate that a breach could mean that data would be hacked at some point. Why did it take the Australian Cyber Security Centre to tell a Tasmanian agency that that actually was a risk?
Ms OGILVIE - The question you go to and I think you used the word 'gravity' of the situation, and I think that is the right word to use because there is a range of scale in relation to cyber issues. You can imagine something at a very low level through to something at a very serious level. The responses to managing that risk in both a technology and a community sense differ depending on the scale of the issue. In relation to how that process is managed, you asked that question why didn't they treat it as a more serious risk immediately. I will ask the CIO to talk us through the levels of risk and how you manage that within that cyber assessment or hacking round.
Dr WOODRUFF - What I am interested in understanding is, a small hack, the data wasn't taken straight away, shouldn't it have been obvious that it could have been taken at any point and therefore there was a sense of obvious threat. But that wasn't communicated. That's my concern. Why didn't we understand?
Ms OGILVIE - There is a process around that, I will ask the CIO to -
Dr THURLEY - I'll go back to the point where we get notified. We've obviously got threat and intelligence sharing arrangements where we get information from various service providers and partners. If we picked up something, we'd share it with the people as well.
We were provided some information at the earlier possible instance of it being known that there was a claim or an allegation that some information had been stolen from the Tasmanian Government. We didn't know exactly what it was, where it came from. We didn't have a lot of detail when we first started. That made it very difficult and complicated to pin down what it may have been.
When you're going through a process, particularly when it comes to a process, say at DECYP where they would have been going through vulnerability and patch management as a fairly routine process that happens in every department every week, they just haven't picked up that the extrication of data had occurred. The vendor it's happening to is saying, 'No, we weren't sure, we're not sure what's going on, we've fixed everything, it's all okay'. You're going through this process of trying to assess whether there is actually a risk or not. Notwithstanding -
Dr WOODRUFF - The vendor being GoAnywhere MFT?
Dr THURLEY - Yes, correct. This event was not just occurring to the Tasmanian Government but globally. More than 130 organisations around the world were stung by exactly the same scenario. What seems in hindsight an easy thing to pick up wasn't picked up as part of the process. That's a question that you'll go back and learn from. We take every vulnerability seriously. A lot happens in that space. There are a lot of resources dedicated to addressing vulnerabilities and patches to software.
Dr WOODRUFF - Have you learnt from the vulnerability? What have you learnt from the vulnerability, so that - what have you learnt? What are you doing differently?
Ms OGILVIE - Sorry, what's the question?
Dr WOODRUFF - What are you doing differently, what have you learnt?
Ms OGILVIE - I think it would be fair to say there have been a lot of learnings. Craig Limkin will speak about what we've learnt and the process of review.
Mr LIMKIN - As with any event, be it a flood, fire, cyber event, there's a review undertaken following that in accordance with our Tasmanian Emergency Management Arrangements that looks at how we responded, how we recovered, how we communicated. Those lessons are taken into account and we update our plans.
In the case of cyber, the secretary of DPAC, who is the responsible management authority, has determined that we should have a specific cyber media SSEMP, update our cyber SSEMP and all of those type of matters will go in there. In addition, DSS will also work with partner agencies across Government to review and continue to update policies, procedures and those types of matters to ensure that our state is protected in the best way.
Dr WOODRUFF - For Hansard, what is SSEMP, can you please de-jargonise that?
Mr LIMKIN - Sorry. Special State Emergency Management Plan.
Dr WOODRUFF - Thank you.
Dr WOODRUFF - On Friday 25 April, one of Australia's biggest legal partnerships, HWL Ebsworth, discovered it had been targeted by a Russian hacking group called BlackCat. In a report on 11 May, the Australian Financial Review said the group claims it stole four terabytes of data from HWLE's services, a service spanning internal company files and personal employee data including CVs, IDs, financial reports, accounting data, loans data and insurance agreements. HWLE has more partners, 280, than any law firm in Australia and employs 1300 people. It does legal work for most of the ASX top 50, a host of banks and insurance companies and all levels of government. Minister, is the Tasmanian Government one of the firm's clients or have we been, and if so, what services have HWLE provided and to what agencies?
Ms OGILVIE - The Government has been advised that the law firm HWL Ebsworth - which used to be called Ebsworth back in the days so I will use that for short - may have been the victim of an attempted cybersecurity breach. The Tasmanian Government is one of the firm's clients along with other major institutions. We are being kept up to date about this possible incident and with your okay, I will see if there is an update that can be provided, or are we still in watch and brief, Mr Williams?
Mr WILLIAMS - Absolutely, that is correct. We have no advice that we had any information compromised from the Tasmanian Government and that's as far as we have information.
Dr WOODRUFF - You didn't answer my questions about what services HWLE have provided and to what agencies.
Ms OGILVIE - To our government? I will seek some advice. I have received advice that it is just Justice - as you would expect, being legal in nature.
Dr WOODRUFF - The Australian Financial Review also reported that several clients concerned about the protection of their data had removed their files from HWLE, including the Commonwealth Bank of Australia, Latrobe Financial and ING Bank. Did the Tasmanian Government take this step? Why, or why not?
Ms OGILVIE - Unfortunately, that is a question for Justice. However, I can say that, as you have seen today, we have a wide-ranging remit across departments in relation to ICT and tech matters. In relation to the watching brief that we are keeping on that, we have a pretty rigorous process for triaging issues. As we are in watching brief mode I don't believe we have taken steps. I am looking at Mr Williams to confirm if that is the case.
Mr WILLIAMS - No, we haven't taken any of those steps, as I understand it. It is a matter for the Department of Justice because it is a third-party provider; it is not a cybersecurity incident as such for our division.
Ms OGILVIE - They are an external firm.
Dr WOODRUFF - Aren't you responsible at the agency for securing the interests of the Tasmanian Government when it comes to the integrity of our IT systems, which includes all agencies, not just Justice? I don't understand why you don't have a role in that. Have you not provided advice to Justice about what they should do in this instance?
Ms OGILVIE - Through me. Thank you for the question. When we have third-party issues like this there is a quite rigorous navigation process that we use. This one in particular, Ebsworth - being a third-party legal provider using its own technology - doesn't sit directly under my or our control. However, you quite rightly say that there is an ecosystem. What we are seeking to do with cybersecurity and cyberresilience is make sure that every level and every layer of the ecosystem is as robust as it can be.
The CIO may be able to add a little bit more information, through you, Mr Williams, that ecosystem approach and what we need to do when we are crossing the boundaries of organisations which is really what we are talking about.
Dr WOODRUFF - Thank you, minister. I would rather ask more specific questions of you rather than some general questions. There were four terabytes of data published on the dark web as a result of that data breach.
Ms OGILVIE - You are still on Ebsworth?
Dr WOODRUFF - Yes. Has the Government done, or are you doing, an in-depth assessment of this data to guarantee that no Tasmanian Government records are up there?
Ms OGILVIE - I will seek some information on what steps they are taking. I do have some information for you. The Australian Cyber Security Centre is managing this issue. It's worthwhile pointing out that when there are these major issues, there are entities and organisations that come into play whose advice we also take. I am also advised we do not have any information that anything has been released.
Dr WOODRUFF - That sounds like an extremely passive approach. Just before it you made it sound as though that it was all DOJ's responsibility. What we have got is potentially the same situation as the hack that has already happened as a result of the GoAnywhere MFT patch failure.
Ms OGILVIE - It is a slightly different technical situation, with different entities.
Dr WOODRUFF - That's irrelevant from the point of view of Tasmanian people's data. Why aren't we taking a more active approach and looking on the dark web to see whether any of Tasmanians' information has been published up there?
Ms OGILVIE - The ACSC does that work and does have eyes on. As you would understand, the issue of cybersecurity can traverse many jurisdictions. I would not want to recommend that anybody try access the dark web, other than our agencies who are appropriately and formally geared up to do that. We work very closely with the ACSC and we rely on their advice. As I have said, I take advice and I rely on advice. We have entered a new paradigm with cybersecurity. You will note that it is a hot issue across Australia and internationally. We will work with the expert agencies. If they advise us that there's more to do, we will do that. In relation to impacts internally, we haven't had advice that there has been a theft of information from Justice.
Dr WOODRUFF - It sounds like you're just going to sit there and wait until some federal agency says, there's Tasmanian information. Why aren't we looking for that? Do we have an MOU with the ACSC where we outsource all the responsibility to check if Tasmanians' information has been up there? You haven't made a statement to Tasmanians about this situation, have you?
Ms OGILVIE - I have, yes. Yes, I've been in the media. I have spoken about it.
Dr WOODRUFF - About the potential for data to have been breached?
Ms OGILVIE - I have identified this as an issue, and one that's on our radar. I've spoken about that publicly.
Dr WOODRUFF - When did you do that?
Ms OGILVIE - I'd have to get the date for you.
Dr WOODRUFF - At the time?
Ms OGILVIE - Yes.
Dr WOODRUFF - You've got more information since then; why haven't you been updating Tasmanians about this?
Ms OGILVIE - We run a very robust and complex IT -
Dr WOODRUFF - Possibly a secretive and opaque approach, some people would say.
Ms OGILVIE - Well, I wouldn't say that; IT cyber security and resilience program right across Government. It's fair to say that when third parties have cyber security instances that may or may not impact Government, neither myself nor our Government can control them as third party enterprises. And it's important to remember, of course, that this is a serious crime of international proportions that has impacted, not just us, but others as well. We respond in a proportionate and reasonable way to issues as they arise -
Dr WOODRUFF - But you haven't done anything, except leave it -
Ms OGILVIE - We are doing things -
Dr WOODRUFF - You're not, you're just waiting for the ACSC.
Ms OGILVIE - No, we have a department - we have the CIO here today and you might like to hear more from him - that works across Government to make sure that we are doing all we can to protect Government data.
Dr WOODRUFF - When was that four terabytes of data stolen? Were you informed about that? Were you aware that four terabytes of data had been stolen from HWLE?
Ms OGILVIE - I was personally not aware but -
Dr WOODRUFF - We're not being kept up to date by the ACSC, either.
Ms OGILVIE - That's a question we'd need to ask at the ACSC but -
Dr WOODRUFF - I'm asking it of you, because you don't seem to be getting information or directing the ship. You're just sitting here. It seems a very passive approach -
Ms OGILVIE - Answering your questions, with great detail.
Dr WOODRUFF - Four terabytes of data, that could have Tasmanians' information on the dark web. You're leaving it to some federal agency to spend the time to look through and see if Tasmanians' identities are up there. Why aren't you taking an active responsibility?
Ms OGILVIE - The ACSC is the expert organisation that works at that layer. They advise us as and when we need to and we are not aware of any Tasmanian data being released.
Dr WOODRUFF - No questions asked, then.
Ms OGILVIE - We are not aware of any Tasmanian data being released; the ACSC is monitoring and we are keeping a watching brief.
Dr WOODRUFF - The cybercriminals will be looking forward to getting Tasmanians' data, because you're not defending it very strongly.
Ms OGILVIE - I take that as a statement.
Dr WOODRUFF - Minister, you have told Tasmanians about the GoAnywhere MFT breach and the 10 555 people who were sent emails and the 145 683 debtors, credits and previous DoE employees who may also have had their data breached. You told Tasmanians on 3 April that the information we have within state Government is protected by our cyber security team. Our cyber security team is doing a deep and robust investigation. We understand no information has been provided or released. Then two days later we found out that literally thousands of documents had been stolen and placed on the dark web.
It does not exactly instil Tasmanians with confidence when you are saying exactly the same thing about the HWLE breach. We have four terabytes of data and you have not directed your staff to do an investigation to find out if any of that Tasmanian information is on the dark web, even though you have admitted that the Department of Justice is one of HWLE's clients.
Ms OGILVIE - The Australian Cyber Security Centre, with which we work closely, takes responsibility for the management of these issues. You would appreciate, having a science background yourself, that when it comes to making sure that we have all the information we need literally from the dark web and in relation to any sorts of hacks, a centralised approach at that national government security agency level is the appropriate way to go. I act on advice, as does the team. When we are advised, through that process, particularly where it is a third-party organisation or an entity that has a number of customers or consumers associated with it, we will act on that advice. I have said that many times.
For what it is worth, we do keep a weather eye on things. We are in close connection.
Dr WOODRUFF - Oh
Ms OGILVIE - Now you are scoffing. I appreciate a scoff. We are in close connection with the security agencies. That includes both enforcement agencies and the Australian Cyber Security Centre. It is a very technical issue, it is complex, it is nationwide, we are dealing with well-organised criminals who quite often sit in other jurisdictions, so you would assume that international security agencies are involved as well, including national security organisations.
So, it is a bit of a stretch to say that we, as a government, are not doing enough. What we are doing is engaging deeply, we are ready, we have our people connected with those organisations and we will always adopt, and I have it here, the Office of the Australian Information Commissioner guidelines in relation to how we manage these hacks. That includes: we maintain government information -
Dr WOODRUFF - Thank you, minister. Can I ask you more specific questions about this because I think people want to know. The Department of Justice holds some very important and very private information, including, for example, the evidence and information of the Commission of Inquiry. What you have just told me, as I understand it, you have outsourced to a federal agency the responsibility of investigating to see whether any information from the Department of Justice has been placed onto the dark web. Are you saying there is no role for the Tasmanian Government in ensuring that that's not there, or are you saying you're under-resourced and aren't capable of doing the work?
Ms OGILVIE - What terrible two options. There's a third option, which is no we have not outsourced our responsibilities. What we do is work in a very collaborative manner with the Australian cybersecurity agencies and with our federal government counterparts. I know that the CIO community is also highly connected at the state, national and international level.
Dr WOODRUFF - Could the CIO then address what we are doing in relation to this particular matter of HWLE and the possibility of Tasmanians' data being put up on the dark web?
Ms OGILVIE - I was trying to get to that question before. I am very happy to do that. We have not received information from our trusted partners at the Australian Cyber Security Centre that Tasmanians' information as part of the Ebsworth issue has been released. I appreciate and agree with you that it might be helpful to have a bit more of an overview about how we manage these issues, because it is quite technical and we have the CIO here. I will refer to Dr Thurley through Mr Williams, if I may.
Dr THURLEY - In relation to this matter, the first thing I want to put on the table is there is no data that has been released. It is an allegation. It is 4 gigs of data that you referred to, of what? We don't know if there is, even if it's an allegation, so I just need to point that out. It's very difficult to take any assertions from that.
The next question was whether we had done anything about it. We have incident management arrangements within the Tasmanian Government and all incidents that we become aware of progress through that process. That process is handling an incident in relation to this particular issue at the moment, but it doesn't become a whole-of-government issue at this point in time, it's still managed within the agency that needs to manage it, with assistance and support. I would say that yes, our relationships with others potentially could be impacted by this, but in reality it's been handled by HWLE because it is their incident.
Dr WOODRUFF - Minister, can you explain why some very important agencies like the Commonwealth Bank of Australia, Latrobe and ING have removed their files from HWLE as a result of this hack but we haven't undertaken the same action? I'm inferring; I haven't heard a comment otherwise that DOJ hasn't stopped using the services of HWLE since that breach.
Ms OGILVIE - To clarify, is your question whether we continue to use that law firm?
Dr WOODRUFF - Yes.
Mr WILLIAMS - That is a matter for the Department of Justice to assess what their risk is. Each agency is responsible for their information. I guess the challenge in this space is that while the Australian Government is working with HWLE, we have no way, apart from relying on the Australian Government or HWLE directly, to have any investigative power. They have to do the investigation because it wasn't one of our systems that had been breached.
Dr WOODRUFF - How is it possible for DOJ or any agency to decide to continue or discontinue services of an agency that's been hacked without advice from your area, Minister? Without that advice what are they basing it on, otherwise it is ad hoc, isn't it?
Ms OGILVIE - I'm happy for Mr Williams and perhaps the CIO to speak to the nature of the advice that is available to departments so that we can give you a proper sense of the conversations that occur.
Mr WILLIAMS - I am aware that the Australian Government is convening a legal services reference group around this issue and the Department of Justice is represented on that nationally. At this stage the latest advice we have is that there is no information from HWLE that we have had any data compromised and the Department of Justice or any other agency needs to take a risks-based approach to how they deal with these sorts of matters going forward.
Dr WOODRUFF - On what basis would they make a decision about what an appropriate risks-based approach is unless there is a whole-of-government agreement on what that should be - the criteria, measurements, the guidelines? Do we have one that's standardised across agencies?
Mr WILLIAMS - The risks-based approach, the advice that they're getting is coming from a national group coordinated by the Australian Government and because it is a national issue - as you pointed out, the Commonwealth Bank et cetera is involved - the Australian Government is coordinating relationships with HWLE and that's the sort of mechanism the Department of Justice is using to get information and they have to make a judgment, I guess, on all the normal sort of risks based factors. What do they think could be at risk in terms of information? What they're hearing at this stage is there's no indication that they've lost any information. These are very complex matters that -
Ms OGILVIE - It is very complex but perhaps I'll pick up on that. Does that help somewhat? Agencies have access to expert advice on the ground in their departments and they'll make their best judgments based on the advice that we're able to provide through the department.
Dr WOODRUFF - I suppose what I'm concerned about is the hodgepodge effect of different agencies making different decisions and if there isn't something that's across all agencies, what's the point in having your agency? What is the point of your agency if you're not leading a consistent approach to managing risk across all agencies? There should be one way in Tasmanian agencies to manage the risk and to make decisions about how to proceed in a situation like the DOJ, otherwise what are we putting resources into a centralised service at all?
Ms OGILVIE - Indeed. It's a fair question. The challenge we have, of course, is that each agency has a bespoke level of services and arrangements they are trying to deliver. As you would imagine, Service Tasmania delivers different sorts of services and needs different sorts of IT and systems within its organisation to Justice, who are doing a different sort of business. Each agency has some scope, as you would expect, to be able to use some of the services they need and connect with external parties through the services those external parties use. I love the idea of having a cookie cutter, one-size-fits-all tech system, but we live in a world where there are different models and different ways of connecting and as a government, we need to interact with third parties and third parties use other software as well. That is the ecosystem I've been speaking of and we need to improve our cybersecurity and resilience right across that within government, business, at the federal level, also the community and small business and I was speaking recently with TasCOSS around the digital divide issues to make sure that residents and everyday people are aware of cybersecurity.
Dr WOODRUFF - One of the issues that's come up in this whole mess this year is that -
Ms OGILVIE - It was a crime.
Dr WOODRUFF - No, it was also a mess in how it was handled from your point of view, minister.
Ms OGILVIE - I don't think everybody agrees with you on that.
Dr WOODRUFF - Some of the things that looking back in hindsight need to be fixed are things like a requirement for you as minister to be upfront with Tasmanians about when a breach has occurred. Regardless of whether you know if data has been uploaded or not, there needs to be a set of minimum standards for reporting, particularly from the minister, so that Tasmanians know what has happened because at the moment, how do we know? Have any other cyber-attacks affecting or potentially affecting the Government happened other than that HWLE and the earlier one with DOE data? Is there anything else we don't know about?
Ms OGILVIE - That's very broad and you've asked a number of questions within the preamble, so I'll tackle it in pieces. The first one is in relation to the management of data breaches, and I'll just summarise that they range from insignificant through to very significant. I tried to put this on the record before and I'll do it again - Office of Australian Information Commissioner guidelines for how we manage this, which I think goes directly to your question. First of all, if we have a suspected or known data breach we identify that. The second obligation and duty of us and others involved is to contain that breach. Then we assess the breach and the risk -
Dr WOODRUFF - It's the time frames, minister.
Ms OGILVIE - That's right, the time frames relate to the nature of the breach because they are third party actors involved. We assess the breach, then we take remedial action and then we notify. We do that because it's incumbent on us to make sure we've done everything we can to protect vulnerable people, data and our assets before we perhaps even tip off the malicious and malevolent actors. Once we've addressed these issues we go into the review stage. It's an engineering model and we adopt that and as we have heard today, that review is occurring.
Dr WOODRUFF - Minister, in relation to the HWLE data breach, it is unconfirmed exactly how much data was hacked; but we do know that BlackCat allege they have put the HWLE data hack back online on its site on the dark web?
Ms OGILVIE - Sorry - what were you saying there?
Dr WOODRUFF - The group - BlackCat - has claimed that four terabytes of data - we don't know exactly, but that is the claim. There was no information on the public record prior to today about what Tasmanian department was potentially affected by the HWLE breach. Why didn't you tell Tasmanians that DoJ had potentially been affected? Why didn't you do that?
Ms OGILVIE - Again, I'll have to refer to the process we take - which is about containment and management. I also reiterate that we have no information that Tasmanian data has been affected.
Dr WOODRUFF - You have no information that Tasmanian data wasn't affected.
Ms OGILVIE - We are relying on the Australian Cyber Security Centre (ACSC) and their expert skills.
Dr WOODRUFF - Minister, we would have asked more information about it in the Justice portfolio, if we'd known.
Ms OGILVIE - That's a fair comment.
Dr WOODRUFF - You might call it containment and management; we call it a lack of transparency.
Ms OGILVIE - That's the process, and this is where the rub comes; I appreciate that.
Dr WOODRUFF - We are concerned at your process because it is about withholding information from Tasmanians and I think it treats Tasmanians like children, as though people are going to go and hit the red zone. Some people will but we have to provide some advice and support to people.
Ms OGILVIE - It is a very tricky balance; I agree with you.
Dr WOODRUFF - We would have asked questions in the Department of Justice about this and we would like to understand. We would hope that you could take it on notice, if your officials need to talk to Justice, but we would like some more information about the specific nature of the services that was provided by HWLE to Justice so that we could understand the possibility of the sorts of records that might have been put on the dark web.
Ms OGILVIE - Okay. I am not immune to the complexity of this issue and I totally appreciate what you're saying as well. I want to flesh out for those who are watching that we try to very carefully balance our obligation and duty to contain and protect people, with an obligation to be as transparent as possible. I know I've been chipped for not using the most sophisticated language in doing that, but the reality is when it comes to a decision and the advice that I receive in relation to that flex point about whether we have to err on the side of caution to protect people or speak early, I will always seek to protect people. I appreciate your comments and perhaps we'll let the Office of the Australian Information Commissioner know that we have some learnings from that situation, but this process that we use is best-practice process. I've just been reminded that we also have the public information unit, so when we stand up an actual cyber event and the response to that, there is assistance with that.
Dr WOODRUFF - You didn't answer my question, minister.
Ms OGILVIE - You had a number of questions.
Dr WOODRUFF - I want to know the specific nature of the services provided by HWLE to the Department of Justice?
Ms OGILVIE - Again, I don't want to annoy you all but of course that is another portfolio and different minister. I appreciate your comment that had you known, you would have asked, but please feel free to put it on notice and we will do what we can.
Dr WOODRUFF - So you can't give any information to the committee today?
Ms OGILVIE - It's not my portfolio area. I've had to say that quite a lot today.
Dr WOODRUFF - I get that, but I'm also interested at the lack of information that's available in your department about this, because it is a notified hack of an agency that the Government purchases services from. Why hasn't there been an investigation into the potential threat to clients of DOJ, to Tasmanians who have information on DOJ files?
Ms OGILVIE - I think it's worthwhile saying that when it comes to the IT and technology system, we don't look inside files, we don't look into what's being transmitted and read people's files, there is a level of privacy and security that is maintained.
Dr WOODRUFF - That's not what I'm asking.
Ms OGILVIE - In relation to what Justice may actually be exchanging with Ebsworth, that is a question they would have to answer. I appreciate your comment that had you known it was a Justice issue you would have asked that in that output, so by all means put it on notice.
Dr WOODRUFF - Thank you. Minister, what we have determined is that you've talked about your policy for managing risk as one of containment and management and what I'm concerned about is that there is not one of transparency and information provision to Tasmanians. You've talked about a balance but what we've seen from the situation with GoAnywhere MFT was that it's really first and foremost about -
Ms OGILVIE - Looking after people.
Dr WOODRUFF - looking after yourself and managing political risk for yourself.
Ms OGILVIE - No, I disagree with that.
Dr WOODRUFF - Well, there was a period of time before you made an announcement on 2 April where you were aware in the week before that - while we were in parliament and the heat was on you as Racing minister - but you didn't make the information available to Tasmanians then about the data breach that had occurred. Why didn't you make it available, even though the record now shows that you were aware of it in that week?
Ms OGILVIE - I think we've traversed the processes around this. I agree with you, there is a balance between transparency, containment and management and certainly our department looks to take care of Tasmanians and Tasmanians' data first. We are dealing with a crime, a criminal event called a ransom attack, in which information can be taken and held, so there are issues that we need to balance and we work closely with the Cyber Security Centre and other national level agencies.
It is helpful to get to the point to really articulate the steps before we go public and that might help provide you some information, so I will ask Mr Thurley to do that. I think that's the answer to your question.
Dr WOODRUFF - Minister, I am not interested in generalities.
Ms OGILVIE - You don't want to know the information?
Dr WOODRUFF - No, I want to know the specifics of what happened from when you were advised of the data breach on 25 March and when you publicly reported that breach. We know that at the same time in that period, you were under intense scrutiny and I think there might have been a no confidence motion in you as Racing minister, so it was not surprising that Tasmanians did not hear until after that period that you were heading up an agency under which there was the discovery of a major data breach. Why didn't you tell Tasmanians when you were advised on 25 March?
Ms OGILVIE - My goodness. Is your allegation that I am somehow responsible for a Russian cybercriminal cohort? It is quite a remarkable statement you've just made.
Dr WOODRUFF - Minister, could you please let me finish my question? Why didn't you tell Tasmanians when you were advised on 25 March? What possible reason would there have been for not revealing that information?
Ms OGILVIE - We have traversed this issue.
Dr WOODRUFF - I know it's painful for you.
Ms OGILVIE - It's not painful at all. I'm very happy to go through it again. As I've said, there is a range of the nature of cyber-hacks that can happen within government. You've heard of some of those today, and as it happens, I actually have a bit more information on the Ebsworth one for you, so don't let me forget that at the end.
These issues arise because they are criminal attacks by criminal organisations and they can range from small in severity right through to very large in severity. This is a continuum that we are dealing with. These are not one-off events. When a hack occurs and when information is taken, it traverses and, in this case, has traversed months. I am kept informed by my department and, in particular, by my CIO. In relation to the time frames on it, you've said some pejorative things about me and I'll just take that as a statement and won't respond to those, but I will ask Dr Thurley to speak exactly through how it works in relation to going public with information and how we do that.
Dr THURLEY - I'll go through the process here. It's common in data breaches that you have complexities in relation to what type of data is being disclosed. With this incident, you've got to understand that on 25 March it was actually an allegation that a criminal had stolen information from the Tasmanian Government. Our initial response was effectively to examine the credibility of that claim because it was an allegation only. It also wasn't very clear what they'd stolen from the information that was exposed on the dark web. We effectively get a very ambiguous claim, so that meant we had to set in play some way of trying to understand what the possibilities were, looking at what we knew from intelligence that we'd gathered.
Then once we got to that process where we actually started to understand more of that and let's face it, this was a complex investigation, we had to mobilise people to understand it, we had to ask a lot of questions of a lot of people moving around within government to understand what our threat profile might be, and this allowed us to establish where the potential threats may have come from. Once we understood what the potential threats could have been and we obviously understood that DECYP might have been in that space, we then started to think about the potential harms, the potential risks and who could be vulnerable.
Our first objective in a data breach or any type of cybersecurity scenario is to assess and contain the incident. Our first approach was to understand if it was just a data breach or did we have an actor inside our network? Is there a ransom type scenario, a ransomware scenario in play? We had to again go through this process and it's very much the case that we are about reducing harm to either individuals or to our systems that would make further harm possible. So that time frame, we're talking about two to three days added all together, and eventually we got to a point where we understood more about what we were dealing with.
Then again, our first objective is when you're knowing that maybe it's only a data breach, maybe it's certain cohorts of people, we need to make sure that those most vulnerable would be notified as quickly as possible before anything and anybody else knew. That's really important because if information gets exposed before somebody hasn't had a chance to act and we had an opportunity to understand that then we should act on it.
Hence we have a process that pretty much follows the playbook that's outlined in the Notifiable Data Breaches scheme guidelines offered up by the Australian Government. We think that playbook's pretty much universal for data breaches and it's pretty consistent with those time frames.
Dr WOODRUFF - Minister, through you to the CIO if appropriate, does that national playbook advise not making the information available to the broader public about the data breach? Is that the advice?
Dr THURLEY - The advice when it comes to notifications is that you need to take into effect harm and there's methods of notifying, so in other words, you could notify the individuals who have the biggest implications upfront first and then notify others later if it was possible. It does actually put in play that there are mechanisms for doing the notifications and we follow that playbook and most organisations do. It's good advice and we feel that we operated well within the frame of the guidelines that the Office of the National Information Commissioner would actually put on any private organisation that was caught up in the Privacy Act, which we are not caught up in but we follow the same playbook.
Dr WOODRUFF - Minister, accepting what we've just heard, and accepting that you were given advice, what day and time were you given the advice?
Ms OGILVIE - I would need to confirm that. I don't have the time. I'll see if I can get the information for you.
Dr WOODRUFF - Was that made to you in a formal briefing? How did you receive the advice?
Ms OGILVIE - I will turn to Rob, I think he has that. Would you like us to table a copy of this? It might be helpful and will give you an idea of how the process rolls out.
Mr WILLIAMS - As the minister read out earlier, the SEMC met on 29 March to get an update on what was going on. There is a tipping point during the investigation. The minister made a media statement some time before we had proof data had been lost. We knew there was a compromise but we only had proof that we'd lost data on the day it was released on the dark web.
In that period of investigation it reaches a point where on the balance of probability we have to think what's our duty of care to the Tasmanian people. As the picture became clearer, we reached that point and we briefed the SEMC. It was on 31 March that the minister came out and said we were investigating. That was some time before 7 April when the data dropped.
We were only acting on the notion that we had a risk of loss. Until 7 April we had no proof that we'd lost anything, even though we had a risk and suspicion. That's why the minister went out the week before.
Dr WOODRUFF - Were you at the state management committee meeting on 29 March?
Mr WILLIAMS - Yes, I was at that one.
Dr WOODRUFF - That was when it was clear that there had been a data breach?
Dr WOODRUFF - On 25 March the ACSC advised us that there were allegations that people had data. On 29 March was a briefing that said this was an emerging issue. We didn't know the depth of it. In that ensuing week there was investigation, especially by DECYP to understand what were the dimensions and what was the possible data that could have been in that exposure? As the minister said, this is still live. We don't know if they have anything more and if they do we may never know until they release more data.
Dr WOODRUFF - After 29 March there was a two-day gap before the minister made the announcement. Who made the advice for the minister to be able to release the information? Was that made by the SEMC?
Mr LIMKIN - At that stage we were still at a level one event. The SEMC was informed to keep them informed and ensure awareness and collaboration should we need to move to a level two event, which is what we did later in the period. At that time, the responsible management authority for a cyber event is the secretary of the Department of Premier and Cabinet.
Dr WOODRUFF - What changed between the SEMC meeting on 29 March, given that the Australian Cyber Security Centre had already provided the information on 25 March, so we are already four days later. Then, there was the SEMC meeting. Why did you have to delay? Why couldn't you tell Tasmanians at that point?
Mr LIMKIN - As the Chief Information Officer said, we were investigating at that point in time an alleged event that was occurring, so the SEMC was informed and the deputy state controller was informed of the investigations that were currently being undertaken, and further work was done on that.
At that point we also stood up the public information unit, which brings together cross-government communication specialists who lead and provide that advice to the responsible management authority on that. Between those two days, a lot of work was happening under our Tasmanian emergency management arrangement to put us in the best place to manage this event.
Dr WOODRUFF - How did it end up that you ended up making an announcement on a Friday night, after a week of parliament where you had been under intense scrutiny with a no confidence motion as the Minister for Racing -
Ms OGILVIE - Are you going to do pejorative statements again? Perhaps best if you just ask a question.
Dr WOODRUFF - It was released late on a Friday night. It just seems so Liberal, the timing of these things, it is just so unlucky for you, isn't it, that these things come out at the last minute on a Friday afternoon. Take out the trash hour.
Ms OGILVIE - Do you have a question?
Dr WOODRUFF - When were you given the advice to make the announcement?
Ms OGILVIE - We have been right through that and Mr Williams was wanting to make a contribution. I can't control when things happen in relation to cybersecurity. I can't control Russian hackers, unfortunately. I wish I could because, if I could, I would make sure these crimes didn't happen. But we are in the world of cyber and criminal security concern. Things happen when they happen and, as it happens, all of these people at this table, myself included, got on the tools right through Easter, on the front line and worked very hard. I would like to thank everybody here, particularly the CIO and all of the techs, and everybody in the public information unit who did that work.
Dr WOODRUFF - When were you told you were allowed to tell Tasmanians? What was the day and the hour and the minute?
Ms OGILVIE - In relation to the hour and the minute, et cetera, I will have to seek that information. In relation to when it is appropriate to go to a public statement, I did that on 31 March. You have heard from the CIO and also Mr Williams in relation to the work that was being done and emerging during that time. I think Mr Williams can respond to that.
Mr WILLIAMS - All I can add is that during that time, after the ACSC advised us, we stood up an incident management team which kept on running through. The advice that we gave was flowing through that to the minister's office. As I said, at that first instance of notification it was very unclear what had happened. We still didn't know until the date the data was dropped that we had lost any. We knew we had a risk. It just built a picture.
These things start off at day one really unclear and build up a picture over time. Some of them can take a very long time and some of them you will never know you lost data until it is lodged. That incident management team brought together a number of agencies, including DPAC and the Department of Education, Children and Young People, to try and manage the issue carefully and bring the data together so we were all on the same page.
Dr WOODRUFF - Minister, Mr Limkin just outlined and clarified the State Emergency Management Committee process and the fact that it is convened by the state controller or the deputy controller and that it was convened on 29 March, and then I think he also said that he and maybe some other people from DPAC and the incident management team provided advice to you as minister on 31 March. Is that correct?
Mr LIMKIN - Through you, minister. It's the responsible management authority, so the secretary of DPAC and the incident management team, which is Mr Rob Williams and Mr Justin Thurley.
Dr WOODRUFF - Okay. Can you confirm that the SEMC at its meeting on 29 March did not endorse the release of information about the data hack on that date?
Mr LIMKIN - Just to clarify, the minister was not at the State Emergency Management Committee meeting. As I said before, that is a matter for all the heads of agency and the responsible statutory authority holders. I hold the position of state recovery advisor, for example. To the best of my recollection, there was no endorsement of any media release or any media strategy at the meeting of 29 March. That was more about informational awareness and collaboration across the bureaucracy.
Dr WOODRUFF - Was there any decision made at that meeting that it would not be appropriate to make any public statements about the matter?
Mr LIMKIN - Dr Woodruff, as I said before, the matter was about collaboration and information sharing. The public information unit was stood up not long after that meeting and that is when advice was provided to government through the bureaucracy leaders but to the best of my recollection, there was no endorsement either with them.
Dr WOODRUFF - Was there not any decision by the State Emergency Management Committee that there shouldn't be information made available to Tasmanians?
Ms OGILVIE - I'm not sure -
Dr WOODRUFF - No, there wasn't. That's what Mr Limkin said. There was no decision to prevent information being publicly advertised at that point by the SEMC? It wasn't their view that that would be an incorrect action?
Ms OGILVIE - That's the question? I think I will ask -
Dr WOODRUFF - I think I've just answered it.
Ms OGILVIE - I think you've misinterpreted.
Mr LIMKIN - Through you, minister, I think there's some confusion. At that point of the SEMC, we were still managing the incident under a level-one event. At a level-one event, the responsible management authority, which at that stage was the Department of Premier and Cabinet and its secretary, advised the Government of the decisions. The SEMC was set up to collaborate and inform, it was not at a decision making point at that time. The only time the SEMC begins to become more effective in managing an emergency is when we move to level two - the SEMC moved to level two during the event - and sometimes moving to level three, which was when we moved to a state of emergency under the COVID arrangements. At level one, the responsible management authority and the relevant incident management teams make the decisions and advise the minister and the government of the day.
Dr WOODRUFF - Thank you, Mr Limkin. What I think we've established is that there was no advice or prohibition on making a public statement. The decision to make a public statement and the timing of that was essentially a political one in that it came from the secretary of DPAC with the advice of the incident management team. We are quite interested in the fact the advice was dropped late on a Friday afternoon. We are very suspicious of the motivations for doing it at that time. This Government's got form of taking out the trash late on a Friday afternoon, so we're trying to get to the bottom of this. I mean, it's this reflex to hide stuff and keep out of the papers and it would help so much if you were more open and upfront with Tasmanians. We'd be more likely to believe you if you said this wasn't politically motivated timing. It beggars belief really, given what had happened in parliament that week, that the decision was made late on a Friday. So we do want to know, and you've already said you'll table the exact time you were given the advice and who you were given it by.
Ms OGILVIE - I said I would seek that.
Dr WOODRUFF - You said you'd table it, because I've got it as a question on notice.
Ms OGILVIE - I want to respond to you. You may not like the timing of when things happen, but things happen when they happen. I act on advice, as I have said, and you have just heard a very detailed account of the decision-making process that the department went through to get to that stage, including of course that I was, for good reason, not at the relevant meeting, not influencing timing and not part of any issue around that.
You have heard from me about my desire to communicate as much as I can, when I can. I went public as quickly as I could with as much information as I could and then I proceeded to continue to do that. I think the argument you're making doesn't stack up. This is not a one-shot piece of information to take out. This is a continuum of an issue that we are currently still in. This crime is currently still on foot, so the concern you have specifically around whether I was being given a hard time in parliament or not - and actually I was given a pretty hard time in parliament which was pretty unpleasant and distressing -
Dr WOODRUFF - Well, you brought it on yourself, I've got to say.
Ms OGILVIE - No. I don't believe that the nature of the conversation that happened during those days was entirely appropriate. What we have is me, as a responsible portfolio minister, taking advice appropriately from my experts, from my department, from national security organisations including the ACSC and the appropriate people, and acting on the advice on the day I was provided with the advice that it was appropriate to make a public statement. The fact that you may not like the date or the time that that was done is really not part of the decision-making process.
Dr WOODRUFF - In relation to the question I asked earlier about the likely data breach from HWL Ebsworth Services, do you have anything you need to make as a clarifying statement on any of the comments that you made earlier?
Ms OGILVIE - Yes. Thank you for reminding me, I did have a bit of further information for you. We've done a little bit of checking and we can confirm that State Growth and the Department of Police, Fire and Emergency Management have matters directly with HWL Ebsworth and not through DOJ.
Dr WOODRUFF - Who?
Ms OGILVIE - State Growth and the Department of Police, Fire and Emergency Management have specific matters with that law firm.
Dr WOODRUFF - Not DOJ?
Ms OGILVIE - No, in addition. DOJ has matters with that law firm and I've been advised there are two other departments that have matters directly with that firm.
Dr WOODRUFF - So why don't Tasmanians know this?
Ms OGILVIE - Because you're asking me now and we're telling you and we haven't had information -
Dr WOODRUFF - It was three weeks ago that Australians found out about that data breach. Why haven't you made a statement in the media about it?
Ms OGILVIE - I have made a statement.
Dr WOODRUFF - Yes, I know, this is the way you do things.
Ms OGILVIE - You just said I haven't made a statement but I have made a statement.
Dr WOODRUFF - You were pulled kicking and screaming. Only because we pushed you. We have asked you to make the clarifying statement, I asked you before, you said, 'Just DOJ'.
Ms OGILVIE - I did a press release in which I spoke about it.
Dr WOODRUFF - At every point you hide something and keep something up your sleeve.
Ms OGILVIE - Not true. It is getting a bit silly.
Dr WOODRUFF - Why haven't you told Tasmanians about this earlier?
CHAIR - Order, please. Dr Woodruff.
Dr WOODRUFF - You did not make any comment about State Growth or DPFM or DOJ agencies having services that have data that could have been breached.
Dr WOODRUFF - When you made the announcement about the HWL Ebsworth data hack, did any media contact you to seek more details about that? And did you respond to them if they did?
Ms OGILVIE - I don't recall. I think there was interest from the Mercury.
Dr WOODRUFF - Did you respond?
Ms OGILVIE - I'm not certain, so let me check.
Dr WOODRUFF - Did they ask which agencies were affected?
Ms OGILVIE - I'm not certain. It was some time ago. I will see if I can get information for you.
Dr WOODRUFF - To the committee before we finish in 20 minutes' time? Otherwise I will put the question on notice.
Ms OGILVIE - We will try and do it now for you.
Dr WOODRUFF - Did the Public Information Unit proactively release any information to the media either on the Ebsworth hack or on the Go -
Ms OGILVIE - Separately to my ministerial statement?
Dr WOODRUFF - Did the Public Information Unit proactively release any information?
Ms OGILVIE - I will ask Mr Limkin, our Public Information Unit specialist, to speak to that.
Mr LIMKIN - The Public Information Unit has not been stood up for that event. What has been stood up is an incident management team. The reason why the Public Information Unit has not been stood up is because, at this stage, it is being managed through the Tasmanian Emergency Management Arrangements as a Level 1. A PIU is only really stood up when we move into a Level 2 event.
Dr WOODRUFF - Just to clarify, other than statements that Ms Ogilvie has made at press conferences, has any area of the Government made information available to the media about both of those hacks or either of them?
Ms OGILVIE - Not that we're aware of but it might be that they need to check.
Dr WOODRUFF - Will you check that, please?
Ms OGILVIE - We're just trying to confirm for you. They're not aware but they are happy to check with Police, Fire and Emergency Management, Justice and State Growth.
Dr WOODRUFF - Thank you. Cassy O'Connor received an email from Jenny Gale, the head of the State Service, from a DPAC email address on 9 April, a week after you made your announcement, saying:
The current level of media coverage of this event is detrimental to Tasmania's interests and increases its attractiveness as a target for future attacks.
The current media environment is fuelling the business model of cyber criminals and potentially putting the Tasmanian community at further risk.
She goes on to say:
Public Information Unit will not be providing further media statements unless there is another data drop or there is a significant event to inform the community. The security advice is that continual coverage, beyond informing Tasmanians when there is a release of data, can increase the cyber risk to Tasmania and none of us want to be responsible for that.
But there was no media commentary about it other than around the comments you had made because no information was coming from the Government at all. The media had asked questions and been given no answers, and there was nothing coming from the Public Information Unit. Really, what Ms Gale was trying to do was shut down comments from, as she specifically referenced, Josh Willie and Jen Butler, who had been appearing in the media and making their concerns known to Tasmanians. That's a very concerning development, don't you think, the head of the State Service trying to shut down MPs?
Ms OGILVIE - I received the letter as well and it applied to me also.
Dr WOODRUFF - Ah, hello. Can you answer the question, please?
Ms OGILVIE - The answer is pretty straightforward. We all received the same letter. In relation to Ms Gale's letter, it would be helpful if I invited Ms Gale to join the table.
Dr WOODRUFF - That would be great.
Ms OGILVIE - Thank you. We'll do that. She'll be happy to assist.
Dr WOODRUFF - Through you, minister, why did you advise Cassy O'Connor and other MPs, who I understand received the same letter and so did I, that media coverage was detrimental to Tasmania's interests and that you had received security advice that continual coverage beyond informing Tasmanians would increase the cyber risk to Tasmania? On what basis did you provide the advice?
Ms GALE - We had received information from a couple of national security organisations, including the Department of Home Affairs and the Australian Federal Police. Their advice was that we should look to normalise media messages as we were putting increased focus on Tasmania and Tasmanians. Their advice was that this could lead to greater incidences and events. At that time, we were also advised that they were seeing other groups looking more into our data, which does not help us to manage the situation. My judgement was that that could potentially create further harm to Tasmanians and, therefore, believed that it was necessary to provide that information to all of the major political parties to try to normalise that media message.
Dr WOODRUFF - Could you please table that advice for the committee?
Ms GALE - This advice was verbal and I would ask Mr Limkin if he could comment on that.
Mr LIMKIN - Dr Woodruff, we receive regular, verbal advice from the Commonwealth through various mechanisms. We have a telepresence room on Level 7 of DPAC; it is an NV1 security clearance, it has various locks, checks and security types of things. We spent a lot of time out of that recently doing National Cabinet in that room, so that is one activity of how they provide advice to us. The second activity that the Commonwealth does is through Signal -
Dr WOODRUFF - Thank you, Mr Limkin.
Mr LIMKIN - and finally Dr Woodruff, through confidential communications. There are even some matters that I get sent that I am not allowed to provide the government of the day because of the security clearance. That is the standard process.
Dr WOODRUFF - Can I ask a second question minister, through you to Ms Gale, if you think that is appropriate. You have used verbal advice to advise the media and members of Parliament to not make public statements, and you did not get that in writing? Is that correct?
Ms OGILVIE - I am happy for you to respond.
Ms GALE - As Mr Limkin has explained, we often get security advice that is not in writing, but that does not mean that it is not important advice for us to heed.
Dr WOODRUFF - Minister, why wouldn't you ask for such important advice, which is seeking to shut down conversation from the media and from elected members of parliament, why wouldn't you ask for that advice in writing to cover you, and to provide to people when they wanted to understand why you would seek to shut down serious questions of concern about how the Government is managing the matter?
Ms OGILVIE - I want to understand the question - is it, why there was no written advice?
Dr WOODRUFF - Yes. Why wasn't that asked for?
Ms GALE - We don't ask for the advice in writing because we know that we are not likely to always get it, because it is up to those Commonwealth agencies to determine the nature of their advice. I would like to indicate to you that the purpose of the letter was not to shut down media commentary, it was to normalise the media message so that there was not so much activity in the media about Tasmania that it might pose potential further harm to Tasmanians. In relation to that, the information we provided to the media gave some good practice advice about the way in which these types of incidences could be covered, in order to minimise the harm to the public.
Dr WOODRUFF - Through you, minister. I do not know what Ms Gale is talking about, because we have just heard that there was no information provided to the media through the public information unit and we have just heard from you that you don't believe that information was provided on these matters to the media.
In Ms Gale's letter to all members of parliament, she said -
I would appreciate your cooperation by heeding the same advice and not doing any further media.
Through you, minister, Ms Gale, do you regret saying those words, silencing members of parliament, and silencing the media from asking reasonable questions about what was happening, what the scale of the threat was, how the Government was managing it? They were the questions that were being asked at the time. Do you regret making that direction to members of parliament?
Ms OGILVIE - Through me, please. Is your question whether Ms Gale has a regret?
Dr WOODRUFF - Whether she regrets taking such an extraordinary step to stop reasonable questions from members of parliament about such a serious threat to Tasmanians.
Ms OGILVIE - You have had a very long preamble, but I am happy for Ms Gale to perhaps comment.
Ms GALE - Dr Woodruff, I think you may be referring to an email which I sent as a precursor to the formal letter that I then sent again to all of the major political parties. In relation to the email, the purpose of that was to indicate that there would be further advice provided formally later in the day.
My assessment of the situation at the time was that it was a fast-moving event; we knew potentially that there was a lot more data that could have been dropped - and still could be dropped now; and therefore we had to make decisions based on what we believed to be in the best interests of Tasmanians.
In relation to the email - it was intended as an indicator that more formal advice would be coming. I did also try to call leaders of the parties on that day, but noting that it was Easter Sunday, it was difficult to get people on the phone.
In relation to the sentence that you're referring in the email-
Dr WOODRUFF - That you wrote. Yeah, I'm not making it up. You wrote it.
Ms OGILVIE - I don't think anyone has suggested that. Please do go on, Ms Gale.
Ms GALE - In relation to that particular sentence that I wrote, that you've just referred to, it says 'I would appreciate your cooperation by heeding the same advice and not doing any further media'. Yes. It would have been better if I had indicated - and not doing any further media until such time as I'm able to get you the formal advice.
In hindsight, yes, that could have been better expressed, but the intention of it was to try to minimise the harm to the Tasmanian community.
Dr WOODRUFF - But you still can't provide the formal advice because it was never given to you in writing? So when would you have ever provided the formal advice?
Ms OGILVIE - Sorry, I think there's been a misunderstanding. Please go on.
Ms GALE - I did provide, together with the State Controller, a more comprehensive letter later in the day that contained the nature of the advice that we had received; and, to that, was attached some best practice principles or information about how we would benefit, I guess, from treating this type of information in the media.
Dr WOODRUFF - From a private company, not from national security; from a private company - CyberCX. This is the problem. CyberCX was a private company, so it feels as though you scratched around after you sent this letter and it went down like a stink bomb, to try to find some other place to get advice. The information that you provided was conflicting because what you sent us later in the day was that the guidelines from Australian Cyber Security Centre were to provide communication in a transparent way and making sure the community is informed, but not alarmed. In fact, what you were trying to do was shut down conversation. Which clearly doesn't help.
So why did you seek -
Ms OGILVIE - Sorry, what was the question?
Dr WOODRUFF - I want to confirm that there was no national security advice from a national security government agency that was ever provided to Ms Gale.
Mr LIMKIN - Just to confirm. There was advice received by the Department of Home Affairs, and the Deputy Commissioner of Police received advice from the AFP about cybercriminals responding to increased media publication. I am advised that was all received on Good Friday, 7 April; and we were beginning to see increased activity regarding Tasmanians servers at that point as well, which is why that advice was provided further on.
Dr WOODRUFF - Can you table that advice please, Mr Limkin?
Mr LIMKIN - As I've indicated before, it is verbal advice, which is a common practice provided by cybersecurity arrangements at a time.