Cybersecurity

Nicole Brangwin and Helen Portillo-Castro, Foreign Affairs, Defence and Security

Key issue
Australia’s activities in the digital world rely on secure online access and modes of interaction. Cybersecurity and fostering cyber resilience are ongoing concerns not only for the private sector and governments in Australia, but also for Parliament.
The 2016 Cyber Security Strategy was the roadmap for the Australian Government’s pursuit of cybersecurity throughout the 45th Parliament. Revisiting and renewing the strategy will be a matter for the incoming Government.

Securing networked systems and online services is a complex endeavour in a global threat environment where data breaches, malicious intrusions and foreign interference activities are prevalent.

Recent policy and legislative responses

Having achieved substantial progress towards several milestones to date, the Australian Government’s 2016 Cyber Security Strategy will be superseded by the next action plan to address a rapidly and ever-evolving threat landscape. Broadly, the desired outcomes outlined in the 2016 strategy were to: defend networks; safeguard data and information; grow the cybersecurity workforce and nurture domestic industry; educate users about threats, targets and vectors; promote international engagement on cyber issues; and develop and maintain offensive cyber capabilities.

The Government’s first annual update, released in April 2017, indicated overall progress towards these aims. While an official 2018 update had not been published prior to the dissolution of Parliament in April 2019, it appears that progress remained constant (see list of outcomes below).

In August 2018, the Turnbull Government outlined its intention to deliver ‘an updated National Cyber Agenda focused in particular on a National Cyber Defence Network’. This announcement underscored that:

… the current cyber threat is different and greater than we had imagined in 2016 when we launched our first Cyber Strategy. And it will evolve more in the coming years than we can imagine today.

No further details of a new cyber agenda were announced prior to the dissolution of the 45th Parliament.

Developments related to cybersecurity outcomes, in pursuit of the 2016 Strategy’s action plan or corresponding objectives, included:

implementing changes to the cyber mandate of the Australian Cyber Security Centre (ACSC) and Australian Signals Directorate (flowing also from the 2017 Independent Intelligence Review recommendations—see ‘Intelligence community reforms’ elsewhere in this publication); and launching Defence’s Information Warfare Division
budget allocations across portfolios to expand civilian and defence personnel resourcing and capital expenditure
establishing the Australian Cyber Security Growth Network (AustCyber) and the Cyber Security Cooperative Research Centre
establishing Joint Cyber Security Centres in five capital cities through the ACSC, enabling information-sharing and collaboration between government agencies; businesses offering cybersecurity products or services; and academic, research and not-for-profit institutions
establishing Defence portfolio mechanisms to fund collaborative ventures between government, academia and industry (for example, the Sovereign Industrial Capability Priority Grants and the Next Generation Technologies Fund)
the commencement of the Security of Critical Infrastructure Act 2018 and the Telecommunication Sector Security Reforms, which reinforce the regulatory framework that safeguards critical infrastructure—and tie in with common efforts to address security challenges among the five country partnership (comprising Australia, Canada, New Zealand, the UK and the US)
the formation of an inter-departmental committee of Australian Government stakeholders to coordinate and prioritise Australia’s international cyber activities, holding quarterly, whole-of-government meetings through 2018
founding the Pacific Cyber Security Operational Network in 2018 with Pacific Island neighbours under the Cyber Cooperation Program and
strengthening cooperation with Indonesia, Singapore, PNG, France, Israel and Thailand under bilateral Memoranda of Understanding.

In addition, the Notifiable Data Breaches scheme came into effect in February 2018, which applies to government agencies and private-sector organisations responsible for securing personal information subject to the provisions of the Privacy Act 1988. This scheme is designed to harden information governance and security practices, and mitigate actual or potential harms arising from a data breach incident. The inaugural report on the scheme states that 60 per cent of data breaches are traceable to malicious or criminal attacks.

2019 Parliament network breach: broader context

The cyber threat to Australia’s political system became starkly evident in February 2019 when a ‘sophisticated state actor’ was detected conducting malicious activity on the computer networks of the Australian Parliament and major Australian political parties. Updating Parliament on the incident in April 2019, the head of the Australian Signals Directorate (ASD), Mike Burgess, advised the attack had resulted in the loss of some data, but none considered sensitive. The incident was still under investigation when the 45th Parliament dissolved, and has so far not been publicly attributed to a specific state actor.

As Burgess explained, ‘attribution is a difficult thing, so tying it down to a particular country, a particular organisation, and perhaps particular individuals, is a piece of work that takes considerable time’. While the increasing frequency of cyber-enabled intrusion and interference across the globe is generating wider awareness of the issue, it is also clear that public attribution does not strictly flow from identifying the origin of malicious activity. Australia’s Cyber Ambassador, Tobias Feakin, recently explained that attribution requires drawing from technical and intelligence assessments, in addition to diplomatic considerations. In conjunction with international partners, the Australian Government has previously attributed cyber attacks to particular countries—for example to Russia in February 2018 and October 2018; and to China in December 2018.

So, what is the point of attribution? In short, international law applies to cyberspace. This was confirmed in 2013 by the UN Group of Governmental Experts (UNGGE) on Developments in the Field of Information and Telecommunications in the Context of International Security. (Australia was Chair of the UNGGE at the time, and will sit on the reinstated body through 2019–21.) The UNGGE position was reaffirmed in 2015 and acknowledged in Australia’s International Cyber Engagement Strategy 2019 international law supplement. Australia’s position ‘recognises that activities conducted in cyberspace raise new challenges for how international law applies’, such as the use of force; the application of international humanitarian law in international or non-international armed conflict; and cyber activities outside of armed conflict.

Australia’s position is increasingly being tested as the number of cyber attacks across the world continue to grow. Consequently, state investment in offensive cyber capabilities is also growing. The Geneva Internet Platform’s Digital Watch website maps trends in ‘cyber-armament’ and has confirmed 23 states (as at March 2019) have offensive cyber capabilities, including Australia. Unsurprisingly, outgoing National Cyber Security Adviser Alastair MacGibbon has been reported warning that cyber attacks are ‘the greatest existential threat we face’. In 2018, the Australian Security and Intelligence Organisation emphasised the increase in ‘cyber espionage activity targeting Australia’. Given the current threat assessments, not only are offensive cyber capabilities important to Australia’s national security, so is cyber-resilience.

Building cyber-resilience

Cybersecurity for the Australian Parliament is based on the same requirements as for federal government agencies: the Protective Security Policy Framework and Information Security Manual. (For further information, see the article ‘Public sector digital transformation’ elsewhere in this publication.) The Office of the Australian Information Commissioner also recommends these documents to state and territory government agencies and the private sector ‘as a model for better security practice’.

Parliamentary examination

The Australian National Audit Office (ANAO) has conducted a series of audits over several years on cybersecurity risk mitigation processes within select government agencies, government business enterprises and corporate Commonwealth entities. The Joint Committee of Public Accounts and Audit (JCPAA) has focused on the ANAO’s reporting on cyber resilience, and launched an inquiry in February 2019, based largely on ANAO findings. This coincided with official public statements about the Parliament network breach. The then JCPAA Chair, Senator Dean Smith, said:

Effective implementation of a comprehensive cyber security framework across Commonwealth agencies is critical to protect Australians’ privacy and Australia’s social, economic and national security interests from emerging cyber threats.

The JCPAA inquiry into the Commonwealth’s cyber resilience lapsed on the dissolution of the 45th Parliament in April 2019. The JCPAA held a public hearing in March 2019 in which the ANAO stated that ‘cyber security audits over four years have found four of 14 entities (29 per cent) to be compliant’. The ANAO attributed low levels of compliance among Commonwealth agencies to ‘cyber security investments being focused on short-term operational needs rather than long-term strategic objectives’ and ‘entities not adopting a risk-based approach to prioritise improvements to cyber security’.

In response to a JCPAA recommendation made in October 2017, the Morrison Government agreed in April 2019 that the Attorney-General’s Department and ASD will consult with the Department of Home Affairs to prepare an annual report to Parliament on the Commonwealth’s cybersecurity posture.

The 2019–20 Budget included an undisclosed amount of funding for a Cyber Security Response Fund and the creation of a cybersecurity uplift team, recruited through the ASD to support ACSC in ‘helping agencies raise their cyber posture’.

Looking ahead

Labour shortages and future workforce

There is a considerable shortage of qualified professionals to fulfil public and private sector demand for cyber-related skills. This is a problem in not only Australia, but various other countries as well. Prime Minister Scott Morrison announced a $156 million cyber resilience and workforce package during the 2019 election campaign, including $50 million towards a cyber-workforce strategy.

Critical infrastructure resilience

Secure connection, distribution, supply and management of utility, communications and transport systems underpins public health and safety, economic security and emergency response capabilities. The ACSC is scheduled to conduct a coordinated functional exercise for Australia’s electricity industry in November 2019, in partnership with private and public sector entities that have a role in Australia’s energy sector.

Regional and global geopolitics

The Australian Government recognises that 5G technology will be integral to economic competitiveness and critical to the domestic services sector. However, strategic and geopolitical concerns caused the Government to ban Huawei from Australia’s 5G infrastructure projects, without an economically viable alternative that could otherwise support the growth of the digital economy. The 2018 decision to ban Huawei has drawn international attention and comment, including from Australia’s Five Eyes partners. In May 2019 Australia participated with 31 other countries in the Prague 5G Security Conference, which made non-binding recommendations on the safe introduction of 5G networks—the economic aspect of this equation remains unresolved, however. Former Commander of the US Cyber Command, Mike Rogers, considers that the 5G controversy exemplifies questions that policymakers will face over other emerging technologies (such as 6G, quantum computing and artificial intelligence).

Industry policy settings

The erosion of Google and Huawei’s commercial partnership and the tenor of US–China trade negotiations bring into sharp focus the threat that technological rivalry may pose to economic prosperity. Australia’s commitment to growing a domestic cybersecurity industry will require adequate policy settings to prevent market failures. These settings will need to be formulated to generate comparative advantages for firms that comprise the domestic industry while balancing national security imperatives, foreign policy and strategic interests.

International norms and regulation

For information on the forward agenda for the UNGGE, see ‘The United Nations and Australia’ elsewhere in this publication.