The intelligence review: the cybersecurity dimensions
25 Jul 2017|

The cybersecurity dimensions of the 2017 intelligence review report have been mostly overlooked, but it contains some interesting recommendations, as well as leaving considerable detail still to be worked out. The proposals don’t fix all the issues faced by a system coming under heavy strain, but they add potentially helpful adjustments, several of them aligned with ASPI recommendations.

The big changes centre on the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC). The ACSC will formally operate as part of the ASD, with one minister having primary responsibility for the ACSC and cybersecurity. That minister is likely to be the new super-duper minister, Peter Dutton, but that’s still to be determined.

The new head of the ACSC will be the prime minister’s special adviser on cyber security, Alastair MacGibbon, who will serve ‘as the single focus of accountability to the Government for cyber security’. The review proposes merging his team in PM&C into the ASCS. While that move makes a lot of sense, it could create some potentially challenging ministerial reporting lines that the taskforce set up to implement the changes will need to resolve. For example, depending on who the head of the ACSC ultimately reports to, MacGibbon could be reporting to the Home Affairs minister with his ACSC hat on, to the PM with his special adviser hat on, and to the Defence minister with his ASD hat on (given that the ACSC sits under ASD). The big advantage of the move is that putting MacGibbon in charge of the ACSC joins up his policy role with the doing side of the equation.

Centralising cybersecurity policymaking and drawing the operational agencies into one centre should improve MacGibbon’s ability to encourage government departments to step up their cybersecurity defences. To facilitate that, the review suggests supporting more secondments from across government into the ACSC and allowing staff ‘to retain their existing organisational authorities and ability to access data, information and capabilities from their home organisations’.

At present, MacGibbon faces what must be a very frustrating ritual of being hauled before Senate Estimates and asked to explain why government departments keep failing to meet minimum cybersecurity standards, while simultaneously having no authority to force them to step up their game. This change doesn’t fix that disconnect, but it’s a move in the right direction by combining policymaking with operational agencies.

With MacGibbon’s strong links to industry, the new arrangement should also help improve industry engagement, including within the Joint Cyber Security Centres, which the review proposes remain the responsibility of the government’s computer emergency response team, CERT Australia (which is also likely to move from the Attorney-General’s portfolio to Home Affairs and be placed within the ACSC).

The suggested appointment of an intelligence coordinator for cybersecurity ‘to meet and manage the growing expectations of the ACSC, particularly in safeguarding the security of government networks’ also makes sense. That official would report to the head of the ACSC.

The suggestion to stand up a 24/7 ‘capability to manage public messaging and policy advice in relation to rapidly emerging cyber events’ is a strong one, given Australia’s thus far advantageous time zone, which gives us a handy lead time to prepare for attacks that are first unleashed on the other side of the planet. It should also assist with communication deficiencies highlighted by recent cyber incidents.

The move to officially broaden ASD’s mandate is another important change, and updates its role to fit contemporary realities. As my colleague Andrew Davies has noted with encryption, there are plenty of areas where our legislation is lagging.

Finally, the review provides some striking assessments of the cyber-threat landscape, suggesting this is a beginning rather than the end:

One of the most worrying aspects of technological change is the way it is helping to place enormously destructive capabilities within easier reach of rogue states and non-state actors. This trend is not reversible and it will lead to an even more threatening international environment than now exists.

In our view, the challenge of protecting the integrity, confidentiality and availability of systems and data will only become more important and more complex. Defensive and proactive technical security measures will increasingly be at the core of strategies to secure systems and data. Whether it is in relation to data analytics, encryption, decryption, data protection generally or the use of cyberspace, collaboration and co-operation between Australia’s intelligence agencies and the private sector will become increasingly necessary and relevant, not least because in important specific areas private sector ICT innovation and technology application are more advanced.