What Australia’s cyber strategy means for Asia Pacific

By Dr. Damien Spry

Dr. Damien Spry examines how Australia will promote and assist with cyber security in the region.

The launch of Australia’s International Cyber Engagement Strategy in October 2017 followed the appointment of that nation’s first ambassador for Cyber Affairs, Dr Tobias Feakin, in early 2017 and updates and expands upon the 2016 cyber security strategy – a flurry of activity reflecting the role that digital networks increasingly play in Australian international relations, trade and investment, and security and strategic concerns.

Australia is, and has been since colonial days, highly dependent on international networks of capital, trade, people and information. This outward-looking global connectivity remains a source of Australia’s prosperity and enriches the country culturally. However, these connections are also potential pathways for unwelcome or malevolent actors.

Thus, the strategy seeks to enhance Australia’s advantageous participation in global markets and governance, including through support for the technological and multi-stakeholder governance systems that underwrite the Internet, while protecting Australia from those same systems’ apparent risks and emerging threats.

Engaging the region

Australia’s place in the Asia Pacific means the strategy must include and prioritise engagement in a region that is large and diverse – from micro-states in the Pacific to continental powerhouses – as well as being dynamic, turbulent, and potentially dangerous. The re-emergence of China as a global power is the dominant feature of this region’s trading and security landscape.

For Australia, this is keenly felt: for the first time in its history, Australia’s major trading partner, China, is an authoritarian state while Australia’s major security partner, the United States, is China’s strategic rival.

Cyber security, including cyber warfare, and the threat of malicious interference with national political systems, have prompted legislative responses in Australia and rank high among national security priorities. China’s use of digital means of surveillance and control is also at odds with Australia’s commitment to a free and open internet.

Other nations, notably Cambodia and Myanmar, are similarly exploiting online methods of state control that place democracy and human rights at risk. Non-state actors, from terrorist networks to growing cyber-criminal threats, pose increasingly alarming risks for Australia and her partners in the region.

The strategy

The security risks the strategy seeks to confront are three-fold: criminals, operating for profit; non-state actors, motivated by ideological or political interests, including terrorist organisations and similarly motivated individuals; and foreign states seeking to infiltrate, interfere or threaten national institutions and democratic processes. According to reports from security agencies, affected companies and the Australian government, concerns about such threats are rising.

For example, in May 2018 Australian Security Intelligence Organisation Chief Duncan Lewis described the threat of foreign interference as being at “an unprecedented scale”. In November 2018 the Australian Cyber Security Centre and Austal, an Australian shipbuilder and defence contractor supplying the Australian, American and Omani navies, announced a hacker had stolen personnel information and non-sensitive ship drawings in an extortion attempt.

Australian government efforts to address such threats include the reorganisation of the intelligence community, including placing the Australian Signals Directorate (ASD) with its offensive cyber capabilities into the defence portfolio, and the introduction of new laws that specifically address foreign interference. In his speech introducing the legislation to parliament, the then Prime Minister Malcolm Turnbull underscored the cyber threat – “the very technology that was designed to bring us together, the internet, is being used as an instrument of division” – and named China and Russia as countries of concern.

China in particular has also been identified as involved in cyber espionage, often targeting the intellectual property of companies supplying Australia’s defence forces. China was reportedly behind cyberattacks on the Australian National University in 2018 and Australia’s Bureau of Meteorology as far back as 2015.

And Chinese telecommunications giant Huawei has twice had bids rejected by Australian governments because of concerns about security, the most recent being the effective banning of Huawei from Australia’s 5G network due to the likelihood that it could be required, under Article 7 of China’s 2017 National Intelligence Law, to secretly collaborate with Chinese intelligence services.

For its own part, Australia’s hands are not entirely clean when it comes to the use of cyber espionage capabilities. Past allegations include spying on then-Indonesian President Susilo Bambang Yudhoyono, his wife and other senior officials in 2009, bugging the Timorese Cabinet offices during negotiations over a maritime boundary in 2004, and monitoring mining giant Rio Tinto’s negotiations with a Chinese bank during the 2008 financial crisis. Despite these indiscretions, Australia has positioned itself as a trusted partner.

Promoting and assisting cyber security

The rising threat to security, whether from criminals, terrorists or countries, is the context for the strategy and helps explain its sense of urgency and thoroughness. However, the strategy’s emphasis is less on naming cyber attackers – China is included as a potential partner, its statements in support of agreements against cyber theft highlighted – and more on the role that Australia can play in promoting and assisting with cyber security in Asia and especially the Pacific.

Australia’s international engagement prioritises the Asia Pacific because that is where it has identified threats and vulnerabilities but also because that is where it can have the greatest impact. As with Australia’s aid programmes, the closer to home, the more engaged Australia is.

The logic is clear: under-resourced Pacific Island nations may prove a weak link in the chain of security required to keep the internet safe. Australia can and in its own interest should address this as a matter of national security, as well as a matter of international diplomacy and development.

Papua New Guinea, a growing, resource-rich nation with considerable social and political challenges separated from Australia at its closest point by a mere five kilometre stretch of water, is a clear priority. Australia has already committed AU$14.4 million (US$10.4 million) for an advanced cybersecurity package for PNG (encompassing technical, policy and training elements, and the establishment of a cyber security operations centre) as part of its focus on cyber-resilience in the Pacific through its Cyber Cooperation Program.

Elsewhere in the Pacific, Australia is also supporting the Solomon Islands to establish a cyber security operations centre, and Vanuatu and Tonga to establish national Computer Emergency Response Teams, and has assisted Tonga to develop stronger cybercrime laws, a model approach to more robust legislation for other countries in the region.

More widely, throughout the Asia Pacific, the Cyber Cooperation Program includes support for the Asia-Pacific Network Information Centre, the Forum of Incident Response and Security Teams to provide cyber security training, including incident response training across the Pacific, and the Pacific Cyber Security Operational Network, launched in April 2018, comprised of government-designated cyber security incident response officials, which shares information, tools, techniques and ideas.

The Australian Cyber Security Centre was re-elected as Chair of the Asia-Pacific Computer Emergency Response Team Steering Committee in Shanghai in October 2018, indicating Australia’s commitment to, and the region’s acceptance of, its leadership in Asian cyber security.

At the ASEAN Regional Forum in August 2017, with Malaysia, Australia co-sponsored a proposal to establish a cyber Point of Contact database to facilitate communication in times of crisis – one of the strategy’s goals – and will pilot the concept in 2018-19. In August 2018, Australia and Indonesia signed a memorandum of understanding, with an associated Action Plan, regarding cooperation over the next two years.

A Cyber Capability Engagement Program, which has provided training to 20 Indonesian government officials in partnership with the Australian National University’s National Security College, is already underway. The ASD’s Essential Eight, a checklist of strategies to mitigate cyber risks, is scheduled for translation into the ten official ASEAN languages.

Tackling cyber threats

Australia’s strategic response to cyber threats is a combination of robust domestic defensive – and offensive – capabilities and a forward-defence through international engagement. Australia’s cyber security efforts are in concordance with its overall security and strategic positions in that, more than the other themes, they are related to the alliance with the US and the close relationships with its fellow members of the “Five Eyes” intelligence sharing network. The ANZUS treaty is affirmed in the strategy as applying to cyberattacks.

Since April 2016, Australia has acknowledged that it has an offensive cyber capability and in November 2016, Australia’s then Prime Minister Malcolm Turnbull confirmed that these offensive capabilities were used to target the Islamic State. In 2017, Australia became the first nation to disclose that its offensive cyber capabilities would be directed at “organised offshore cyber criminals”.

Beyond the Asia Pacific, Australia has established key working-level partnerships to confront cybercrime. The Five Eyes Cyber Crime Working Group shares best practices and operational resources, and an Australian Criminal Intelligence Commission cybercrime analyst is posted at the FBI International Cyber Crime Coordination Cell in the United States. Another is posted at the National Cybercrime Unit at the United Kingdom’s National Crime Authority.

Diplomatically, Australia participated in coordinated action to protest unacceptable behaviour by North Korea (WannaCry ransomware) and Russia (email hack, 2016; NotPetya malware; and cyber operations against the Organisation for the Prohibition of Chemical Weapons and the investigations into the Malaysian Airlines plane shot down in the Ukraine). Australia also works closely with the International Telecommunication Union and is at the time of writing standing for re-election to the ITU council.

A new purposefulness

Australia’s approach to cybersecurity demonstrates a combination of international cooperation through leadership and modelling responsible practice, and a capacity and robust willingness to confront threats. The strategy provides a clear articulation of Australia’s priorities, intentions and capabilities.

In part, it is an expression of how the country will continue to pursue its national interests in the new technosocial trading and strategic environment. The key pillars of Australian foreign policy, in one sense, have not changed much: the US alliance, its position as a middle-power engaged in and supporting global cooperation through multilateral institutions, and its key relationships in the Asia Pacific region.

In another sense the strategy clearly sets out a new purposefulness to Australia’s engagement, especially with its near neighbours. Its clarity is also a conscious effort at putting into practice one of its core values: transparency. Together with the 2016 Cyber Security Strategy and successive Foreign Policy White Papers, the strategy explains Australia’s intentions and outlines its capabilities in an effort to reduce the risk of miscommunication with, and to encourage greater candidness from, other international actors. This is one of the strategy’s most laudable objectives.

All nations, governments and policies are faced with the conflict between pragmatism and principles. The strategy has elements of this in the scant attention to privacy rights. The omission of certain state actors as risks – either to their own people (Myanmar, Cambodia) or to other nations (China, Russia) – can be chalked up to diplomatic prudence.

And the shortage of due attention given to digital platforms such as Facebook may be a product of timing – the abuses in Myanmar and the risks to democratic processes both being associated with social media only quite recently. These are, however, areas which Australia’s Cyber Ambassador and his department may wish to give further attention to.

Despite these slight concerns, Australia’s combination of good standing and comparatively hale resources makes its leadership feasible; the interconnectedness of the issues at stake makes its engagement necessary. The purposefulness and thoroughness of the strategy are in large part cause for confidence; its implementation thus far, likewise.

Dr. Damien Spry is a Lecturer in Media and Communications at the University of South Australia and a Visiting Fellow at the Digital Media Research Centre at the Queensland University of Technology. He has previously held academic positions in Hong Kong, Japan, South Korea and the United States of America. His scholarly research focuses on digital media impacts on international politics and diplomacy.

He has developed the Facebooking Diplomacy Database for this purpose. He is a regular contributor to think tanks, including the Lowy Institute and the Australian Strategic Policy Institute, and has consulted for several multinational companies, including Google, Facebook and Amnesty International, as well as to several governments.

This article was originally published in Panorama, a publication by Konrad Adenauer Stiftung, a German political foundation which runs programmes to promote democracy, peace and justice.