ASPI’s decades: Cybersecurity

ASPI celebrates its 20th anniversary this year. This series looks at ASPI’s work since its creation in August 2001.

In the language of strategy and defence, the information space has become the battle space.

Cyberspace is a new military domain where heavy blows—‘kinetic effects’—can be inflicted.

In this crowded domain, governments seek to direct, demand, defend—and attack.

Tech giants grow gargantuan. Businesses swarm. Spies and criminals throng.

And billions of people can act as individuals as well as groups.

The cybersphere today, and the tomorrow of quantum computing, are a manifold expression of what Marshall McLuhan saw 50 years ago: ‘Electric circuitry has overthrown the regime of “time” and “space” and pours upon us instantly and continuously the concerns of all … It has reconstituted dialogue on a global scale.’

The cyberworld can be specific and infinitely individual, a realm where a lone terrorist can become radicalised and act.

Australia’s first national security statement in 2008 said e-security was one of the top security priorities, referring to cyberwarfare, cyberattacks, electronic espionage, threats to critical infrastructure running on computer systems, and computers used by terrorists.

An ASPI paper on threats and responses in the information age, by Alastair MacGibbon, said Australian cybersecurity policy had been outstripped by the take-up of technology by the public, industry and government—and its abuse by criminals and foreign powers.

Canberra had relied on business for security solutions via industry self-regulation and a failed belief in ‘light touch’ regulation of telecommunications. A narrow policy focus on the legal definition of cybercrime missed broader problems, MacGibbon said, causing a widening gap between the cybersecurity problem and the national capacity to deal with it. Australia faced a greater level of risk because of ‘the incremental nature of government policy-making which can’t keep up with the speed of information and communications technology innovation, and more importantly, how such systems are abused’.

Surveying cybersecurity in 2011, Andrew Davies judged that Australia had acted ‘after the event’ to ‘catch up’. Awoken by ‘consistent penetration of national and commercial systems and substantial commercial losses’, the elements of a national strategy had emerged.

Using expertise from cyber operations in defence and national security, Canberra could provide guidance, build regulatory frameworks and even offer technical help and tools. The outstanding issues, Davies wrote, were whether the governance mechanisms in place would be sufficient as the problem evolved and grew, and whether the resources brought to bear were proportional to the threat.

At the 2011 AUSMIN talks in San Francisco, marking the 60th anniversary of ANZUS, the alliance extended into cyberspace: ‘[O]ur Governments share the view that, in the event of a cyber attack that threatens the territorial integrity, political independence or security of either of our nations, Australia and the United States would consult together and determine appropriate options to address the threat.’

It was the first time outside NATO that two allies had formalised cooperation in the cyber realm, Carl Ungerer wrote, while cautioning that classic deterrence wouldn’t work in this new domain:

The real cybersecurity threat is not from a single weapon of mass destruction but from the persistent and pernicious combination of online crime and espionage that is undermining financial systems, compromising the identity of individuals and stealing important intellectual property rights from corporations and governments. The classic deterrence theory of holding at risk the things that an adversary values fails in the cyber world because would-be attackers operate with an assumed level of deniability that changes their risk calculus.

ASPI convened a conference of Australian and American experts in Washington in 2011 to discuss the future of cyber conflict and defence. Lydia Khalil wrote that the alliance would have to define what type of cyberattack would be a threat to territory, politics or security:

[T]here’s an important blurring between espionage and attack in cyberspace that doesn’t exist in the physical space. The same intrusion method that’s used to extract information from a network can also be exploited to conduct an attack to disrupt that network. This is a critically important distinction that policymakers must be aware of and account for. While every cyberintrusion can’t be labelled as an ‘attack’ per se, it’s critically important to assess whether or not an intrusion has exploited a vulnerability that could also be used to disrupt or destroy networks.

ASPI thought Canberra had to offer more coherence and clarity on the cyber challenge. The institute’s response was to create the International Cyber Policy Centre, in August 2013, with Tobias Feakin as director.

Peter Jennings said that the centre was ASPI’s first major expansion as a think tank, giving it a wider remit. Cybersecurity, he said, was emerging as ‘one of the most significant strategic challenges faced by Australia’. Jennings and Feakin wrote that ASPI saw a pressing need to be involved in emerging policy debates:

There are two such debates: one at an often very highly classified government level, and one that encompasses a wider group in civil society but is often limited to those with deep specialist knowledge about information technology and security. There’s a need for a broader dialogue among people interested in many aspects of the impact of cyber issues on public policymaking.

The International Cyber Policy Centre would have four aims:

  • Lift the level of Australian and Asia–Pacific public understanding and debate on cybersecurity.
  • Provide a focus for developing innovative and high-quality public policy on cyber issues.
  • Provide a means to hold Track 1.5 and Track 2 dialogue on cyber issues in the Asia–Pacific region.
  • Link different levels of government, business and the public in a sustained dialogue on cybersecurity.

Jennings and Feakin set out a creed for the cyber centre based on needs and ambition:

These efforts will be at the national and international levels and look to enhance the cybersecurity of Australia and the region. There’s currently no centre in Australia or Asia that provides a focused research and strategic outreach program on the national and international development of the ‘rules of the road’ and confidence building measures for the cyberdomain.

One of the ASPI International Cyber Policy Centre’s core principles will be to ensure that both private sector and public sector voices are heard and considered. The internet is mainly in the hands of the private sector and civil society, so their opinions are essential if we’re to build lasting cyber norms that don’t constrain innovation and commerce, and that make cyberspace a secure place.

Visiting Washington in January 2016, Prime Minister Malcolm Turnbull announced a new US–Australia Cyber Security Dialogue to be convened by ASPI and the Center for Strategic and International Studies.

As co-chair of the first dialogue, Feakin said it responded to a newly central policy interest. The two allies realised more could be done using the public and private sectors and academics. Unlike traditional security issues, cybersecurity could not remain purely the purview of states:

[R]esources must be pooled and expertise and information shared. In the online world, Australia faces a strategic picture filled with foes constantly rewriting the rule book as to what can be achieved though disruption and disinformation online. But governments are not the exclusive targets. States looking to gain a competitive economic advantage are targeting the private sectors of other nations in pursuit of the nugget of information or intellectual property that will guarantee a domestic payday.

In November 2016, the Turnbull government announced the appointment of Australia’s first ambassador for cyber affairs: ASPI’s Toby Feakin.

Drawn from the book on the institute’s first 20 years: An informed and independent voice: ASPI, 2001–2021.