Tag Archive for: critical infrastructure

Enhancing cyber capabilities through AUKUS

The AUKUS pact is an important piece of regional architecture that has the potential to operate as a technology accelerator to strengthen security and stability in the Indo-Pacific. It seeks to do this by enhancing joint technical capabilities and interoperability among Australia, the UK and the US. ‘Advanced capabilities’ is a secondary focus of AUKUS after nuclear-powered submarines, but it is an equally important part of this new partnership to develop a technological edge.

Australia, the UK and the US are like-minded countries whose relationship is underpinned by a strong security partnership, shared values and a long history of trust. This gives AUKUS particular advantages to be able to achieve outcomes that might be more difficult for other and larger groupings, even strong intelligence-sharing alliances such as the Five Eyes. But for AUKUS to bring about greater collaboration and deeper interoperability, its three members will need to bring their similar (though not necessarily interoperable) people, processes and technology into alignment where it is appropriate and safe to do so.

‘Advanced cyber’—one of AUKUS’s technology priorities—is a focus area that presents short- and medium-term opportunities to build connections and lay the groundwork for some of the longer-term AUKUS technology objectives. This work can and should be carried out in parallel as the submarines component of AUKUS progresses. But what’s missing are practical proposals for harnessing these opportunities.

Having common cyber-related standards among the AUKUS members, for example, is a relatively low-cost, high-value way to contribute to AUKUS technology objectives and provide a pathway to greater interoperability and efficiency, especially if it builds on existing programs. One low-risk initiative that would enhance capability and interoperability and improve cyber resilience in the digital supply chain is aligning digital skills training. Another is harmonising cybersecurity accreditations. A medium-term opportunity that would benefit both the digital and physical supply chains would be defining a set of ‘AUKUS-assured capabilities’. Fourth, a long-term project could be to use the AUKUS partnership as a vehicle to foster technology relationships in the Indo-Pacific.

AUKUS is understandably defence focused—a narrow scope that will allow it to better carry out its objectives. But cyber, like many of the other critical technologies, isn’t confined to the military and intelligence domains. The expertise and support needed for both offensive cyber actions and the defence of digital assets and equities will require the involvement of industry, academia and citizens. Outcomes that benefit these entities will therefore also support and contribute to AUKUS’s technology objectives.

A digital skills uplift could leverage defence force training and private-sector expertise to improve not only the cyber skills of defence personnel but also the cyber resilience of the defence digital supply chain—the third parties that service and support the defence organisation, such as defence industry, defence suppliers and critical infrastructure providers.

The harmonisation of similar cybersecurity protection standards and assurance practices among AUKUS countries—such as between Australia’s IRAP (Infosec Registered Assessors Program) and the US’s FedRAMP (Federal Risk and Authorization Management Program) systems—would open up greater and more timely choices for the public sector. AUKUS suppliers would also benefit from the resulting cost and resource efficiencies and a deepening of markets.

Markets thrive on certainty. AUKUS should look to define a set of assured capabilities to bolster critical supply chains. These would be capabilities or components of mutual benefit that could be unilaterally or jointly developed by AUKUS partners, but with assured availability to all AUKUS countries. Because the development of such capabilities would likely involve the private sector, clarity about which cyber capabilities (products, services, components, and so on) are critical and of national significance will help provide guidance on the direction of private investment in research, development and commercialisation efforts, as well as viable international collaboration partners.

Finally, a collective of countries beyond the AUKUS partners will be needed to meet the modern technology and security challenges in the Indo-Pacific now and in the future. While it might not be an immediate priority, down the track AUKUS could be used as a vehicle to foster some of these relationships. One way in which AUKUS could gain legitimacy and credibility among Southeast Asian nations over the coming years would be to provide both digital and non-digital public goods that help improve regional prosperity and security. Such efforts could include technology knowledge diffusion, ensuring the benefits of technology reach across entire economies.

The AUKUS countries have much they can learn from and share with the region in cyber and critical technologies, from e-safety and digital inclusion to next-generation mobile wireless and artificial intelligence. Cultivation of these relationships will, however, often require an individualised approach, including different investments in different countries.

The region’s nations are a diverse group, with different priorities and views on cyber norms, standards and regulations. But as a group, AUKUS members will be better positioned to support the region as it seeks to make a post-Covid-19 technology step-up.

Securing northern Australia’s critical infrastructure against cyberattacks

The strategic importance of northern Australia within the broader defence and national security framework has been well articulated and widely acknowledged. Related to this is the significant role critical national infrastructure plays in supporting defence capabilities. However, digital communication technologies have changed the threat landscape in which critical national infrastructure providers operate and, in turn, placed Australia’s national security at risk.

Critical national infrastructure encompasses any capability, network or facility that, if compromised, would threaten Australia’s security. The development of critical national infrastructure across Australia’s north offers the federal government an opportunity to proactively work with private-sector providers of critical national infrastructure on cybersecurity. Such efforts are necessary in ensuring supply-chain relationships and vulnerabilities are well identified, understood and addressed.

The government’s 2020 defence strategic update made clear that Australia’s defence organisation needs to be prepared for conflict in the increasingly contested Indo-Pacific and cannot rely on the luxury of a 10-year warning period. The development of defence capabilities and critical national infrastructure in the north reflects this thinking. Earlier this year, the government announced an additional $2 billion in funding for the Northern Australia Infrastructure Facility, on top of the $5 billion already committed. The increased support is aimed at bolstering the government’s targeted growth plan for the north, which recognises that investment in critical national infrastructure is necessary in the protection of Australia’s national security.

The investment reflects the findings of the government’s 2015 audit of infrastructure in northern Australia, which identified substantial gaps in infrastructure to support sustained regional growth, provide adequate service standards and achieve cost-effective practices—all of which weaken Australia’s overall northern defence posture.

The supply-chain implications of a cyberattack on a critical infrastructure provider are acknowledged in the amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) enacted in December 2021 and March 2022. The first tranche of amendments identifies 11 critical infrastructure sectors that, if subject to a cybersecurity incident, could threaten national security due to relationships with other capabilities critical to national defence.

Northern Australia is home to only 5.6% of Australia’s population, but it is a significant contributor to major critical national infrastructure industries. Around 70% of the nation’s known resources of iron ore, zinc and lead are located in the region, as well as 64% of the nation’s beef cattle herd and approximately 94% of both banana and mango crops. Infrastructure in northern Australia is therefore vital to the nation’s overall economic performance and food security, as well as key in supporting the immediate needs of local communities and defence facilities in the region.

Last year’s cyberattack on meat-processing company JBS Foods demonstrated the supply-chain consequences of a cyberattack on an Australian-based critical national infrastructure provider. The five-day attack disrupted food supply operations across all JBS Foods’ global locations, including Australia, despite the attack occurring offshore. If a similar attack were to occur on northern critical national infrastructure, such as gas providers or water- and sewage-processing plants, the flow-on effects for defence bases reliant on their services could create significant disruption.

While cybersecurity is clearly a necessary protection for northern critical infrastructure providers, challenges exist in its implementation. The amendments to the SOCI Act represent an important attempt to define industries relevant to national security and implement cyber reporting standards. However, private-sector industry providers have expressed concerns about the level of interference the government can exercise. Under the amendments, the government has the power to install its own security software and ‘access, add, restore, copy, alter or delete data’ at its discretion.

Aside from privacy concerns, the SOCI amendments reflect an attempt at a one-size-fits-all approach to cybersecurity for critical national infrastructure. This aspect arguably helps to manage the hard reality that critical infrastructure providers, particularly in northern Australia, face significant skills shortages and a lack of experienced specialists to handle sophisticated cyberattacks.

However, the legislation fundamentally fails to recognise the cyber complexities and nuanced characteristics of different industries, as well as the diversity of cyberattacks they might experience. This remains true despite the announcement of the Security Legislation Amendment (Critical Infrastructure Protection) Bill in April. The proposed legislation builds on the SOCI Act by implementing a risk management program and imposing new cybersecurity obligations for ‘systems of national significance’ in recognition of their critical importance to national security and the unique cyber threats they face.

While these proposed changes are a promising step towards the implementation of cyber threat intelligence and preparedness against known risks to critical infrastructure providers, their effectiveness is unproven. It’s highly likely that further policy action will be required, and opportunities for policy tailored to the unique role of northern Australia’s critical national infrastructure should be sought.

Critical infrastructure providers such as water- and sewage-processing plants, gas supply facilities and electricity providers typically use supervisory control and data acquisition, or SCADA, systems, which were not originally designed to be connected to the internet. However, as technology has evolved, these systems have been integrated with advanced communication technology that enables remote operation and monitoring; essentially, they are no longer closed-circuit systems and are vulnerable to a wide range of cyberattacks.

Patching vulnerabilities in these systems is difficult and is avoided where possible, because of the difficulties associated with switching to back-up systems and the risk of disrupting their activities.

The uniqueness of each critical infrastructure provider in both its internal functioning and its relationship with the broader defence system is therefore a considerable challenge when implementing a national cybersecurity strategy. In this light, there are benefits in encouraging the adoption of a ‘security convergent’ approach within each provider. Security convergence is an approach that holistically considers all security domains and creates greater internal awareness about how vulnerabilities are related. Logical integration of security functions, processes and objectives across traditionally separate domains will better protect critical infrastructure supply-chain relationships, thus strengthening Australia’s national security.

With these challenges in mind, the government should seek to incorporate convergent and cybersecurity development, training and practices into its northern infrastructure investment activities. The opportunity to ensure the security standards necessary to protect northern Australia’s critical national infrastructure should not be overlooked, particularly as the increased development efforts create a similar opportunity to understand and review unique relationships between critical infrastructure and Australia’s defence capabilities.

Cyberattacks are likely sources of aggression that could have major physical consequences if not properly accounted for in the development of critical infrastructure in northern Australia. Patchwork security arrangements are not adequate in supporting national defence; however, neither is the carte blanche cybersecurity response in the new legislation. Instead, a hybrid and convergent approach that considers the security network at large is required and deserves further discussion.

Remote Australians need the effective communications big cities take for granted

When Northern Territory supply chains that were already stressed by Covid-19-related delays were hit by massive flooding in January, it’s not surprising they buckled and broke.

For nearly a month after acute flooding damaged railways and closed a 250-kilometre section of the Stuart Highway, remote parts of the territory experienced disruption, isolation and deprivation. The simultaneous failure of highways and railways caused food shortages, left residents stranded and delayed mail for three weeks.

The vital railway has reopened, but only after the remote community of Wadeye endured digital isolation when mobile services were disabled for almost a week. On any given day, mobile coverage in most of the NT is sparse; see the visual representations offered by coverage maps from the territory’s mobile communications providers, Telstra, Amaysim, Vodafone and Optus.

Mobile blackouts brought immediate consequences—residents couldn’t contact family and friends, businesses couldn’t operate and people couldn’t call emergency services if they required assistance. But other problems became increasingly acute as the crisis persisted. As an example, residents were unable to use QR code check-in apps at venues for Covid-19 contact tracing.

Critically, the outage of EFTPOS and ATM connections had a serious impact on individuals as well as businesses. Users of the Basics Card, a form of income management administered by the federal government, are unable to withdraw up to 70% of their funds as cash and can only purchase via EFTPOS from a limited number of approved retailers. Nearly 25,000 people in the territory use the Basics Card, out of a population of 246,000, representing 93% of all users of the card Australia-wide. In Wadeye—as in Maningrida, which experienced a four-day outage in December—nearly 10% of community members were unable to purchase food, fuel and other essentials.

The ethical considerations of involuntary income management aside, the failure of digital infrastructure to enable territorians to access essential supplies and emergency services, exacerbated by the simultaneous failure of physical infrastructure to allow proper distribution of goods, highlights yet again the importance of connectivity in Australia’s north.

Perversely, the timing of the clouds that brought disaster to the territory may provide a silver lining. The federal parliament is reviewing a bill that would impose an obligation on operators of critical infrastructure to adopt and maintain a risk management program. The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 differentiates between ‘critical infrastructure assets’ and ‘systems of national significance’.

Systems of national significance are a small subset of critical infrastructure assets that are deemed to be particularly vulnerable due to their cross-sectoral interdependencies and the cascading consequences of disruption. Although the operators of systems of national significance would bear additional obligations, the relevant minister would have the power to ‘personally and privately’ determine a critical infrastructure asset to be a system of national significance—such that that status would not be made public.

In Wadeye, Telstra said the EFTPOS and ATM outage was caused by a transmission issue that was unrelated to the loss of mains power that occurred at the end of January. The community then waited four days for a technician to arrive, and a faulty specialised part led to further delays.

Presumably Telstra, as Australia’s largest telecommunications company by market share, would be designated a provider of a system of national significance. The legislation seems clearly aimed at protecting critical infrastructure against cyberattacks by malicious actors, but perhaps it ought to pose a broader question about the functionality of our critical infrastructure.

If the federal government is inclined to impose income management on remote communities in the NT, it follows that it has a responsibility to ensure the functionality of the necessary systems, at least at a level that doesn’t prevent Australians from accessing food and emergency services. It seems that there’s a disconnect between Canberra, which is abuzz with the risk of intentional and malicious large-scale cyberattacks, and regional and remote towns, which are decidedly not abuzz with anything, due to mundane outages and lacklustre responses.

Malicious and deliberate cyber emergencies are clearly an enormous threat to our way of life and national security, and that risk must be managed. But benign, accidental disruptions of digital and physical critical infrastructure, while not as dramatic and exciting, are endangering lives in rural and remote Australia, especially in the NT.

Decisive action is needed to protect all essential systems from all kinds of threats. The difficulties brought by the physical distance of population centres from Australia’s southeast to the north can be minimised by effective and functional critical infrastructure, but only if it works. If we want a united, equitable Australia, the residents of Wadeye need to be able to participate as fully in the economy and the nation as anyone else, and the resilience of critical infrastructure needs to be protected as much and as fiercely as that for defence and national security.

Securing data to protect Australia’s critical infrastructure

In the recent JBS cyberattack, an American subsidiary of a Brazilian meat processor was hacked from Russia, causing operations in Australia, Canada and the United States to shut down. This crime provides a timely reminder that Australia’s critical infrastructure is only as strong as the weakest link in its international digital supply chains.

The government is proposing a complete overhaul of the way owners and operators of Australia’s critical infrastructure ensure the resilience of the physical facilities, supply chains and ICT they rely on, and on which our society and economy depend.

The proposed legislation before parliament will extend the regime under the Security of Critical Infrastructure Act 2018 beyond its outdated narrow focus on utilities to include other critical sectors of the economy, such as communications, transport, banking, healthcare and groceries. Industry-specific rules and standards will follow to improve security and resilience across these sectors. For the most vital infrastructure systems, the legislation will give the government a ‘last resort’ power to intervene in their operations in order to defend against a serious cyberattack.

These reforms are a necessary response to the risks that now confront society given the interconnections and interdependencies between the physical and the digital. Data is the nexus between these worlds, from personal information and metadata about consumers, to internal corporate emails, information about research and development, and the supervisory control systems used to operate industrial infrastructure.

Indeed, data is effectively the economy’s critical infrastructure. The proposed legislation recognises this new reality by including data storage and data processing in the expanded list of critical sectors.

However, the bill only partly protects the data controlled by these sectors and treats it inconsistently, erroneously focusing on its physical nature. This has the potential to create a dangerous gap in which we lose control of our data.

In practice, a critical infrastructure provider will either manage and secure its own critical business data or outsource some or all of those responsibilities to a third-party data processor, cloud service provider or data centre operator. That third party may store and maintain the data in physical facilities in Australia or overseas. A combination of these arrangements may be used for the primary and backup data stores to provide additional redundancy in case of disaster.

Data faces similar risks under each scenario, so it’s reasonable that equivalent security expectations and standards apply whether it’s stored onsite, outsourced to a third party, or moved offshore. Unfortunately, the proposed legislation doesn’t consider this and creates very different expectations around data security depending on how and where it’s stored.

Under the bill as currently drafted, an Australia-based third party becomes a critical infrastructure provider if it knowingly stores government data or the critical business data of another provider. It’s a case of ‘tag, you’re it’. A critical infrastructure provider’s data is so crucial to national security that the mere fact that it’s stored with an Australian-based service provider makes that third party a provider too.

That provider (rightly) will be subject to stringent legal requirements concerning cybersecurity, the security of its physical facilities, the resilience of its supply chain, and the trustworthiness of its employees and contractors.

A critical infrastructure provider that manages and secures its own data on-premises will be subject to a positive security obligation to manage and mitigate risks to its critical data assets, but not necessarily to the same standard that applies to data held by third-party service providers. Hence, the Australian Cyber Security Centre advises organisations to consider the security risks of not shifting data to the cloud.

In stark contrast, a third party that stores and maintains a critical infrastructure provider’s critical business data overseas will not be expected to do anything to secure that data. This is because the new regime won’t apply to Australian data stored overseas.

Australia should not be so timid. Under the US CLOUD Act, the US government extends its jurisdiction over all data in the possession or control of American cloud providers wherever in the world it’s stored. And the European Union’s General Data Protection Regulation applies to data processing undertaken outside the EU if it relates to the supply of products to Europeans.

Besides the obvious security gap, Australia’s proposed legislation creates a perverse incentive for critical infrastructure providers—and their suppliers—to shift critical business data stores offshore to avoid security regulation under the regime and the associated costs. This is at odds with the emphasis placed on data security when physical critical infrastructure assets are sold to foreign investors.

Whereas the draft legislation doesn’t safeguard Australian data stored overseas or require its repatriation, the Foreign Investment Review Board will often make its approval of investments in critical infrastructure conditional on the data being kept in Australia in certified secure facilities. There should be no inconsistency here. After all, it’s the same data, just different custodians.

The proposed reforms are necessary and overdue. But given the increasing importance of data from a national security perspective, a critical infrastructure provider’s data should be treated as a critical asset regardless of whether it’s managed in-house, hosted by a third party or located offshore. It should be subject to equivalent security expectations and standards.

Ensuring this data is always stored and secured in Australia will not in itself prevent it from being targeted or compromised. But if Australia’s laws and authorities are to help secure and defend Australia’s critical data, it must first be brought within the new security regulatory regime.

To do otherwise is to surrender our sovereignty over data when it has never mattered more.

Huawei highlights China’s expansion dilemma: espionage or profit?

The Australian government will soon announce its decision on whether to allow Huawei to participate in Australia’s 5G network. It’s one of the most important policy decisions the prime minister will make this year. And it’s complicated. 5G is the next generation of cellular technology. It will be faster and more responsive, and will provide us with better coverage. It will underpin our future economy and will supposedly be up to 1,000 times faster than current 4G networks.

So, it’s critical national infrastructure. Of course, a number of Australian and international companies want a piece of it—including state-owned and state-supported companies from China that loom large in the global telecommunications field. Huawei—now the largest telecommunications equipment manufacturer in the world—is the most dominant of these.

If all things were created equal, Huawei would be a competitive participant in Australia’s 5G network. But all things aren’t equal, particularly when it comes to critical infrastructure. From the Australian point of view, there are geopolitical and security issues to consider. Much of the public debate has zeroed in on cybersecurity, the potential for backdoors and the need to check Huawei’s equipment and software. Those are serious concerns, but there’s an issue far bigger than Huawei itself.

Ironically, China’s own laws make Huawei unsuitable to participate in Australia’s 5G network. As first detailed in The Strategist by ICPC fellow Elsa Kania, Article 7 of China’s 2017 National Intelligence Law (国家情报法) declares:

All organizations and citizens shall, in accordance with the law, support, cooperate with, and collaborate in national intelligence work, and guard the secrecy of national intelligence work they are aware of. The state will protect individuals and organizations that support, cooperate with, and collaborate in national intelligence work.

A company might have the best of intentions—work hard, foster a good reputation, make a profit—but this law undercuts those intentions by making it clear that Chinese organisations are expected to support, cooperate with and collaborate in national intelligence work. They must also keep the intelligence work they’re aware of a secret. In return, the Chinese state will protect them.

How can Australian policymakers working on 5G sidestep this declaration? The law obviously could be used to Australia’s detriment.

The law makes things surprisingly easy for the Australian government. It provides the prime minister with uncompromising evidence that Huawei—and any other Chinese company for that matter—isn’t a suitable participant in the 5G network and other public infrastructure.

Of course, the timing of the announcement will be tricky. The bilateral relationship isn’t in a great place, and the government’s announcement will be another major pothole. It will, of course, kick off a new series of Global Times articles and tweets criticising and threatening the government and Australian businesses (thankfully, though, there are creative options to help break this Australia–China media feedback loop).

There may be moves to double down on the Chinese Communist Party’s famed ‘boycott diplomacy’ that seeks to coerce policy change in foreign governments by punishing private industry. Or we could see a consumer-led netizen boycott spread online—the examples of which are endless—targeting Australian products or companies. Governments and global industry should be prepared to be on the receiving end of such boycotts. They’re common, and just another input that needs to be considered as part of any company’s risk matrix for operating in China. We’ve seen versions of such boycotts targeting products in Australia (wine), Norway (salmon), Japan (cars, electronics, retail), the United States (fast food chains), France (supermarkets), South Korea (supermarkets, cars, entertainment, tourism) and Taiwan (tourism, students).

But the decision—particularly if the announcement references this law—will be hard for the Chinese government and its state-owned media to credibly refute. After all, the government has only itself to blame. By introducing expansive and aggressively ambitious intelligence laws, it has locked in a potentially powerful intelligence-collection system. More organisations and individuals collecting material on behalf of the state means a more diverse collection and more intelligence feeds flowing into government. That’s great news for the state, particularly China’s intelligence analysts and national security policymakers.

But it’s a double-edged sword for China. Requiring individuals and organisations to support, cooperate with and collaborate in intelligence activities, of course, comes at a cost. And that cost will be the international expansion plans of Chinese companies—state-owned and private—which have been well and truly boxed into a corner with this law. The CCP has made it virtually impossible for Chinese companies to expand without attracting understandable and legitimate suspicion. The suspicion will be deeper in countries that invest in countering foreign interference and intelligence activities. Most developed countries, including Australia, fall into that category.

This fascinating tension—between commerce and intelligence collection—will only intensify and will eventually force some tough decisions. What’s more important to the CCP? Using Chinese companies operating overseas to collect intelligence or supporting the international success of those companies?

A little from column A and a lot from column B is probably the ideal mix for any government. But betting big and hoping for roaring global success on both fronts is a crucial mistake. The two just don’t go hand in hand. There will be a loser. And this year, at least in Australia, it will be Huawei.

Asleep at the wheel: Australia’s fuel vulnerability all our own making!

The inadequacy of Australia’s liquid fuel reserves is like a bothersome itch that won’t go away.

Recent reporting of serious concerns about Australia’s liquid fuel vulnerabilities by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) and the International Energy Agency (IEA) isn’t the first time that this issue has been identified as a fundamental security issue for the nation.

Since 2012 organisations as varied as the NRMA, Engineers Australia and ASPI have been alerting the public to the unsustainable nature of our fuel policy and our ever-increasing reliance on maritime supply chains to deliver imported supplies.

Media attention to this issue has been sporadic. Generally there’s a story or two, then a seeming loss of interest and return to business as usual. Perhaps there’s an assumption that because nothing has gone wrong previously, nothing ever will. A sense of complacency based on historically reliable supply has deadened public interest.

It shouldn’t. The IEA mandates that all countries should hold 90 days’ fuel in reserve as a minimum. We’ve been non-compliant since 2012. Australia has less than half of that minimum, has no strategic oil stocks and doesn’t place any stockholding obligation on industry. But on 31 May 2016, we tabled a compliance plan to the IEA’s Governing Board.

The plan outlined both immediate actions and a forward work program leading to full compliance by 2026. It should be noted that the government has allocated $23.8 million to the first phase of the program.

If a week is a long time in politics, then eight years is multigenerational in terms of current geopolitics and international trade uncertainty. This is especially so given the trade brinkmanship displayed by China and the US in recent days.

President Donald Trump has tweeted that ‘trade wars are good, and easy to win’. If oil supplies are affected in a trade conflict, then the United States may be in a good position. It has expanded its shale oil industry extensively in recent years and maintains stockholdings greater than IEA requirements. China is also insulated by its substantial home-grown oil refining capability and significant stockholdings.

An unescapable fact is that we’re an island nation heavily reliant on refined fuel imports from Southeast and North Asian suppliers. Much of that supply comes to us via shipping that moves through or near the increasingly contested South China Sea.

The suspected deployment by China of communications jamming equipment onto Fiery Cross Reef in the Spratly Islands should prompt a re-examination of assumptions that maritime supply chain continuity isn’t an issue in the near term.

During a 2015 Senate hearing on Australia’s transport energy resilience and sustainability, industry representatives offered this view:

There is no evidence that the substantial cost of an emergency stockpile is justified on energy security grounds, given industry’s efficient and reliable performance to date with no widespread or prolonged fuel shortages being experienced in Australia for decades. Even during international crude oil and petroleum product supply disruptions, such as in the aftermath of Hurricane Katrina in 2005, Australian fuel supplies have not been disrupted.

That view appears too self-congratulatory. Australia sourced some imported fuel at the time of Hurricane Katrina from Middle Eastern fuel markets. The limited impacts in 2005 may have been due to that region’s scalable production capacities, which may not always be available.

We can’t be complacent. Australia’s National Energy Security Assessment (NESA) considers risk and vulnerability factors relevant to the industry. The last was completed in 2011. After seven years of great economic and geopolitical change, the next NESA is expected this year. It may very well note that we seem to want the accolades of energy wealth without paying attention to the downside vulnerability.

The PJCIS suggested that Australia’s existing fuel production assets be included within the coverage provided in a proposed critical infrastructure bill to ensure protection from foreign coercion or even sabotage. The PJCIS also advised that steps are needed to ensure access to continuous supplies of fuel to meet national security needs.

Those suggestions have merit. Other economies have a wider selection of infrastructure components and services listed as critical. For example, for more than 20 years the US has had ‘national’ continuity planning requirements to recover capacity after major disturbances.

We need to get serious about our assumptions of the ongoing availability of imported liquid fuel and our in-country reserves of oil and fuel stocks. One or two problems in the maritime trade that flows through the South China Sea could have dire implications for business as usual and our national security. A surprise-free existence isn’t compulsory.

Digital in danger

The world’s digital heritage is in danger, with serious gaps in its protection, particularly during times of war or conflict.

The concept of destroying cultural assets isn’t new. Throughout history, warfare has damaged and destroyed assets vital to a nation’s cultural heritage and to its national identity. What’s new is that these artefacts are now digital, and becoming more so.

The physical destruction of archives, monuments, artwork and other cultural assets can be a by-product or a specific tactic of war. And while immediate physical damage is often very clear, the damage done to a nation’s identity—its history and cultural memory—can be irreparable.

While these attacks are easily seen, attacks on digital cultural heritage—the stories, the websites, the histories, the digital evidence of a nation—are less obvious, and the objects arguably more vulnerable. And they may occur not only during a time of obvious physical conflict, but also during nation-state against nation-state conflict in cyberspace.

In Syria, ISIS was successful in not only causing incomprehensible destruction and devastation to entire cities and their citizens, but also in severely damaging or destroying key historical sites such as the World Heritage–listed site Palmyra, as well as the shrine commemorating the 1915 Armenian genocide.

Similarly, the city of Mosul in Iraq has been completely devastated. Many of its libraries, museums, mosques and churches were deliberately attacked by ISIS, both to steal and traffic cultural assets and as a means of cultural terrorism. A report by RASHID to the UN special rapporteur on cultural rights recounts the intentional and systematic nature of ISIS attacks on cultural heritage and the consequences for national identity and human rights.

While there are a number of conventions and charters aimed at protecting cultural heritage, there’s little in the way of similar protection for digital heritage.

UNESCO is the main international body that aims to protect cultural heritage threatened by armed conflict. Three UN conventions mandate the protection of cultural heritage in a variety of forms—tangible, intangible and natural.

The 2016 Abu Dhabi Declaration on heritage at risk in armed conflict was adopted at the end of the International Conference for Safeguarding Cultural Heritage in Conflict Areas. It calls for two measures to safeguard cultural heritage: an international fund to protect endangered sites and a network of safe havens where artefacts could be stored temporarily if a state can’t protect them during a conflict.

The International Committee of the Blue Shield, the cultural equivalent of the Red Cross, also protects and rescues cultural heritage in armed conflict, emergencies and natural disasters. And the International Council on Monuments and Sites is a global non-governmental organisation that researches and advocates for the conservation of architectural and archaeological heritage, as well as being an advisory body to the World Heritage Committee on the implementation of the UNESCO World Heritage Convention.

These international frameworks and organisations place immense value on cultural heritage. We need to ask the question, where are similar conventions and organisations for digital heritage? And are there measures in place that actively seek to protect digital heritage?

Government websites and classified government data are already the target of cyberattacks, often for the purpose of espionage. The motivations can be politically, socially, religiously or economically fuelled and there’s no shortage of examples, most recently the attacks on the German government. The Council on Foreign Relations documents such cyberattacks, showing that digital assets are vulnerable and can be subject to manipulation and exploitation. Digital cultural assets haven’t escaped the hit list. In 2014 Sony was hacked and confidential documents and data from its internal network were distributed online.

The 2003 UNESCO Charter on the Preservation of Digital Heritage is one international framework covering the threat of losing digital heritage—not from attack, but from technological malfunctions and obsolescence.

UNESCO’s Memory of the World program aims to protect the world’s documentary heritage, preserving and providing access to manuscripts, political constitutions, maps, photographs and religious texts. It acknowledged the emergence of digital heritage and incorporated a digital component in 2016. Its Persist program, which promotes the sustainability of digital information for future generations, calls upon governments, memory institutions and the ICT industry to develop best practice on the preservation of digital heritage.

Additionally, the Vancouver Declaration, created during the Memory of the World in the Digital Age: Digitization and Preservation conference in 2012, focuses on the accessibility, preservation, authenticity, reliability and accuracy of digital materials.

There’s a clear drive to preserve digital information for the future, but the overlap with protection doesn’t seem to be enshrined in international frameworks.

Within the private sector there have been attempts to push for global cyber conventions. Most notable is Microsoft’s call for a Digital Geneva Convention. And the recent Charter of Trust released by nine global companies outlines three key principles for a secure digital world: protecting the data and assets of individuals and businesses; preventing damage to people, business and infrastructure; and increasing trust in a connected and digital world.

In the international community, the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security has produced reports outlining the importance of improving dialogue and collaboration on cybersecurity issues. Despite the fact that international law applies to cyberspace, only 20 of the 193 UN member states are members of the experts group.

One of the few frameworks that addresses cyber warfare is outlined in the Tallinn manual 2.0 on the international law applicable to cyber operations. The manual argues that international laws governing armed conflict, human rights law, peace and security—including protection of cultural assets—can be applied to the cyber domain. That provides legitimate grounds for a state to respond to cyberattacks and to violations of international law in cyberspace.

A cyberattack is a legitimate form of warfare. Digital archival cultural and political records are legitimate sources of national identity. Without protection, these records could be lost forever. So, any state attack, cyber or physical, that destroys or severely compromises assets central to our national digital heritage and identity could be considered an act of war.

Critical infrastructure protection: is everyone ready?

Some watershed changes have been announced across our national security domain this year. A home affairs department is being established to act as a ‘portfolio agency’ for ASIO, the AFP, the Australian Border Force, the Australian Criminal Intelligence Commission, AUSTRAC and the Office of Transport Security. We’re also getting a new Office of National Intelligence (maybe better badged as the Office of Surprise Management), headed by a director-general who will be the prime minister’s principal adviser on matters relating to the national intelligence community.

But one national security development has largely flown under the radar. In January, a Critical Infrastructure Centre was set up in the Attorney-General’s Department to assess the risk of sabotage, espionage and coercion on telecommunications, electricity, water and maritime ports arising from foreign involvement in those sectors.

While media attention has been elsewhere, there’s been a flurry of legislation—newly enacted, drafts released for comment, and new pieces to be put before parliament—all with relevance to the new centre.

One of those is a recently released draft bill on the security of critical infrastructure. It aims to strengthen the government’s capacity to manage the national security issues that arise from foreign ownership of key categories of infrastructure, while minimising the regulatory impact and maintaining an open investment policy.

The bill provides for two central measures. The first is the development of a register of critical infrastructure assets covering maritime ports, electricity and water in the states and territories. Owners and operators will be required to provide information about the groups and individuals that have a direct interest (legal, equitable, lease or licensing) in an asset, including the level of control they have over the asset.

The second measure provides for a federal minister to issue a ‘last resort’ directive to the owner or operator of a critical asset if security vulnerabilities are detected and aren’t corrected or if there are no existing regulatory frameworks that can be used to enforce risk mitigation. Unaddressed vulnerabilities such as gaps in the quality of institutional security policies (including data and physical security); the effectiveness of security audit regimes; and the adequacy of emergency management plans, regulatory regimes and control systems may be the sorts of conditions that would trigger a ‘last resort’ directive.

In addition, last month the government passed legislation that will oblige telecommunications service providers and intermediaries to protect the networks and facilities they own, operate or use from unauthorised interference or access. The aim is to ensure the availability and integrity of facilities and their control networks, and so protect the confidentiality of information stored in or carried on them.

Allied with the protective focus of these legislative steps are a series of sanctions soon to be introduced into parliament targeting the ‘so-called “sub-espionage” level of foreign interference such as individuals covertly lobbying, infiltrating or donating to political parties on behalf of foreign governments’.

While the logic of this trifecta of legislation seems sound, implementation may not be straightforward. At least one state has noted that ‘significant details in the design and implementation of the proposed reforms are still being developed’ and that ‘the best result will be achieved through ongoing and structured consultation with the states and territories’. This view suggests that federal intent is moving faster than state readiness currently allows.

But are there instances where a ‘last resort’ federal intervention is warranted? A recent Queensland Audit Office assessment of the adequacy of cybersecurity controls in potable water and wastewater services suggests that there are. The Audit Office concluded that while infrastructure operators were able to self-assess their capability to respond to information security incidents, they weren’t well prepared to effectively respond to, or recover from, intentional cyberattacks.

Those findings raise concerns about a repeat of an incident more than a decade ago when an intentional cyber disruption of a waste treatment plant’s control systems in the Maroochy Shire in southern Queensland resulted in a significant release of raw sewage into the community.

However, coercive federal intervention with state-based water-related utilities might not be a simple step because most local government water assets are incorporated as regional statutory bodies with local councils as shareholders. Thus, governance across three levels of government may add complexity if federal intervention into local-government-controlled assets is questioned.

The federal government has begun a very busy legislative phase and the policy agenda aligned to the work of the Critical Infrastructure Centre is progressing quickly. The many moving parts in Australia’s national security community create the potential for uncertainty in the application and interpretation of the suite of new and proposed legislation.

It’s also unclear whether the Critical Infrastructure Centre, as a new entity, has the expertise and capacity to both inform foreign investment review decisions and protect infrastructure from intentional disruption. Those are two very different tasks. The Critical Infrastructure Centre can’t be expected to cover all bases.

The Kremlin and the US election

In early November, US President Barack Obama reportedly contacted Russian President Vladimir Putin personally to warn against cyber attacks aimed at the American presidential election. The previous month, the Director of National Intelligence, James Clapper, and Jeh Johnson, the Secretary of Homeland Security, publicly accused Russia’s most senior officials of using cyber attacks to ‘interfere with the US election process.’

In the aftermath of the November 8 election, no firm evidence has emerged that hacking interfered with voting machines or other electoral machinery. But in an election that turned on 100,000 votes in three key states, some observers argue that Russian cyber interference in the political process may have had a significant impact.

Can such Russian behavior be deterred in the future? Deterrence always depends on who and what one is trying to deter.

Ironically, deterring states from using force may be easier than deterring them from actions that do not rise to that level. The threat of a surprise attack such as a “cyber Pearl Harbor” has probably been exaggerated. Critical infrastructures such as electricity or communications are vulnerable, but major state actors are likely to be constrained by interdependence. And the United States has made clear that deterrence is not limited to cyber retaliation (though that is possible), but can target other sectors with any tools it chooses, ranging from naming and shaming and economic sanctions to nuclear weapons.

The US and others, including Russia, have agreed that the laws of armed conflict apply in cyberspace. Whether a cyber operation is treated as an armed attack depends on its consequences, rather than on the instruments used. It would have to result in destruction of property or injury or death to individuals.

But what about deterring operations that are not equivalent to an armed attack? There are gray areas in which important targets (say, a free political process) are not strategically vital in the same way as the electrical grid or the financial system. Destroying the latter could damage lives and property; interference with the former threatens deeply held political values.

In 2015, a United Nations Group of Governmental Experts (including the US, Russia, China, and most states with significant cyber capabilities) agreed to a norm of not targeting civilian facilities in peacetime. This agreement was endorsed by the G20 countries at their summit in Turkey in November 2015. When an anonymous cyber attack interfered with the Ukrainian electric grid the following month, some analysts suspected the Russian government of using cyber weapons in its continuing hybrid warfare against Ukraine. If true, it would mean that Russia had violated the agreement it had just signed.

But how should one interpret Russian behavior in regard to the American election? According to US officials, Russian intelligence agencies hacked into the email accounts of important Democratic Party officials and provided the materials to WikiLeaks to dribble out over the course of the campaign, thereby ensuring a continuous stream of news stories that were unfavorable to Hillary Clinton.

This alleged Russian disruption of the Democratic presidential campaign fell into a gray area that could be interpreted as a propaganda response to Clinton’s 2010 proclamation of a ‘freedom agenda’ for the Internet or retaliation for what Russian officials saw as her critical comments about Putin’s election in 2012. Whatever the motive, it looked like an effort to skew the US political process—precisely the type of nonlethal political threat that one would want to deter in the future.

The Obama administration had previously made efforts to rank the seriousness of cyber attacks, but without sorting out the ambiguities of these gray areas. In 2016, Obama faced difficult choices in estimating the escalatory potential of responding with cyber measures or with a cross-sector response such as sanctions. The administration did not want to take steps that might themselves disrupt the election. So, eight days before the vote, the US sent Russia a warning about election meddling over a hotline—created three years earlier to deal with major cyber incidents—that connects the Nuclear Risk Reduction Centers in both countries.

Because Russian hacking activity seemed to slow or halt, the Obama administration cited the warning as a successful exercise in deterrence. But some critics say the Russians had already achieved their main goals.

Three weeks after the election, the administration said that it remained confident in the overall integrity of America’s electoral infrastructure, and that the election was free and fair from a cyber-security perspective. But intelligence officials continued to investigate the impact of a broader Russian information-warfare campaign, in which fake stories about Clinton appeared intended to influence voters. Many of the false reports originated from RT News and Sputnik, two state-funded Russian outlets. Should this be treated as traditional propaganda or something new?

A number of critics believe that the level of official Russian state involvement in the 2016 US election process crossed a line and should not be dismissed as a form of tolerable gray-area behavior. These critics have urged the Obama administration to go further in naming and shaming, by providing a fuller public description of what US intelligence knows about Russia’s behavior, and by imposing financial and travel sanctions against high-level Russian officials who are identified. Other US officials, however, are reluctant to jeopardise the intelligence means used for attribution, and are wary of escalation.

Russia’s involvement in the 2016 US election was a watershed. With important elections coming in a number of Western democracies, analysts will be watching closely to see what lessons the Kremlin draws from it.