Industry-Based Advisement Panel Urges Australian Government to Take More Action on Cyber Attacks

By Jarren Buendia on August 14, 2020

Executive Summary:

As a follow-up to a previous summary regarding recent cyber attacks against Australia, an industry panel advising the country urges more action from the Australian government. Among the 60 recommendations included in the panel’s report, more transparency, better communication, and attribution where possible, were referenced. While it is ultimately up to Australia’s government to implement any recommendations, these are being put forth by an advisory panel, and not just the general public. Thusly, if the Australian government implements any recommendations put forth by the panel, this situation is an example of how response to cyber incidents include developments in policies relating to the global cyberspace environment.

Open Source Intelligence (OSINT) Details:

As a recap, Australian prime minister, Scott Morrison, spoke about the recent cyber attacks at a conference in Canberra (Hurst, 2020). He stated that, “malicious cyber-activity was ‘increasing in frequency, scale, in sophistication and its impact,” but did not attribute an attacker (Hurst, 2020). Morrison did state, however, that the attacker was “state-based” and had “very significant capabilities” (Hurst, 2020). Targets ranged from every level of government, to education and health organizations, and more (Hurst, 2020).

According to the Guardian, the 2020 Cyber Security Strategy Industry Advisory Panel is meant to, “provide strategic advice and guidance on the development of the 2020 Strategy,” and consists of six members. Members include:

  • Andrew Penn (Chair) – Chief Executive Officer and Managing Director, Telstra
  • Mr Robert Mansfield AO – Chair, Vocus Group
  • Ms Robyn Denholm – Board Chair, Tesla
  • Mr Chris Deeble AO CSC – Chief Executive, Northrop Grumman Australia
  • Mr Darren Kane – Chief Security Officer, NBN Co
  • Ms Kirstjen Nielsen (appointed on 18 December 2019) – Former US Secretary of Homeland Security

(Australian Department of Home Affairs, 2020)

Some of the recommendations pushed forward by the panel include calls for more transparency about cybersecurity, more consistent communication from the government, more proactive cooperation between government and industry, and attribution of cyberattackers, when possible (Taylor, 2020). 

The panel, “called on the federal government to adopt a more ‘forward-leaning posture’ on the attribution of attacks, and deterrence, including using industry-provided information in order to alert the public of cybersecurity incidents. They also criticized the government for their lack of centralized, and inconsistent, communication to the public (Taylor, 2020). The panel also called for allowing companies like Telstra, a telecom company, to, “block malicious websites and other sources of attacks on Australian internet users” (Taylor, 2020). In addition, these companies need to be protected when they are under cyber attack, and should fall under safe harbour laws when sharing information, even classified, with government agencies (Taylor, 2020).

Lastly, the panel set their sights on, “using attribution as a form of deterrence” (Taylor, 2020). Along with utilizing economic and diplomatic sanctions, the panel plainly states that attribution is an important deterrent, and, “countries that conduct cyber attacks against Australia should be named and face serious consequences” (Taylor, 2020). However, the panel did state that attribution is, “‘very complex’ due to the nature of international affairs, and that there is a right time and way to do it (Taylor, 2020).

Potential Impacts:

Based on the short list of recommendations specified, transparency and cooperation are standard points of interest. However, if Australia revises their attribution processes/policies, that could have a much larger impact. According to the Guardian article mentioned above, Australia may not attribute an actor until it can make a joint statement with other countries, which is what they have done in the past (Taylor, 2020). If Australia moves to publicly attribute attackers more frequently, it could follow in the footsteps of the US and start issuing indictments, sanctions, and more, in the name of deterrence (as the panel states). Whether or not this strategy succeeds, Australia could be inviting trade disputes, tarnishing relations, and economic/diplomatic retaliation, themselves.

Significance:

In the previous summary, which focuses specifically on the cyber attacks against Australia, it was found that the Australian government will only attribute an attacker if it was in the country’s best interest (Hurst, 2020). Whether that was to avoid straining relations any further with China, as many experts believe is the culprit, or an attempt to deter the attacker without actually naming them, more frequent attribution would change Australia’s cyber security strategy. In other words, as a response to cyber attacks against the country, the Australian government formed a 2020 cyber strategy advisory panel, to guide development of Australia’s new cyber security policy. Events in the cyberspace has potentially caused change in legislative policy surrounding said space, which is what the Global Cyber research field is all about. Usually, stories about cyber attacks against countries don’t have follow up articles about how the government is looking to revise their cyber policy; at least, there aren’t many public articles about it. For a government-appointed panel to share their report with the public, it shows the importance of cybersecurity as a practice, the significance it has at all levels of government, and finally, how serious it can be when global political actors are the users in these stories.

Sources:

“Cyber-attack Australia: sophisticated attacks from ‘state-based actor’, PM says.” 18 June 2020. Retrieved From: theguardian.com. Retrieved: 30 July 2020. 

“More government action needed on cyberattacks against Australia, including penalties.” 21 July 2020. Retrieved From: theguardian.com. Retrieved: 30 July 2020.

“2020 Cyber Security Strategy Industry Advisory Panel.” 06 August 2020. Retrieved From: homeaffairs.gov.au. Retrieved: 30 July 2020.