The Australian government must take cyber security more seriously

Most of us can relate to the government’s plan to build 12 new submarines for A$50 billion, at least in principle. But you might be alarmed to hear the government is investing only a fraction of that amount on protecting us from cyberattacks.

Our research suggests that now may be the time to think more deeply about having fewer submarines so that we can afford to pay for the cyber defence of the civil sector.

This is because we are not spending anywhere near as much as our allies on cyber defence, especially in the civil sector.

In April 2016, having declared cyberattacks to be a national emergency, US President Barack Obama announced a spending plan of A$26 billion in one year for urgent remedial policies largely to protect the non-defence sector.

In December 2015, describing the cyber threat as “one of the great challenges of our lifetime”, the UK Chancellor George Osborne announced a broadly similar remedial plan to spend almost A$800 million per year over five years.

By comparison, the latest federal budget allocated around A$100 million for one year based on its new Cyber Security Strategy released a month earlier. Yet the threats these three countries face are not different by the orders of magnitude suggested by budget comparisons.

In 2015, the Australian government said that the country had never suffered a cyberattack seriously compromising national security, stability or prosperity.

Obama said at the same time that cyberattacks posed an “extraordinary threat to the national security, foreign policy and economy of the United States”. He repeated this in March 2016 when extending the national emergency declaration for another year.

Security gap

There are two important areas where Australia is doing less than our allies, and less than we need to: protecting critical cyber infrastructure; and fighting cybercrime.

Both these areas of cyber policy have separate strategy documents. And there are no strong linkages between them and with the April 2016 Cyber Security Strategy action plan.

In 2015, the government issued two documents on critical infrastructure, a Policy Statement and a Plan, one of which has a single page on cyberattack.

But these documents use anodyne statements, such as ensuring the continuity of “service delivery”, rather than using the concept of an extreme cyber emergency that underpins planning assumptions, exercises, research and operational preparation of the US and the UK.

In terms of research, the Idaho National Laboratory and others like it conduct research on national resilience in the face of “catastrophic and potentially cascading events that will likely require substantial time to assess, respond to, and recover from.”

In the UK, the responsible agency “supports three exercises per month to test cyber resilience and response”. The US and UK work together to prepare for a terrorist cyber-enabled attack on nuclear power stations.

In his preface to the Cyber Security Strategy, Prime Minister Malcolm Turnbull said Australia needed to prepare for a “significant cyber event”, with an unspecified scale of effect.

This exemplifies the laid-back tone of most Australian policy documents on this subject.

In strong contrast, in May 2016, ASIO offered a rather gloomy assessment:

The gap is likely widening between the scale and scope of harm experienced to Australia’s sovereignty, government systems, and commercial and intellectual property, and the ability of ASIO and partner agencies to successfully mitigate that harm.

Getting serious

On cybercrime, the gap between need and and policy is even more starkly visible.

In the Cyber Security Strategy, the government did not see cybercrime as an important focus. It did say that the country doesn’t have a good handle on how much such crime was costing the economy, citing one estimate of A$1 billion and another of A$17 billion.

While collection of data on the cost of cybercrime is notoriously difficult, the wide range for this “estimate” is strong evidence of how low a priority this area of policy has been.

The Cyber Security Strategy does make a commitment to develop and implement a training plan for specialists in the field of countering cybercrime, with no further detail.

It also commits in the broadest terms to increasing the capacity of the AFP and the Australian Crime Commission (ACC) to counter cybercrime. Forward estimates for the latest budget revealed a commitment of almost A$15 million over four years to the ACC to support stronger capability to combat cybercrime.

But in this area, the cyber strategy basically passed the buck. It suggested that the main source of policy was the National Plan to Combat Cyber Crime released in 2013 by the previous government.

This is not much consolation, as that document lacks detail and certainly does not reveal a commitment of funding on a level likely to contain or reduce a cost to the economy estimated in the billions of dollars.

The government needs a more open and candid conversation in public with key stakeholders about the sort of threat scenarios we face, but especially for cybercrime and “significant cyber attack”. It also needs to develop policies and agencies, funded appropriately, that can begin to perform on a level that matches the threats.