Cyber war is a whole-of-nation endeavour, but cybersecurity policy is still stuck in security silos

04 June 2020

In November 2018, senior government figures convened at the ANU’s National Security College to consider a frightening scenario: It’s 2022 and Australia is at war. Unusually, we don’t know it yet. It’s especially unusual because our adversary’s intentions aren’t subtle — they want to cripple essential services, undermine social cohesion and inspire terror.

So why don’t we know we’re at war? For one, there are no bombs, destroyers or ground invasions — this is a cyber war. What’s more, there’s been a long pre-war phase which we’ve mistaken for ad hoc intrusions. For years, our adversary — a nation state — has been performing cyber reconnaissance. They’ve been testing our computer systems, looking for weaknesses. They’ve performed discrete hacks and occasional attacks.

And they haven’t only considered our cyber weaknesses, but also weaknesses in our social cohesion — issues that can be exploited to divide us and weaken our faith in government institutions. They have run campaigns of mis- and disinformation online, perhaps about immigration or climate change.

We don’t realise that all of these seemingly unconnected events are co-ordinated. We don’t realise that it’s all part of a war plan. We’ve missed the signal for the noise. When war comes, we’re unprepared. Healthcare, transport and food security are imperilled. There is the threat of civil unrest.

The findings of this war game informed the Defence Department’s mobilisation review which was finalised last year and released last week under Freedom of Information law. It is an important document which underscores Australia’s lack of preparedness for cyber attacks. Defence found that:

“There has been little consideration of mobilisation responses to unconventional attacks on both the [Australian Defence Force] or Australian society.”

It might seem cruel to ask us to think about, and plan for, future crises while we’re experiencing one. The pandemic has caused suffering and uncertainty, and given how COVID-19 has savagely re-ordered society and dominated our minds, many must live with levels of fatigue.

But some things can’t wait. Before the release of this Defence review, we had already had plenty of warnings about our lack of national cyber resilience. Multiple audits of government entities, conducted by the Australian National Audit Office (ANAO) since 2014, have consistently revealed low levels of compliance on cyber security. This was reinforced just this week in hearings of the Joint Committee of Public Accounts and Audit when the Auditor-General said that the number of cyber audits they’ve performed — five in six years — shows how concerned they are.

Multiple industry surveys also tell us that there is a worryingly variable level of cyber security amongst small- to mid-sized businesses. Now we have the Defence Department saying:

“Of particular concern is the likely unconventional approach that could be taken by potential adversaries that could negate much of the benefits of conventional military planning.”

The warning is obvious: old thinking and traditional military planning won’t help develop national cyber resilience against attacks that have the potential to harm our society just as much as — or even more than — the current pandemic. So what do we do?

For too long, the government has accepted a discrepancy between our military and our wider community. In secret, high-end operations, our cyber security is strong — but out in the wider community, it’s far too weak. The truth is, our country’s cyber resilience will depend upon civilians. A massive, co-ordinated cyber attack will target the weakest points in social systems — which are likely to be civilian. For instance, the workshop at the National Security College found that hospitals could become dysfunctional if the few laundromats that specialise in hospital-grade linen are crippled.

This is why Labor’s discussion paper on national cyber resilience, which we released in April, floated an Active Cyber Defence framework, suggested that cyber security be treated as a public health issue, and considered the potential for civilian cyber corps.

Our thinking was reflected in the Defence review, and the supporting workshops and war-gaming exercises. The November 2018 National Security College workshop found that the

“mobilisation, in the context of a cyber war, will be a whole-of-nation endeavour. This is because, first, many of the targets will be civilian businesses or individuals. Second, the resources needed to respond will be mostly privately held. Third, the centre of gravity is likely to be popular will and resilience… as a result, contingency planning cannot just occur inside defence or government silos.”

Additionally, the Defence Department itself said in its review:

“There is… a need to critically assess if specialised roles are actually required in uniform. Civilians or contractors may be more practical.”

Labor couldn’t agree more. Australia’s cyber resilience is not solely a matter for our military or intelligence agencies — it must be a whole-of-nation project. “Security is like oxygen,” the US doyen of foreign policy, Joseph Nye, once said. “You tend not to notice it until you lose it.”

We can’t afford to lose it, so we must prepare. But this will require imagination and leadership from a government that, on this issue, has shown very little.