It has not been an easy year. Just as the great fires began receding, police started patrolling supermarkets. Our Black Summer was replaced with a global pandemic, and the subsequent death, unemployment and restrictions of freedom. It’s given us a new, first-hand perspective on our national resilience — our ability to mitigate, and respond to, great external shocks.
The COVID-19 pandemic has exposed the profound interconnectedness of our world. It’s never been a secret that globalisation stretches many of the supply chains that we rely on for the provision of essential services beyond the reach of our sovereign control. Nor have we been oblivious to the way outsourcing and just-in-time delivery business models have left firms reliant on a complex web of external suppliers.
When times were good, this hyper-specialisation produced a wider variety of goods and services for consumers at a cheaper price. But the COVID-19 pandemic has given us first-hand experience of the systemic weaknesses that accompany this paradigm.
The cascading consequences of connection; where failures in the operation of one part of the network threaten the resilience of the broader, interconnected system. In a world where everything is connected, how should we think about our national resilience?
Nowhere is the question more pressing than in the realm of cyber security. How well would Australia fare in the face of a widespread, global cyber incident? An incident that simultaneously crippled the computer networks of large numbers of organisations providing essential services like healthcare, child-care, essential retail services and logistics around the world?
This isn’t theoretical. In 2017, the NotPetya malware — wickedly designed to propagate rapidly and automatically — began corrupting cyber networks across the world. Originally designed by the Russians to target organisations in Ukraine, it quickly spiralled out of control and began spreading around the world.
It happened swiftly and indiscriminately and caused $10 billion worth of damage. By crippling major logistics company Maersk, one-fifth of the world’s shipping was affected. In Ukraine, where the virus was first unleashed, it crippled hospitals, airports, banks, the power grid and almost every government department.
Only a month before, the WannaCry ransomware worm spread worldwide. Developed by North Korea as a source of illicit revenue, the worm infected hundreds of thousands of computers in more than 150 countries and caused $4–8 billion of losses.
But the potential costs of attacks like this are far greater than just economic losses. Most concerningly, the network of Britain’s public health-care system — the National Health Service — was corrupted, causing panic and delaying surgeries.
The NotPetya and WannaCry incidents could have been worse. A joint report prepared by Lloyds of London and risk-assessment firm Cyence, modelled the economic costs of an attack on one of the cloud service providers that enable so many of the IT services we now rely on, and found that such an attack could cause $121 billion in actual losses worldwide.
How well would Australia be prepared for such a global incident? How would we respond? How much of the potential harm from such an incident would we be able to mitigate? How quickly would we bounce back? There’s reason to be concerned.
Late last year, David Irvine, the only person to have led both our foreign and domestic intelligence agencies, warned:
“We need .. more effort both by the government and the private sector and individuals into developing what I’ll call national cyber resilience to a far greater level than we have now … Today when I talk to business … there isn’t yet a full understanding about how we actively manage our cyber crime vulnerabilities, how we defend ourselves against those vulnerabilities.”
He’s right. Australia’s cyber resilience is uneven at best. At the pointy end, we’re strong. The capabilities of the Australian Signals Directorate (ASD) are world class. We’ve also dedicated significant attention to thinking about how to protect critical infrastructure from cyber threats.
Our biggest targets in the private sector, particularly our financial institutions, are national leaders in their cyber security capability. Where we’ve had less success is in lifting the baseline of our national cyber resilience.
The most egregious failure in this respect is within government. Despite the ASD’s “Top Four” mitigations being mandatory since April 2013, late last year we discovered that nearly four in 10 Australian government entities had still failed to implement these basic cyber security measures six years later.
A succession of ANAO reviews have found continuing failures of Commonwealth agencies to implement basic cyber resilience measures without consequence or accountability. The recent Commonwealth Cyber Security Posture in 2019 review confirmed the government’s sustained indifference to this national vulnerability, concluding that the implementation of the ASD’s Top Four cyber security measures “remains at low levels across the Australian government”.
It’s a similar story in the private sector. While our largest companies often have good cyber security postures, capability quickly drops away with business size. Indeed, a massive 87 per cent of Australian SMEs reported believing that their business was safe from cyber risks because they use antivirus software alone.
These SMEs include plenty of organisations that provide services that, in this time of lockdowns, we newly appreciate as being essential. Places like child care centres, GP clinics, chemists and essential retail. In the face of a global cyber incident, this common vulnerability is a potentially significant systemic threat to our national resilience.
So we’ve got work to do. But this is also a moment — an opportunity — to think more seriously, and more imaginatively, about strengthening our national resilience. That’s why Labor has released a discussion paper on Australia’s National Cyber Resilience to encourage new thinking about these potential vulnerabilities and how we could respond.
One aspect of our cyber resilience that we should be thinking hard about now is our domestic cyber security capability. In the event of a major global cyber attack — say, a bigger, more destructive NotPetya — Australia would not only suffer from vulnerable government and private networks, but it would also confront an acute cyber security skills shortage.
According to AustCyber, Australia will need 17,000 extra cyber security professionals by 2026. While government expects the number of cyber security graduates to increase four-fold in this time, even if this is able to be achieved, we will still fall far short of what’s needed to meet demand even in the absence of a significant incident.
While in the past we have relied upon immigration to address skill shortages in this space, a global crisis means global demand for essential goods and services, as we’re seeing now with awful international shortages of respirators and personal protective equipment for medics.
The 2012 ‘Shamoon’ wiper attacks on Saudi Aramco forced the company to urgently replace 50,000 hard drives, drying up world supply for the better part of six months.
A global cyber incident wouldn’t just impact on hardware supplies though, we would see similar international competition for human talent. Australia would be at an acute disadvantage in such a contest.
Given this, how we develop and organise Australia’s cyber security skills is a crucial part of building Australia’s cyber resilience. We can learn from the ways other countries have already confronted this challenge.
In 2007, in the Estonian capital of Tallinn, a decision was made to relocate a Soviet World War II statue from a city square to a military graveyard. Moscow issued dark but unspecified threats if the statue was moved. But moved it was.
Then, in what became a global watershed, Estonia was subject to a massive cyber attack. It lasted 22 days, and large swathes of the Internet were inaccessible to Estonians. Government websites crashed, so too the sites for online newspapers. Estonians couldn’t access bank accounts. It was a national shock and one that the Estonian government learnt from.
Estonia responded in a variety of ways, and has been a world leader in imaginative cyber security policy ever since. For one, it established the volunteer-based Cyber Defence Unit. While attached to its para-military organisation, the Estonian Defence League, it emphasises broad national resilience and public education.
Their Cyber Defence Unit runs courses in schools, conducts simulation exercises in government and educates policy-makers — as well as providing an emergency response capacity.
Determining the best model for Australian circumstances would require thoughtful consideration. There have been a number of different models for Civilian Cyber Corps and Cyber Reserve forces proposed in Australia over recent years.
One has even been implemented — the Australian Defence Forces currently operates a Cyber Reserve that at last count had recruited 77 cyber reservists for 110 allocated positions. It’s a start, but to deliver the kind of capability needed genuinely deepen Australia’s national cyber resilience, we will need to think bigger in the future.
We are obviously experiencing a great crisis and an historic moment. Less obvious is how well we can reconsider our vulnerabilities in the shadow of the pandemic. Estonia didn’t squander their crisis of 2007, and neither should we squander this opportunity to strengthen our national resilience, or to reimagine our future.