The Prime Minister has flagged “potentially devastating cyber-attacks” as a priority in the government’s new National Security Strategy and announced the establishment of new “Australian Cyber Security Centre” to combine existing cyber security functions across Attorney-General’s and its agencies the AFP, the Australian Crime Commission and ASIO, and Defence.
Launching the strategy in a speech this morning, the Prime Minister warned that “malicious cyber activity will likely be with us for many decades to come, so we must be prepared for a long, persistent fight” and that the government would “work closely with industry and international partners to develop a set of global ‘norms’ for online behaviour.”
The strategy, posted belatedly by the Department of Prime Minister and Cabinet states:
“The growing number of malicious cyber incidents has juxtaposed the dangers of a hyper-connected world against the considerable economic and social benefits afforded by the Internet. Our national security and law enforcement agencies are now focusing more urgently on how best to combat cyber-based threats, but not at the expense of Australians’ privacy and the broader benefits the online environment brings …
“Foreign intelligence services and criminal organisations can use the Internet to infiltrate systems, extremists can more easily coordinate, communicate and radicalise, and the Internet can be a means to promote hate and division among community groups.”
The establishment of a new cyber security agency in particular raises significant questions because it would combine a variety of different roles and personnel operating under different remits and laws: ASIO officers, for example, have very different functions and restrictions compared to the Australian Federal Police, while Defence’s primary civilian cybersecurity role is currently provided via the Defence Signals Directorate’s Cyber Security Operations Centre, which acts as the government’s in-house cybersecurity watchdog and coordinates responses to major cyber attacks. The DSD is currently not permitted to gather intelligence on Australians.
The strategy also speaks of “international cooperation in the investigation of cybercrime offences, including through our accession to the Council of Europe’s Convention on Cybercrime”. Legislation for Australia to accede to the cybercrime convention was passed last year and, among other things, enabled foreign governments to demand the retention of information of Australians’ internet usage.
The government currently has over 40 proposals to expand national security laws up for consideration by a parliamentary committee, many of them revolving around increasing law enforcement and intelligence agency powers to monitor and record Australians’ internet usage. The committee’s report has been delayed beyond the end of 2012.
Cybersecurity was one of three priorities identified by the Prime Minister in her speech. The first was effective partnerships both domestically and internationally aimed at more efficient use of resources. “The National Security Decade was a time of rapid ramp-up in resources,” she said, referring to the post-9/11 period. “Now, inevitably, we are in a period of consolidation and we need to get the most value out of every dollar expended. ”
The third priority was “enhanced regional partnerships”, though clearly anchored in our support for the United States, specifically singled out as “our ally” by Gillard, compared to “China, Indonesia, India, Japan and Korea”, with whom she said we are “building deeper relationships.”
The strategy also flags greater information sharing across not merely government but with the private sector, saying:
“National security agencies must be able to manage and share information securely and quickly with domestic and international partner agencies. More information sharing is also needed between government and business to create a common national risk picture and focus our collective efforts.”
The Prime Minister’s rhetoric about cybersecurity matches increasing efforts from other western governments to portray cybercrime, “cyberwarfare” and “cyberterrorism” as imminent threats not just in economic terms, but as possible sources of mass casualty attacks. Such efforts are frequently used as justification for laws extending government control of critical infrastructure (one of the Australian government’s 44 proposals) and curbing online privacy, as well as increased funding for cybersecurity companies at a time when other defence contractors are dealing with more austere fiscal environments.
Examples of how claims of potential “mass casualty” cyberattacks have proven false are easy to track down.
As a number of sceptics have pointed out, much of this hysteria involves conflation of a range of quite separate threats, from old-fashioned espionage, to fraud, to actual terrorism, to online activism. This also raises questions about the remit of any new cyber-bureaucracy, given it will potentially be dealing with everything from spying to credit card theft to terrorism and activism.
The Prime Minister’s rhetoric about developing “global norms” for online behaviour also echo the rhetoric of other governments, most notably France’s then-president Nicolas Sarkozy, who in 2011 claimed the internet freedom advocates believed the internet to be “a parallel universe, freed from the rule of law“. In fact, the online world has norms, and many of them; they are simply norms that governments and corporations dislike, because they are norms that reflect the reality of easy, rapid distribution of information and global interconnectedness, rather than the norms of centralised control.