Australia Makes a Record Investment in Cybersecurity
Print Issue: December 2020
With roughly 26 million residents, Australia is not among the most populous nations in the world. But it is increasingly facing a wide range of cyberattacks, many of them initiated by nation-states, like China, and targeting critical infrastructure.
Between 1 July 2019 and 30 June 2020, the Australian Cyber Security Centre (ACSC) responded to 2,266 cybersecurity incidents—an average of roughly six per day. Approximately 35 percent of those incidents targeted federal, state, and territory government entities, while 35 percent of the incidents impacted critical infrastructure.
On 19 June 2020, Australian Prime Minister Scott Morrison announced that a sophisticated nation-state cyber actor was targeting Australian organizations, including government, industry, political organizations, education, healthcare, essential service providers, and critical infrastructure.
“We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used,” Morrison said. “Regrettably, this activity is not new—but the frequency has been increasing. Our objective is to raise awareness of these specific risks and targeted activities and tell you how you can take action to protect yourself.”
Morrison outlined three steps all organizations should take to protect themselves: patching their Internet-facing devices promptly, enabling multifactor authentication, and becoming an ACSC partner to obtain access to threat advice.
The ACSC and the Australian Department of Home Affairs also issued a technical advisory with advice for Australian businesses and organizations to defend against cyberattacks. Morrison declined to name the nation responsible for the attacks, but Reuters spoke with five individuals with direct knowledge of a classified report on the attacks who said China was responsible.
“The report, which also included input from the Department of Foreign Affairs, recommended keeping the findings secret in order to avoid disrupting trade relations with Beijing, two of the people said,” according to Reuters. China is Australia’s largest trading partner.
After announcing this latest string of cyberattacks, Morrison added that his government would soon release a new cybersecurity strategy to enhance Australia’s overall security. In July, following the release of an industry advisory panel report on Australia’s cybersecurity posture and recommendations to improve it, the government released its 2020 Cyber Security Strategy and a commitment to devote $1.35 billion AUS ($1 billion) over the next decade to cybersecurity—the largest national investment in cybersecurity to date.
“The federal government’s top priority is protecting our nation’s economy, national security, and sovereignty. Malicious cyberactivity undermines that,” Morrison said in a statement. “My government’s record investment in our nation’s cybersecurity will help ensure we have the tools and capabilities we need to fight back and keep Australians safe.”
The strategy is a unique document, outlining the current threat environment that Australia faces, based on consultation that assessed where action needed to be taken, measures the government will take to improve the nation’s cybersecurity, and an implementation plan—along with the budget allotted for each initiative.
“This strategy will benefit all Australians. Families and businesses will have increased access to reliable cybersecurity advice and assistance,” wrote Minister for Home Affairs Peter Dutton in the introduction. “The Coalition Government will boost law enforcement’s capacity to combat cyber criminals, improve threat information sharing with industry, and support initiatives to grow a skilled cyber workforce. Working in partnership with owners of critical infrastructure, the government will bolster protecting the critical systems on which all Australians depend.”
The release of the 2020 strategy was part of an effort that began in November 2019 when the government asked for industry and private sector input on the state of Australia’s cybersecurity, says Hamish Hansford, first assistant secretary of cyber, digital, and technology policy in the Department of Home Affairs.
The government received more than 200 submissions and set up an industry advisory panel to review them and craft its own report of recommendations, which the government then assessed before finalizing its own cybersecurity strategy.
One core concept of the strategy is Australia’s commitment to “actively defending” its assets. The government will “confront illegal activity, including by using our offensive cyber capabilities against offshore criminals, consistent with international law,” it says. “The Australian Government will continue to strengthen the defences of its networks, including against threats from sophisticated nation-states and state-sponsored actors.”
Additionally, the strategy includes a heavy focus on protecting Australia’s critical infrastructure. The government will set expectations for critical infrastructure and systems of national significance to ensure they have the policies and capabilities in place to manage the “highest consequence threats to Australia to protect the essential services on which all Australians depend for our way of life,” according to the strategy.
Australia will begin implementing its strategy with a focus on critical infrastructure as the government intends to introduce legislation to raise cyber standards for owners and operators, Hansford adds.
“Starting with that is precisely what the industry advisory report said, and with COVID-19, supply chains have been stressed and we have identified even more vulnerabilities that need to be addressed,” he explains.
This commitment to taking an active defense posture sets the Australian strategy apart from others, says James Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C.
The Australian strategy is the “next generation of security strategies,” Lewis explains. “It breaks two taboos we used to have. It talks about using offensive cyber operations against Australia’s attackers, and talks about imposing standards on critical infrastructure; it’s what’s new and a big change in how we think about this.”
Lewis says including this language was a conscious decision on behalf of the Australian government to be more open with its citizens about what it is doing—and to encourage other nations to take a similar approach.
“The defensive approach hasn’t worked,” Lewis adds. “If anything…the cost of cybercrime has gone up 50 percent in the last two years. Australians are getting the same attention that [the United States] gets from the Chinese when it comes to economic espionage.”
Many nations have been reluctant to vocally take the position that they will use offensive means to protect their assets because they either do not have the capability to carry out such a strategy or they do not want to reveal that they have the technical ability to do so.
“The Russians and Chinese will deny that they can. In Germany and Japan, it’s a constitutional issue that they are wrestling with—they realize that their cyber defense is inadequate,” Lewis says. “There’s no global consensus, but more than 20 countries have offensive cyber capabilities.”
One area that is lacking in the strategy, however, is requirements for the Australian government itself to improve its cybersecurity posture, says Fergus Hanson, director of the International Cyber Policy Centre based in Sydney, Australia.
“The federal government is constantly being called out by the national auditor for failing to reach basic minimum standards,” Hanson adds. “It’s grave for government to be an exemplar and get its own house in order. That problem is going to persist—which is a shame.”
Another challenge the strategy may face during implementation is that while there are measures included to address law enforcement’s ability to respond and investigate cybercrime, it’s an international problem that will require a global response—not just an Australian one.
“The problem globally is people are trying to localize a solution to a global problem,” Hanson says. “It’s like trying to deal with diplomatic relations by beefing up your local provincial councils.”
Instead, Hanson says Australia will need to work with an international coalition to address countries that are facilitating cybercrime.
“If we really want to solve this problem that’s costing us billions every year, we need to connect the dots and get our foreign ministries and arms and federal police on board,” Hanson adds. “Or we spin our wheels for another decade.”
Overall, however, Hanson says it is a positive that the Australian government is investing more resources into cybersecurity—especially in the midst of a global pandemic.
“It’s a tough environment for funding, and obviously COVID is a priority and keeping people in jobs; the investment in cybersecurity was a good surprise,” he adds.