Known unknowns: cyber insecurity troubles Australian lawmakers

‘[I] want to know more about all of it, and about what we know and what we don’t know.’

— An Australian federal parliamentarian

Technology and the digital world are evolving at a blistering pace.

As tech users, information consumers and citizens we’re faced with an ever-growing list of new technologies and platforms that shape our daily lives.

Few fully understand them, or the ways in which they interact.

Cloud computing, big data, artificial intelligence and machine-learning models, and next-generation cyber technologies challenge even those individuals and entities that make digital literacy their business.

It should come as no surprise, then, that parliamentarians also struggle to keep pace. Nor is it a surprise that, faced with big decisions on cybersecurity and emerging technologies that will inform Australia’s future, they want accessible, practical and independent expert advice.

ASPI’s latest report, What do Australia’s parliamentarians think about cybersecurity and critical technology?, offers a non-partisan snapshot of the views of some of our nation’s policy shapers and policymakers, and what they think about cybersecurity and critical technologies.

What are they worried about? Where are their knowledge gaps and interests? What technologies do they think are important to Australia? What do they want and need to know?

In 2021–22, we approached every member of Australia’s 46th parliament for this multi-year study—24 took part.

Parliamentarians spoke on condition of strict anonymity, without any identifiers apart from their gender, chamber, electorate profile, and backbench or frontbench status. As a result, the conversations were candid, upfront and insightful.

First, parliamentarians have the same security concerns and uncertainties as any other tech consumer. More than a third say they never feel safe online against scams and cyber threats.

On top of this, some worry about vulnerabilities due to their position. ‘I treat my mobile phone as if it’s an open line of communication to the CCP [Chinese Communist Party], because that’s basically what it is,’ says one.

Parliamentarians admit to being struck by how little they know about the opportunities and threats in the cyber and technology domains, and how quickly those are evolving beyond their understanding.

As one puts it, Australian policymakers interested in deepening their understanding of cybersecurity ‘don’t know what they don’t know’ and rely almost completely on experts to provide digestible information and guidance.

There’s broad agreement on the biggest cybersecurity threats (see Figure 1). In the first rank are state‑backed cyber threats to critical infrastructure, long a focal point of Australian cybersecurity discussions and top of mind during last week’s Optus outage and this weekend’s DP World cyberattack, which shut down major ports.

Figure 1: On a scale of 1–3, please rank the top three threats you personally are most concerned about for Australia

At a big-picture level, parliamentarians understand that there are credible and increasing cyberattacks against Australia’s critical infrastructure sectors.

At the same time, they lack—and know they lack—a detailed understanding of how cyber resilient Australian government and industry sectors are right now, and how cyber threats might manifest (see Figure 2).

Although concerned about critical infrastructure attacks, half of the participants are ‘not sure’ of just how cyber resilient sectors like communications, energy, water and sewerage, or healthcare are. It should be noted that the study’s data collection concluded before recent and prominent data breaches, including those at Medibank, Optus and Latitude.

Almost 40% of respondents are uncertain about the cyber resilience of the defence industry sector. They perceive the risks but cannot evaluate them based on informed advice or integrate them with policy settings.

Such knowledge gaps likely extend from our sample group to a much higher proportion of parliamentarians, many of whom will be asked to make policy decisions that shape (or depend on) one or more of those sectors.

Figure 2: On a scale of 1–10, how ‘cyber resilient’ do you consider the following to be (1 being not at all cyber resilient and 10 being very cyber resilient)

Some of these policy decisions are playing out now.

Data security and storage is a live policy question—picked up in the government’s upcoming data and digital government strategy and in draft legislation on Australia’s digital identity system, which parliamentarians are expected to vote on next year. Yet 50% of parliamentarians in the study are ‘not sure’ about cyber resilience in the data storage and processing sector.

Equally, the majority view that classified government data and identifiable citizen-related data should be stored on servers located in Australia doesn’t reflect the evolution of secure cloud technologies or, possibly, an appreciation of other threats such as the trusted-insider risk.

Figure 3: What types of [federal government/state/territory government/local council] data should it be mandatory to store on Australian servers?

State-backed cyber‑enabled foreign interference is another common concern, well ahead of other types of state-backed activity such as cyber espionage and intellectual property theft. Parliamentarians worry about the potential of online information operations to undermine social cohesion and democratic processes (the CCP campaign against Canadian politicians is a good recent example).

Their instincts are good: as we’ve written before, this type of foreign interference is still falling between the cracks of policy, intelligence and policing agencies.

However, attempts to limit malign information operations also require carefully balancing freedom of speech. As the ongoing debate on draft legislation to expand the Australian Communications and Media Authority’s power in combatting misinformation and disinformation demonstrates, reaching consensus on where that balance lies is tricky. Australia’s next cybersecurity strategy is unlikely to tackle state-backed information operations for just that reason, although, as we have also written, a solid policy foundation would be to attribute state-based information operations whenever they are identified and to require greater transparency from social media platforms on their efforts to label and moderate content.

So, what technologies do parliamentarians think are important for Australia, and where should we invest?

Unsurprisingly, cybersecurity technologies, quantum computing and AI all feature high on every list. There’s also a strong bent towards building sovereign capacity in these technologies or ensuring access to reliable supplies from other nations.

At the same time, most parliamentarians recognise that Australia is not a major technology provider. Squaring that circle means accepting the need for (limited) foreign investment in critical technologies—depending on both the technology type and the country investing. Here there is more accord than you might assume: most parliamentarians advocate limiting foreign investment to some degree, and economic considerations are nearly as strong a driver as national-security interests (see Figure 4).

Figure 4: Should there be limitations on foreign investment in Australian businesses that develop or manufacture critical technologies based on [national security/economic prosperity] concerns?

Finally, what do parliamentarians need to know?

Australians look to their elected representatives to make big decisions on cyber and technology investment and security. It follows that we should expect them to be both informed and actively engaged. As parliamentarians, they already know that Australia needs to keep pace with technological developments to ensure national security and prosperity.

The broad brushstrokes are there: the need for an integrated cybersecurity strategy, working with allies to set cyber and critical infrastructure standards, building sovereign capacity, adopting greater agility in legislative and regulatory approaches to cope with a rapidly changing environment, and improving digital literacy.

A fundamental missing piece is a whole-of-government focus on technology and the ways in which it cuts across every aspect of modern life. Another is access to clear, up-to-date and factual explanations that would allow time-poor parliamentarians and their advisers to engage on cybersecurity issues and technologies with confidence and to continually develop their understanding of this rapidly evolving landscape ‘through connecting with examples and showing how Australia is placed to handle it’.

A commitment to education will be key to Australia’s successful response to game changers like generative AI and a whole-of-economy commitment to advanced capabilities of the kind intended to emerge under AUKUS Pillar 2. The Labor member for Fraser, Daniel Mulino, and the Liberal member for Casey, Aaron Violi, have already proposed establishing a non-partisan parliamentary technology assessment office to advise policymakers on the impact emerging technologies may have on proposed policy and how to ensure that regulations keep pace with technological change and development.

This would be a step in the right direction and would bring us into line with the UK’s Parliamentary Office of Science and Technology. Like our Parliamentary Budget Office, the technology assessment office could be independently staffed to ensure it offers objective advice.

We suggest going one step further and developing a briefing program that draws on civil society, think tanks, research institutes, peak associations, and federal departments and agencies, including agencies in the national intelligence community, to ensure a steady stream of much-needed policy and operationally relevant information.

We also recommend the briefing program not be confined to sitting weeks. Parliamentarians are crazy busy during sitting weeks, with myriad back-to-back chamber, committee, community and political party commitments. Accordingly, the program should include one-on-one briefings during non-sitting weeks, where parliamentarians would have the opportunity to probe and discuss cybersecurity and critical technology issues in private and in a less pressured environment.

Parliamentarians understand they ‘have a responsibility to lead the debate’ and are hungry for knowledge to help them do that.

It’s now up to experts and thought leaders to heed the call and equip our nation’s policy shapers and policymakers with the information they need to address the challenges of the future. Our parliamentarians are up for it. They understand these are globally significant issues and this is an important area for parliament.

‘Everyone kind of knows about technology, but they just accept it in the form that it comes to them,’ says a parliamentarian. ‘Policymakers need to know more about it … We have got to find ways to explain it better.’