Transforming Australian Cyber Security

Australian cyber security strategies and development is lagging dangerously behind...

A global power transition is underway, hastened by the erratic, even vindictive, policies of the second Trump Administration, Russian aggression in Ukraine, Israeli escalations, an increasingly assertive China, and a technological-fed destabilisation of existing institutions.

Because ‘cyber’ is obscure to the average punter, even as it is intrinsic to everything digital, and so everyone’s daily life, cyber’s evolution—and the potential changes for Australia—have largely been unremarked. Here, we consider how cyber has evolved over the last 20 years, potential implications of power shifts for Australia, and the possible steps Australia may make in response, from following current best practice (for example, from Estonia and the United Kingdom) to step changes in posture, capabilities and policies.

The shifting cyber landscape

Contrary to what the average Australian may garner from the media—intermittent, event-based headlines, such as the Medisecure, Optus, Medibank, and Qantas compromises—cyber security has long been ever-evolving, in complexity, pace of change and scale of effect. The Australian public hears much less of broader cyber activity and how it is a domain of cause and disproportionate effect. But, perhaps more importantly, how individuals can best defend themselves against maliciousness—aside from bromides encouraging password security and multi-factor authentication—and how they can engage with and influence the cause-effect phenomena.

There is no advice from Australian agencies made available publicly, for example, for those concerned about their communications security when global telecommunications infrastructure is attacked. Following the discovery of the Salt Typhoon campaign late last year, the United States was quick to publicly advise its people to use Signal or WhatsApp—end-to-end encryption—to protect those communications, making no assumption of the perceived or actual sensitivity of anyone’s messages.

This action served multiple purposes, all in plain sight—alert and educate your population on malicious cyber actions, including businesses of any type and size; send allies and likeminded nations a somewhat pointed hint to follow suit¹; and send a clear message to those behind Salt Typhoon that all sorts of international laws and cyber norms of behaviour had been breached.

If we look back over the last 20 years, we can identify several evolutionary step changes in the cyber domain that have had profound effects on Australian’s social and economic welfare.

• Prior to 2007, the known global cyber landscape was dominated by basic malware, individual hackers, with some profit-driven crime and intelligence use. Then in 2007, Estonia was the subject of a concerted campaign of attacks, most plausibly by Russia, targeting the Estonian Parliament, banks, ministries and media. That attack signaled the first nation-state cyber-conflict, and the realisation of cyber activities as a geopolitical tool.

• Subsequently, Russia sought to coordinate cyber operations—and its more traditional tool of choice, disinformation—with kinetic operations in its Five Day War with Georgia in 2008. Separately, in 2010, Stuxnet, highly sophisticated malware, now widely accepted to have been developed by the US for Israeli use, was used to disrupt Iranian nuclear enrichment, setting back its nuclear program by some years² and so illustrating the potential kinetic uses of cyber. Cyber operations started to become integrated into military planning.