Put cyber front and centre as ‘war games’ intensify
The new strategy is timely and should be a clarion call to governments, businesses and individuals to ensure our online future is secure. It is an opportunity to put cyber at the centre, not the periphery, of national security and treat it as seriously as the Defence Strategic Review treated our military capabilities.
Unfortunately, past efforts with cyberspace in Australia and other democracies have been inconsistent, and authoritarian regimes and criminals have been better than open societies at seizing the advantages of technological change.
As far back as 1972 – the year email was introduced – the US Air Force commissioned a study on computer security technology planning and found security risks, including to privacy and handling of classified information, were masked by users’ perception of benefits and “safe interaction” online. It noted the first steps were “recognition” of the implications of malicious threats, and baking security into computer systems early. Yet it took another decade, and a Hollywood film, for that recognition to happen.
In 1983, US president Ronald Reagan asked his officials whether the cyber attacks portrayed in the Matthew Broderick movie WarGames could really happen. Broderick played a talented high school hacker who nearly started World War III by stumbling into the US military’s automated nuclear launch system. Reagan’s officials responded initially with derision, only for the chairman of the Joint Chiefs of Staff, General John William Vessey Jr, to return following a review: “Mr President, the problem is much worse than you think.”
Forty years on, the problem is still much worse than we think. Our policies have too often viewed cyber as an adjacent sector or a mere vector for higher priorities, while our individual attitudes have tended towards believing we can enjoy extraordinary connectivity for free. Within a generation, most of our everyday tools and possessions have become digitised and connected, making everything vulnerable, while fast-improving AI amplifies threats such as the production of convincing disinformation and the exploitation of social divisions.
We should expect a strategy that talks to us in plain English about the reality of the threats and the need for investment. A light security touch does not free up innovation and prosperity. Rather, it is the surest way to a vacuum in which those who would do us harm are themselves able to operate, innovate and disrupt – as we have seen with Moscow and Beijing’s control of the internet and manipulation of social media.
Instead of asking what online freedoms must be sacrificed for security, we must ask what security is required for online freedom. The strategy should set a path for strengthening defences to deter and block attacks while increasing clarity on lines of responsibility – across government, industry and individuals – for inevitable future intrusions. New Cyber Security Coordinator Darren Goldie will play an important role.
Communication is vital. Even as we stabilise relations with China, the strategy should be honest that the number one state threat to Australia in cyberspace is Beijing’s security apparatus. If New Zealand can identify China as its primary foreign interference threat, Australia can also note Beijing’s role in cyber attacks while maintaining the diplomatic policy of “co-operate where we can and disagree where we must”.
Above all, the strategy needs to set a course future governments will maintain. An effort to focus on security in 2012-13 was diluted into a digital economy strategy, which meant years of inaction. A Cyber Security Strategy was finally released in 2016. It created new positions, including a Minister for Cyber Security, the first national cyber security adviser and an ambassador for cyber, but in just a few years the cyber minister and security adviser roles were scrapped and the gains evaporated.
Cyber security within defence intelligence was given a major boost in 2021 with the Australian Signals Directorate’s REDSPICE program and its inclusion in Pillar Two of AUKUS. But the upcoming strategy must treat cyber security as a genuine whole-of-nation undertaking.
To its credit, the Albanese government has restored the cyber minister role and elevated it to cabinet. That minister, Clare O’Neil, is now driving cyber security as a public policy issue. The test for O’Neil is to develop a strategy that isn’t itself the main outcome but rather positions Australia to better protect systems, data, critical infrastructure and citizens, while also delivering the necessary resources to do so.
Justin Bassi is executive director and Alexandra Caples is director of cyber, technology and security at the Australian Strategic Policy Institute.
The federal government is poised to release a new cyber security strategy, which follows last year’s criminal intrusions into our health and telecommunications sectors, and recent revelations the US government is hunting Chinese malware that could disrupt critical infrastructure.