1 April 2019
Produced by
members of the Parliamentary Library’s Cyber and Digital Research Group
Cat Barker, Monica Biddington, Nicole Brangwin,
Helen Portillo-Castro and Tyson Wils
Background
This Quick Guide provides some brief background information on
national measures to build cybersecurity and cybersafety and combat cybercrime,
and includes links to relevant websites.
Cybersecurity
Development of Australia’s
cybersecurity framework
Vulnerabilities in online environments are
discovered every day. Cybersecurity involves preventing the technical exploitation
of such vulnerabilities and mitigating the risk of such exploits occurring. The
extent of the cyber threat is vast, traversing many jurisdictions (domestically
and internationally), and stems from a myriad of sources. As such, it is not
just a technical ICT (information, communication and technology) issue.
According to the Government’s Australian
Cyber Security Centre (ACSC), some of the threats to Australia’s cybersecurity include
cyber espionage that gathers intelligence in support of state-sponsored
activities; cyber attacks that aim to destroy critical infrastructure; and criminals
using online environments to defraud, or steal individual identities.
As a government policy issue, concerns
about Australia’s cyber resilience were initially raised in the Howard
Government’s 2000 Defence White Paper, Defence 2000: Our Future Defence Force. A number of initiatives flowed from this policy, including
cooperation among key national security agencies to assess and deal with
emerging threats. In the 2009 Defence White Paper, Defending Australia in the Asia Pacific Century: Force 2030, the Rudd Government elevated investment in cyber capabilities to a
national security priority, and in 2010, established the Cyber Security
Operations Centre (CSOC) within the Defence Signals Directorate (now the
Australian Signals Directorate—ASD).
In September 2011, the Gillard Government
announced the development of a cyber white paper,
which was meant to address a broad range of cyber issues including safety,
crime, consumer protection, as well as broader issues such as national security
and defence. However, the concept of a cyber white paper lost its impetus and eventually
morphed into an overarching update of the National Digital Economy Strategy, which was released in June 2013.
In January 2013, prior to the strategy’s release, the CSOC had evolved
into the ACSC as ‘the hub of the government’s cyber security efforts’ and in May
the Defence White Paper 2013 was
released, which highlighted cybersecurity as an ‘important national capability’.
Following the 2013 election, cybersecurity
was not part of the Abbott Government’s public focus on national security
issues until the cybersecurity review was announced in November
2014. The review was originally intended to take six months but it was 17 months later, under the Turnbull
Government, when Australia’s new cybersecurity strategy was
announced—effectively replacing the 2009 Cyber Security Strategy.
While the Turnbull Government’s
Cyber Security Strategy (released
in April 2016) recognised that cybersecurity is a strategic issue for
Australia’s economy and national security, there was less emphasis placed on national
security than in 2009 when cybersecurity was considered ‘one of Australia’s top
tier national security priorities’. However, the Turnbull Government’s 2016 Defence White Paper (released
in February) acknowledged the importance of cybersecurity in that cyber attacks
directly threaten the Australian Defence Force’s (ADF) warfighting ability.
Under the 2016 Cyber Security Strategy,
the Turnbull Government established the positions of Australian Ambassador for
Cyber Affairs (Tobias Feakin), Special Advisor to the
Prime Minister on Cyber Security (Alastair MacGibbon—now Deputy Secretary
National Cyber Security Adviser under the Home Affairs portfolio and Head, ACSC)
and Minister Assisting the Prime Minister on Cyber Security (originally Dan Tehan, then Angus Taylor as the Minister for Law
Enforcement and Cyber Security). The latter position has since been subsumed by the Minister for Home Affairs, Peter Dutton, under the Morrison Government.
In the defence environment, debate continues to surround the
exact nature of cyberwarfare as a sole undertaking. The 2016 Defence White
Paper highlights the ‘complex non-geographic threats’ in cyberspace and
space, and how military capabilities can be adversely affected. The Australia –
United States alliance also acknowledged the seriousness of these threats
during ministerial
talks in 2011 (AUSMIN) where it was agreed that the ANZUS Treaty could be
invoked in response to a cyber attack. Cybersecurity has featured in each
AUSMIN discussion since.
The threshold for an armed response to a cyber attack is not
entirely clear nor is it publicly discussed by Australian or US officials. The Trump
Administration declared in its September 2018 National
Cyber Strategy that ‘all instruments of national power are available
to prevent, respond to, and deter malicious cyber activity against the United
States’, including military force. The Australian Strategic Policy Institute
(ASPI), however, suggests
that offensive cyber operations are being deliberately conducted ‘below the
threshold of armed attack’ because ‘no cyber operation thus far has been
classified as an armed attack’, which might prompt an overt military response.
Key internet links
National—government
- Australian Signals
Directorate (ASD)—an independent statutory agency within the Defence
portfolio, ASD is Australia’s signals intelligence and information security
agency and provides services to the ADF and the Australian Government. On 30
January 2018 the Defence Signals-Intelligence (SIGINT) and Cyber Command was established
within ASD as the military
component. ASD is also home to the ACSC.
- Australian Cyber Security
Centre (ACSC)—established in November 2014 and formally part of ASD since
July 2018, the ACSC incorporates cyber expertise from the Defence Intelligence
Organisation, Australian Security Intelligence Organisation, Australian Federal
Police and the Australian Criminal Intelligence Commission. The ACSC maintains the
Australian Government Information
Security Manual (ISM) that contains advice to businesses, industry and
government about best-practice cybersecurity measures. The ACSC also maintains cyber.gov.au, which is designed
to be a ‘central hub for cyber security information, advice and assistance to
all Australians’. This resource includes ACSC updates and reports on cyber
threats targeting Australia (see the 2015, 2016 and 2017 threat reports).
- Critical Infrastructure
Centre—assists owners and operators of critical infrastructure
facilities to identify and manage national security risks such as sabotage,
espionage and coercion. Given the increase of cyber connectivity in this
sector, the Security
of Critical Infrastructure Act 2018 was passed to, among other
things, support cybersecurity efforts.
- Department of Home
Affairs—the lead department for national security policy. The department’s
cybersecurity webpage links to relevant resources and initiatives, such as Australia’s Cyber
Security Strategy.
- Data61—Australia’s
main digital research network within the Commonwealth Scientific and Industrial
Research Organisation (CSIRO). In the cybersecurity
sphere, Data61 is working to build more trustworthy and resilient systems
that have military applications, developing knowledge-based risk management,
automating cybersecurity and expanding partnering opportunities through
initiatives such as SINET61 (security innovation network).
- Under the Joint
Cyber Security Centre Program, a number of Joint Cyber Security Centres
(JCSC) are being established across Australia. The first
JCSC was opened in Brisbane in February 2017, and others have since opened
in Melbourne, Sydney, Perth and Adelaide.
- Defence Science and
Technology (DST)—the ADF’s research and development arm, which aims to
enhance military and national security
capabilities, including cyber. DST also has responsibility for the National
Security Science and Technology Centre, which includes cybersecurity as one
of six national security science and technology priority areas.
- Information
Warfare Division (IWD)—formed in July 2017 as part of the Joint
Capabilities Group within the ADF. The IWD has four branches: the
‘Information Warfare Capability, C4 and Battle Management Capability,
Capability Support Directorate and the Joint Cyber Unit’. In January
2018 the IWD released the Information Warfare Strategy, which identifies
four areas of capability: ‘self-defence, passive defence, active defence and
offence’.
National—non-government
International
- International
Telecommunication Union—Cybersecurity—ITU members can access tools,
advice, assessments and technical assistance to increase cybersecurity
capabilities and build trust in information, communication and technologies.
- World
Economic Forum Centre for Cybersecurity—aims to ‘establish, activate
and coordinate global public-private partnerships to encourage intelligence
sharing and the development of cyber norms’.
- Organization
for Security and Co-operation in Europe (OSCE)—details initiatives that
OSCE member states are taking to reduce the risks of conflict stemming from the
offensive use of cyber capabilities through devising confidence-building
measures.
- New
America Cybersecurity Initiative—publishes reports and blog posts on
cybersecurity issues, including translations of official Chinese-language
materials on cyber and information policy through its DigiChina
project.
- The RAND blog—hosts
commentary, essays and articles on issues intersecting with cyber and data
sciences, including cybersecurity. A 2017 research paper, Exploring
Cyber Security Policy Options in Australia, presents recommendations
based on an exploratory exercise held in December 2016 with participants drawn
from the public and private sectors, academia, think-tanks, industry
associations and the media at the Australian National University’s National
Security College in Canberra.
- Cybersecurity
Capacity Portal—developed by the Global Cyber Security Capacity Centre,
this resource maps projects, programs and initiatives aimed at capacity
building to achieve cybersecurity objectives. It also publishes cybersecurity
capacity maturity model assessments as either regional studies or country
reports.
- North Atlantic Treaty Organization
(NATO)—established a number of Cyber Defence
mechanisms as part of NATO members’ overall collective defence. This
includes the 2016 Cyber Defence Pledge to prioritise cyber defence and the
formation of NATO Cyber Rapid Reaction teams. In 2018, NATO allies agreed to
‘set up a new Cyberspace Operations Centre as part of NATO’s strengthened
Command Structure’. NATO and the European Union also cooperate via a Technical
Arrangement on cyber defence, which was signed in February 2016. Cooperation
with industry is being advanced through the NATO Industry Cyber Partnership.
- NATO Cooperative
Cyber Defence Centre of Excellence (CCDCOE)—formally established in
2008 to ‘enhance the capability, cooperation and information sharing among
NATO, NATO nations and partners in cyber defence by virtue of education,
research and development, lessons learned and consultation’. The CCDCOE
maintains the Tallinn
Manual, which is considered the ‘most comprehensive analysis on how
existing international law applies to cyberspace’.
- UN Group of
Governmental Experts (GGE) on Developments in the Field of Information and
Telecommunications in the Context of International Security—considers
the application of international law and norms on the activities of UN member states
in cyberspace. The GGE maintains a ‘trends in cyber-armament’ map that
illustrates member states’ increasing investment in offensive cyber capabilities.
Cybercrime
Cybercrime is criminal activity where a computer or network
is integral to, or the target of, an offence. It will often target individuals,
their data or their reputation. Cybercrime can encompass conduct such as cyberbullying,
hacking, unauthorised modification or destruction of data, distributed denial
of service attacks, online child pornography, online fraud and scams, ‘trolling’,
and image-based abuse.
The Commonwealth first enacted specific computer-related
offences in 1989, after such offences were recommended by the Review
of Commonwealth Criminal Law Committee. The Cybercrime Act 2001
modernised Commonwealth computer offences, inserting Part 10.7 into the Criminal Code Act
1995 (Criminal Code). The key offences cover unauthorised access
to and modification or impairment of data held in a computer or other device,
and unauthorised impairment of electronic communications.
The Cybercrime Act also updated search powers in the Crimes Act 1914
and the Customs
Act 1901 in response to technological developments. These provisions
have been regularly updated to ensure that law enforcement officers have the
powers necessary to search for and obtain electronic evidence. Most recently,
the Telecommunications
and Other Legislation Amendment Act 2018 (TOLA Act) amended
search powers in the Crimes Act and the Customs Act so that
officers may access data remotely for the duration of a search warrant. The TOLA
Act also introduced several other measures to assist law enforcement
agencies to better deal with challenges posed by the increasing use of encryption,
including an industry assistance regime (Part 15 of the Telecommunications
Act 1997) and new computer access warrants (Division 4 of
Part 2 of the Surveillance
Devices Act 2004).
Australia
acceded to the Council of Europe’s Convention on Cybercrime (sometimes
referred to as the Budapest
Convention) in 2012. The Convention is the first
international treaty on crimes committed against or using computer networks,
and requires parties to criminalise relevant conduct, have certain
investigative powers in place, and to cooperate with each other to the widest
extent possible on cybercrime investigations.
The Australian Government and state and territory governments
agreed to the first
National Plan to Combat Cybercrime in 2013. The plan committed governments
to actions against six key priorities: community education; partnering with
industry; fostering an intelligence-led approach and sharing information;
improving law enforcement capacity and capability; improving international
cooperation; and ensuring the criminal justice framework is effective. In
May 2017 relevant federal, state and territory ministers
agreed to develop an updated national plan, but as at the date of
publication of this Quick Guide, a revised plan had not been released.
Australia’s
International Cyber Engagement Strategy, released in 2017, included
commitments aimed at raising cybercrime awareness in the Indo-Pacific region;
assisting countries in the region to strengthen their cybercrime legislation;
building cybercrime investigation and prosecutorial capacity in the region; and
enhancing diplomatic dialogue and international information sharing on
cybercrime.
Two parliamentary committee inquiries have focused
specifically on cybercrime. The then Parliamentary Joint Committee on the
Australian Crime Commission reported
on its inquiry in March 2004, and the House of Representatives Standing
Committee on Communications reported
on its inquiry in June 2010.
Key internet links
Many of the resources listed above under ‘Cybersecurity’ are
also relevant to cybercrime. In that context, it is worth noting that:
Cybersafety
Cybersafety is the term used to describe initiatives and
resources to help an individual manage their online behaviour and information.
A number of Commonwealth offences to punish and deter offensive online
behaviour exist, and there are offences at the state level that address cyber
harassment, cyberstalking and cyberbullying, which carry prison sentences.
However, the focus of cybersafety is on education and an individual’s capacity
to monitor their online presence and online risks, including cyberbullying and
image-based harm.
Discussion in parliament about online safety for children
can be traced back to at least 2010 with the creation of the Joint
Select Committee on Cyber-Safety by the then Labor Government, which
released the reports High
Wire Act: Cybersafety and the Young in June 2011 and Issues
Surrounding Cyber-Safety for Indigenous Australians in June 2013. This
latter report focuses on young Indigenous people in remote and rural
communities.
In January 2014 the Department of Communications and the Arts
released
a discussion paper seeking views about a range of policy proposals by the
Abbott Government, including the establishment of a Children’s e-Safety
Commissioner and possible legislative changes to create a new, simplified
cyberbullying offence. In December 2014 the Enhancing Online Safety for
Children Bill 2014 was introduced to establish the Children’s
e-Safety Commissioner, within the Australian
Communications and Media Authority (ACMA). The Enhancing Online Safety for
Children Bill provided for a complaints system for cyberbullying material aimed
at Australian children and a two-tiered scheme for rapid removal of that
material from large social media services. It also set out the functions of the
Children’s e-Safety Commissioner to include promoting and supporting online
safety for children. Both Bills were referred to the Environment
and Communications Legislation Committee in December 2014 and a report was published
in March 2015. The Act came into force that same month.
Since 2015 additional amendments have been introduced to the
Enhancing Online
Safety for Children Act 2015. This includes the Enhancing Online
Safety for Children Amendment Act 2017, which changed the title of the
Act to the Enhancing
Online Safety Act and the Children’s e-Safety Commissioner to the
Office of the eSafety Commissioner (eSafety Commissioner). It also expanded the
functions of the eSafety Commissioner to include promoting online safety for
all Australians.
The Enhancing Online
Safety (Non-consensual Sharing of Intimate Images) Act 2018 amended the
Enhancing Online Safety Act, the Broadcasting Services
Act 1992 and the Criminal Code
to establish a complaints and objections system for the sharing of intimate
images without the consent of the person depicted in those images—what is
commonly referred to as ‘revenge porn’. This legislation also made it illegal
to share an intimate image of another person on social media, the Internet or
other electronic service.
In 2017 the Senate
Legal and Constitutional Affairs Committee inquired into the adequacy of
existing offences in the Criminal Code and of state and territory
criminal laws to capture cyberbullying. This included consideration of the
adequacy of the policies, procedures and practices of social media platforms in
preventing and addressing cyberbullying. In 2018 the Committee
made recommendations that included increasing the maximum penalty for the
current Commonwealth cyberbullying offence from three years to five years’
imprisonment. The Government had not responded to the Committee’s recommendations
as at the date of publication of this Quick Guide.
The eSafety Commissioner also administers the Online Content
Scheme (Schedules 5 and 7 of the Broadcasting
Services Act 1992). The Online
Content Scheme regulates the internet industry and the content services
industry through Codes of Practice and a complaints mechanism, which aims to
protect the public from ‘prohibited and potentially prohibited content’. The
National Classification Code sets out the principles under which classification
decisions are made. There are also guidelines for the classification of films,
computer games and publications. In June 2018 the Government commenced
a review into the Enhancing Online Safety Act and the Online Content
Scheme. The report of that review was published
on 15 February 2019 and made five recommendations, including that the
Government introduce ‘significant and wide ranging changes to the online safety
system’, which will ‘set out the new norms and standards for the online world,
and establish new regulatory arrangements to put them into practice’.
Cybersafety can also be seen as something for groups and
organisations to consider in their day-to-day practices as well as in their
broader planning. Increasingly, organisations are forced to consider
cybersafety in their values, risk assessments, capacity and their everyday
communications and transactions. Australia has focused on the cybersafety of the
individual (or groups of individuals such as children and the elderly) and
emphasised the importance of managing one’s online behaviour. However, there is
an increasing awareness of the need to assist small and medium enterprises to
protect themselves from malicious online activity that can affect their
reputation or financial security.
Australian cybersafety
resources include:
- bullyingnoway.gov.au—provides
information and ideas for students, parents and teachers. Bullying. No Way! and
the National Day of Action
against Bullying and Violence are managed by the Safe and Supportive School
Communities (SSSC) Working Group. The SSSC includes representatives from the
Commonwealth and all states and territories, as well as the national Catholic
and independent schools sector.
- childwise.org.au—provides
education and resources for people to actively prevent child abuse and
exploitation, including online exploitation.
- eSafety.gov.au—the
Office of the eSafety Commissioner’s website provides a reporting portal for
cyberbullying, illegal content and image-based abuse, as well as resources for
schools, parents and children.
- ThinkUKnow—a
partnership between the Australian Federal Police, Commonwealth Bank, Microsoft
and Datacom, and delivered in partnership with all state and territory police
and Neighbourhood Watch Australasia. ThinkUKnow presents to schools and parents
about what young people see, say and do online, and the risks of online
activity.
- IDCare—a
not-for-profit initiative, serving Australian and New Zealand communities, which
provides specialist counselling and information resources to support victims of
cybercrime and members of the public with cybersecurity concerns. It also
offers subscription services for private and public sector organisations to
promote cyber resilience and awareness.
© Commonwealth of Australia

Creative Commons
With the exception of the Commonwealth Coat of Arms, and to the extent that copyright subsists in a third party, this publication, its logo and front page design are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia licence.
In essence, you are free to copy and communicate this work in its current form for all non-commercial purposes, as long as you attribute the work to the author and abide by the other licence terms. The work cannot be adapted or modified in any way. Content from this publication should be attributed in the following way: Author(s), Title of publication, Series Name and No, Publisher, Date.
To the extent that copyright subsists in third party quotes it remains with the original owner and permission may be required to reuse the material.
Inquiries regarding the licence and any use of the publication are welcome to webmanager@aph.gov.au.
This work has been prepared to support the work of the Australian Parliament using information available at the time of production. The views expressed do not reflect an official position of the Parliamentary Library, nor do they constitute professional legal opinion.
Any concerns or complaints should be directed to the Parliamentary Librarian. Parliamentary Library staff are available to discuss the contents of publications with Senators and Members and their staff. To access this service, clients may contact the author or the Library’s Central Enquiry Point for referral.