The key message from the government on cybersecurity is that we all need to be very afraid — so afraid that we don’t need to know too much about what extra powers are to be given to security agencies to “defend” Australians.
After months of delay, yesterday the government finally released its new cybersecurity strategy, developed by the Department of Home Affairs.
The Department of Home Affairs itself has a shocking record on cybersecurity: it has been repeatedly criticised over several years by both the Australian National Audit Office and parliament’s Joint Committee of Public Accounts and Audit for failing to comply with the Australian Signals Directorate’s (ASD) cybersecurity mitigation strategies.
In 2017, the department told the committee it would not be “technically” compliant until June 2020. Today it refused to reveal whether it met that promise. Surely the department that has “primary responsibility for delivering the strategy” isn’t non-compliant with the mitigation strategies at the core of the strategy?
Or perhaps it’s apt given portfolio minister Peter Dutton, who famously privately lunched with now banned Beijing-linked billionaire Huang Xiangmo, graces the strategy with his picture and foreword.
The tone of the new strategy is melodramatic, if not hysterical. “Cyber criminals” are “infiltrating systems from anywhere in the world, stealing money, identities and data from unsuspecting Australians,” the strategy claims. “They are taking advantage of COVID-19 to target families and businesses, including health and medical research facilities. And they are hiding on the dark web to traffic drugs and other illicit goods, and share abhorrent images of child abuse.”
Child abuse is mentioned frequently in the document, though not as frequently as the “dark web”, which is mentioned more than a dozen times. What’s the dark web? “The dark web is the part of the internet that allows its users to remain anonymous.” Like, erm, Twitter and the comments section of most media websites.
Anonymity is a great evil, cited over and over, along with encryption. “Encryption and anonymising technologies allow criminals, terrorists and others to hide their identities and activities from law enforcement agencies.” Accordingly, law enforcement’s “ability to tackle the volume and anonymity enabled by the dark web and encryption technologies must be enhanced”.
You get the message. Anonymity and encryption are only used by paedophiles and terrorists. Not, say, journalists, lawyers, politicians, campaigners, businesses — people who not merely legitimately have something to hide, but whose job it is to have something to hide.
What evidence is offered to support the strategy’s claim of a “growing” cyber threat? “In 2019, one in three Australian adults were impacted by cyber crime,” the strategy says. The basis for that claim is a survey by Norton, which does not at all have a financial interest in encouraging cybersecurity concerns.
How does Norton define cyber crime? Check its list, and you’ll discover that, after a long list of actions like identity theft, malware and phishing, comes “stalked, bullied or harassed online”. Undoubtedly crimes in some contexts, but a near-universal experience for anyone active on social media.
In response, the government proposes to pump more money into security agencies — $1.67 billion, albeit over 10 years. The big winner is the ASD, which will receive $469 million extra to “recruit 500 additional intelligence and cybersecurity personnel”.
The ASD will also be given “new powers proportionate to the consequences of a sophisticated and catastrophic cyber attack” to “ensure the Australian government can actively defend networks and help the private sector recover in the event of a cyber attack. The nature of this assistance will depend on the circumstances, but could include expert advice, direct assistance or the use of classified tools”.
This means that ASD will be given powers to “help” the private sector by entering corporate IT systems under the guise of providing “direct assistance”.
Remember that one of ASD’s primary jobs, like that of other intelligence agencies such as ASIS, is commercial espionage. That’s why ASD famously spied on Indonesian trade negotiators to benefit US corporations. The proposed expansion of powers by the government will mean that ASD can force its way into corporate IT systems, under the pretext of defending against cyber attacks, enabling it to vacuum up corporate and personal information on Australians in huge volumes.
Companies from non-Five Eyes countries operating in Australia, such as European defence firms, will offer a particularly lucrative target for commercial espionage, which will then be available to share with US companies.
As the above wording indicates, however, the proposal for these powers is extraordinarily vague. Indeed, the whole document is nebulous about specific implementation of the strategy, loaded with pabulum about “allowing businesses and the community to achieve greater national cybersecurity resilience so Australia can take advantage of the opportunities of an increasingly digital economy”.
One area of particular vagueness is where, exactly, all these additional cybersecurity workers are going to come from, despite the insightful observation that “a strong workforce of skilled cybersecurity professionals is a key enabler of Australia’s digital economy”. There will be a Cyber Security National Workforce Growth Program, though only $40 million is set aside over 10 years to grow the industry workforce.
That’s commendable, at least as a start. But Australia relies heavily on migration for its IT workforce. Software engineer was the most common occupation for temporary skilled visa applications in 2019, according to Home Affairs, and makes up more than 5% of all temporary visa applications. Developer programmers make up more than 3%.
The challenge for the government isn’t growing the industry workforce. With our borders sealed, the problem is avoiding losing hundreds of temporary workers a year that are crucial to the sector.