Australia is "not adequately prepared" for a so-called "cyber storm", or multi-vector, multi-wave destructive cyber attack against the country's infrastructure. Nor is it making adequate investments to fix the problem.
That's the conclusion of the Research Group on Cyber War and Peace at the University of New South Wales (UNSW) Canberra Australian Defence Force Academy (ADFA). The group's newly-released discussion paper [PDF] is based on the discussions from the two-day Cyber Storm international conference in February.
The group is led by professor Greg Austin from UNSW Canberra Cyber.
"In several respects, Australia is already in a cyber storm while major powers are actively planning much more intense and wide-ranging attacks, perhaps a form of cyber blitzkrieg, in the event of war," the research group wrote.
At the conference, the Australian Defence Force (ADF) Head of Information Warfare, Major General Marcus Thompson, had warned that while Australia's cyber defences were "good", they might not be able to scale if faced with a large-scale attack.
The research group's conclusions are more pessimistic.
"The discussion ... does not allow any other conclusion than this: Australia is not adequately prepared for a cyber storm. It has not yet made adequate investments in a range of capabilities and human capital that would help the country prepare appropriately," their discussion paper said.
"There are several mitigating circumstances: Australia is not alone (no country is well prepared), a cyber storm is a low-likelihood event (so we may appear to have a certain luxury of time), and Australia simply lacks the research base in public policy aspects of complex cyber crises to inform government policy."
The research group identified "several worrying circumstances that they felt demanded prompt attention":
- What precisely are the responsibilities of the three different layers of government in Australia (federal, state, and local) in cyber civil defence and what will they not defend?
- What is the role of the ADF in defence of the "homeland" in cyberspace, a question complicated by the fact that key Australian information assets are outside the territory of Australia?
- How do the Australian government agencies and security forces defend civilian infrastructure in the absence of a civil defence organisation?
- How should Australia better respond to aggressive and malicious activity in cyberspace that targets civil assets but which falls short of the legal definition of armed attack?
- How do we elevate the awareness and education of the Australian population as "combatants", albeit unwitting ones, in cyberspace?
- What is the best model from international experience for effective high intensity collaboration across government, industry, and citizens in the event of a national cyber crisis?
- How do we build a full-spectrum capability across information operations, cyberspace operations, and electronic warfare (including through the fusion of technology and social or political consideration)?
- How do we define and maintain sovereignty in a globalised cyberspace?
- How do we achieve information advantage through advanced technologies, like artificial intelligence, machine learning, and behavioural analytics?
- How will technological, political, and doctrinal changes in the coming decades affect any of the above?
The research group recommended forming a National Commission for Cyber Civil Defence, "led by the private sector, supported by government, and with heavy representation from a wide variety of scholars".
"The logic behind the leadership of the private sector is that civil defence activities always fall heaviest on private actors," they wrote.
The group noted that the existing State Emergency Services could provide a suitable model for any new cyber civil defence corps or militia.
"The benefit of the SES model is that it brings together disciplined structures of command authority through a relevant Minister, the Commissioner, Zone Commanders, Local Commanders and Unit Commanders," they wrote.
"The current practice of appointing retired military commanders to Commissioner roles in some states also provides a useful pointer for cyber civil defence policy. In the current New South Wales SES Act, state police are subordinated to the SES Commissioner in the event of emergency."
The research group also recommended a wide range of research to inform the development of "a national cyber incident response plan that is far more detailed than anything in existence in Australia". They also suggested year-long inquiries by the powerful Parliamentary Joint Committee on Intelligence and Security (PJCIS), and the Senate Committee on Constitutional and Legal and Constitutional Affairs.
The idea of a cyber civil defence corps has slowly developing one over the last decade, with Austin as one of its key proponents.
A China expert, Austin previous noted that "China is exceptionally well placed to develop the most powerful and best-organised cyber militias in the world".
In 2012, emeritus professor Bill Caelli also suggested the formation of a cyber posse when circumstances demanded.
Caelli argued that police could simply enlist any technically adept citizens and form a posse to deal with the bad guys. Similarly, citizens could be conscripted into a militia, should the threat be more military in nature rather than criminal.
In 2016 , the idea of cyber national service was proposed by security adviser James Turner, now head of CISO Lens.