The federal government is poised to release a new cybersecurity strategy, which follows last year’s criminal intrusions into Australia’s health and telecommunications sectors and recent revelations that the US government is hunting Chinese malware that could disrupt critical infrastructure.
The new strategy is timely and should be a clarion call to governments, businesses and individuals to ensure our online future is secure. It is an opportunity to put cyber at the centre, not the periphery, of national security and treat it as seriously as the defence strategic review treated our military capabilities.
Unfortunately, past efforts with cyberspace in Australia and other democracies have been inconsistent, and authoritarian regimes and criminals have been better than open societies at seizing the advantages of technological change.
As far back as 1972—the year email was introduced—the US Air Force commissioned a study on computer security technology planning and found that security risks, including to privacy and handling of classified information, were masked by users’ perception of benefits and ‘safe interaction’ online. It noted that the first steps were ‘recognition’ of the implications of malicious threats, and baking security into computer systems early. Yet it took another decade, and a Hollywood film, for that recognition to happen.
In 1983, US President Ronald Reagan asked his officials whether the cyberattacks portrayed in the Matthew Broderick movie WarGames could really happen. Broderick played a talented high school hacker who nearly started World War III by stumbling into the US military’s automated nuclear launch system. Reagan’s officials responded initially with derision, only for the chairman of the Joint Chiefs of Staff, General John William Vessey Jr, to return following a review with the answer: ‘Mr President, the problem is much worse than you think.’
Forty years on, the problem is still much worse than we think, and there’s still a need for both threat recognition and a coordinated approach to cybersecurity. That goes for Australian governments, industry and the public.
No matter how many times we hear that we need to treat cybersecurity more seriously, we consistently fail to match actions to sentiments. Our policies have too often viewed cyber as an adjacent sector or a mere vector for higher priorities, while our individual attitudes have tended towards believing we can enjoy extraordinary connectivity for free—like the Facebook user who’s affronted to learn their personal data has been sold to marketers.
Within a generation, most of our everyday tools and possessions have become digitised and connected, making everything vulnerable, from basic household items to the most sophisticated defence hardware. Technological advances will continue to exacerbate those vulnerabilities, including fast-improving artificial intelligence amplifying threats such as the production of convincing disinformation and the exploitation of social divisions.
That is why we should expect a strategy that talks to us in plain English about the reality of the threats and the need for investment in security. A light security touch does not free up innovation and prosperity. Rather, it is the surest way to a vacuum in which those who would do us harm are themselves able to operate, innovate and disrupt—as we have seen with Moscow and Beijing’s control of the internet and manipulation of social media.
Instead of asking what online freedoms must be sacrificed for security, we must ask what security is required for online freedom. Appropriate regulation creates a safer online environment that increases users’ resilience amid the threat of having their identities and intellectual property stolen, their information environment polluted by disinformation and their necessary daily interactions halted by denial attacks.
The strategy should set a path for strengthening defences to deter and block attacks while increasing clarity on lines of responsibility—across government, industry and individuals—for inevitable future intrusions. New Cyber Security Coordinator Darren Goldie will play an important role in managing a diverse range of stakeholders and ensuring a collaborative approach to cybersecurity and a coordinated incident response.
Communication is vital. Even as we stabilise relations with China, the strategy should be honest that the number one state threat to Australia in cyberspace is Beijing’s security apparatus. If New Zealand can identify China as its primary foreign interference threat, Australia can also note Beijing’s role in cyberattacks while maintaining the diplomatic policy of ‘cooperate where we can and disagree where we must’.
Above all, the strategy needs to set a course that future governments will maintain—something we have had trouble with in the past. An effort to focus on security in 2012–13 was diluted into a digital economy strategy, which meant years of inaction. A cybersecurity strategy was finally released in 2016, acknowledging for the first time that Australia had suffered state-based intrusions and had offensive cyber capabilities. It created new positions, including a minister for cybersecurity, the first national cybersecurity adviser and an ambassador for cyber, but in just a few years the cyber minister and security adviser roles were scrapped and the gains evaporated.
Cybersecurity in defence intelligence was given a major boost in 2021 with the Australian Signals Directorate’s REDSPICE program and its inclusion in Pillar 2 of AUKUS. But the upcoming strategy must treat cybersecurity as a genuine whole-of-nation undertaking.
To its credit, the Albanese government has restored the cyber minister role and elevated it to cabinet. That minister, Clare O’Neil, is now driving cybersecurity as a public policy issue. The test for O’Neil is to develop a strategy that isn’t itself the main outcome but rather positions Australia to better protect systems, data, critical infrastructure and citizens, while also delivering the necessary resources to do so.