Tom Burton: mish-mash of reporting threatens sensible security reforms


It’s possible the Home Affairs superministry didn’t go far enough, with cyber still out of the main game. What’s left is a classic bureaucratic compromise that in the end will work against the primary aim of better co-ordination against threats.

The amalgamation of various federal public safety agencies into a new Home Affairs portfolio is logical from an organisational design perspective. But the jumble of accountabilities, federated structures and organisational authorities means the desire to have a single-focus security and safety function are unlikely to be achieved in the short term. And the failure to fully integrate cyber into this new civilian administrative architecture leaves gaping holes in our domestic security regime.

In the lead up to yesterday’s Cabinet decision, portfolio ministers predictably defended their patches, while political reporters — equally predictably — interpreted the changes as the Prime Minister shoring up his leadership credentials with conservative Coalition MPs.

“For far too long we have hung onto notions of different specialised front line and intelligence agencies, well after the original argument for self-standing specialist agencies had faded.”

But, outside the beltway, the decision to bring the Australian Security Intelligence Organisation, the Australian Federal Police, the Australian Border Force and the Australian Criminal Intelligence Commission into one portfolio seems to me to be a sensible grouping of front line public safety agencies.

Building highly integrated public safety response and management is a global challenge for all governments, as they struggle with rapidly shifting economic and strategic forces, against a backdrop of major technology change and the emergence of what the L’Estrange intelligence review report calls “extremism with global reach”. This was the context for the Prime Minister’s decision to reset the federal government’s safety and security architecture and the concept of proactively moving to get the government’s house in order should be applauded, rather than be seen as yet another week of Canberra partisanship.  

The split role of public safety and legal advice in the Attorney General’s Department, has in my experience never been a comfortable marriage. Bow ties and battle dress are not natural bed fellows and it makes sense for the lawyers to refocus on bringing the archaic judicial system and the creaking Westminster regulatory system into the twenty-first century.

Operational policing, border gate protection and domestic intelligence and espionage fit more naturally as a group, but looked at with clean eyes I wonder why these agencies have not been merged, capturing back office efficiencies and finally removing what are basically historic divides. Politicians are innately scared of security and safety agencies, and for far too long we have hung onto notions of different specialised front line and intelligence agencies, well after the original argument for self-standing specialist agencies had faded.

But rather than take the opportunity to rethink what a modern federal safety agency could be, instead each agency is going to remain independent of each other, operating as a “federation” under the policy guidance of Peter Dutton’s new Home Affairs department. This is a classic bureaucratic compromise that in the end will thwart the primary aim of far better co-ordination against threats.

The same applies to the attempt to shore up cyber defences.

Blindsided by cyber activism

While no one likes to admit it, the Five Eyes alliance powers have been completely blindsided by the rise of cyber activism, including the US. A recent report of the Pentagon’s Defense Science Board could not be clearer: “The unfortunate reality is that, for at least the coming five to ten years (my emphasis), the offensive cyber capabilities of our most capable potential adversaries are likely to far exceed the United States’ ability to defend and adequately strengthen the resilience of its critical infrastructures.” The report concludes that barring major unforeseen breakthroughs in the cyber defence of civilian critical infrastructure, the US will not be able to prevent large-scale and potentially catastrophic cyber attacks by Russia or China. 

If the US — with all its technological and military might — is effectively naked against aggressive Chinese, Russian and North Korean cyber attacks, then the Australian government might as well simply cut the ocean cables which connect the internet, if it is truly serious about stopping bad international actors.

It was this reality which caused the Prime Minister to earlier this year declare cyber warfare as the new frontline: “This is the new frontier of warfare; it’s the new frontier of espionage.”

The government has already announced a thousand-strong new cyber military ops unit. Yesterday it accepted the recommendations of the L’Estrange review, to upgrade the Australian Signals Directorate to an independent authority, bringing it on par with ASIO and ASIS. ASD started out life intercepting phone and wireless communications for the ADF, but these days leads much of the Defence Force’s cyber activities. As the national cryptologic agency, L’Estrange argues it constitutes the critical mass of national expertise on cyber issues at a government level.

But ASD’s remit is rightly national security and till now they have had little interest in civilian cyber issues.

That is meant to be the role of  the Australian Cyber Security Centre, which at the behest of L’Estrange finally gets a public boss, with the Prime Minister’s cyber adviser, Alastair McGibbon, taking formal charge and to have singular accountability for cyber security in government.

The ACSC is an unorthodox beast, a virtual entity of co-located staff seconded from five different agencies who remain accountable to those home agencies. They are supported by ASD and occupy the uber secure new ASIO building in the Defence Russell precinct — the Ben Chifley building pictured above — but are now moving out to Canberra’s airport, to a bigger building with reduced security requirements. This will help attract staff who have been reluctant to go through the two year clearance process. And it will boost much-needed collaboration with the broader vendor and utility community, which has found the arduous clearance processes a show stopper when it comes to intel sharing. 

But rather than giving it a clear independent civilian mandate L’Estrange recommended the ACSC operate as part of a more independent ASD, arguing it was important for the ACSC to tap the capability of the ASD.

This seems short sighted. While the big agencies like ATO, DHS and Immigration have the capacity and resources to properly manage their own cyber security, there are over 900 other agencies, which frankly are relatively clueless on cyber security. Plus a whole gaggle of small to medium state agencies.

Hacks expose gaps in government capability

The recent hacking of the Bureau of Meteorology and the Census exposed the awkward reality of just how exposed most agencies are, and underlined the need for a well resourced central agency capable of servicing the long tail of agencies that have no or limited cyber defences.

Cyber defence is very much a team game and the 2016 Cyber Strategy identified the need to “civilianize” and open up the ACSC so it can more effectively collaborate with the broader cyber community. But instead of giving it a clear open mandate and accountability, the ACSC will remain formally accountable to the necessarily secretive world of Defence, but answerable to a separate dedicated minister. Governance for the ACSC is to come from the current Cyber Security Board chaired by the secretary of PM&C with its membership to be increased to include the new director-general of the Office of National Intelligence. That board is to also include CEO-level representatives of critical national infrastructure sectors such as telecommunications, health care, financial institutions, other services, energy, water and ports.

At the risk of trivialising, this all feels like a bureaucratic camel, when what is needed is an agile, tightly focused cyber agency, working very closely with other domestic civilian public safety agencies. And with the same large local infrastructure players the US Defense Science Board’s report identified as essentially lame ducks in any concerted national cyber attack.