Australia’s cyber security: a unique opportunity
Introduction: statement of national security strategy
Australia’s national Cyber Security Strategy (“the Strategy”) was released in April 2016 by the Department of Prime Minister and Cabinet, under Prime Minister Malcolm Turnbull’s government. The Strategy is the second of its kind for Australia, being preceded only by the 2009 Cyber Security' Strategy (CSS), and has been perceived as being more “in touch” with Australia’s cyber needs (Stuparu, 2016), also providing broader strategic direction and deliverables, though some still found it to be vague, especially around lack of funding (Austin & Slay, 2016).
The Strategy covers five key areas:
- 1 A national cyber partnership;
- 2 Strong cyber defenses;
- 3 Global responsibility and influence;
- 4 Growth and innovation; and
- 5 A cyber smart nation (PMC, 2016: 5).
Since 2016, substantial progress has been made in the first and fourth areas, especially' through the work of the Australian Cyber Security' Growth Network (AustCyber). The second area also saw the Australian Signals Directorate update the Information Security Manual (ISM) and Essential Eight," as well as complete a network of Joint Cyber Security' Centres across Australia, among other successful initiatives. The third area was addressed through the creation of Australia’s International Cyber Engagement Strategy (DFAT, 2017), a document which will be discussed in further detail in the International Governance section below. The fifth and final key area has seen some more modest progress through enterprises such as the ACSC Threat Report release (ACSC, 2017) and those on the education front; for example, vocational education agreed to a national curriculum for a Certificate IV in Cyber Security (Sadler, 2018).
A point which has, however, been heavily criticized is that of the Strategy’s promised annual updates (Bashfield, 2019), of which only the first was delivered in 2017 (PMC, 2017), while Australia was still under the Turnbull government.
Though not officially announced as yet, a new Cyber Security Strategy is expected in 2020, as the current Strategy refers to its themes of action “over the next four years to 2020” (PMC, 2016) and the present government has arguably demonstrated a lack of action on progressing the existing Strategy' (Bashfield, 2019).
A few months prior to the Strategy’s release, namely in February', Australia also put out the 2016 Defence White Paper (“the White Paper”). Unlike the Strategy, the White Paper focused purely on defense capacity and capability' plans over the coming years, along with some broad budgetary' allocations. It is a very different document in style and purpose, representing “how Defence meshes with national efforts” to achieve long-term cyber resilience in Australia (Scully, 2016: 115).
It is important to recognize, however, that the White Paper “gives us no hint as to whether Australia recognises cyber space as a discrete domain of warfare” in the way' the United States of America “formally recognised cyber space as a fifth domain” in 2010 (Scully, 2016: 116).
Its main cyber-related outputs are articulated in a broad section entitled “Intelligence Surveillance and Reconnaissance, Space, Electronic Warfare, and Cyber Security'.” The focus is on intelligence gathering and electronic warfare support to the existing services, and one notable point is that of the Information Warfare Division’s creation, a “unit of key'board soldiers,” initially 100 personnel-strong but set to grow to 900 within 10 years (McGhee, 2017).
It is worth mentioning that other areas of government have also published their own cyber strategies, applicable to their own department, such as the Department of Human Services’ Cyber Security Strategy 2018—22 (DHS, 2018).
Australia has defined a number of key' terms which are relevant to the basis of the national cyber conversation. Examples include cybersecurity', cybercrime, cyberterrorism, and critical infrastructure, for which definitions are provided below. Though not word-for-word, and though not all defined in the one place in Australia’s case, these broadly align with the views that Five Ey'es partners seem to have on the matters.'
First, and “[i]n simple terms, cybersecurity involves the protection of computer systems connected to the Internet” (APH, n.d.b). Otherwise put, it is “an ongoing journey (...) about protecting your technology' and information from accidental or illicit access, corruption, theft or damage” (Australian Government, n.d.b).
In terms of cybercrime, the Australian Government equates it to “computer crime,” and states that it “involves using computers and the internet to break the law. Common kinds of cybercrime include: identity' theft and fraud; online scams; [and| attacks on y'our computer systems or websites” (Australian Government, n.d.b). Moreover, the Australian Federal Police (AFP) thinks of cybercrime as “|c|rimes such as fraud, scams, and harassment [which] can be facilitated by' using technology' [and] which bring unique challenges to old crimes” (AFP, n.d.a).
Though “]t|here is no universally agreed upon definition of cyberterrorism, [...] the term generally refers to an attack which uses electronic means (such as a computer worm, virus or malware) to penetrate and seriously' interfere with critical infrastructure” (Hardy, 2017). This general definition is a relevant working one in Australia, however, under the Australian Criminal Code Act 1995, one can only find a formal definition of a terrorist act, which can then be applied to cyberspace: an action or threat of action where: (a) the action falls within subsection (2) and does not fall within subsection (3); and (b) the action is done or the threat is made with the intention of advancing a political, religious or ideological cause; and (c) the action is done or the threat is made with the intention of: (i) coercing, or influencing by intimidation, the government of the Commonwealth or a State, Territory or foreign country', or of part of a State, Territory or foreign country; or (ii) intimidating the public or a section of the public.
(Australian Government, 1995: 83)
According to the Department of Home Affairs, “[cjritical infrastructure provides services that are essential for everyday life such as energy, food, water, transport, communications, health and banking and finance” (Australian Government n.d.a). More complexly, the Trusted Information for Sharing Network (TISN), another government agency, defines critical infrastructure as
[tjhose physical facilities, supply chains, information technologies and communication networks, which if destroyed, degraded or rendered unavailable for an extend period, would significantly impact on the social or economic wellbeing of the nation, or affect Australia’s ability to conduct national defence and ensure national security.
These “[ejssential services we all rely on in our daily lives (...) [include] power, water, health, communication systems, and banking” (Australian Government, 1995: 83).
Australia is at the forefront of international law in general, and is “a country that has actively encouraged the development and spread of international law and has integrated it into its national law to an extent unimaginable when the first edition of International Law in Australia was published in 1965” (Rothwell & Crawford, 2017). Indeed, Australia has a permanent Office of International Law (OIL) within the Attorney-General’s Department, providing relevant advice to the Government (AG, n.d.).
In terms of international cyber law, much of Australia’s viewpoint is tightly interlinked with that on international governance, and is articulated in its International Cyber Engagement Strategy (DFAT, 2017), which will be discussed in the following section.
A summary of Australia’s commitment to cyber international law is perfectly captured by the current Minister for Foreign Affairs, Senator the Hon Marise Payne, as she states that Australia is “very proud to |have| chair|ed] the UN GGE4 in 2013 when it agreed that existing international law applied in cyberspace,” and is “urging like-minded nations to throw their support and resources behind these international efforts that will build trust and transparency” (Payne, 2019).
Among the most recent actual examples of Australia’s understanding of the applicability of international law in cyberspace was the 4th Japan-Australia Cyber Policy Dialogue Joint Statement, whereby “Japan and Australia reaffirmed their commitment to continue to enhance cooperation and information sharing on responses to malicious cyber activities, including deterring and responding to significant cyber incidents, consistent with relevant domestic and international law” (MOFA, 2019). This illustrates Australia’s commitment to international law and cooperation on cyber issues with a number of international geopolitically strategic partners, including outside of the Five Eyes alliance.
In terms of regional governance, Australia holds the “leading role in the region’s largest cyber security community with the Australian Cyber Security Centre re-elected as Chair of the Asia-Pacific Computer Emergency Response Team (APCERT) Steering Committee in Shanghai on 23 October 2018” (ACSC, 2018a). This is an interesting point, as Australia unmistakably aims to balance out China’s power in the region (Huang, 2017).
Indeed, regional cyber governance initiatives abound for Australia;'1 for example, “[t]he Pacific Cyber Security Operational Network (PaCSON), [was| launched in Brisbane [Australial on 30 April 2018 with 14 foundation member countries from the Pacific”6 (Australian Government, 2018). Moreover, Australia and New Zealand jointly recently reaffirmed their commitment to enhance collective regional cyber resilience, notably “bringing Australia’s total investment in cyber cooperation to $38.4 million to 2022” (Australian Government, 2018).
The regional cyber governance involvement is part of a broader international cyber governance plan, detailed in the International Cyber Engagement Strategy (“the International Strategy”) (DFAT, 2017). The document makes a number of international commitments, and dedicates an entire section to “Internet Governance & Cooperation” (DFAT, 2017: 56-64). International cooperation is central to the document, through “multi-stakeholder Internet governance,” all with an aim to reduce the risk of cybercrime, promoting peace and stability in cyberspace, “particularly in our [Australia’s] region” (DFAT, 2017: 10). DFAT has also released a 2019 Progress Report for the International Strategy (DFAT, 2019).
As previously mentioned, Australia chaired the 2013 UN GGE whereby nations agreed that international law applied in cyberspace, thus avoiding the UN having to create a new global legal framework. Australia also supported the 2015 UN GGW, whereby “nations agreed to a set of 11 international noons in cyberspace” (Stilgherrian, 2019b). It continues to back the UN’s international cyber governance efforts, openly supporting both its present progress initiatives, namely a GGE proposed by the United States of America, and an Open Ended Working Group (OEWG) put forth by Russia, viewing the two as “complementary” (Stilgherrian, 2019b), and sending the Director of Cyber Policy at DFAT to represent Australia in those conversations (Stilgherrian, 2019b).
Two final things are noteworthy as relating to the Cyber Security Strategy here; first, the creation of an Australian Ambassador for Cyber Affairs (“Cyber Ambassador”) position as part of the Department of Foreign Affairs and Trade (DFAT), allowing Australia to pursue its interests and project its principles (as articulated in the International Strategy, such as advocating an “open and free internet among the international community” [Holding, 20181) on a more interpersonal level. Second, stability’ in the region and a strong international system can arguably not be approached without the “carrot and stick” concept, and, as such, Australia has openly confirmed its possession and further development of offensive cyber capability (Holding, 2018).
Australia, a sovereign nation state with a stable democracy of nearly 120 years (Lohman, 2011), has not formally claimed sovereignty over “its” cyberspace. Whilst it does not regard the Internet as its territory, it certainly seeks to protect Australia’s “sovereignty, (...) economy and (...) national security” (Turnbull, 2019) from cyberthreats though, and, to this effect, has both defensive and offensive military cyber capabilities,6 and a set of relevant internal legislations.
Australia has never in its history shut down the Internet; though the government has the actual legal ability to do so, “with emergency powers,” this is highly unlikely to occur (Lohman, 2011). It does, nevertheless, maintain a degree of control over the flow of information and regulating of speech on the Internet; this is done within specific legal frameworks and addresses primarily censorship around child pornography, sexual violence, and terrorism (Crozier, 2019), as well as piracy (Copyright Amendment [Online Infringement! Bill, 2015), practical aspects of suicide (2006 Suicide Related Materials Offences Act), and “abhorrent violent material” (Criminal Code Amendment [Sharing of Abhorrent Violent Material| Bill, 2019).
Restrictions must normally be ordered by the Australian Communications and Media Authority, however, as demonstrated in the aftermath of the 2019 Christchurch mosque shootings, Australian Internet Security Providers (ISPs) have the ability' to act independently in blocking the content ahead of any governmental directive (Barnett, 2019). It is worth noting that, as is to be expected in a federal system like Australia’s, state and territory laws also have additional provisions, particularly in relation to banning the transmission of material deemed unsuitable for minors.7
Australia does not, otherwise, censor free speech around political opinions or any other societal aspects that may be controlled under various other regimes. An interesting, tangent point worth mentioning, however, is that of the new, contentious anti-encryption law (Telecommunications and Other Legislation Amendment [Assistance and Access] Act, 2018) that was recently passed. A first in the world, this law aimed at enhancing national security - but arguably posing great risks to privacy — requires “technology companies to provide law enforcement and security agencies with access to encrypted communications.” The law is undergoing review but is currently being enforced. In the same vein, the Australian government has the legal right to request access to metadata from various organizations (telecommunication companies, and others that might be of interest, such as transport) in the interest of national security', and has done so “nearly 60 times” over the course of the past year (Shields, 2019).
Another rather fascinating debate took place in 2018; should Chinese planes, for example, flying in Australian airspace, abide by Australian law in terms of Internet censorship (or lack thereof?) (Xiao, 2018). Which country’s laws ought to come into effect when a plane is Chinese territory, but the airspace is Australian? This made for an interesting food-for-thought point, and, to date, Chinese flights offering Wi-Fi and flying in/out of Australia apply Chinese laws to their available Internet content.
Australia’s cultural understandings
Australia has been labelled a “cultural, ethnic and political melting pot” (Vosloo, 2014) and is one of the most stable democracies in the world, as previously' mentioned (Lohman, 2011). In stark antithesis to China, the regional pole of power, Australia aims for this open democracy and its respective founding values and principles to be exported in the Asia Pacific region, and indeed, to the world (DFAT, 2017: 5). Overall, Australians favor “an open, free and secure Internet, achieved through a multi-stakeholder approach to Internet government and cooperation” (DFAT, 2017: 9).
A number of understandings around privacy vs. national security in particular have changed in the past decade, granting more surveillance rights to the government (such as those discussed in the previous section around the anti-encryption laws) — which is indeed presently seeking additional “spying powers” (Karp, 2019).
This was heavily influenced by the rise in terrorism and specifically ISIS radicals leaving to fight, then seeking to return to Australia. In parallel, for example, the broader community debate extended to sometimes depict Muslims in an unfavorable light, and whilst this may not necessarily affect cyberspace issues directly, much of this proliferation of information and opinions around Islamophobia has been achieved digitally (Charnas, 2019).
As a nation, Australians have been known to enjoy sharing — and, in fact, oversharing — a substantial amount of information from their daily lives online; it is fair to say it has become a cultural Australian trait (Golbeck, 2014). There is an interesting paradox to be noted here around the value still placed on privacy (hence the general discontent with the current administration’s surveillance intents) and the yet the expectation that the government ought to protect its citizens from cyber threats in spite of this voluntary information dissemination. Indeed, in private as much as in business circles, Australia has an overall degree of naivety when it comes to cyber security (Calic, Pattinson, Parsons, Butavicius & McCormac, 2016: 17—18). This characteristic could be said to be a cultural trait, as traditionally Australia’s population has been quite fortunate and sheltered from cyber threats in comparison to the United States and certain European states, for example. This is also underlined by the fact that it is one of the Strategy’s main aims to make Australia a “cyber smart nation” (PMC, 2016: 51), though it has a way to go yet.
Australia does not currently have a Ministry of Information or Information Technology - but perhaps it should. This would not only demonstrate its commitment to the “cyber future,” but would also enhance and streamline Australia’s cyber policies and capabilities in the present, which could be perceived as rather fragmented.
Cyber security is currently under the umbrella of the newly (2017) formed Department of Home Affairs, an organization responsible for national security, law enforcement, emergency management, border control, immigration, refugees, citizenship, and multicultural affairs (Commonwealth of Australia, 2017: 4-5).
Other parts of government that have a say in cyber security policy and decision-making are, primarily, the Department of Prime Minister and Cabinet, the Attorney-General's Department, the Department of Foreign Affairs and Trade, the Department of Defence, and the statutory Australian Signals Directorate (with the Australian Cyber Security Centre under it).
The position of Cyber Ambassador driving DFAT’s International Strategy has been mentioned previously, and was established as part of the national Cyber Security Strategy in 2016. Other roles which were created at the same time as part of the Strategy were that of Special Adviser to the Prime Minister on Cyber Security and Minister Assisting the Prime Minister on Cyber Security (APH, n.d.a). Following a resignation without succession (Stilgherrian, 2019a) and as part of a cabinet reshuffling respectively (Stilgherrian, 2018), both of these positions have quietly vanished from Australia’s present cyber landscape, as of mid-2019.
There are a number of digital agencies and divisions across the Australian government which have strong cyber interests and are worth noting, including the Digital Transformation Agency, the Australian Digital Health Agency, the Office of the eSafety Commissioner, and the Office of the Australian Information Commissioner. Overall, Australia is driving digital transformation across the board in government, even if some agencies may be taking the lead over others.
Interestingly, the inaugural 2009 Cyber Security Strategy was released by the Attorney General’s Department, while the 2016 one was put out by the Department of Prime Minister and Cabinet. This shift illustrated the then-Prime Minister’s priorities; however, it is safe to assume that the next one is likely to be published by the Department of Home Affairs, which now has cyber under its umbrella.
Role of the private sector
Australia’s Cyber Security Strategy prides itself on having been written following extensive private sector consultation (also including academia), and has, as its first goal, to achieve an increasing degree of synergy and partnerships between government decision-makers and industry (PMC, 2016: 21).
AustCyber (the Australian Cyber Security Growth Network) was established in this scope, “growing Australia’s cyber security ecosystem” (AustCyber, n.d.). The organization also ensures the continuing communication link between government and industry insofar as national cyber policy, and is also involved in multiple educational initiatives connected to industry.
The private sector has the democratic right to lobby the government on a number of issues, having the potential to influence cyber policy making. In particular, large telecommunication companies (telcos) such as Telstra or Optus are consulted and heavily involved in legislative changes, and often the four largest banks are too (due to their central importance in funding and critical role in the economy), among other industry stakeholders. That being said, protest though they might some proposed legislation, it can be passed without their full agreement or support; for example, the top three Australian telcos objected to this, but did not sway the government:
The parliament of Australia passed a metadata retention bill back in October 2015; according to this law, all the Telcos and ISPs in the country will be legally responsible for storing the user’s metadata for a time period of 2 years. The data will be stored for the purpose of investigations and proceedings by law enforcement agencies in Australia.
Indeed, the metadata retention laws are a continuing sore point between government and telcos, with “back door to access data ‘deliberately left open’” and 21 agencies authorized access without a warrant (Schliebs, 2019).
Another group worth mentioning in terms of private sector involvement in the making of Internet policy in Australia is that of consulting firms. The Big Four (KPMG, Deloitte, EY and PwC), alongside other smaller firms, have a very substantial amount of advisory (among other) work in government organizations (Belot, 2018).
Finally, an example of a private corporation that has had much contentious publicity of late is Huawei. As of 2019, allegations were circulated that the company, a large player in the Australian tech market, shared infonnation with Chinese intelligence agencies. As such, it was banned from being a supplier to Australia’s 5G mobile phone network, which sparked continued controversy, and indeed strained Sino-Australian relations. It is therefore worth mentioning Huawei in the context of a private sector entity that directly (albeit unwillingly) affected a specific Australian policy (Ryan, 2019).
Role of the legislature
Though some were discussed in the “Sovereignty” section of this chapter, a few key pieces of Australian federal legislation relating to cyberspace are mentioned below, in chronological order of passing, or latest relevant amendment:
- • Broadcasting Services Act 1992 deals with issues to do with ownership of media and content regulation;
- • Telecommunications (Consumer Protection and Service Standards) Act 1999 is very broad legislation covering public interest and telecommunications services;
- • Suicide Related Material Offences Act 2006 forbids the sharing of practical aspects of suicide online;
- • Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 introduced a statutory obligation for telcos to retain for two years users’ metadata, and makes provisions for law enforcement agencies’ access to this under certain circumstances;
- • Copyright Amendment (Online Infringement) Bill 2015 deals with piracy over the Internet;
- • IP Laws Amendment Act 2015 is applicable to cyber Intellectual Property or IP stored online;
- • Enhancing Online Safety Act 2015 (amended in 2017) is a comprehensive mandate from the eSafety Commissioner around ensuring Australians are and feel safe digitally;
- • Privacy Amendment (Notifiable Data Breaches) Act 2017 mandates organizations to disclose online breaches by notifying/reporting them to the Office of the Australian Information Commissioner;
- • Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 requires technolog)' companies to grant access to encrypted communications to specific law enforcement, intelligence and security agencies;
- • Criminal Code Amendment (Sharing of Abhorrent Violent Material) Bill 2019 for virtual content deemed abhorrently unacceptable.
As previously mentioned, state and territories also have additional legal provisions, notably around banning the transmission of material deemed unsuitable for minors.
As yet, there is no specific law relating to cybervvarfare, and the Australian legal community is still working on “anticipating potential legal issues that might arise” from it (ANU, 2019).
The current Minister for Home Affairs has recently put forward a proposal which, if approved, would give the Australian Signals Directorate the power to be involved in domestic work, something that has been mediatized as an effort to spy on the Australian people (Karp, 2019). This is still under consideration, but, if approved, would represent a significant development in the area of surveillance in Australian policy.
Cybercrime and cyberterrorism
In Australia, responsibility is shared between internal- and external-facing federal and state/ territory security and intelligence agencies, depending on the type of cyber issue, its scale, where it originates, whom it affects and how.
Broadly, whole-of-nation level cyberattack and potential acts of cyberwar would be dealt with by the Department of Defence. Under certain circumstances, the latter may be able to assist on a national level also (e.g., in case of a large-scale act of cyberterrorism, including on critical infrastructure) via the Information Warfare Division; though this assistance has not been required as of yet, discussion is taking place around provisions to facilitate such a maneuver (Borys, 2019).
Cybercrime and identity security, in terms of final responsibility, falls under the Department of Home Affairs as part of criminal justice; this is, however, only the umbrella organization for the frontline entities mentioned below (DHA, n.d.).
The Australian Federal Police deals with high tech crime (defined as including computer intrusions, unauthorized modification or destruction of data, and Distributed Denial-of-Service attacks among other elements), and provides overarching support and assistance when/as required to state/territory' police, as it is often otherwise deemed not to have jurisdiction to intervene, and moreover noting they all have their “own legislated computer-related offences which are similar to the Commonwealth legislation” (AFP, n.d.b).
The Australian Security Intelligence Organisation (ASIO) - under the Department of Home Affairs (ASIO, n.d.) — alongside the Office of National Intelligence (ONI) — under the Department of Prime Minister and Cabinet (ONI, n.d.) — gather and analyze relevant intelligence and data that underpins the work of law enforcement agencies in the terms of countering national cybercrime, cyberterrorism and cyberespionage.
The Australian Signals Directorate is a statutory entity that provides intelligence for, and supports primarily, the Department of Defence and Australia’s international partners in cy'ber endeavors (ASD, n.d.).
Though the ASD is an external facing entity, under it falls the Australian Cyber Security Centre (ACSC), a multi-stakeholder initiative for national cyber resilience, indeed a “hub for private and public sector collaboration and information-sharing, [which exists] to prevent and combat cyber security threats and to minimize harm to all Australians” (ASD, n.d.). The ACSC in turn oversees the Computer Emergency Response Team (CERT), which responds to cy'ber threats and incidents within Australia (ASD, n.d.).
The ACSC published the Threat Report 2017, detailing who was affected by cy'bercrime and divulging some alarming national statistics. It also provided guidelines for reporting and assistance that could be provided to affected stakeholders, as well as outlined and recommended pre-emptive cyber security measures (ACSC, 2017). Another such report has not come out since.
It is worth mentioning that thus far, Australia has not suffered major cyberattacks, be they deemed cyberterrorist ones or other. Although instances like the hacking of the Australian Parliament (Remeikis, 2019) or the Australian National University' (McGowan, 2019) are becoming more frequent, instances such as WannaCry malware attacks have been avoided.10
Cy'berspace has become a shaping means to society’s evolution — that is certainly' Australia’s case, just like most other nations. Malicious cyber activity is also an avenue to strike at society, and especially civilians on a large scale (e.g., social engineering in instances like federal elections), using methods that may not even initially' appear malign.
As previously' mentioned, Australia has not suffered a critical attack as yet, but has seen a staggering number of individuals and organizations breached, hacked or infected, to which most people did not know how to respond or did not have the means to, and, as such, Australia suffered considerable financial damage to its economy (ACSC, 2017).
The Australian Cyber Security Centre states it exists to provide “information, advice and assistance to all Australians” (ASD, n.d.), but building nation-wide cyber resilience is not an easy goal to reach, which is why it comes into focus in the Cyber Security Strategy (PMC, 2016: 4).
The ongoing societal debate around whether Australians value privacy or security more is illustrated in the previously mentioned recent outrage at the Minister for Home Affairs’ proposed more “invasive” legislation (Karp, 2019). Nevertheless, admittedly, the government can only go so far in protecting those who may not want that protection or disregard the risks, as shown by the enthusiastic uptake of Australian citizens in the controversial FaceApp, in spite of possible implications (Blau, 2019).
Nationally, people are becoming more interested in hearing about issues relating to cyber security, whether media-sensationalized or rationally analyzed. The Australian Strategic Policy Institute’s International Cyber Policy Centre, one of Australia’s leading think tanks, has an ever-growing following (as shown, for example, by their constantly increasing number of Twitter followers and commentators) (ASPI, 2019).
Similarly, in the private sector, lawyers and insurance firms, for example, are beginning to offer more, and diversified, services in this space.11 Technology, IT and cyber education is being developed at all levels, as well as in terms of research,12 and employers are (as is the case in most countries around the world) asking for more professionals to deal with the workforce shortage and skills gap (Pearce, 2018).
It could overall be said that although a threat will likely always have a negative impact, a positive implication for the likes of cybercrime and cyberterrorism is the fact that Australians are embracing the challenge, and growing increasingly aware and savvy, albeit slowly, and are taking the opportunity to play in the innovation space which these threats create.
In conclusion, Australia is making progress in terms of cyber security policy and legislation, as well as in its international involvement. Much change has occurred at structural level nationally in terms of government responsibility for cyber policy, legislation and security in the past five years. Some strategic movement in the cyber sphere can also be seen from a private industry perspective, as well as an educational and cultural one. The nation still has a way to go in comparison to some allies and contenders, however, given its resources, population, and typical federal government mechanism, it is “holding its own” as a middle power.
Importantly, Australia is presently at a unique East-West confluence; “for the first time in its history, Australia’s major trading partner, China, is an authoritarian state while Australia’s major security partner, the United States, is China’s strategic rival” (Spry, 2019). There is a prospect for Australia to redefine its cyber self with the 2020 upcoming cyber strategy, and focus in further on what can make a difference immediately, but also consider and address longer term implications — will the current government take this opportunity?
- 1 Eighty-three outcomes have been mentioned specifically, though some are not quantifiable (Hawkins & Nevill, 2017: 3).
- 2 The Australian Signals Directorate’s (ASD) baseline cyber mitigation strategies, which are not mandatory for government departments (Sadler, 2019).
- 3 Definitions and terminology around cyber in the other Five Eyes nations can be found here: United States of America (N1CCS, n.d.), Canada (CCCS, n.d.), United Kingdom (UKGov, n.d.), New Zealand (NZGov, 2019).
- 4 United Nations Group of Governmental Experts.
- 5 For an overview of Australia’s involvement with individual Pacific nations’ cyber capacity, see Spry, 2019.
- 6 See, the Strategy and the White Paper for further detail.
- 7 See, for example: (1) In Victoria, Classification (Publications, Films and Computer Games)
- (Enforcement) Act 1995 — Section 58; (2) In New South Wales, NSW Internet Censorship Bill
- 2001; (3) In South Australia, Classification (Publications, Films and Computer Games) Act 1995 - Section 75D.
- 8 Such as the Australian Parliament (2019), among others.
- 9 See, for example: (1) In Victoria, Classification (Publications, Films and Computer Games)
- (Enforcement) Act 1995 - Section 58; (2) In New South Wales, NSW Internet Censorship Bill
- 2001; (3) In South Australia, Classification (Publications, Films and Computer Games) Act 1995 - Section 75D.
- 10 Some have argued that insofar as WannaCry is concerned, Australia simply got lucky because of its time zone, and the fact that the devastating effects in the rest of the world were broadcasted mainstream by the time Australia woke up (Smith & Flan, 2017). It is unclear how the situation would have been dealt with exactly and by whom, should Australia have been affected to the extent other nations were.
- 11 Such as Sladen Law’s cyber practice offerings (SladenLegal, n.d.) and AIG cyber insurance (AIG, n.d.) among many others that did not exist a few years ago.
- 12 For example: (1) At primary and secondary level, the Technologies Curriculum was recently rolled out; (2) At professional training level, a national curriculum was developed for a Certificate IV in Cyber Security (AustCyber, 2019); (3) At university level, most universities now offer a program in tangent with technology or cyberspace (Austin & Slay, 2018); (4) Cyber Security Cooperative Research Centre (CSCRC) has been created with branches across Australia (CSCRC, n.d.).
Australian Government. (2020). “Australia’s 2020 Cyber Security Strategy.” www.homeaffairs.gov.au/ reports-and-publications/submissions-and-discussion-papers/cyber-security-strategy-2020
Hanson, F. (2019, September 10). “Australia’s Cyber Strategy, Version 2.0,” 77ie Strategist, Australian Strategic Policy Institute, Barton, Australia, www.aspistrategist.org.au/australias-cyber-strategy-ver sion-2-О/
Joiner, K. F. (2017). “How Australia Can Catch up to U.S. Cyber Resilience by Understanding that Cyber Survivability Test and Evaluation Drives Defense Investment,” Information Security Journal: A Global Perspective, 26(2): 74—84.
Leuprecht, C. & MacLellan, S. (ed.). (2018). “Governing Cyber Security in Canada, Australia and the United States,” Special Report, Centre for International Governance Innovation, Waterloo, Canada. www.cigionline.org/sites/default/files/documents/SERENE-RISCweb.pdf
Mikolic-Torreira, 1., Snyder, D., Price, M., Shlapak, D., Beaghley, S., Bishop, M., Harting, S., Oberholtzer, J., Pettyjohn, S„ Weinbaum, C., & Westerman, E. (2017, August). “Exploring Cyber Security Policy Options in Australia.” RAND, Santa Monaca, CA. https://nsc.crawford.anu.edu.au/ sites/default/files/publication/nsc_crawford_anu_edu_au/2017-08/issues_and_options_paper-3_2_0.pdf
ACSC. (2017). “ASCS Threat Report 2017.”
ACSC. (2018a). “Australia Maintains a Key Role in International Cyber Security Community.”
ACSC. (2018b). “Strengthening Cyber Security across the Pacific.”
AFP. (n.d.a). “Cyber Crime.”
AFP. (n.d.b). “High Tech Crime.” www.afp.gov.au/what-we-do/crime-types/cybercrime/high-tech- crime
AG. (n.d.). “International Law.”
AIG. (n.d.). “CyberEdge,” AIG Cyber Insurance, www.aig.com.au/business/products/financial-lines/ cyberedge
Ali, Z. (2018). “Mandatory Data Retention in Australia,” PrivacyEnd, www.privacyend.com/mandatory- data-retention-australia/
ANU. (2019). “Cyber Warfare Law,” Australian National University, ANU School of Law https://pro gramsandcourses.anu.edu.au/2019/course/LAWS8035 APH. (n.d.a). “Cybersecurity, Cybercrime and Cybersafety: A Quick Guide to Key Internet Links.” APH. (n.d.b). “National Security — Cybersecurity.”
ASD. (n.d.). “Cyber Security,” Australian Signals Directorate, www.homeaffairs.gov.au/about-us/our- portfolios/criminal-j ustice/cybercrime-identity-security ASIO. (n.d.). “What We Do,” Australian Security Intelligence Organisation, www.asio.gov.au/what- we-do.html
ASPI. (2019). “ASPI Cyber Policy,” Twiner. https://twitter.com/aspi_icpc?lang=en AustCyber. (2019). “TAFECyber Initiative - A Year in Review,” AustCyber. www.austcyber.com/ news-events/ tafecyber-initiative AustCyber. (n.d.). “Home,” AustCyber. www.austcyber.com/
Austin, G. & Slay, J. (2016, May 31). “The Australian Government Must Take Cyber Security More Seriously,” The Conversation, https://theconversation.com/the-australian-government-must-take- cyber-security-more-seriously-60231
Austin, G. & Slay, J. (2018). “Development in Training and Education for Australian Cyber Security: Filling the Gaps,” Journal of the Colloquium for Information System Security Education, 5(2): 1—27. Australian Government. (1995). “Criminal Code Act 1995.”
Australian Government. (2018). “Australia and New Zealand: Pacific Cyber Cooperation,” Minister for Foreign Affairs, Minister for Women.
Australian Government, (n.d.a). “Critical Infrastructure Resilience.”
Australian Government, (n.d.b). “What Is Cyber Security?”
Australian Parliament. (2019). “Review of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, Parliamentary Joint Committee on Intelligence and Security,” Parliament of the Commonwealth of Australia.
Barnett, K. (2019, April 8). “Censorship Is the Wrong Response to Christchurch,” Spiked-Online, www.
Bashfield, S. (2019). “Australia Needs a New National Security Strategy,” The Diplomat. https://thediplo mat.com/2019/02/australia-needs-a-new-national-security-strategy/
Belot, H. (2018, August 17). “Big Consultancy Firms Call the Federal Government ‘The Dairy’ because They Milk It for All It’s Worth, Inquiry Hears,” ABC News, www.abc.net.au/news/2018-08-17/con sultancy-bosses-quizzed-on-government-nickname-the-dairy/10132264 Blau, A. (2019, July 18). “Tried the Viral FaceApp Transformation? Here’s What Might Happen to Your Photo Now,” ABC News, www.abc.net.au/news/2019-07-18/faceapp-privacy-concerns-dampen- viral-challenge/11321728
Borys, S. (2019). “Senior Defence Figure Raises Concerns about Future Cyber Attacks - And the Scenario Costing Him Sleep,” ABC News.
Calic, D., Pattinson, M., Parsons, K., Butavicius, M., & McCormac, A. (2016). “Naive and Accidental Behaviours that Compromise Information Security: What the Experts Think,” Proceedings of the Tenth International Symposium on Human Aspects of Information Security & Assurance, HAISA. https://pdfs.semanticscholar.org/b553/7b5368c9e0955b82d3dd93fd3fe4d2bb8fl 1 .pdf CCCS. (n.d.). “Cyber Threat and Cyber Threat Actors.”
Chamas, Z. (2019, May 17). “Australia Vote: Concern about Islamophobia among Smaller Parties,” AI Jazeera. www.aljazeera.com/news/2019/05/australia-vote-concern-islamophobia-smaller-parties- 190517074521443.html
Commonwealth of Australia. (2017). “The Consititution - Amendments to the Administrative Arrangements Order.”
Crozier, R. (2019). “Govt Expands Socmed Crackdown Laws, Includingjail Time, to Internet, Content and Hosting Providers,” ITNews. www.itnews.com.au/news/govt-expands-socmed-crackdown- laws-including-jail-time-to-internet-content-and-hosting-providers-523352 CSCRC. (n.d.). “About,” Australian Cyber Security Cooperative Research Centre, www.cybersecuri tycrc.org.au/
DFAT. (2017). “Australia’s International Cyber Engagement Strategy.”
DFAT. (2019). “2019 Progress Report.”
DHA. (n.d.). “Cybererime and Identity Security,” Department of Home Affairs, www.homeaftairs.gov.
au/about-us/our-portfolios/criminal-justice/cybercrime-identity-security DHS. (2018). “Cyber Security Strategy 2018—22.”
Golbeck, J. (2014). “Why We Overshare Online,” Psychology Today, www.psychologytoday.com/au/ blog/your-online-secrets/201410/why-we-o vershare-online?amp Hardy, K. (2017). “Is Cyberterrorism a Threat?” Australian Institute of International Affairs, www.internatio nalaftairs.org.au/australianoutlook/is-cyberterrorism-a-threat/
Hawkins, Z. & Nevill, L. (2017). “Australia’s Cyber Security Strategy: Execution & Evolution,” Australian Strategic Policy Institute, Barton, Australia. https://i.nextmedia.com.au/Assets/ASPI_cy ber_security_strategy_review.pdf
Holding, M. (2018). “Australia Is Set to Future-Proof Its Cyber Foreign Policy,” Australian Institute of International Affairs, Deakin, Australia, www.internationalaffairs.org.au/australianoutlook/white- paper-cyber/
Huang, K. (2017, November 23). “Australia Looks for Balance to China’s Rising Power in lndo-Pacific Region,” South China Morning Post, www.scmp.com/news/china/diplomacy-defence/article/ 2121245/australia-looks-balance-chinas-rising-power-indo Karp, P. (2019, June 16). “Peter Dutton Confirms Plan to Create New Spying Powers Still Being Considered,” The Guardian, www.theguardian.com/australia-news/2019/jun/16/peter-dutton-con fmns-plan-to-create-new-spying-powers-still-being-considered Lohman, T. (2011, January 31), “Can Australia’s Internet Be Switched Oft, Too?,” Computer World.
McGhee, A. (2017, June 29). “Cyber Warfare Unit Set to Be Launched by Australian Defence Forces,” ABC News, www.abc.net.au/news/2017-06-30/cyber-warfare-unit-to-be-launched-by-australian- defence-forces/8665230
McGowan, M. (2019, June 6). “China behind Massive Australian National University Hack, Intelligence Officials Say,” The Guardian, www.theguardian.com/australia-news/2019/jun/06/china-behind-mas sive-australian-national-university-hack-intelligence-officials-say MOFA. (2019) “The 4th Japan-Australia Cyber Policy Dialogue Joint Statement.”
NICCS. (n.d.). “Explore Terms: A Glossary of Common Cybersecurity Terminology.”
NZGov. (2019). “New Zealand’s Cyber Security Strategy 2019.”
ONI. (n.d.). “What We Do,” www.oni.gov.au/what-we-do
Payne, M. (2019, March 12). “Marise Payne on Australia’s International Cyber Strategy,” Lowy Institute, Australia, www.lowyinstitute.org/publications/marise-payne-australia-s-international- cyber-strategy
Pearce, R. (2018). “$400 Million: The Cost of Australia’s Cyber Security Skills Shortage,” Computer World.
www.computerworld.com.au/article/650122/400-million-cost-australia-cyber-security-skills-shortage/ PMC. (2016). “Australia’s Cyber Security Strategy.”
PMC. (2017). “Australia’s Cyber Security Strategy — First Annual Update.”
Remeikis, A. (2019, February 8). “Australian Security Services Investigate Attempted Cyber Attack on Parliament,” The Guardian, theguardian.com/australia-news/2019/feb/08/asio-australian-security- services-hack-data-breach-investigate-attempted-cyber-attack-parliament Rothwell, D. & Crawford, E. (2017). “International Law: Is Australia a Good International Citizen?” Australian Institute of International Affairs, Deakin, Australia, www.internationalaffairs.org.au/austra lianoutlook/international-law-australia-good-citizen/
Ryan, P. (2019, July 17). “Huawei Protests 5G Mobile Phone Network Ban, Saying ‘Australia Can Trust Huawei,”’ ABC News, www.abc.net.au/news/2019-07-18/huawei-protests-5g-mobile- phone-network-ban/11320426
Sadler, D. (2018). “National Plan for Cyber Studies,” InnovationAus. www.innovationaus.com/2018/ 01/National-plan-for-cyber-studies
Sadler, D. (2019). “Govt Won’t Mandate Essential Eight, InnivationAus.” www.innovationaus.com/ 2019/04/Govt-wont-mandate-Essential-Eight
Schliebs, M. (2019). “Back Door to Access Data ‘Deliberately Left Open’,” The Australian, www.theaus tralian.com.au/nation/back-door-to-access-data-deliberately-left-open/news-story/9416da.34adac 9d6dcf24e 14c836d 1 b 15
Scully, T. (2016). “Cyber Security and the 2016 Defence White Paper,” Security Challenges Journal, /2(1): 115-126.
Shields, B. (2019, July 8). “Federal Police Accessed the Metadata of Journalists Nearly 60 Times,” The Sydney Morning Herald, www.smh.com.au/politics/federal/federal-police-accessed-the-metadata-of- joumalists-nearly-60-times-20190708-p52598.html SladenLegal. (n.d.). “Cyberlaw.” https://sladen.com.au/cyberlaw
Smith, P. & Han, M. (2017, May 14). “Wake up Call for Aussie Business after ‘Lucky Escape’ from WannaCry Ransontware Attacks,” Financial Review, www.afr.com/technology/wake-up-call-for- aussie-business-after-lucky-escape-from-wannacry-ransomware-attacks-20170514-gw4kbb Spry, D. (2019, March 24). “What Australia’s Cyber Strategy Means for Asia Pacific,” Govlnsider.
Stilgherrian. (2018, August 26). “Cyber Defence Goes Missing in Australian Cabinet Reshuffle,” ZSNel.
Stilgherrian. (2019a, May 6). “Australia’s Cybersecurity Chief Alastair MacGibbon Resigns,” ZDNet.
Stilgherrian. (2019b, April 16). “Australia to Keep Playing the UN Cyberspace Norms Game,” ZDNet.
Stuparu, A. (2016). “Australia’s New Cyber Security Strategy: A Critical Outlook,” The Interpreter, www.
lowyinstitute.org/the-interpreter/australias-new-cyber-security-strategy-critical-outlook Turnbull, M. (2019). “Statement to the House of Representatives on Cyber Security,” Prime Minister of Australia.
UKGov. (n.d.). “What Is Cyber Security?”
Vosloo, E. (2014, August 28). “Australia: A Cultural, Ethnic and Political Melting Pot,” Australian Times. Xiao, B. (2018, September 7). “The Complexities of Cyber Sovereignty in Chinese Airlines over Australian Skies,” ABC News, www.abc.net.au/news/2018-09-08/i-confronted-the-great-firewall- of-china-in-australian-airspace/10159900