Malcolm Turnbull’s Cyber Security Strategy was an underfunded and uncertain response to an increasingly complex problem: cyberattack and online interference. Morrison’s 2022 Strategy needs a cradle-to-grave investment in digital literacy to protect Australia’s national interests moving forward.
Cybersecurity as the protection of the hardware, software and online data of a country’s citizens, businesses and government has become a point of concern for Australia over the past half-decade. Despite the introduction of Malcom Turnbull’s Cyber Security Strategy in 2016 and Morrison’s revamp which is to be rolled out in July 2022, Australia continues to drag its feet in the cyber race. What is worse, cyber technology and the threats bound up with it, are likely to become more complex before Australia’s security agencies can combat them. Outgoing Director General of the Australian Security Intelligence Organisation (ASIO), Duncan Lewis warned at the Lowy Institute in September that digital foreign interference is “by far and away the most serious issue going forward.”
As a transformative technology wiring us together, cyber networks have presented new challenges as they open up online gateways for the malicious perforation of Australian society through system hijacking, hacking or phishing to name a few. Cyber technology can be harnessed by a variety of perpetrators whether they be nation states, disgruntled individuals or non-state actors. However, cyber is not dramatically new and is rather an enabling technology to conduct warfare for traditional aims and outcomes, particularly when used for statecraft. It is this uniqueness that both Turnbull and Morrison’s Cyber Security Strategies attempt to negotiate.
Turnbull’s 2016 Cyber Security Strategy was promising because it recognised the dual importance of a fortified cyber space for Australians: to protect individual and state security and prop up an “wired” economy. The plan involved sustained investment in cyber architecture, enhancing intellectual capital and an encouragement of cyber partnerships between the government, business and wider community. At the first annual update in April 2017, Turnbull noted “trust and confidence through cyber security is becoming economic and security currency for Australia,” as he worked to reassure the 1 million Australians who fell victim to cybercrime in 2014 and lost $17 billion. Turnbull’s attempt to promote Australia as a “cyber smart nation” was well intentioned but failed to invest the capital to back up its promises. Turnbull’s five target action plan including goals such as “global responsibility and influence,” were severely underfunded, vague and largely immeasurable. The Strategies’ $230 million cyber security commitment pales in comparison to Australia’s frequent digital disruptors, particularly China. Huawei, China’s “national champion” invested $2 billion in cyber security measures in 2019 alone.
The lacklustre budget is reflective of Turnbull’s failure to appreciate the scale of the online avenues his Strategy was trying to manage. Dedicating decisively more capital to Cyber Security Strategies than other threat prevention plans is a necessary measure Australia’s government has resisted. However, with the ability of cyber violations to be managed and carried out by machines communicating autonomously, a significant increase in human and material capital is urgent to counteract the magnitude of the digital threat. By 2020, it is estimated that there will be 50 million devices connected globally, all of which converse with humans outside of the loop and are easily manipulated for competing interests. The impact of state sponsored cyberattack and interference is not only financial but has real kinetic potential. The West weaponised cyber technology in the Stuxnet worm against Iran in 2010.
Although Australia is better off than most in terms of our physical capacity to defend, the increase to over 90 percent of Australians being online in the last five years has also seen our societal dependence on digital technology move at warp speed. It is this rapid expansion that Turnbull’s Strategy failed to capitalise on and now forms our key vulnerability to insidious state interference. Australia should learn from the 2015 Ukraine power grid cyberattack, and focus on deterring, disrupting and denying state sponsored cyberattacks as our primary national security focus moving forward. Unfortunately, the necessity to revise the Cyber Security Strategy was only realised after the Australian Parliamentary network attack in early 2019 by a “sophisticated state actor.” Forcing a password reset for all Parliament House network users, politicians and staffers, the breach did not violate Australia’s sovereignty legally but exposed the inadequacies of the current Strategy to safeguard Australia’s critical networks and national interests online.
Morrison’s removal of “Cybersecurity” from his first ministerial line up in April 2018 was a concerning regression in this respect. Minister for Home Affairs Peter Dutton has since taken leadership for Cybersecurity policy, using Turnbull’s plan as a roadmap, the 2022 Strategy has refocussed efforts on cyber resilience. With an ever-evolving digital threat landscape, detaching from hopes of absolute cyber security and rather ensuring Australia’s critical networks are durable against interference is a wise change of course.
To insert Australia’s influence into this network of constantly communicating Artificial Intelligences, Australia needs a nation-wide push for cyber literacy. Compared to countries like Japan and Israel, we have an embarrassing deficiency in cyber entrepreneurs, with 20 percent of cyber security professional roles in Australia unfilled. This deficit shows with our lagging rates of cyber research and innovation, raising the amount of Australian business loss to cybercrime to $29 billion in 2018. Morrison’s redress of this issue with promises of a $156 million Cyber Resilience and Workforce Package including a Cyber-Workforce Strategy, is a well-considered element of his 2022 revamp.
Prime Minister Scott Morrison supports a progressive budget for the Foreign Signals Intelligence and Cyber Security and Offensive Cyber Operations program. With an allowance of $851 million for 2022-23 to fortify online security systems, it is a promising start. It will build on foundations of Turnbull’s 2016 plan and should see a focus on cyber security as not a technological but a strategic issue. The 2019-2020 Budget’s “Cyber Uplift” and introduction of “Cyber Sprint teams” supports this re-definition of cybersecurity as of tactical value in Australia’s policy rhetoric. Although, we cannot insulate our critical networks completely, the 2022 Strategy needs continual, substantial and targeted investments to enrich our capability and resilience against attacks on critical infrastructure. With new technological developments fast approaching with 5G and potentially 6G in the next half decade, the informational and financial incentives to puncture Australia’s economic and national systems will intensify. Our global competitors are moving forward resolutely with long-term investments in their own IT industries, capabilities and professionals, and we need to follow suit. Australia must to evolve our cyber posture from reactive to proactive, and patch gaping digital holes rather than drain the water from a sinking ship.
Weaponising the Internet is highly political and state agents are extremely adept at exploiting foreign national systems and manipulate them for competing national interests. If Australia is to derive economic value from the digital domain while protecting our sovereignty, Morrison’s Cyber Security Strategy needs to invest in information-driven change. Australia has been slow off the mark, it is time we invest in cyber literates, make clear, decisive and metric goals for innovation and education and commit to long-term investment in our cyber professionals to remove the rigidity of Australia’s rapidly ageing crisis-response model.
Abbey Dorian is an intern at the AIIA (NSW) branch
This article is published under a Creative Commons Licence and may be republished with attribution.