Australian government, spooks, and industry all on different cyber pages

Views on civilian cybersecurity's future differ widely, but does the Morrison government, and Minister Dutton in particular, have the clarity and clue to sort out the 'train smash' of legislation?

Michael Pezzullo, the powerful and ambitious Secretary of the Department of Home Affairs (DHA), wants vast new domestic powers for the Australian Signals Directorate (ASD). But reportedly they're not powers the ASD has asked for.

The thought bubble of extending ASD operations to domestic targets has been kicking around for a while now, despite attempts by Minister for Home Affairs Peter Dutton to hose down concerns.

Last week, The Saturday Paper reported that DHA is now "pushing ahead" with the proposal, although it's "expected to be presented as a joint submission from several departments whose portfolios would be affected".

The ASD already reaches out to the private sector through its Australian Cyber Security Centre (ACSC) of course. One example is when the agency discovered that a data breach at a small engineering firm in 2017 had leaked data on sensitive defence projects, including the F-35 Joint Strike Fighter.

But DHA's proposal goes much further. It would "potentially embed ASD within the corporate computer systems that run the nation's banks, telecommunications, and other critical infrastructure," and would "ultimately more deeply enmesh the agency within private-sector corporations," The Saturday Paper wrote.

"There is some frustration within ASD that it has been portrayed publicly as a voracious agency seeking ever-more intrusive powers, when it did not initiate the proposal."

Watch out for the Cyber Luftwaffe

Pezzullo doesn't see any of this as an overreach. He sees the cyber struggle as something that will transform the global order beyond recognition, and therefore something that must be met with a similarly large-scale transformation.

"Cyberspace challenges our historical models and all prior human experience," he said in a fascinating speech at Edith Cowan University last November.

"In traditional conflict and warfare, separable phases of peace, confrontation, and war can be discerned, even in the 'grey zone' of counter-insurgency and so-called hybrid warfare," he said.

"Cyber warfare and covert cyber activity exist, I would contend, on a different plane altogether, co-existing with and alongside war, confrontation, peace, hybrid conflict, and the grey zone."

Pezzullo's reference points included a "'cyber Maginot Line', the perils of a 'cyber Pearl Harbour', or the risk of a 'cyber Cuban Missile Crisis'," and more.

"In cyber war the first indication of the virtual equivalent of a Luftwaffe bombing raid might well come from the information security 'war room' of a major financial institution or a major energy supplier, which might, with appropriate authorities and immunities, cue the cyber Spitfires and Hurricanes of the Australian Signals Directorate," he said.

He stressed, however, that this could only happen "should the relevant legal and constitutional issues be first resolved through diligent and creative policy making and strategic planning".

But perhaps we already have too much cyber legislation.

Australia's 'train smash' of cyber laws

According to AustCyber Chief Michelle Price, the federal government is framing cybersecurity as a national security issue, and the series of legislation that has emerged over the past two years has only added to the confusion.

A key item is the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, referred to as the Assistance and Access Bill (#AABill) when it was in progress, but often now known as the TOLA Act.

It has been claimed that this encryption legislation has damaged the ability of Australian tech products to compete internationally.

"The TOLA Act attracted a huge amount of attention at the end of last year, and still continues to do so. But it is but one of a series of 10 pieces of legislation and regulation that impact directly Australia's cybersecurity," Price told media and analysts in Sydney on Tuesday.

"How much are we losing, from the innovation side of things and commercialisation opportunities, by having unknown and untold unintended consequences that are coming from what is a train smash of a legislative landscape?" she asked.

"We need to take a pause and understand the legislative regulatory standards and guidance environments that we've created for cybersecurity, but also for the rest of the economy, knowing that cyber security is the true horizontal, and recognise that yes we have made a few mistakes."

Where is the government consultation?

Telstra's national cybersecurity adviser Jennifer Stockwell, meanwhile, has warned against ignoring industry input, something that has been lacking in the development of the TOLA Act.

"Contrary to what we are starting to see as the prevailing narrative, you will find in talking to big businesses -- who are all talking to each other by the way in our cybersecurity teams -- that we really do care about the security of our customers and our systems and our services and our networks," Stockwell told Tuesday's gathering.

"We're very willing to consult, and to understand where government sees potentially the gaps in regulation and where they want to go with it, and to provide that balance as to what is technically possible and what would realistically have an impact for the security of the nation."

The following day her boss, Telstra chief executive officer Andy Penn, reinforced that point.

"The only way to look at cybersecurity is as a team," Penn told the National Press Club in Canberra.

"Large enterprises, small and medium businesses, government, we all have shared platforms, common customers, we are all the target of attacks. We all therefore play a role in keeping Australians safe -- it is a shared accountability," he said.

"Meeting this challenge therefore needs tight engagement between government -- who control national security policy -- and the private sector, where much of the technical innovation in cybersecurity takes place. Engagement on critical topics such as regulation in encryption, data retention, the operation of networks, interception."

Penn proposed a "permanent telecommunications critical infrastructure security committee", which would include the CEOs of major industry players and representatives from government and security agencies.

Where is Australia's cyber strategy?

Without a doubt, there are major gaps in Australia's cyber civil defence. Calls for a cyber civil defence organisation, perhaps a National Commission for Cyber Civil Defence, have continued.

But while the private sector and even the ASD talk about a team approach, by sharing information through the Joint Cyber Security Centre structure and elsewhere, DHA has proposed a much more intrusive approach.

Meanwhile, the government continues to draft legislation with little private sector input and zero interest in a broader community debate despite the outcomes affecting every Australian for years, or possibly decades to come.

So many players have called for a strategic approach, but where is it?

As I wrote last month, unlike Australia's previous Prime Minister Malcolm Turnbull, Scott Morrison doesn't seem to care about the cybers, and Dutton seems too distracted.

Meanwhile, The Saturday Paper says Pezzullo's proposal will "likely go before the cabinet's national security committee in coming months". Stay tuned.

Disclosure: Tuesday's discussion was organised by Aura Information Security.