Prime Minister Malcolm Turnbull has declared that Australia is now willing and able to hit back at cyber adversaries attacking the nation’s assets and infrastructure, using the launch of the government’s new $230 million Cyber Security Strategy in Sydney to publicly caution that an “offensive capability” is a real and live option.
The public confirmation by the PM that the Australian Signals Directorate (formerly the Defence Signals Directorate) has cyber weapons at the ready is the first time the government has officially acknowledged the capability – and marks a significant change in posture in how future attacks, criminal or nation state sponsored, may be dealt with and potentially called out and publicised.
The move to acknowledge the changing reality of what some analysts fear could become a cyber arms race is a major shift from the previous policy of confirming neither inbound attacks and intrusions nor the measures used to mitigate or neutralise them.
“An offensive cyber capability, housed in the Australian Signals Directorate, provides another option for Government to respond,” Mr Turnbull said.
“The use of such a capability is subject to stringent legal oversight and is consistent with our support for the international rules-based order and our obligations under international law.”
Cyber security insiders have fretted for years that high levels of secrecy and very deliberate government silence around the mechanics of cyberattacks have made hacking agencies and businesses more appealing – mainly because of the lack of a publicly visible deterrent, punitive countermeasure or adverse consequence to dissuade attackers overseas.
Although Mr Turnbull stopped visibly short of saying what kinds of adversaries or attacks might attract or prompt the use of the now public “offensive cyber capability”, the Prime Minister emphasised that just calling it out produced its own benefits.
“Acknowledging this offensive capability, adds a level of deterrence. It adds to our credibility as we promote norms of good behaviour on the international stage,” Mr Turnbull said.
“And importantly, familiarity with offensive measures enhances our defensive capabilities as well.”
The PM then directly called on the business community to join him and the government “in building a national cyber partnership, setting the strategic agenda; co-designing national cyber security initiatives; and committing to annual Cyber Security forums.”
Confess early, confess often
However, the call for businesses – especially banks, telcos, utilities and retailers – to both publicly back and commit their own resources to the Cyber Security Strategy and its new posture is far from obligation-free, with Mr Turnbull arguing for urgent cultural change in how private organisations acknowledge their own incidents and deal with them.
A major concern for both regulators and law enforcement has been the longstanding unwillingness to either acknowledge or report cyber incidents by many companies for fear of reputational damage or conceding competitive advantage.
The strong historical predilection of business to sweep cyber incidents under the rug has frustrated cyber investigators for at least two decades because the unwillingness of victims usually makes mounting prosecutions next to impossible – again removing a tangible deterrent.
To reverse that mentality, Mr Turnbull conspicuously broke with the government’s own non-admission convention on incidents and confirmed two of the most widely reported recent attacks directed at the government that many experts believe were orchestrated from China at the behest of the People’s Liberation Army – although China was conspicuously not mentioned once during the speech, nor at the following press conference.
Diplomatic sensitivities aside, the hard push for full and frank confession resumed.
“In this spirit of openness, and the need for clear leadership to break down a culture of denial as to the scope and scale of cyber threats, I can confirm reports that the Bureau of Meteorology suffered a significant cyber intrusion which was first discovered early last year,” the Prime Minister said, adding that “the Department of Parliamentary Services suffered a similar intrusion in recent years.”
In terms of the kind of corporate candour the government is looking for, Mr Turnbull singled out budget retailer KMART as a good cyber citizen “for showing leadership and being up front about the intrusion” the company suffered when hackers made off with customer data.
“Only by acknowledging, explaining and analysing the problem can we hope to impose costs on perpetrators and empower our private citizens and government agencies and businesses to take effective security measures,” he said.
Compulsory government intervention – such as requiring mandatory public disclosure of cyber incidents – remains largely off the table, with some stakeholders at the event privately saying such moves could give away tactical advantage in tracing attackers.
ACSC shifts out of ASIO, business gets bespoke threat centre, secure network
In terms of optics and user friendliness, the Australian Cyber Security Centre (ACSC) – which is the frontline cyber response coordination body between intelligence agencies, law enforcement and the corporate sector – will be shifted out of ASIO’s temperamental Canberra headquarters at the Ben Chifley building to a new location that is likely to be in Sydney.
Mr Turnbull said this would make it “easier for industry to engage with it”, an admission in kind that ACSC’s current location in lakeside spy central has generated plenty of practical obstacles.
Information sharing appears to have been one of them and has been prioritised.
In addition to the ACSC’s move, Mr Turnbull said that the government will also establish new Joint Cyber Threat Centres that will harness expertise and representation from the corporate sector, government agencies and the research sector.
The new joint centres are likely to fill an emerging gap in government-to-business and business-to-business sharing of sensitive information on threats and attacks that might fall below the higher national security thresholds, but still represent a major pain point for business and agencies alike.
The facilities will be bolstered by what the government is calling “a secure online threat sharing network”, another monitoring and intelligence clearing house of sorts that looks to have been too hard for business to establish on its own.
“Government and the private sector both have vital roles to play in promoting an open and secure internet. But both parties have often fallen short when it comes to sharing important information,” Mr Turnbull said.
New Chiefs: Special Adviser, Assistant Minister and Ambassador
With a rich history of the Australian government creating new cyber functions or agencies before nailing down how they’ll all work together, a major focus of Turnbull’s Cyber Security Strategy is finally creating a cohesive, influential and highly visible leadership structure.
By far the most important step in that area is the creation of a new role of a Special Adviser to the Prime Minister on Cyber Security, a job handed to former Federal Police cyber warrior and current Children’s e-Safety Commissioner.
The Prime Minister said Mr MacGibbon, effectively Australia’s first ‘cyber tzar’, will be “responsible for leading the development of cyber security strategy and policy”.
Mr Turnbull said the Special Adviser “will also provide clear objectives and priorities to operational agencies and oversee their implementation of these priorities”, a description that firmly indicates an expectation of clearer structure and better, more visible performance.
Talking up the Special Adviser’s job in leading cultural change, Mr Turnbull again pressed the need for greater public visibility and called out the need to engage the media, private sector, international partners and researchers.
A new junior ministry is also being set up within the Turnbull Government – also reporting directly to the Prime Minister – that the Prime Minister said would help him in “leading the Government’s work with business leaders”, a nice way of saying the issue of Cyber Security will be a lot more than an election ‘announceable’.
Who the new minister will be is yet to be announced, but industry betting at the launch was favouring Justice Minister Michael Keenan, although it’s still unclear whether a name will emerge before the anticipated July election.
The diplomatic corps – normally the beneficiaries of foreign intelligence gathered by clandestine electronic means – also gets a new appointment with Australia’s first Cyber Ambassador whom Mr Turnbull said will “lead our international engagement in advocating for an open, free, and secure Internet, based on our values of free speech, privacy and the rule of law.”
In terms of leather on the ground, Mr Turnbull said the $230 million included “funding for over a hundred new specialist jobs” spread “across 33 new initiatives”, a boost that came on top of the 800 specialist roles and $400 million committed to improving “Defence’s cyber and intelligence capabilities through the 2016 Defence White Paper.”