The new ACSC: a ‘reasonable illustration’ of a cybersecurity hub?
The government’s new Australian Cyber Security Centre — hailed as “the hub of the government’s cyber security efforts” and tasked with ensuring “Australian networks are among the hardest to compromise in the world” — will have no legislative basis, the government has revealed. In response to questions on notice from Greens Senator Scott Ludlam, the government indicated it would be making no legislative changes to establish or enable the operations of the centre.
The Centre was announced in January amid a flurry of claims from the government about the sinister threat of cybercrime to Australia. It was intended to be a joint operation involving personnel from the existing Cyber Security Operations Centre based inside the Defence Signals Directorate, the Defence Intelligence Organisation, the Australian Security Intelligence Organisation, the Attorney-General’s office, the Australian Federal Police and the Australian Crime Commission.
Since then, information has slowly dribbled out about how the centre will function. ITNews’ John Hilvert reported the centre would have no additional funding, personnel would continue to be accountable to their home agencies and the Department of the Prime Minister and Cabinet was still working out how the agencies’ wide variety of systems were going to work together.
The legislative issue is significant because the different agencies have different remits and restrictions, meaning the “centre”, to the extent it exists, will house personnel with different functions, different restrictions on what they are able to do and different managers to report to.
For example, the AFP has law enforcement powers that ASIO, Attorney-General’s office bureaucrats and Defence personnel do not, while Defence Signals Directorate staff are prohibited from gathering intelligence on Australians, and the AFP is subject to freedom-of-information laws while security agencies are not.
Based on current information, it appears the ACSC will be closer to a permanent inter-departmental committee meeting than a functional “centre”. However, the government also stated the centre:
“… will accommodate a range of needs — from Top Secret spaces for dealing with sensitive information, to unclassified areas for work with foreign governments and industry. A particular feature of the facility’s fit out will be that it will allow industry representatives to have the opportunity to engage closely with the Centre on everything from information sharing and training, to the development of effective response strategies.”
This alludes to a key logistical issue given the housing of the ACSC within the highly secure Defence Signals Directorate. “Unsecured” personnel have to be escorted, often by more than one person, when they are within DSD, which has an elaborate system of flashing lights to warn staff that an “unsecured person” is present; non-DSD participants in ACSC, such as federal police, will have to obtain a high-level clearance to work in the centre without constant supervision. The regular presence of industry representatives and foreign government agents would be a security nightmare for DSD — thus the “unclassified areas”.
The government has also blamed the AFP for the Prime Minister using a discredited industry claim about the cost of cybersecurity. In announcing the ACSC, the Prime Minister used a claim by security company Norton about the cost and extent of cybercrime. However, the figure had long since been debunked by Crikey: “The Department of the Prime Minister and Cabinet has consulted the Australian Federal Police, who consider that the figures on victims and cost quoted in the Prime Minister’s announcement present a reasonable illustration of the breadth of the cybercrime challenge.”
So, those discredited figures are now merely a “reasonable illustration”.
That’s more than you could say about the ACSC, which has no funding, no central leadership, no legislation and no clarity around different roles.