Cyber must be part of all-hazards national resilience: Home Affairs chief

Australia should develop a national security response that addresses all vectors of risk to all sectors of society, but at the same time, it should not reinvent the wheel, according to Secretary Mike Pezzullo.

Cyber resilience needs to be part of a coherent "all vectors and all sectors" approach to national security, according to Mike Pezzullo, Secretary of Australia's Department of Home Affairs.

National security itself also needs to be discussed more broadly, he said. Not everything should become a national security problem, but he does believe in a whole-of-society approach to fostering resilience.

"I am in favour ... of emphasising concepts such as 'self-reliance' and 'sovereign capability' in national policy discourse, which would require the closer integration of security, economic, and social policy," Pezzullo told the National Security College in Canberra last week.

"We should logically separate the 'vector' -- whether it be an invading army, an enemy fleet, terrorists, saboteurs, cyber hackers, violent criminals, extreme weather events, or a global pandemic, and so on -- from the 'sectors' of society and the economy which are likely to be impacted, and which will need to be defended, mobilised, and/or remediated," he said.

"Relatedly, the logic and language of war in security thinking should be reduced to its proper and legitimate place, which is to say the field of armed conflict -- where it has enough to do."

Pezzullo's speech cited five centuries of political philosophy, among other things, to outline a conceptual framework for national security.

"Security is a means to an end. Its effects enable the pursuit of happiness and prosperity, which are the greater ends," he said.

"If one were to construct a national risk register, it would be immediately apparent that some are not 'national security' issues at all."

The speech also built on Pezzullo's March 2019 speech, "Seven Gathering Storms -- National Security in the 2020s", by listing an even greater range of potential risks that might arise in the coming century through to 2120.

Too long to include here, the list included: A Great Power war that might even go nuclear; weapons of mass destruction used outside a nation-state conflict; terrorism and politically-motivated violence; massive economic damage by transnational criminal networks; supply chain risks; a global pandemic; "the adverse consequences of advanced technology, especially artificial intelligence and synthetic biology"; natural disasters; and much more.

"This is an apocalyptic list to be sure," he said.

"Indeed, in relation to ways in which humanity might become extinct you will find arguable cases for the following scenarios, amongst others: A deliberately released, humanity-killing synthetic virus; super volcanic eruptions which block the Sun; the Terminator AI threat; a nuclear apocalypse; and, yes, the killer asteroid."

To face these risks, Pezzullo put forward the concept of an "extended state", which he described as a "networked and dynamic conception of security which comprehends sectors across society and the economy".

This extended state would include the "entire apparatus" of the Australian government, not just the core agencies. It would convene and coordinate activities with the state, territory, and local governments, and beyond.

That includes "the business sector, including finance and banking; food and groceries; health and medical services; transport, freight and logistics; water supply and sanitation; utilities, energy, fuel, telecommunications; the scientific and industrial research establishment; as well as non-for-profit and community organisations, including charities; and households as might be required".

It is the extended state that needs to respond to these vectors of risk, according to Pezzullo.

Such systems were built for counterterrorism (CT), for example, especially after the 9/11 terrorist attacks in 2001.

"The states and territories and others all had to mobilise around the prospect of mass-casualty attacks. We built a lot of depth and ballast in our CT arrangements, and they've been honed over about 20 years," Pezzullo said.

"They are fit for purpose for that vector and sector problem. They are not necessarily easily replicated [for other matters]."

A more recent example is Australia's response to the COVID-19 pandemic, where coordination between governments was handled differently, through the rapidly established National Cabinet.

"Let's not reinvent the wheel in relation, for instance, to cyber resilience," Pezzullo said.

"States and territories and indeed municipal governments... hold a lot of data. They manage a lot of sensitive networks, either directly or by way of infrastructure that they license through state utility arrangements and the like," he said.

"Don't just have a [single] sector response to a vector problem."

Home Affairs isn't 'tyrannical' or 'despotic'

Pezzullo responded to an audience question about authoritarianism and state secrecy by referring to the recent Parliamentary Joint Committee on Intelligence and Security (PJCIS) inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press.

"Let's have a sensible discussion," he said.

"Let's just be open and upfront that the notion that somehow the colleagues that I've just identified [in law enforcement and intelligence], myself included, are tyrannical, despotic, you know, plotting behind closed doors to oppress the Australian population were it only for, you know, the altruistic fourth estate [the media], is frankly just an exaggeration, a caricature, and a trope."

Agencies are under "Royal Commission-level coercive oversight every day" and that's "liberating", according to Pezzullo.

"You know what the rules are. A royal commissioner could roll into my organisation, into anything we're doing, at any time, and out whatever they want," he said.

"And that's frankly liberating because you go, 'Yep', you've got that self-restraining, self-censoring idea of you've got to do the right thing anyway and, if you don't, you're going to get caught anyway."

Pezzullo was speaking off the cuff so, to be fair, one shouldn't parse these comments too finely.

Nevertheless, your correspondent still wonders whether "Don't do bad things because you might get caught" is the best way to portray an organisational culture.

It's also unclear how this squares with the evidence given to Senate Estimates on Monday, where he was asked about the alleged cash-for-visa scheme that is currently being investigated by the NSW Independent Commission Against Corruption (ICAC).

When asked how the matter being investigated by ICAC sat when compared to the incidents seen within Home Affairs, Pezzullo said that "we see lots of things in the department".

"In fact, we see highly organised criminality. We see the loosely organised or casual opportunistic criminality. We see inadvertent either criminality or civilly sanctionable activity," he said.

"It's a constant enforcement and compliance activity."

Yet compliance hasn't always been Home Affairs' top strength.

An example of this was seen in February this year, when Home Affairs was savaged by PJCIS for its poor oversight of data retention laws. Also in the Home Affairs portfolio, Australian Federal Police officers were found in 2017 to have not fully appreciated their responsibilities in relation to those laws.   
