The Prime Minister has warned that human operators or “warmware” represent the biggest cyber risk, as his government opens a new cross-agency cyber security body to focus on critical infrastructure and prepares to throw a few million dollars at cyber-defence outside Australia’s borders.
The new Critical Infrastructure Centre is required to deal with “complex and evolving national security risks” within the web of public and private organisations that deliver essential services like water and electricity, according to a joint statement from Attorney-General George Brandis and Treasurer Scott Morrison:
“With increased privatisation, supply chain arrangements being outsourced and offshored, and the shift in our international investment profile, Australia’s national critical infrastructure is more exposed than ever to sabotage, espionage and coercion.”
The CIC aims to work together with “all levels of government, owners and operators” of important infrastructure, and sits inside the Attorney-General’s Department. Its staff will come from the Australian Security Intelligence Organisation, Australian Signals Directorate, Treasury and other agencies, according to a journalist at The Australian who was briefed by government sources ahead of the announcement.
Ports, the water supply and electricity networks are the first priorities. Other kinds of critical infrastructure will be determined following talks with state and territory governments, industry and investors looking to buy into critical infrastructure. The CIC will produce a public discussion paper seeking additional views, and build a register of critical assets in high-risk sectors. Morrison and Brandis said:
“The Centre will develop coordinated, whole-of-government national security risk assessments and advice to support government decision-making on investment transactions. It will also provide greater certainty and clarity to investors and industry on the types of assets that will attract national security scrutiny.”
Emerging from a briefing with the Australian Signals Directorate on Tuesday morning, Malcolm Turnbull said he also feared foreign spies influencing Australian politics, and warned that all organisations should be more “alert” to the risk of human operators compromising information security, either by mistake or deliberately.
“This is the new frontier of warfare, it’s the new frontier of espionage, it’s the new frontier of many threats to Australian families, to governments, to businesses,” he said.
But there’s only so much government agencies and other organisations can do. Individuals need to think about the risk their own practices could pose.
“Awareness is the absolutely most important first step,” Turnbull said. “A lot of the vulnerabilities, as you will have seen, are because people do not follow good cyber practice. They open attachments from sources they’re not familiar with, they’re not sufficiently careful in the way they manage their passwords. They don’t, for example, use two-factor authentication with cloud-based applications, and so forth.”
Just last week, the Victorian government suffered a serious privacy breach caused by officers from the Department of Environment, Land, Water and Planning accidentally uploading the wrong attachment. The result: a long list of registered gun owners was sent to eight different recipients on separate occasions.
Now, the minister can’t say with complete certainty that the list is secure. All the department could do was call the police and the state privacy commissioner, ask the eight recipients to delete the files, and hope for the best.
Above politics? Not likely
The PM said the claim that Russia interfered with the United States political system “both in terms of hacking and in terms of seeking to influence the election through so-called fake news” had been accepted by “all sides” and was no longer politically controversial.
“Threats like this, from wherever they come, are of great concern to our nation, to our government, to me as prime minister,” he said, adding that all other political parties would get a briefing from public sector experts when Parliament resumes.
Turnbull said he wasn’t aware of any evidence that a foreign country had tried to swing an Australian election “in recent times” but that ignoring the possibility made the nation “more susceptible” to it. Ironically, some of the most well-known claims of a foreign power meddling with Australian democracy during the Cold War concern the US working against the Whitlam government in the 1970s.
Both Turnbull and his new Assistant Minister for Cyber Security Dan Tehan insisted profusely that their motives in making the announcement were above politics.
“We have state elections coming up this year. We have to make sure that they are protected, that when Australians go to vote, they can have confidence that there is no compromise of our electoral system and our democratic process,” said Tehan.
But hours before the press conference even began, the opposition had already raised questions about the real purpose of the twin cyber security announcements, particularly the advance briefings about them that government sources gave to journalists at The Australian.
Shadow Attorney-General Mark Dreyfus sent a letter to Turnbull accusing the PM of taking “the exact opposite approach” to the longstanding convention that politicians don’t discuss intelligence activities and “specific security vulnerabilities” in public. He said:
“I am very concerned that this issue has been publicised by you directly, including highlighting specific agencies, their functions, and target areas considered as vulnerable.”
While Dreyfus wrote there was “no reasonable purpose” for the publicity, the PM said the announcements aimed to raise awareness, thereby improving Australia’s cyber security, and dismissed Dreyfus’s concerns as political opportunism.
“The reality is every Australian government has sought to raise awareness of cyber vulnerabilities — my government more than its predecessors, both Labor and Liberal, but that is a function of the nature of the times,” the PM said.
“But this has always been a risk and we have always set out to make people aware of the risks because unless they’re aware of the risks, they won’t take the measures to protect themselves.”
DFAT reaches out to the region
The Commonwealth is also looking outwards to align its cyber security efforts with those of regional neighbours through a diplomatic program run by newly appointed Cyber Ambassador Tobias Feakin, who is well known for his work with the Australian Strategic Policy Institute.
The Cyber Cooperation Program offers grants of up to $100,000 to projects that aim to assist the cyber security efforts of other governments in the Indo-Pacific region, with a preference for public-private partnerships.
An information pack for bidders explains the program supports a pledge to “ensure that our cyber engagement advances our security and economic interests; and to advocate for an open, free and secure future for the internet”.
The guidance note shows a diverse range of projects could win the funding, as long as they fit into one of four thematic areas: Raising Cyber Security Capability and Awareness; Combating Cybercrime ‘Safehavens’; Digital Economy and the Online Delivery of Government Services; and International Cyber Policy.
Projects will generally run for two years and link with other development assistance programs that aim to help countries in our region improve their law enforcement and judicial systems.