Cyber Research Centre labels Australia's counter-threat capacity 'relatively weak'

The centre's chair has called for an overarching capability that supports federal, state, and territory-based cybercrime-countering efforts, labelling current capacities 'relatively weak'.
Written by Asha Barbaschow, Contributor

Australia's Cyber Security Research Centre (CSRC) wants to see the creation of a country-wide agency responsible for countering cybercrime in Australia, proposing in a submission to a Parliamentary Committee a Commonwealth-led capability that supports federal, state, and territory-based efforts.

In a submission [PDF] penned by CSRC chair David Irvine -- who was formerly head of the Australian Security Intelligence Organisation (ASIO) and director-general of the Australian Secret Intelligence Service (ASIS) -- the CSRC said such a capability would supplement, rather than supersede, existing cybersecurity-related agencies or organisations.

"Australia's national capacity to counter threats and criminal activity using cyber investigative tools is relatively weak, uncoordinated, and dispersed across a range of agencies in both Commonwealth and state jurisdictions," the CSRC told the Parliamentary Joint Committee on Law Enforcement's inquiry into the impact of new and emerging information and communications technology.

"Countering cybercrime in Australia will be most effective when investigative support mechanisms are concentrated and coordinated on a national basis, utilising skills and technical capabilities developed in the national security area to strengthen law enforcement activity, and vice versa."

See also: Former ASIO head questions why political parties are exempt from breach disclosure

The CSRC has asked the committee to consider a single Commonwealth-led cooperative agency that would be responsible for providing "expert technical cyber investigative services" in support of legal law enforcement and national security investigations carried out by all agencies.

The proposed solution, according to the CSRC, would "support, rather that supplant or duplicate, the proper functioning of those agencies under their existing legislative and operational authorisation requirements".

It would also have a training function that would help develop national cyber resilience across the government, private, and individual internet-user sectors, the submission explains.

While unsure of where the agency would sit, the CSRC has suggested that the newly created Department of Home Affairs could house the capability, either as a separate entity or one associated with the Australian Cyber Security Centre or the Australian Federal Police and the Australian Criminal Intelligence Commission.

The capability, as recommended by the CSRC, should also have a close working relationship with the Australian Signals Directorate.

To staff the model put forward, individuals would be seconded from appropriate federal and state authorities.

Another submission [PDF] made by the Data to Decisions (D2D) Cooperative Research Centre (CRC) highlights the issues of a siloed approach to thwarting threats results in.

"Traditional capability development in the national security and law enforcement community has often been done within single agency walls and stove piped from other agencies who share like problems and like datasets," the D2D wrote.

"The mismatch between the rapid update of new technologies by threat actors and the less agile capability development activities in agencies will only increase unless new approaches to fostering capability development within the AIC [Australian intelligence community] and the LEAs [law enforcement agencies] are adopted."

According to the D2D CRC, which was established in 2014 with a AU$25 million grant from the federal government's cooperative research centres program, there is a need for better capability development across a broad range of security domains, including border security, financial intelligence, defence, counter terrorism, and cybersecurity.

"Cooperative relationships must be forged between national security agencies, agencies, academia, and industry partners to foster a culture of capability 'co-creation' where like technical needs are identified and addressed openly and in a collaborative manner," the D2D told the committee.

Similarly, the Australian Securities and Investments Commission (ASIC) is seeking law reform to allow the sharing of information between agencies, asking the committee to consider prescribing ASIC as a law enforcement agency to give the corporate regulator further pull.

In its submission [PDF], ASIC said it is supportive of law reforms that would "harmonise and enhance" its search warrant powers with those in the Crimes Act, such as allowing ASIC to operate or secure electronic devices.

ASIC also wants reform to grant it access to telecommunications intercept material to investigate and prosecute serious offences; allow it to obtain and share telecommunications data with its foreign counterparts, which ASIC said will help with, for example, the investigation of "dark web" activity facilitated by actors located overseas; and prescribe ASIC as a law enforcement agency in the Crimes Regulations 1990 for the purposes of Part 1AC of the Crimes Act.

ASIC is an independent government body that acts as Australia's corporate regulator. It considers itself a primary law enforcement agency in relation to corporations, financial services, and market misconduct, as it regulates corporations, managed investment schemes, participants in the financial services industry, and people engaged in credit activities under a number of Commonwealth laws.

However, ASIC's line of visibility can only go so far, and as there has been a shift away from the use of traditional telecommunications channels towards the use of communications and social media applications such as WhatsApp and Facebook for calls and instant messaging, traditional sources of telecommunications information accessible to ASIC, such as call charge records, are becoming "less and less useful".

"We have limited capacity to compel the providers of these other communication channels to provide us with data, particularly where the provider is located overseas," ASIC wrote in its submission.

"We are also unable to receive telecommunications intercept material (ie, from a live stream of the content of communications carried over a telecommunications service), as we are not an 'interception agency' under the relevant legislation."

ASIC said the growth in volume and complexity of data it receives has been increasing substantially over recent years, creating a number of challenges.

"There has been a rapid increase in mobile phone models and operating systems, and it can take up to 12 months for forensic analysis tools to support a new operating system or update," ASIC explained.

"It can take a long time to forensically acquire and process the data; significantly more storage capacity is required to house the data; and it can be difficult to effectively and efficiently analyse the data to identify relevant evidentiary material. Traditional review methodologies reliant on keyword searches and manual review are becoming less practical."

The committee is yet to set a publish date for its findings.


The laws of Australia will trump the laws of mathematics: Turnbull

Despite calling the laws of mathematics 'commendable', the prime minister of Australia told ZDNet the only law that applies in Australia is the law of Australia when it comes to legislating decryption.

Australia to get Cyber Minister as part of AU$240m cyber package

The government expects to fill 100 cybersecurity jobs in an announcement that claims Australia is in favour of an 'open and secure' internet.

Australia's bold plan for cybersecurity growth

Australian Cyber Security Growth Network has set its goals, fleshed out its board, and announced a detailed plan for success.

Ombudsman finds Australian Federal Police unaware of journalist metadata requirements

The Ombudsman's report has said AFP officers did not 'fully appreciate their responsibilities' when using metadata powers.

Almost AU$200m later, data retention most used for chasing drugs, not terror

The Attorney-General's Department has released a report detailing the opening months of Australia's data retention scheme.

Editorial standards