Australian Government Cyber Security Review
The National Security College is hosting expert consultations for the Australian Government’s Cyber Security Review. A workshop on 30 March addressed the challenges of developing policies to secure Australia’s interests in the cyber world of tomorrow.
On 27 November 2014, the Prime Minister announced the Australian Government would undertake a review of Australia’s cyber security policies and strategies. The Cyber Security Review is due to be delivered to Government in mid-2015. This will be followed by a public strategy providing practical initiatives for improving Australia’s cyber security. The Review will set out ideas on how the Government, industry and academia can better work together to make our online systems and internet connected networks more resilient against cyber attacks.
To find out more about the review visit the website.
The workshop held on 30 March 2015 brought together academics from strategic, policy, legal, ethical and technical fields to meet with government officials involved in the review. The participants considered the following key issues:
- Are Australia’s cyber security architecture and capabilities appropriate to meet the challenges of the future?
- How can our cyber security settings, legislation and policies support our economy?
- How can we support the development of international norms and/or laws that meet Australia’s cyber security interests?
NSC Workshop Discussion Paper
The reach of cyberspace is extending further into our daily lives. Its touch is no longer virtual: we can wear internet-enabled devices on our wrists, carry them in our pockets, pack them into our bags and set them up on our desks. Cyberspace ceases to be a virtual environment when it shapes our physical world and our daily lives. It obviously has the power and capacity to shape us – indeed, we must remind ourselves that we too can shape and alter the character of cyberspace, given that it is a constructed environment. Given our interdependent relationship with technology we must ask ourselves the ‘big questions’: what are Australians at risk of in this ubiquitous environment? And how can these risks be leveraged to our collective advantage both in terms of national security and economic prosperity? These are the overarching themes of the Policy Workshop.
Cyber is now an established top-tier national security priority. The cyber problem is not new, nor an emerging challenge to the security and prosperity of Australia. In 2009 the Australian Government released its Cyber Security Strategy, guided by the principle of enhancing our online trust and confidence. Six years on, cyber is cemented as a strategic pillar of Australia’s national security architecture. The security of cyberspace is at the core of creating both trust and confidence in the digital environment so that every individual, business and government may flourish.
The linkages between the Australian economy and the digital environment are inextricably coupled. The resulting digital economy is a source of national prosperity as well as a source of insecurity. These same networks are vulnerable to exploitation bringing with it compromise of intellectual property and other sensitive commercial data. This has the potential to undermine Australians’ confidence in the digital economy. Cyber security is therefore not just an issue of national security but one of economic security. For this reason, it is foreseeable that these linkages will affect both national security policy and economic policy in unique, yet interconnected ways.
Whilst the intractable national security and economic policy problems of cyberspace are not new, there is widespread acknowledgement that cyberspace is constantly evolving in complexity, scale and sophistication. The novelty that we see in the environment is due to the dynamic evolution of the technical layer of cyberspace: the bits and bytes. Policy challenges are not impervious to the whims of technical change, variations in computer protocols or the unpredictable advances of innovative technologies. Yet there is a need to simultaneously recognise the malleability of cyberspace at the technical layer, whilst keeping our eyes fixed upon the higher-order policy problems. Some of the most pertinent challenges include information sharing, the architecture of cyber security within the national security community, ensuring best practice is incentivised, and the establishment of norms for responsible state behaviour in cyberspace. These policy challenges are elaborated below.
Cyber security architecture and capabilities
The architecture of cyber security in the Australian Government has altered since the previous review. There are two notable additions to this space:
- The Australian Cyber Security Centre (ACSC); and
- The Australian Cyber Online Reporting Network (ACORN).
The evolution of current roles and responsibilities for cyber security amongst Government agencies has been a piecemeal process, funded from existing budgets both within and outside the national security community. Academic institutions and the private sector have a role to play in the whole-of-nation approach to cyber security. The question remains whether or not the current structure best serves trust and confidence in cyberspace, and whether or not the current roles and responsibilities for cyber security in Australia need clarifying or updating.
Another potential addition to Australia’s cyber security architecture and capabilities could be the establishment of a national cyber security reserve, a new kind of reservist. A national cyber security reserve, involving creative work arrangements and flexible exchanges with private industry, would transform traditional notions of what ‘soldiering’ is about, and what new generations with new skills can do for their country. The UK experience of a pilot project along these lines is worth close attention. Key questions would involve identifying the right talent, ensuring flexible work arrangements with the private sector, providing suitable security clearances and adapting the work culture of the national security community – including the ADF – accordingly.
The economy and cyber security
Economic policy is closely coupled with cyber security policy, since Australia’s digital economy thrives on the free flow of capital, trade and ideas through a secure cyberspace. Preventing cybercrime, securing small and medium sized businesses (SMEs) and stymieing the loss of intellectual property to adversarial competition can be partly achieved through effective cyber security policy. It is a challenge that requires a coherent, integrated approach – led by government, but working in close partnership with the private sector – that seeks to address the strategic vulnerabilities of an increasingly hostile online environment.
Information sharing in the context of cyber security is the ability of domestic and international governments, firms and individuals to communicate timely advice on cyber threats amongst one another in order to protect, shield and harden cyber defences.
Information sharing can also fulfil a governance role through existing legislation. Policymakers may need to consider how this governance function, as well as other structural and legal challenges, may affect cyber threat information sharing. In Australia, it raises the question of whether there should be legal protections for private entities sharing information about cyber threats, vulnerabilities and breaches. The reporting of this data to the rest of the market would have an immediate and real impact, which requires further consideration. There have been calls for organisations that share information with government to be afforded a degree of regulatory ‘safe harbour’ for their actions. However, for this safe harbour to be effective, the regulatory and legislative penalties associated with data breaches may need to be strengthened.
Insurance, incentives and markets
A thriving cyber security insurance market could mitigate losses from certain types of cyber incidents and it can help reduce the number of low-level attacks. It may also act as a demand side driver to improve a business’ cyber security posture through reduced company premiums based on their level of self-protection.
Empowering markets to identify and reward effective cyber risk management can help to achieve best practice in cyber security. Once a robust actuarial framework is developed, it can help customers, investors, auditors and insurers to make judgements about how well firms are managing their risk in cyberspace. Whilst the UK and US have already considered such schemes, it is worthwhile evaluating this market mechanism in the Australian context.
Legislation, standards and guidelines
Australia has a comprehensive cyber security legal framework that is set out in Commonwealth, State and Territory legislation. Some of the key elements include:
- Criminal Code Act 1995 (as amended by the Cybercrime Act 2001);
- Telecommunications (Interception and Access) Act 1979;
- Spam Act 2003;
- Telecommunications Act 1997; and
- Privacy Act 1998.
All Australian corporations are also covered by the Corporations Act 2001, which sets out a company director’s obligations to manage risks, including cyber security risks. Australian businesses are also affected by other jurisdictions’ obligations to disclose cybersecurity risks and incidents. As an example, the United States Securities and Exchange Commission published Disclosure Guidance on cybersecurity in 2011 that applies to any Australian company listed on an American stock exchange.
Whilst cyberspace extends into the domestic sphere of affairs, it also opens Australia’s border with all other digitally connected countries, albeit virtually. This questions the appropriateness of existing legislation and regulations to serve Australia’s security in cyberspace. Perhaps there are new pieces of legislation or regulation that need to be considered, like the current data retention laws. Additionally, striking the right balance between standards and self-determination is a challenge that requires debate, especially in light of individual privacy concerns online.
Establishing norms of behaviour
Leadership on the development of norms of responsible state behaviour in cyberspace is required to reduce the frequency and severity of unrestrained cyber activity amongst international actors. States are combining national power with technical capability to compete against one another in terms of cyber power. The application of international law in cyberspace goes some way to establishing norms of behaviour in cyberspace. There is a need for confidence building measures in order to build understanding, confidence and cooperation between states.
From an academic perspective, the problem of analysing effective norms of behaviour and confidence building measures is constrained by the limited number of historical examples. This raises the question of how to effectively evaluate these emerging norms and constructively critique them, whilst road-testing new ideas that might better serve cyber security.