Australia’s cybersecurity approaches have been brought back into the public eye with the recent passing of the Telecommunications and Other Legislation (Assistance and Access) Bill, better known as the AA Bill. The Bill, which has been met with widespread domestic and international criticism, seeks to force technology companies to provide law enforcement access to encrypted communications. Many have lashed out at these new powers, suggesting that it could jeopardise existing cybersecurity measures and threaten Australian technology companies abroad.
The AA bill is just one part of Australia’s vast network of interconnected cybersecurity strategies. These are mainly centred around the Cyber Security Strategy, a $230 million strategy released in 2016. However, in an international environment increasingly dominated by threats to cyberspace by non-traditional actors and a growing push by companies and civil liberties groups for privacy and encryption online, Canberra appears woefully and dangerously unprepared to respond to threats and engage more with stakeholders.
The Cyber Security Strategy seeks to bring together government, business, academia and international partners to build cyber defences and to promote open and secure cyberspace. Under the strategy, a Joint Cyber Security Centre has been established and new cyber governance structures have been established, including special advisors and a dedicated Ambassador for Cyber Affairs to build domestic and international cooperation on cybersecurity. Building on the Cyber Security Strategy the International Cyber Engagement Strategy, released in 2017, outlines how cyberspace and cyber security have become a central aspect of contemporary grand strategy and is critical to Australia’s international relations. This strategy seeks to integrate cyber security and broader aspects of foreign policy such as trade, development and regional security, especially in the Indo-Pacific with concerns that Chinese influence in the region will grow via state-owned telecommunications enterprises like Huawei providing critical infrastructure.
These strategies also highlight that the development of common global norms for states within cyberspace is of central concern to Australia. Canberra continues to insist on the ‘rules-based global order’, which has become a significant buzzword in foreign and defence policy. This insistence is also present in cyberspace policy, a domain usually considered disorderly and decentralised. The International Cyber Engagement Strategy makes Australia’s commitment to this order very clear, insisting on an ‘open, free and secure’ cyberspace word-for-word 18 times. However, as scenario analysis has suggested, there is a possibility that a rules-based cyberspace may not emerge, and that Australia’s existing strategies are not enough to deal with this possibility. With cyberwarfare and cyber fragmentation becoming more common, and with both state and non-state actors possessing capabilities to disrupt the status quo, future strategies must better plan for a potentially fragmented and increasingly hostile cyberspace.
It is also important that future cybersecurity strategies do not infringe on rights such as privacy, which the AA Bill has brought to light, or negatively impact on other aspects of the economy and society. There is an increasing tendency across the Western world to justify anti-encryption legislation on the grounds of national security, often being portrayed as a necessary deterrent against terrorist networks and other criminal organisations. However, as shown in the lead-up to the AA Bill, this legislation may, in fact, serve to weaken security. For instance, technology companies who would otherwise be close partners may limit investment and be disenfranchised working with government, and nefarious actors may be able to exploit forced systemic weaknesses in technology. Public trust in government cybersecurity measures has also been diminished recently, with experiences such as the My Health Record and 2016 Australian Census highlighting poor responses to data privacy and cyber preparedness. Canberra should learn from these mistakes and seek to become a re gional and world leader in balancing the right of privacy and national security priorities, especially through working with the private sector and the public at large.
At the very base level, however, these strategies suffer from basic structural problems which can and should be addressed immediately. While progress reports have suggested that Australia is making ‘strong progress’ in the 2016 Cyber Security Strategy, others have suggested that this progress is difficult to quantify, disorganised, poorly funded and lacks fundamental societal change needed to truly ingrain cybersecurity into society. The International Cyber Engagement Strategy also appears somewhat underfunded, with its Cyber Cooperation Program having a meagre $14 million until 2020 to build cyber capacity in the region. There are other basic problems that need to be addressed, including a lack of women in the tech industry and a major security skills shortage.
Canberra’s cybersecurity approaches are undoubtedly comprehensive, yet their poor future-proofing, failure to address concerns over privacy and basic shortfalls in funding and manpower may negatively impact their implementation and jeopardise the security of Australia and the region. The informed furore surrounding the AA Bill should serve as a stark lesson for future cybersecurity strategies and global cyber cooperation. Euan Moyle is the Australian Foreign Policy Fellow for Young Australians in International Affairs.