Tonight’s ABC Four Corners program revealed that China, as we all suspected, is seen by the Australian government as a repeat and serious attacker on the country’s security in cyber space.
The story is sensational for only one reason: the government has been keeping the public in the dark over the scale and seriousness of the cyber threat in general, and in particular on China’s place in that threat landscape.
The story marks out a new set of policy challenges for Prime Minister Malcolm Turnbull as he heads into his first week of the new Parliament and prepares for his next visit to China for a G20 meeting in less than a week.
I have already called out this gap between the country’s cyber security challenges and its public rhetoric, especially in the context of the recent decision to prevent Chinese bidders from gaining a controlling stake in Ausgrid.
The government’s reticence to document and articulate comprehensively these detailed threat assessments stands in stark contrast to the practices of our major ally, the United States. President Obama this year renewed a national emergency in cyber space for the second year running, because of serious threats to the country’s national security and economic prosperity.
Australia’s reluctance to be more open on cyber threats has several sources. First, it is following a long British and Australian tradition of not commenting in public on intelligence sources and methods.
Second, in conducting espionage against Australia for national security purposes, China is doing nothing that Australia itself would not do.
Third, and less importantly, the government would be reluctant to add yet another sour note to bilateral security relations with China after the tirades from Chinese officials about Australia’s position on the South China Sea disputes.
Even if we accepted all of those reasons as persuasive, there is still room to revisit the public handling by the government of the China relationship on cyber threat issues.
There are quite negative consequences of Australia’s relative silence on cyber threats from China. We have already seen these play out in several ways in the past six months.
First there was the opaque decision-making over Chinese majority ownership of Ausgrid. Then came the speculation on China being the source of cyber attacks on the Bureau of Meteorology and the Census website.
Finally, and less obviously, Turnbull’s decision in April 2016 to announce Australia’s engagement in planning offensive cyber combat operations.
This last point, and its connection to China, helps to explain why the Australian government’s Defence White Paper released a month earlier foreshadowed up to 1,700 new posts in cyber or intelligence billets for uniformed and civilian personnel.
However, a more fundamental underlying problem is the government’s refusal to provide any meaningful detail on the seriousness of the threats in cyber space to Australian interests. And this factor explains why the United States talks of a national emergency and we don’t.
The Americans accept that unless they escalate the public rhetoric and name the threats quite specifically and consistently, then the government will not get the response from the community, educators, law enforcement or the corporate sector that matches the severity of the threats.
The US government also accepts that in order to build a constituency for more spending on cyber security that there has to be a well-informed public debate.
has had an open and candid conversation in public with key stakeholders about the sort of threat scenarios we face, from military operations to privacy, from cyber crime to extreme cyber emergencies.
In its cyber security strategy, the Turnbull government called for a national partnership with businesses and the research community as one of five pillars of its policy.
We are seeing convincing signs that this intent will be implemented in important new ways, not least through the work of Data 61 (CSIRO), the Defence Science and Technology Group, and the developmental phase of the new cyber growth centre.
We have a brand new Assistant Minister for Cyber Security, Dan Tehan, a new special adviser to the Prime Minister in the field, Alastair MacGibbon, and imminent appointment of a new ambassador for cyber security.
With the institutional foundations in place for a new public-facing strategy, including its international dimensions, there must be a reasonable expectation that the government will now change its public affairs approach to a more open one to meet the partnership ambition it has set itself.
This will have to be accompanied by a new knowledge base, not secret but open source, that can comprehensively, consistently and accurately describe the cyber threat environment for the enlightenment of the public.
To meet the Turnbull ambition of becoming an innovation leader, Australia needs a much stronger commitment to open government. A public information process that so consistently involves sensational stories from Four Corners and the ABC is not what Australia should aspire to.
Authors: Greg Austin, Professor, Australian Centre for Cyber Security, UNSW Australia