National security—cybersecurity

Nicole Brangwin, Foreign Affairs, Defence and Security

Key Issue
The cybersecurity environment is a constantly evolving and complex issue that affects numerous sectors. Strategic level policies and programs are struggling to keep up with threats as technology rapidly advances. The Cyber Security Strategy released in April 2016 is Australia’s response to the threat but its implementation is now urgent.

What is cybersecurity?

In simple terms, cybersecurity involves the protection of computer systems connected to the Internet.

Entities such as government, business and organisations, as well as millions of individuals in Australia, rely on these connections every day.

What are we protecting these systems from?

According to the Government’s Australian Cyber Security Centre (ACSC), threats might include cyber espionage that gathers intelligence in support of state-sponsored activities; cyber attacks that aim to destroy critical infrastructure; or criminals using the Internet as a means to defraud, or steal individual identities.

How serious is the threat?

According to the ACSC Threat Report, from 2011 to 2014, the number of cybersecurity incidents to which the Australian Signals Directorate (ASD) responded rose by around 260 per cent (from 313 incidents in 2011 to 1,131 in 2014). These incidents involved Australian Government and other networks of national interest.

Needless to say, the cyberthreat is vast, traversing many jurisdictions—and it is not just a technical ICT (information, communication and technology) issue. Effective threat mitigation requires action across sectors including government (not just defence and policing, but all government entities); industry (large, medium and small businesses); academia and science (research and development) and the community (personal security awareness), just to name a few.

What is being done?

As a policy issue, concerns about Australia’s cyber resilience were initially raised in the Howard Government’s 2000 Defence White Paper, Defence 2000: our future defence force. A number of initiatives flowed from this policy including cooperation among key national security agencies to assess and deal with emerging threats. In the 2009 Defence White Paper, Defending Australia in the Asia Pacific century: Force 2030, the Rudd Government elevated the cyberthreat to one of national security priority, and in 2010, established the Cyber Security Operations Centre (CSOC) within the Defence Signals Directorate (now ASD). In 2013, under the Gillard Government, the CSOC evolved into the Australian Cyber Security Centre as ‘the hub of the government’s cyber security efforts’. The 2013 Defence White Paper recognised that dealing with cyberthreats requires not only a whole-of-government approach, but industry involvement as well.

The Department of Defence continues to play the primary role within the ACSC, which also hosts the Attorney-General’s Computer Emergency Response Team Australia (CERT Australia); the Cyber Espionage Branch of the Australian Security Intelligence Organisation; components of the High-Tech Crime Operations unit of the Australian Federal Police; expertise from the Australian Criminal Intelligence Commission (formerly the Australian Crime Commission) and key industry participants.

Is Australia prepared?

In September 2011, the Gillard Government announced the development of a cyber white paper, which was meant to address issues ranging from safety, crime, and consumer protection, to national security and defence. The initial impetus eventually morphed into an overarching update of the National Digital Economy Strategy, released in June 2013.

Following the 2013 election, cybersecurity was not part of the Abbott Government’s public focus on national security issues until the cybersecurity review announced in November 2014. The review was originally intended to take six months but it was not until 17 months later when, under the Turnbull Government, Australia’s new cybersecurity strategy was finally announced—effectively replacing the 2009 cyber security strategy. While the 2016 strategy recognises cybersecurity as a strategic issue for Australia’s economy and national security, the emphasis placed on this issue appears less significant than in 2009 when cybersecurity was considered ‘one of Australia’s top tier national security priorities’.

The Government’s commitment to the strategy is demonstrated by the April 2016 announcement of an Ambassador for Cyber Issues (yet to be appointed), a Minister Assisting the Prime Minister on Cyber Security (Dan Tehan) and a Special Advisor to the Prime Minister on Cyber Security (Alastair MacGibbon).

Offensive capabilities

Given the escalation of cyber attacks and Defence’s role in responding, it is unsurprising to learn that Australia has an offensive capability. However, this was not publicly acknowledged until the release of the 2016 Cyber Security Strategy. No further details about Australia’s offensive capabilities are publicly available, but ASD now openly recruits for offensive and defensive cyber specialists.

Could this lead to cyberwarfare?

Debate surrounds the exact nature of cyberwarfare as a sole undertaking. The 2016 Defence White Paper highlights the ‘complex non-geographic threats’ in cyberspace and space, and how military capabilities can be adversely affected. The Australia-United States alliance also acknowledged these threats during Ministerial talks in 2011 (AUSMIN) where it was agreed that the ANZUS Treaty could be invoked in response to a cyber attack. But when does a cyber attack constitute an armed attack? The US considers, on a case-by-case basis, the ‘nature and extent of injury or death to persons and the destruction of, or damage to, property’. The threshold for, say, an armed response to a cyber attack is not clear or publicly discussed by Australian or US officials.