In a review of the Australian government's cyber security strategy, the Australian Strategic Policy Institute (ASPI) has said the government is looking to drop its reputation for overclassifying material in a bid to enhance its relationship with industry.
"It has long been argued that overclassification of material, such as threat intelligence, by governments prevents easy information exchange with the outside world, including key partners such as industry," the report said.
"The government has recognised this and is positioning ‘Australian Cyber Security Centre (ACSC) 2.0’ to facilitate a more cooperative and informed relationship with the private sector."
The report, authored by head of the International Cyber Policy Centre Fergus Hanson and ASPI visiting fellow Tom Uren, also said the government could gain more benefits by lowering the classification of information related to offensive cyber operations, that is, operations that disrupt, deny or degrade the computers or computer networks of adversaries.
"The government should continue to scope the potential benefits from lowering the classification of information associated with oﬀensive cyber operations. In particular, there are benefits in operating at the SECRET level for workforce generation and training and providing a ‘halfway house’ to usefully employ incoming staff as they wait during vetting procedures," the report argues.
"More broadly, excessive classification slows potentially valuable two‑way information exchange with the information security community."
The report also called for a review of the laws governing oversight for the ASD. Currently, the Australian government’s offensive cyber capability sits within ASD and works closely with each of the three services, which embed staff assigned to ASD from the ADF’s Joint Cyber Unit. Current legislation, policy and oversight ensure that ASD and the ADF work together in a lawful, collaborative and co-operative manner to support military operations. When seeking approval for operations from the Minister for Defence, ASD has to seek legal, foreign policy and national security advice from sources external to Defence.
Hanson and Uren argue that while this arrangement works at present, the policy and legislative framework will need to be updated to allow for the employment of offensive cyber in ADF operations.
"While those oversight arrangements may be sufficient for now, the ADF will inevitably need to incorporate offensive cyber on the battlefield as a way to create local effects, including force protection measures and to deliver effects currently generated by electronic warfare (such as jamming communications technology)," the report said.
"It should not always be necessary to reach back to the national authorities for clear‑cut and time critical battlefield decisions. There appears to be scope to update the existing policy and legislative framework that governs the employment of oﬀensive cyber in deployed operations to support those kinds of activities."