Viewed through the prism of military analogy, as is favoured by Home Affairs boss Michael Pezzullo, we’re 10 years into a global cyber war with no established defensive doctrine. Is cyber martial law the answer?
Cyber security is one concern shared by the government officials who have been demanding new powers to eavesdrop on encrypted messages, and those who oppose the legislation, or at least demand significant revision to guard against unintended consequences.
One major worry is that the legislation could in fact undermine cyber security: an eavesdropping capability built into a product for the use of law enforcement and security agencies is also a capability that others can find and abuse.
Legitimate concerns from the legal profession, IT and cyber security experts as well as civil rights and privacy advocates had only minor impact on the legislative process, compared to the views coming out of Australia’s national security establishment, which are broadly shared by their international colleagues.
Home Affairs secretary Michael Pezzullo has been front and centre, arguing that security agencies badly need the power to compel operators of encrypted communication services to help them intercept conversations between suspected criminals, and can do so in a way that does not compromise the products for other users.
Pezzullo believes the advent of the internet has brought about a new era of both opportunity and danger. On the one hand he thinks serious criminals and violent extremists are getting ahead of policing and security agencies thanks to encrypted messaging, but he also regularly warns that modern cyber attacks present a catastrophic danger as well.
If the critics of the new legislation are broadly right – and there are a lot of critics in this vein – the same agencies could find themselves responding to future acts of espionage, crime and even major cyber attacks they have inadvertently helped to enable.
In a statement this afternoon, Damien Manuel, who chairs the Australian Information Security Association (AISA), argued the new law “represents a direct threat to Australia’s national security on a number of levels” and could see agencies “create new avenues for cyber criminals and state sponsored actors to attack Australian businesses and critical infrastructure”.
“As security professionals we know this legislation will not affect criminals or terrorists as they have the means and the expertise to create their own tools and applications,” he adds. “While everyday citizens will have their privacy and security compromised, criminals and terrorists will simply move to establish a black market to share and distribute their own applications for encrypted communications which will be unaffected by the current legislation.”
Take back cyber reins from the technologists, academics and business
The Home Affairs secretary does not seem particularly worried about these possibilities, however, based on a recent speech on cyber security. He did not mention this concern or link the two issues but did say “a society-wide cyber-attack” was one of the two biggest threats on his mind – “a terrorist-borne nuclear, chemical, biological or radiological attack” being the other.
Speaking at Edith Cowan University during Western Australian Cyber Week, he argued that consultation and discussion with stakeholders was helpful but in the end, “the policy-maker and the strategist” had to make the final call in these matters.
“Cyber intrusions, cyber-attacks, and cyber warfare are transforming the geopolitical features of the global order more rapidly than strategic concepts and plans can be formulated and deployed,” he argues.
“Over the past decade, discussion (at least in the West) has been shaped by technologists, academics, businesspeople, and operational practitioners, from the private sector and from government.
“There is nothing wrong, of course, with inclusive discussion. Only good ever comes of intellectual diversity and wide dialogue, but absent the policy-maker and the strategist, discussion will only ever, in my view, stumble in the dark, without historical analogies, analytical constructs and other reference points to guide action.”
Threat vectors becoming exponential with ‘Internet of Things’
Pezzullo said his newly established department had developed a better combined understanding of all the different “threat vectors”, the traditional and the newer ones alike, than was previously possible. Much like Alastair MacGibbon, the department’s cyber security chief, he believes the consequences could be rather apocalyptic.
The risk of a large traditional attack is not necessarily easy to counter, but security agencies “understand it and know what to look for”, according to Pezzullo.
“Cyberspace could hardly be more different,” he said, warning the risk was growing all the time through new services and products like those embedded with mobile internet connections, referred to as the internet of things.
He says “cyber warfare and covert cyber activity” occur in a new space that confounds students of military and political history like himself, requiring them to develop public safety and security strategies based on “new thinking and new constructs” unlike those that made sense in the past.
“In cyber, everyone and everything is externally-facing and therefore connected to benefit and possibility, risk and threat. As the Internet of Things enmeshes human existence, the attack terrain will become planetary and therefore existential.”
A “viable and scalable security program” to deal with this does not exist, and will need to be “painstakingly” built, in his view, and without one, “all we are potentially doing … is purchasing and connecting the devices of our future enslavement to a dystopian world of cyber threat and harm.”
Online, he sees the chaotic “state of nature” of an ungoverned society described by Thomas Hobbes in the 1600s, but he is not sure that states can assert their sovereignty in cyberspace to maintain law and order under the traditional social contract, in which the state gives citizens a set of rights by enforcing a set of rules.
This brings Pezzullo to reveal more of his personal theory that perhaps 400-odd years of Western political philosophy has run out of answers [emphasis in original]:
“Hobbes referred to the sovereign state – ‘Leviathan’ of course – as all-powerful in keeping this public order. Who, or what, in this new ‘state of nature’ will be the Leviathan, which can legitimate public order and enforce that order, and thereby create the secure space for commerce, learning, culture, leisure, family life and so much more? In the cyber ‘state of nature’, does it even make sense to think of the ‘Leviathan function’ of the state?
“If it does not, then we have reached the frontier of a new political order, which will have to supplant that which has emerged over four centuries in the West.”
Pezzullo sees the interconnected online world as a place where the balance is tipped in favour of the antagonist, and “the hierarchy of geopolitical power which is generated in the physical world through geography, commerce, access to resources and military capability” loses relevance.
“Each acts against all, or at least against as many as might suit their interests or inclinations. Chaotic outcomes inevitably arise from the tangle of unforeseen consequences and unrestrained action in cyberspace.
“Rogue actors, often acting in concert with, or through, proxies and criminal confederates, can harm larger ones and—in experience hitherto at least—escape serious sanction. Some states are effectively issuing modern cyber ‘privateers’ the virtual equivalent of the old letters of marque, which in the days of sail gave their holders the assumed authority to prey on designated enemies at sea.
“The lack of consequences, and the negligible imposition of costs, for malicious conduct in cyber emboldens yet more malicious conduct—which is ever ratcheting up, with more brazen attacks in prospect, which will make the cyber-attacks of the past decade seem like the first dogfights between bi-planes in the earliest days of aerial combat.”
‘Rushed and politicised’
Even with such dramatic visions of cyber danger foremost in the Home Affairs secretary’s mind, he has steadfastly dismissed the concern, expressed by many experts and interested stakeholders about a highly technical and internationally unprecedented piece of legislation, that the new anti-encryption law could increase cyber risk.
So, it seems, have the government and the opposition. Both voted in favour of the legislation, despite being openly uncomfortable and uncertain about what its consequences might be, faced with the repugnant threat of being labelled friends of terrorists and paedophiles ahead of next year’s election if they did not.
The AISA chairman reflects the views of many others, both in his field and beyond, when he accuses the government of “politicising tragedy” and ignoring what it heard, loud and clear, through the consultation process. Prominent academic and commentator Dr Suelette Dreyfus also contributed to the organisation’s latest statement:
“The Government played political games with this Bill, rather than serving the very real security needs of the country,” Dreyfus argued.
“It deliberately ambushed the Parliament with a Bill riddled with major flaws; no one had time to read and analyse it in full. It released a 50-page list of 173 amendments just hours before ramming the ill-considered Bill through the Parliament. It ignored the technical and other expertise provided to the Parliamentary committee in 85 submissions.
“This is no way to make laws or public policy about a complex, fast-moving area such as cybersecurity.”
Law Council of Australia president Morry Bailes expressed general support for laws aimed at improving public safety but also felt the process left a lot to be desired.
“We now have a situation where unprecedented powers to access encrypted communications are now law, even though Parliament knows serious problems exist,” said Bailes.
“This is what happens when you compromise a committee process and allow the work of parliament to be rushed and politicised.”
Total war without end?
Towards the end of Pezzullo’s warning of impending cyber doom, he acknowledged that government agencies couldn’t manage these new and growing risks without help from all other sectors, including the IT security professionals whose concerns were largely brushed away in the push for ways to get around encryption.
“Of necessity, an open and continuous dialogue will need to be undertaken with a multiplicity of actors, where researchers, ‘white hat hackers’, cyber security vendors, infrastructure operators, legal experts, intelligence analysts, and others – including of course strategists, I would like to think, and security planners – will need to come together and hold discussions the like of which have not been seen in human experience,” he said.
“Cyber security is a unique mixture of activities – it brings together on the one hand the equivalent of road maintenance crews whose task it is to repair and maintain our highways, roads and streets, and on the other hand the virtual equivalent of the Special Air Service Regiment, and all manner of capabilities in between.”
The analogies with military history continue in the speech as Pezzullo’s main way to describe and understand this new frontier of national security and defence, where the “war room” that sets off the cyber-raid sirens might actually be inside a bank or energy supplier.
So do the dire warnings: that a continuous global cyber war on multiple fronts has been underway for about 10 years and the public are mostly ignorant of how serious it is. He suggests the danger of cyber attacks is up there with nuclear bombardment, and probably more likely, and says that attacks are going on, including in Australia, that are the digital equivalent of a hostile nation strapping bombs to the Sydney Harbour Bridge, but with “no established doctrine” for how to respond.
Appealing to the sectors that government just spurned
While never touching on the warnings from the IT industry and relevant fields of academia about the new digital eavesdropping legislation, the Home Affairs boss said these sectors generally should do more to help prevent a cyber catastrophe and not rely solely on government [emphasis in original]:
“I recognise that cyber security concerns are rightly shared among industry, government and academia. But to date, there has been too little action. We need manufacturers and providers to take their share of responsibility, and for consumers to make informed, responsible choices to ensure their own security.”
He argued there was no question that “an effective approach to cyber security will rely on broad cross-sectoral collaboration” and all organisations taking on clearer “roles and responsibilities within our national ecosystem” to play a role in protecting Australia.
“True engagement necessitates more than commercial dealings and industry needs to contribute to the broader mission – as partners, more than as vendors or individual businesses.
“One of the areas that requires greater partnership is in the creation of a trusted Australian ecosystem – for individuals, businesses and governments. To make that trusted ecosystem a reality, we need to better leverage all parts of industry and academia in partnership with government as part of a holistic national cyber security apparatus.
“We need to amplify the skills and capabilities of domestic industry by investing in both niche capability and specialised areas of focus. We need to grow a critical mass of sovereign capability so that all sectors have an Australian option for secure products.”
Providing secure products is going to be much harder, according to most of the IT industry, in light of the powers conferred on the agencies under his departmental umbrella via the latest national security legislation. The Law Council president is hoping it can be improved after Christmas.
“Next year, as well as passing the remaining amendments, the intelligence and security committee needs to be brought back into the frame to get these laws right,” said Bailes.
“The committee can ensure there are no unintended consequences, which could be to the detriment of us all.”
A transcript of Michael Pezzullo’s full speech is available from the Department of Home Affairs.