Dr WOODRUFF – On 30 January there was a zero-day vulnerability found on the third party file transfer service that we discussed by GoAnywhere MFT, which was later patched on 7 February, eight days later. That was the vulnerability that left many thousands of Tasmanians vulnerable to hackers. You claimed you were made aware of the breach on Saturday 25 March, well over a month later. Why did it take you so long to be notified of this breach?
Ms OGILVIE – Very happy to walk you through the time line and it will be instructive to note –
Dr WOODRUFF – Just that part of the time line. I am aware of the rest of it, I have laid some of that out and do not need to hear it all again. It is the period from 7 February until 25 March.
Ms OGILVIE – But you may be interested in the perspective of the trajectory of the matter. From 30-31 January 2023, a DECYP GoAnywhere MFT cloud instance was compromised by cyber criminals, as you are aware. On 1 February 2023, DECYP was advised by email to check a GoAnywhere service portal for advice re service update, so that is the patch to which you refer. The advice from GoAnywhere indicated they were investigating potentially suspicious activity on the GoAnywhere MFT cloud instance and while the investigation was underway, they would, out of caution, implement a temporary service outage for the GoAnywhere MFT cloud instance.
On 3-4 February 2023 malicious activity, including data infiltration, occurs on the file transfer service for a third-party service provider which connects to DECYP GoAnywhere instance. On 6 February 2023 the Tasmanian Government was informed of a software vulnerability within the GoAnywhere MFT system and took the appropriate remediation actions, with all action being completed by 7 February.
On 11 March 2023, DCEYP received advice from the GoAnywhere MFT vendor Fortra that DCEYP’s managed GoAnywhere MFT cloud instance had been subject to unauthorised activity between 28 January and 31 January 2023, prior to any knowledge of the vulnerability, also referred to as an exploitation of a zero-day vulnerability. The advice from Fortra to DCEYP was that they had little visibility at the time of any data being extracted as a result of the unauthorised activity.
On 25 March 2023, the Australian Cyber Security Centre contacted the Tasmanian Government through DPAC regarding claims from a cyber-criminal organisation that it had stolen data from the Tasmanian Government. What is commonly referred to as the Clop Group had posted on their website allegations that they had stolen data from tas.gov.au. Tasmanian Government investigation into the allegation commenced, covering state and local government organisations. The criminal organisation in question had been linked to the exploitation of a vulnerability associated with the GoAnywhere MFT system. This factor guided the initial and subsequent investigations.
On 27 March 2023, DCEYP advised the Tasmanian Government Cyber Security Team of an incident in their GoAnywhere instant. The Tasmanian Government CIO activated the Tasmanian Government’s cyber incident management arrangements in relation to the threat and the advice.
Dr WOODRUFF – Thank you, minister. I was interested in the period of time in between 7 February and you have outlined that now. From 11 March, DCEYP got the advice that there had been a breach but it was not until 25 March, when the Australian Cyber Security Centre contacted DCEYP about that, that there was an understanding of the gravity of the breach that had occurred. Why wasn’t DCEYP aware of the gravity of what had occurred?
Ms OGILVIE – That is a very good question. This might be a good time to have our CIO add some commentary because he can speak specifically to that question.
Dr THURLEY – On 11 March, DCEYP received the advice, as you referred to a minute ago. During that time the advice provided effectively said that there was very little visibility of any data being stolen at the time.
Dr WOODRUFF – What does ‘very little visibility’ mean in lay terms?
Dr THURLEY – No evidence of data being exfiltrated at the time. As a result, they effectively put in place the remediations requested from the provider. Because it was a cloud-based service, they were responsible for the maintenance and patching of their own systems. They were just providing information to say that we had not detected any vulnerabilities.
Dr WOODRUFF – I am concerned now in hindsight because I am a lay person and I am looking at what happened. I am concerned that DCEYP didn’t anticipate that a breach could mean that data would be hacked at some point. Why did it take the Australian Cyber Security Centre to tell a Tasmanian agency that that actually was a risk?
Ms OGILVIE – The question you go to and I think you used the word ‘gravity’ of the situation, and I think that is the right word to use because there is a range of scale in relation to cyber issues. You can imagine something at a very low level through to something at a very serious level. The responses to managing that risk in both a technology and a community sense differ depending on the scale of the issue. In relation to how that process is managed, you asked that question why didn’t they treat it as a more serious risk immediately. I will ask the CIO to talk us through the levels of risk and how you manage that within that cyber assessment or hacking round.
Dr WOODRUFF – What I am interested in understanding is, a small hack, the data wasn’t taken straight away, shouldn’t it have been obvious that it could have been taken at any point and therefore there was a sense of obvious threat. But that wasn’t communicated. That’s my concern. Why didn’t we understand?
Ms OGILVIE – There is a process around that, I will ask the CIO to –
Dr THURLEY – I’ll go back to the point where we get notified. We’ve obviously got threat and intelligence sharing arrangements where we get information from various service providers and partners. If we picked up something, we’d share it with the people as well.
We were provided some information at the earlier possible instance of it being known that there was a claim or an allegation that some information had been stolen from the Tasmanian Government. We didn’t know exactly what it was, where it came from. We didn’t have a lot of detail when we first started. That made it very difficult and complicated to pin down what it may have been.
When you’re going through a process, particularly when it comes to a process, say at DCEYP where they would have been going through vulnerability and patch management as a fairly routine process that happens in every department every week, they just haven’t picked up that the extrication of data had occurred. The vendor it’s happening to is saying, ‘No, we weren’t sure, we’re not sure what’s going on, we’ve fixed everything, it’s all okay’. You’re going through this process of trying to assess whether there is actually a risk or not. Notwithstanding –
Dr WOODRUFF – The vendor being GoAnywhere MFT?
Dr THURLEY – Yes, correct. This event was not just occurring to the Tasmanian Government but globally. More than 130 organisations around the world were stung by exactly the same scenario. What seems in hindsight an easy thing to pick up wasn’t picked up as part of the process. That’s a question that you’ll go back and learn from. We take every vulnerability seriously. A lot happens in that space. There are a lot of resources dedicated to addressing vulnerabilities and patches to software.
Dr WOODRUFF – Have you learnt from the vulnerability? What have you learnt from the vulnerability, so that – what have you learnt? What are you doing differently?
Ms OGILVIE – Sorry, what’s the question?
Dr WOODRUFF – What are you doing differently, what have you learnt?
Ms OGILVIE – I think it would be fair to say there have been a lot of learnings. Craig Limkin will speak about what we’ve learnt and the process of review.
Mr LIMKIN – As with any event, be it a flood, fire, cyber event, there’s a review undertaken following that in accordance with our Tasmanian Emergency Management Arrangements that looks at how we responded, how we recovered, how we communicated? Those lessons are taken into account and we update our plans.
In the case of cyber, the secretary of DPAC, who is the responsible management authority, has determined that we should have a specific cyber media SSEMP, update our cyber SSEMP and all of those type of matters will go in there. In addition, DSS will also work with partner agencies across Government to review and continue to update policies, procedures and those types of matters to ensure that our state is protected in the best way.
Dr WOODRUFF – For Hansard, what is SSEMP, can you please de jargonise that?
Mr LIMKIN – Sorry. Special State Emergency Management Plan.
Dr WOODRUFF – Thank you.
Dr WOODRUFF – On Friday 25 April, one of Australia’s biggest legal partnerships, HWL Ebsworth, discovered it had been targeted by a Russian hacking group called BlackCat. In a report on 11 May, the Australian Financial Review said the group claims it stole four terabytes of data from HWLE’s services, a service spanning internal company files and personal employee data including CVs, IDs, financial reports, accounting data, loans data and insurance agreements. HWLE has more partners, 280, than any law firm in Australia and employs 1300 people. It does legal work for most of the ASX top 50, a host of banks and insurance companies and all levels of government. Minister, is the Tasmanian Government one of the firm’s clients or have we been, and if so, what services have HWLE provided and to what agencies?
Ms OGILVIE – The Government has been advised that the law firm HWL Ebsworth – which used to be called Ebsworth back in the days so I will use that for short – may have been the victim of an attempted cybersecurity breach. The Tasmanian Government is one of the firm’s clients along with other major institutions. We are being kept up to date about this possible incident and with your okay, I will see if there is an update that can be provided, or are we are still in watch and brief, Mr Williams?
Mr WILLIAMS – Absolutely, that is correct. We have no advice that we had any information compromised from the Tasmanian Government and that’s as far as we have information.
Dr WOODRUFF – You didn’t answer my questions about what services HWLE have provided and to what agencies.
Ms OGILVIE – To our government? I will seek some advice. I have received advice that it is just Justice – as you would expect, being legal in nature.
Dr WOODRUFF – The Australian Financial Review also reported that several clients concerned about the protection of their data had removed their files from HWLE, including the Commonwealth Bank of Australia, Latrobe Financial and ING Bank. Did the Tasmanian Government take this step? Why, or why not?
Ms OGILVIE – Unfortunately, that is a question for Justice. However, I can say that, as you have seen today, we have a wide-ranging remit across departments in relation to ICT and tech matters. In relation to the watching brief that we are keeping on that, we have a pretty rigorous process for triaging issues. As we are in watching brief mode I don’t believe we have taken steps. I am looking at Mr Williams to confirm if that is the case.
Mr WILLIAMS – No, we haven’t taken any of those steps, as I understand it. It is a matter for the Department of Justice because it is a third-party provider; it is not a cybersecurity incident as such for our division.
Ms OGILVIE – They are an external firm.
Dr WOODRUFF – Aren’t you responsible at the agency for securing the interests of the Tasmanian Government when it comes to the integrity of our IT systems, which includes all agencies, not just Justice? I don’t understand why you don’t have a role in that. Have you not provided advice to Justice about what they should do in this instance?
Ms OGILVIE – Through me. Thank you for the question. When we have third-party issues like this there is a quite rigorous navigation process that we use. This one in particular, Ebsworth – being a third-party legal provider using its own technology – doesn’t sit directly under my or our control. However, you quite rightly say that three is an ecosystem. What we are seeking to do with cybersecurity and cyberresilience is make sure that every level and every layer of the ecosystem is as robust as it can be.
The CIO may be able to add a little bit more information, through you, Mr Williams, that ecosystem approach and what we need to do when we are crossing the boundaries of organisations which is really what we are talking about.
Dr WOODRUFF – Thank you, minister. I would rather ask more specific questions of you rather than some general questions. There were four terabytes of data published on the dark web as a result of that data breach.
Ms OGILVIE – You are still on Ebsworth?
Dr WOODRUFF – Yes. Has the Government done, or are you doing, an in-depth assessment of this data to guarantee that no Tasmanian Government records are up there?
Ms OGILVIE – I will seek some information on what steps they are taking. I do have some information for you. The Australian Cyber Security Centre is managing this issue. It’s worthwhile pointing out that when there are these major issues, there are entities and organisations that come into play whose advice we also take. I am also advised we do not have any information that anything has been released.
Dr WOODRUFF – That sounds like an extremely passive approach. Just before it you made it sound as though that it was all DOJ’s responsibility. What we have got is potentially the same situation as the hack that has already happened as a result of the GoAnywhere MFT patch failure.
Ms OGILVIE – It is a slightly different technical situation, with different entities.
Dr WOODRUFF – That’s irrelevant from the point of view of Tasmanian people’s data. Why aren’t we taking a more active approach and looking on the dark web to see whether any of Tasmanian’s information has been published up there?
Ms OGILVIE – The ACSC does that work and does have eyes on. As you would understand, the issue of cybersecurity can traverse many jurisdictions. I would not want to recommend that anybody try access the dark web, other than our agencies who are appropriately and formally geared up to do that. We work very closely with the ACSC and we rely on their advice. As I have said, I take advice and I rely on advice. We have entered a new paradigm with cybersecurity. You will note that it is a hot issue across Australia and internationally. We will work with the expert agencies. If they advise us that there’s more to do, we will do that. In relation to impacts internally, we haven’t had advice that there has been a theft of information from Justice.
Dr WOODRUFF – It sounds like you’re just going to sit there and wait until some federal agency says, there’s Tasmanian information. Why aren’t we looking for that? Do we have an MOU with the ACSC where we outsource all the responsibility to check if Tasmanian’s information has been up there? You haven’t made a statement to Tasmanians about this situation, have you,?
Ms OGILVIE – I have, yes. Yes, I’ve been in the media. I have spoken about it.
Dr WOODRUFF – About the potential for data to have been breached?
Ms OGILVIE – I have identified this as an issue, and one that’s on our radar. I’ve spoken about that publicly.
Dr WOODRUFF – When did you do that?
Ms OGILVIE – I’d have to get the date for you.
Dr WOODRUFF – At the time?
Ms OGILVIE – Yes.
Dr WOODRUFF – You’ve got more information since then; why haven’t you been updating Tasmanians about this?
Ms OGILVIE – We run a very robust and complex IT –
Dr WOODRUFF – Possibly a secretive and opaque approach, some people would say.
Ms OGILVIE – Well, I wouldn’t say that; IT cyber security and resilience program right across Government. It’s fair to say that when third parties have cyber security instances that may or may not impact Government, neither myself nor our Government can control them as third party enterprises. And it’s important to remember, of course, that this is a serious crime of international proportions that has impacted, not just us, but others as well. We respond in a proportionate and reasonable way to issues as they arise –
Dr WOODRUFF – But you haven’t done anything, except leave it –
Ms OGILVIE – We are doing things –
Dr WOODRUFF – You’re not, you’re just waiting for the ACSC.
Ms OGILVIE – No, we have a department – we have the CIO here today and you might like to hear more from him – that works across Government to make sure that we are doing all we can to protect Government data.
Dr WOODRUFF – When was that four terabytes of data stolen? Were you informed about that? Were you aware that four terabytes of data had been stolen from HWLE?
Ms OGILVIE – I was personally not aware but –
Dr WOODRUFF – We’re not being kept up to date by the ACSC, either.
Ms OGILVIE – That’s a question we’d need to ask at the ACSC but –
Dr WOODRUFF – I’m asking it of you, because you don’t seem to be getting information or directing the ship. You’re just sitting here. It seems a very passive approach –
Ms OGILVIE – Answering your questions, with great detail.
Dr WOODRUFF – Four terabytes of data, that could have Tasmanian’s information on the dark web. You’re leaving it to some federal agency to spend the time to look through and see if Tasmanian’s identities are up there. Why aren’t you taking an active responsibility?
Ms OGILVIE – The ACSC is the expert organisation that works at that layer. They advise us as and when we need to and we are not aware of any Tasmanian data being released.
Dr WOODRUFF – No questions asked, then.
Ms OGILVIE – We are not aware of any Tasmanian data being released; the ACSC is monitoring and we are keeping a watching brief.
Dr WOODRUFF – The cybercriminals will be looking forward to getting Tasmanian’s data, because you’re not defending it very strongly.
Ms OGILVIE – I take that as a statement.
Dr WOODRUFF – Minister, you have told Tasmanians about the GoAnywhere MFT breach and the 10 555 people who were sent emails and the 145 683 debtors, credits and previous DoE employees who may also have had their data breached. You told Tasmanians on 3 April that the information we have within state Government is protected by our cyber security team. Our cyber security team is doing a deep and robust investigation. We understand no information has been provided or released. Then two days later we found out that literally thousands of documents had been stolen and placed on the dark web.
It does not exactly instil Tasmanians with confidence when you are saying exactly the same thing about the HWLE breach. We have four terabytes of data and you have not directed your staff to do an investigation to find out if any of that Tasmanian information is on the dark web, even though you have admitted that the Department of Justice is one of HWLE’s clients.
Ms OGILVIE – The Australian Cyber Security Centre, with which we work closely, takes responsibility for the management of these issues. You would appreciate, having a science background yourself, that when it comes to making sure that we have all the information we need literally from the dark web and in relation to any sorts of hacks, a centralised approach at that national government security agency level is the appropriate way to go. I act on advice, as does the team. When we are advised, through that process, particularly where it is a third-party organisation or an entity that has a number of customers or consumers associated with it, we will act on that advice. I have said that many times.
For what it is worth, we do keep a weather eye on things. We are in close connection.
Dr WOODRUFF – Oh
Ms OGILVIE – Now you are scoffing. I appreciate a scoff. We are in close connection with the security agencies. That includes both enforcement agencies and the Australian Cyber Security Centre. It is a very technical issue, it is complex, it is nationwide, we are dealing with well-organised criminals who quite often sit in other jurisdictions, so you would assume that international security agencies are involved as well, including national security organisations.
So, it is a bit of a stretch to say that we, as a government, are not doing enough. What we are doing is engaging deeply, we are ready, we have our people connected with those organisations and we will always adopt, and I have it here, the Office of the Australian Information Commissioner guidelines in relation to how we manage these hacks. That includes: we maintain government information –
Dr WOODRUFF – Thank you, minister. Can I ask you more specific questions about this because I think people want to know. The Department of Justice holds some very important and very private information, including, for example, the evidence and information of the Commission of Inquiry. What you have just told me, as I understand it, you have outsourced to a federal agency the responsibility of investigating to see whether any information from the Department of Justice has been placed onto the dark web. Are you saying there is no role for the Tasmanian Government in ensuring that that’s not there, or are you saying you’re under-resourced and aren’t capable of doing the work?
Ms OGILVIE – What terrible two options. There’s a third option, which is no we have not outsourced our responsibilities. What we do is work in a very collaborative manner with the Australian cybersecurity agencies and with our federal government counterparts. I know that the CIO community is also highly connected at the state, national and international level.
Dr WOODRUFF – Could the CIO then address what we are doing in relation to this particular matter of HWLE and the possibility of Tasmanians’ data being put up on the dark web?
Ms OGILVIE – I was trying to get to that question before. I am very happy to do that. We have not received information from our trusted partners at the Australian Cyber Security Centre that Tasmanians’ information as part of the Ebsworth issue has been released. I appreciate and agree with you that it might be helpful to have a bit more of an overview about how we manage these issues, because it is quite technical and we have the CIO here. I will refer to Dr Thurley through Mr Williams, if I may.
Dr THURLEY – In relation to this matter, the first thing I want to put on the table is there is no data that has been released. It is an allegation. It is 4 gigs of data that you referred to, of what? We don’t know if there is, even if it’s an allegation, so I just need to point that out. It’s very difficult to take any assertions from that.
The next question was whether we had done anything about it. We have incident management arrangements within the Tasmanian Government and all incidents that we become aware of progress through that process. That process is handling an incident in relation to this particular issue at the moment, but it doesn’t become a whole-of-government issue at this point in time, it’s still managed within the agency that needs to manage it, with assistance and support. I would say that yes, our relationships with others potentially could be impacted by this, but in reality it’s been handled by HWLE because it is their incident.
Dr WOODRUFF – Minister, can you explain why some very important agencies like the Commonwealth Bank of Australia, Latrobe and ING have removed their files from HWLE as a result of this hack but we haven’t undertaken the same action? I’m inferring; I haven’t heard a comment otherwise that DOJ hasn’t stopped using the services of HWLE since that breach.
Ms OGILVIE – To clarify, is your question whether we continue to use that law firm?
Dr WOODRUFF – Yes.
Mr WILLIAMS – That is a matter for the Department of Justice to assess what their risk is. Each agency is responsible for their information. I guess the challenge in this space is that while the Australian Government is working with HWLE, we have no way, apart from relying on the Australian Government or HWLE directly, to have any investigative power. They have to do the investigation because it wasn’t one of our systems that had been breached.
Dr WOODRUFF – How is it possible for DOJ or any agency to decide to continue or discontinue services of an agency that’s been hacked without advice from your area, Minister? Without that advice what are they basing it on, otherwise it is ad hoc, isn’t it?
Ms OGILVIE – I’m happy for Mr Williams and perhaps the CIO to speak to the nature of the advice that is available to departments so that we can give you a proper sense of the conversations that occur.
Mr WILLIAMS – I am aware that the Australian Government is convening a legal services reference group around this issue and the Department of Justice is represented on that nationally. At this stage the latest advice we have is that there is no information from HWLE that we have had any data compromised and the Department of Justice or any other agency needs to take a risks-based approach to how they deal with these sorts of matters going forward.
Dr WOODRUFF – On what basis would they make a decision about what an appropriate risks-based approach is unless there is a whole-of-government agreement on what that should be – the criteria, measurements, the guidelines? Do we have one that’s standardised across agencies?
Mr WILLIAMS – The risks-based approach, the advice that they’re getting is coming from a national group coordinated by the Australian Government and because it is a national issue – as you pointed out, the Commonwealth Bank et cetera is involved – the Australian Government is coordinating relationships with HWLE and that’s the sort of mechanism the Department of Justice is using to get information and they have to make a judgment, I guess, on all the normal sort of risks based factors. What do they think could be at risk in terms of information? What they’re hearing at this stage is there’s no indication that they’ve lost any information. These are very complex matters that –
Ms OGILVIE – It is very complex but perhaps I’ll pick up on that. Does that help somewhat? Agencies have access to expert advice on the ground in their departments and they’ll make their best judgments based on the advice that we’re able to provide through the department.
Dr WOODRUFF – I suppose what I’m concerned about is the hodgepodge effect of different agencies making different decisions and if there isn’t something that’s across all agencies, what’s the point in having your agency? What is the point of your agency if you’re not leading a consistent approach to managing risk across all agencies? There should be one way in Tasmanian agencies to manage the risk and to make decisions about how to proceed in a situation like the DOJ, otherwise what are we putting resources into a centralised service at all?
Ms OGILVIE – Indeed. It’s a fair question. The challenge we have, of course, is that each agency has a bespoke level of services and arrangements they are trying to deliver. As you would imagine, Service Tasmania delivers different sorts of services and needs different sorts of IT and systems within its organisation to Justice, who are doing a different sort of business. Each agency has some scope, as you would expect, to be able to use some of the services they need and connect with external parties through the services those external parties use. I love the idea of having a cookie cutter, one-size-fits-all tech system, but we live in a world where there are different models and different ways of connecting and as a government, we need to interact with third parties and third parties use other software as well. That is the ecosystem I’ve been speaking of and we need to improve our cybersecurity and resilience right across that within government, business, at the federal level, also the community and small business and I was speaking recently with TasCOSS around the digital divide issues to make sure that residents and everyday people are aware of cybersecurity.
Dr WOODRUFF – One of the issues that’s come up in this whole mess this year is that –
Ms OGILVIE – It was a crime.
Dr WOODRUFF – No, it was also a mess in how it was handled from your point of view, minister.
Ms OGILVIE – I don’t think everybody agrees with you on that.
Dr WOODRUFF – Some of the things that looking back in hindsight need to be fixed are things like a requirement for you as minister to be upfront with Tasmanians about when a breach has occurred. Regardless of whether you know if data has been uploaded or not, there needs to be a set of minimum standards for reporting, particularly from the minister, so that Tasmanians know what has happened because at the moment, how do we know? Have any other cyber-attacks affecting or potentially affecting the Government happened other than that HWLE and the earlier one with DOE data? Is there anything else we don’t know about?
Ms OGILVIE – That’s very broad and you’ve asked a number of questions within the preamble, so I’ll tackle it in pieces. The first one is in relation to the management of data breaches, and I’ll just summarise that they range from insignificant through to very significant. I tried to put this on the record before and I’ll do it again – Office of Australian Information Commissioner guidelines for how we manage this, which I think goes directly to your question. First of all, if we have a suspected or known data breach we identify that. The second obligation and duty of us and others involved is to contain that breach. Then we assess the breach and the risk –
Dr WOODRUFF – It’s the time frames, minister.
Ms OGILVIE – That’s right, the time frames relate to the nature of the breach because they are third party actors involved. We assess the breach, then we take remedial action and then we notify. We do that because it’s incumbent on us to make sure we’ve done everything we can to protect vulnerable people, data and our assets before we perhaps even tip off the malicious and malevolent actors. Once we’ve addressed these issues we go into the review stage. It’s an engineering model and we adopt that and as we have heard today, that review is occurring.
Dr WOODRUFF – Minister, in relation to the HWLE data breach, it is unconfirmed exactly how much data was hacked; but we do know that BlackCat allege they have put the HWLE data hack back online on its site on the dark web?
Ms OGILVIE – Sorry – what were you saying there?
Dr WOODRUFF – The group – BlackCat – has claimed that four terabytes of data – we don’t know exactly, but that is the claim. There was no information on the public record prior to today about what Tasmanian department was potentially affected by the HWLE breach. Why didn’t you tell Tasmanians that DoJ had potentially been affected? Why didn’t you do that?
Ms OGILVIE – Again, I’ll have to refer to the process we take – which is about containment and management. I also reiterate that we have no information that Tasmanian data has been affected.
Dr WOODRUFF – You have no information that Tasmanian data wasn’t affected.
Ms OGILVIE – We are relying on the Australian Cyber Security Centre (ACSC) and their expert skills.
Dr WOODRUFF – Minister, we would have asked more information about it in the Justice portfolio, if we’d known
Ms OGILVIE – That’s a fair comment.
Dr WOODRUFF – You might call it containment and management; we call it a lack of transparency.
Ms OGILVIE – That’s the process, and this is where the rub comes; I appreciate that.
Dr WOODRUFF – We are concerned at your process because it is about withholding information from Tasmanians and I think it treats Tasmanians like children, as though people are going to go and hit the red zone. Some people will but we have to provide some advice and support to people.
Ms OGILVIE – It is a very tricky balance; I agree with you.
Dr WOODRUFF – We would have asked questions in the Department of Justice about this and we would like to understand. We would hope that you could take it on notice, if your officials need to talk to Justice, but we would like some more information about the specific nature of the services that was provided by HWLE to Justice so that we could understand the possibility of the sorts of records that might have been put on the dark web.
Ms OGILVIE – Okay. I am not immune to the complexity of this issue and I totally appreciate w
