This week, Australian government and private sector cooperation on cybersecurity appears to have picked up pace. Speaking at a summit in Sydney, Mike Rothery, First Assistant Secretary at the Attorney-General’s Department’s National Security Resilience Policy Division, revealed that an ‘outreach to industry had identified a pressing need for tangible risk assessment tools as opposed to an ever-extending laundry list of potential threats’. Julian Bajkowski writes that ‘the government’s wider cybersecurity outreach has been fostering a channel of boardroom diplomacy between industry and senior representatives of the ASIO, ASD and CERT’. The push is intended to encourage private-sector executives to help protect the national interest by assessing their own risks and bolstering defences accordingly.
For more on that discussion, Stilgherrian explores the vulnerabilities in Australia’s modern industrial economy, looking at SCADA systems in particular. He says that ‘consultations between the Australian government and industry have revealed a patchy security landscape’. On phys.org, Phil Ciciora looks at a study published by the University of Illinois that places public–private information-sharing frameworks at the centre of combating cybersecurity threats. The researchers argue the need to ‘encourage the development of a ‘Circle of Trust’, bringing the public and private sectors together to resolve cybersecurity threats more effectively’.
To the region now, where Mihoko Matsubara, senior cyber security analyst at the Pacific Forum CSIS, discusses on East Asia Forum what Japan’s new defence policy means for international cooperation on cybersecurity. Despite constraints, such as there being no internationally agreed definition of ‘armed attack’ in cyberspace upon which to base the right to collective self-defence, Matsubara observes that this ‘does not mean that the reinterpretation of the Japanese constitution prohibits Japan from contributing to other countries’ cyber defences’.
In Singapore, the Infocomm Development Authority, a statutory board that charts Singapore’s transformation into a global IT hub, will set up a Monitoring and Operations Control Centre to help the government guard against, and respond to, security threats. ‘Following a wave of cyber security breaches, Singapore needs to ensure its security measures stay updated and can counter increasing threats’, Minister for Communications and Information Yaacob Ibrahim told a seminar on Tuesday.
In Indonesia, Australia’s Justice Minister Michael Keenan held counterterrorism and crime co-operation talks last week at the Jakarta Centre for Law Enforcement Cooperation in Semarang. Mr Keenan announced further support for the centre and an agreement that ‘lays out the strategic, formal framework for ongoing cooperation between Australia’s and Indonesia’s two National Police forces’. The centre runs training programs for police officers across the region in areas including cybercrime. For more on Australia–Indonesia police cooperation, see David Connery, Natalie Sambhi and Michael McKenzie’s piece here on The Strategist, and their related ASPI report.
Further afield, the question of whether NATO needs a stronger policy against cyber threats has come to prominence in recent weeks. While NATO has announced its intention to include cyber attacks in its Washington Treaty under Article 5, members have yet to reach an agreement on how that article should be applied. James G. Stavridis and Dave Weinstein argue in The Boston Globe that the Treaty needs to ‘define exactly what constitutes cyber aggression, and how NATO members, individually or collectively, will respond’. Edgar Buckley and Ioan Pascu oppose ‘spelling out in advance any specific conditions for invoking Article 5’ and say that ‘NATO should judge each situation as it arises’.
In the US, White House cyber czar Michael Daniel has come under criticism for his comments on the technical vs policy cybersecurity divide. ‘Being too down in the weeds at the technical level could actually be a little bit of a distraction,’ he said in a recent interview. His position doesn’t, on the face of it, sound unreasonable: policy should be made by managers, not by tech-heads.