If the ambitious goals of Malcolm Turnbull’s just released cyber security strategy are achieved, the document could turn out to be the most important and innovative government strategy yet written.
Its great strength is that it provides a clear plan for harnessing Australia’s transitioning economy to the enabling technology of the internet, while recognising that a secure cyber space is critical to exploiting the benefits of the digital age and to protecting our interests online.
Turnbull’s aim is to make Australia a cyber smart nation. This is a formidable undertaking requiring sustained investment in cyber architecture and intellectual capital, major cultural change and a genuine cyber partnership between government, business and the wider community that has yet to materialise.
His starting point is that the internet is the most transformational technological development in human history and therefore central to Australia’s future prosperity and security. It’s hard to argue with this proposition. Australia is already a wired economy. Nearly 90 per cent of Australians are online, including 84 per cent of small and medium businesses. The internet-based economy contributed $79 billion, or 5.1 per cent of GDP, in 2014 which could grow to $139bn, or 7.3 per cent of GDP, by 2020. By 2019, the average Australian household will have 24 devices connected online.
But it’s not just humans who are connecting to the internet. Machines are, too, in ever increasing numbers. Cars, fridges, power plants — just about every device we use has the capacity to communicate autonomously with other machines. By 2020, the government estimates there may be 50 billion devices connected to the internet globally. Cybersecurity pioneer John McAfee believes the figure is likely to be 212 billion. The Internet of Things is increasingly the Internet of Everything.
Australia has been slow off the mark to understand and capitalise on the enormous economic potential of this cyber revolution. We have too few cyber entrepreneurs; business still regards cyber security as a technological, rather than a strategic issue; and there is an educational and vocational mismatch between what the digital economy needs and what our schools and universities provide. We are a long way from being a cyber smart nation.
By contrast, a small country like Israel has embraced the cyber revolution, attracting 20 per cent of global private sector investment in the burgeoning cyber security industry and joining the US, Russia, China and Britain as an emerging cyber power. Israel is nurturing a new generation of cyber-literate young people in its universities and schools, right down to primary school level.
The good news is that the cyber security strategy puts Australia on a path to addressing our digital deficiencies by fostering a new network of cyber research and innovation.
At its hub will be a cyber security growth centre that will define and prioritise cyber challenges. Cyber security centres of excellence in universities will be established to help address the serious shortage of cyber security professionals. They will be linked to previous STEM initiatives designed to boost our dwindling stocks of scientists, technologists, engineers and mathematicians.
However, these commendable steps and the accompanying four-year commitment of $230 million are insufficient to realise Turnbull’s vision, which requires nothing less than a cradle-to-grave investment of a kind rarely seen in Australia, starting with primary school education. Cyber literacy has to become an intuitive and foundational skill for all Australians.
A second impediment to realising the full potential of the internet is malicious cyber attacks, which have grown exponentially in number and sophistication over the past decade.
An estimated one million Australians were victims of online identity fraud in 2014 and cyber crime may be costing the economy as much as $17bn annually. One in three Australian businesses have experienced some form of cyber crime.
Professional services firm Deloitte ranks Australia as one of the five most vulnerable economies to cyber attacks in the Asia Pacific region.
The loss of intellectual property and state secrets in electronic smash and grab burglaries is an even more serious issue, because they are the crown jewels that determine a country’s competitive position and capacity to defend itself. Malicious actors inhabit the cyber world’s dark side and include criminals, terrorists, spies and hostile states. They undermine trust in the reliability and security of the internet. So improving our cyber defences and sensitising Australians to the risk is central to the strategy’s success.
The core problem is finding the right balance between protecting users through better security and regulation, and maintaining an open and free system. In Turnbull’s words, “we must ensure that the administration of the internet continues to be governed by those who use it — not dominated by governments. Equally, cyberspace cannot be allowed to become a lawless domain”.
Unfortunately, there are daily reminders that the bad guys are winning. These headlines, taken from a representative selection of international news stories, give a sense of what a lawless internet could mean. “Two teenage hackers crack Brinks smart safe in less than 30 minutes’’; “Pirates hack into shipping company servers to identify booty’’; “Islamic State brainwashes youth online’’; “Electricity grid at risk, says spy boss’’.
Despite the increasing coverage of dark side stories, most Australians do not see cyber threats as first order security issues because of the reluctance of governments, and business, to openly discuss the challenge.
Governments worry about revealing sensitive intelligence methods. Companies fear a loss of reputation, or business to competitors in publicly revealing the loss of IP, personal data or money, from a successful hack.
Another reason, according to Alastair MacGibbon, Turnbull’s new special adviser on cyber security, is that “we seem to think that cyber attacks have no offline or kinetic effects”, unlike a highly visible and obviously destructive terrorist bomb, conventional war or natural disaster. Not being able to see the perpetrator, or vicariously share the anguish of victims, diminishes the emotional impact of a cyber attack.
Regrettably, cyber wars with real kinetic effects are already a reality since it is possible to destroy a power generator with only 21 lines of malicious code, as Russian hackers demonstrated in December, last year, with a devastating attack on Ukraine that left 230,000 Ukrainians in the dark and was the first confirmed hack to take down a power grid.
In championing the virtues of an open, free but secure internet network the national security strategy has struck the right balance between advancing and protecting our economic and security interests in the digital age. But the jury is still out on the ultimate measure of success — the creation of a dynamic digital economy supported by a resilient cyber network.
Alan Dupont is adjunct professor of international security at the University of NSW and a non-resident fellow at the Lowy Institute.