On 30 June, Prime Minister Scott Morrison earmarked $1.35 billion for cyber security investment over the course of the next decade – a historic high. Yet some would argue too little, too late, after a “sophisticated, state-based” attack was launched against critical government infrastructure in the weeks prior.
At the time, Defence Connect reported that Prime Minister Scott Morrison, Home Affairs Minister Peter Dutton and Defence Minister Linda Reynolds issued a joint statement outlining the nature and form of the attack against Australian business, government and political organisations.
Yet as is all too common in the space, their statement was at times vaguely worded, sparse on detail, and unclear about the nature of the threat itself.
In fact, it has taken until recent days for the US Department of Justice (DOJ) to shed further light on the attack, levelling an official indictment against a duo of Chinese citizens said to be acting in concert with the Chinese government’s Ministry of State Security.
According to a statement released by the DOJ, Li Xiaoyu, 34, and Dong Jiazhi, 33, targeted a swathe of US defence and infrastructure companies in recent months – as well as an unnamed Australian defence contractor and solar engineering company.
In addition, the pair stand accused of conducting surveillance on multiple US biotech firms working on COVID-19 vaccines and stealing hundreds of millions of dollars in trade secrets and intellectual property.
“China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being 'on call' to work for the benefit of the state, here to feed the Chinese Communist Party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property, including COVID-19 research,” said Assistant Attorney John Demers, the DOJ’s top national security official.
In the official indictment documents, the DOJ didn't mince its words either – revealing that the two "stole approximately 320 gigabytes of documents including, among other things, source code for (the company’s) products, engineering schematics and technical manuals".
Too little, too late
Australian investment into cyber defence strategies has been on an uptick for some time now. In line with the new strategy unveiled in 2016 (intended to cover the four-year run-up to 2020), public consultation was sought with a range of well-heeled academic and policy institutions. Yet this has never been coupled with a direct line of communication to Australian businesses and institutions about defensive doctrine.
There was no shortage of input from academia and policy institutions at the time; the last national strategy review settled on 33 separate initiatives. Yet this wasn't reflected in budget allocations – as Fergus Hanson of ASPI's International Cyber Policy Centre put it, the associated funding package of $230 million seemed like a "pretty modest budget given what was proposed".
Writing in The Strategist in September of last year, Hanson said that the next strategy needs to be "a lot more focused, given significantly greater resourcing seems unlikely".
With the geopolitical twists and turns of 2020, it seems that Hanson might have his way. The question remains, however, as to how and where this funding will be directed to plug the self-evident gaps in the national cyber defences – and perhaps just as importantly, whether the government will be open and honest about its moves.
Plugging the gaps
If the DOJ's accusations are to be taken at face value, it would seem that the gaps in Australian cyber infrastructure pose a risk not just to government infrastructure, but also to defence industry and the private sector in a broad sense.
With the renewed national strategy due out towards the end of the year, there is a serious need for a candid public-private interface on cyber issues. According to most experts in the space, there simply hasn't been this up until this point.
"The Prime Minister’s press conference should spark the beginning of an ongoing conversation that the government has with the Australian public on the breadth and depth of malicious cyber behaviour that has long occurred in Australia, but too rarely been talked about by our parliamentarians and senior officials," said Danielle Cave, ICPC deputy head.
"Australia's public cyber attribution has been patchy.
"It has also been poorly communicated, with information hosted on different government websites and often disappearing as the ministers who were involved in these announcements move on to other portfolios. This could be easily streamlined and rectified."
In a year of geopolitical turbulence, many have sought to see the silver linings. Framed in terms of cyber security, it's clear that the government's 19 June announcement resets the expectations surrounding the 2020 cyber strategy update.
It's possible (though not certain) that it may also mark a shift in government PR policy towards a more honest and effective method of communication. Over time, this has fluctuated – in September 2011, the Gillard government announced the development of a cyber white paper, which was meant to address a broad range of cyber issues including safety, crime, consumer protection, as well as broader issues such as national security and defence.
Over time, the idea of a cyber white paper lost momentum, eventually being absorbed into an overarching update of the 2013 National Digital Economy Strategy.
Perhaps it's time to start taking cyber threats more seriously and keep Australian businesses and individuals properly informed about developments in the space. This could take the form of a separate white paper, or it could take the form of less drastic moves – such as a unified cyber communications policy, as Cave would have it.
It remains to be seen to what extent exactly such change is embodied in the national cyber strategy review, yet time will soon tell (with submissions closing 1 November, and the report due out soon after).
Get involved with the discussion and let us know your thoughts on Australia’s cyber capability and what you would like to see from Australia’s political leaders in terms of the national strategy review.