Australia is "not adequately prepared" for a so-called "cyber storm", or multi-vector, multi-wave destructive cyber attack against the country's infrastructure. Nor is it making adequate investments to fix the problem.
That's the conclusion of the Research Group on Cyber War and Peace at the University of New South Wales (UNSW) Canberra Australian Defence Force Academy (ADFA). The group's newly-released discussion paper [PDF] is based on the discussions from the two-day Cyber Storm international conference in February.
The group is led by professor Greg Austin from UNSW Canberra Cyber.
"In several respects, Australia is already in a cyber storm while major powers are actively planning much more intense and wide-ranging attacks, perhaps a form of cyber blitzkrieg, in the event of war," the research group wrote.
At the conference, the Australian Defence Force (ADF) Head of Information Warfare, Major General Marcus Thompson, had warned that while Australia's cyber defences were "good", they might not be able to scale if faced with a large-scale attack.
The research group's conclusions are more pessimistic.
"The discussion ... does not allow any other conclusion than this: Australia is not adequately prepared for a cyber storm. It has not yet made adequate investments in a range of capabilities and human capital that would help the country prepare appropriately," their discussion paper said.
"There are several mitigating circumstances: Australia is not alone (no country is well prepared), a cyber storm is a low-likelihood event (so we may appear to have a certain luxury of time), and Australia simply lacks the research base in public policy aspects of complex cyber crises to inform government policy."
The research group identified "several worrying circumstances that they felt demanded prompt attention":
The research group recommended forming a National Commission for Cyber Civil Defence, "led by the private sector, supported by government, and with heavy representation from a wide variety of scholars".
"The logic behind the leadership of the private sector is that civil defence activities always fall heaviest on private actors," they wrote.
The group noted that the existing State Emergency Services could provide a suitable model for any new cyber civil defence corps or militia.
"The benefit of the SES model is that it brings together disciplined structures of command authority through a relevant Minister, the Commissioner, Zone Commanders, Local Commanders and Unit Commanders," they wrote.
"The current practice of appointing retired military commanders to Commissioner roles in some states also provides a useful pointer for cyber civil defence policy. In the current New South Wales SES Act, state police are subordinated to the SES Commissioner in the event of emergency."
The research group also recommended a wide range of research to inform the development of "a national cyber incident response plan that is far more detailed than anything in existence in Australia". They also suggested year-long inquiries by the powerful Parliamentary Joint Committee on Intelligence and Security (PJCIS), and the Senate Committee on Legal and Constitutional Affairs.
The idea of a cyber civil defence corps has been a slowly developing one over the last decade, with Austin as one of its key proponents.
A China expert, Austin previously noted that "China is exceptionally well placed to develop the most powerful and best-organised cyber militias in the world".
In 2012, emeritus professor Bill Caelli also suggested the formation of a cyber posse when circumstances demanded.
Caelli argued that police could simply enlist any technically adept citizens and form a posse to deal with the bad guys. Similarly, citizens could be conscripted into a militia, should the threat be more military in nature rather than criminal.
In 2016, the idea of cyber national service was proposed by security adviser James Turner, now head of CISO Lens.