The Australian Government is currently developing our nation’s next Cyber Security Strategy in its efforts to protect Australians from cyber threats.
The 2016 Cyber Security Strategy was a four-year plan to improve the nation’s cyber security. The government made a $230 million investment that was largely spent creating new agencies focused on cyber security and assisting business and industry with the development and implementation of cyber security strategies and practice.
The Department of Home Affairs received 213 submissions in response to the Australia’s 2020 Cyber Security Strategy discussion paper. The public submissions are available online on the Home Affairs website. Open forums will be held this week in Brisbane, Sydney and Melbourne.
Undoubtedly, the 2016 Cyber Security Strategy has been successful in so far as business and industry are better prepared to carry out commerce online and to utilise the internet without the catastrophic data breaches that were common until recently.
It was only through the introduction of the Privacy Amendment (Notifiable Data Breaches) Act 2017 that business and industry were prompted to act positively and expend the resources necessary to reduce data breach occurrences.
About 200 to 250 data breach notifications under the Act have been reported to the Office of the Australian Information Commissioner for most quarters since the commencement of the Act.
The statistics are for Australian entities that fall under the Act’s jurisdiction and do not include the data breaches suffered by companies that reside overseas.
Cyber security is, in many ways, about trust, transparency, verification and credibility.
Before the Notifiable Data Breaches Act, government, business and industry had a trust deficit that existed because cyber incidents including data breaches were common-place and little was seen to be being done to remedy the situation.
Only with the threat of fines has there been a move by government and industry to effectively mitigate cyber threats.
The trust deficit remains however, because government has been reluctant or slow to tackle the increasingly complex cyber threat environment. It is not just about what government is doing, it is the end result of this effort, and too many Australians are still falling victim to cybercrime today.
An increasingly difficult trend to remedy is the reduction in transparency by both governments and businesses. It is only through legislation, regulation, whistle-blowers and former Prime Ministers that we get a glimpse of what is actually going on behind the scenes.
In some ways, cyber security is linked to national security, and this is a logical and pragmatic approach to take when cyber threats from foreign state actors are a major concern today.
Unfortunately, the threat to national security due to cyber threats appears to have been extended without clear justification by the Australian security agencies, in concert with US security agencies, to telecommunications infrastructure, equipment and systems.
The lack of transparency surrounding the rationale for the Huawei bans from the National Broadband Network and the 5G rollouts has been instrumental in reducing trust over the past decade.
The cost of the Huawei 5G ban could be as high as $300 million per annum according to a report by the UK Oxford Economics that was commissioned by Huawei.
Over the past five years the reasons provided by the government and some of the heads of security agencies have slowly unravelled, and one-by-one have been found to be untrue or over-blown.
This diminishes the trust that Australians have in what their being told.
Statements that Huawei have been found to be involved in cyber security incidents in a number of countries were found to be of no substance.
Arguments that Huawei would be able to utilise telecommunications networks to steal intellectual property, carry out data breach operations or to sabotage the nations critical infrastructure have all unwound over time.
In a turn of events, the former Prime Minister Malcolm Turnbull recently told BBC Radio 4 that “It’s not a question of saying, is Huawei doing bad things at the moment? The real question is, not looking for a smoking gun, but asking whether this is a loaded gun, and whether you want to have that risk.”
In making this statement, the former Prime Minister has finally put to bed much of the nonsense coming from Canberra about Huawei.
How can we trust what we’re being told by the government and its representatives when the evidence indicates otherwise?
Mr Turnbull went on to put to rest the question of Huawei being an immediate national security threat when he said “The issue is actually not so much a question of interception, because increasingly end-to-end encryption means that data that can be intercepted can’t be read.”
“The real issue is network availability. If you have another party who may not always have your best interests at heart, choosing to shut down or remove access to a part of your economy, a part of your network — that’s a very fundamental risk,” Mr Turnbull said.
“We made this decision quite independently of the Americans.”
To say that the Australian Government made a national security-related decision independently of the US nearly discredited Mr Turnbull’s statement entirely, but for the first time we have an actual reason for the Huawei bans that might be believable.
This is at least something that we can digest and debate.
However, when it comes to verification and credibility, the 2016 Cyber Security Strategy was deficient, and there is every indication that the 2020 strategy will also be fundamentally flawed.
Mr Turnbull states that Huawei might have the capability to “shut down or remove access to a part of your economy, a part of your network” and that this was a fundamental risk that led to the decision to ban Huawei from the NBN and 5G.
How would Huawei do this?
And is it not possible for the equipment and systems provided by Cisco, Ericsson and Nokia to be similarly turned off at say, the behest of another government?
What evidence is there to show that there are no backdoors into equipment provided by Cisco, Ericsson and Nokia that are being exploited by the US National Security Agency? Surely not? It has happened before.
And we must remember that software bugs have been found and continue to be found in abundance in most commercially available systems today. Many of these bugs are exploitable and some have been used maliciously over past decades.
But to argue that Huawei was banned because Huawei, at the behest of the Chinese Government, might “turn off” our telecommunication networks? Flimsy at best.
Does Huawei have a way to turn telecommunication networks off? No.
If Huawei stopped providing updates and equipment maintenance, then Telcos would transition their networks to another vendor. This process is not new and has happened in the past when vendors have gone broke and ceased trading.
As Mr Turnbull correctly points out, the increasing use of end-to-end encryption mitigates the potential for effective interception.
Verification and credibility have been a challenge for the Australian Government and the telecommunications industry.
If you ask a Telco if their network is secure, they will answer yes, it is. Similarly, if you ask a Telco if they’re in total control of the operation of their network, they will answer yes, they are.
If the Australian Telcos are operating insecure networks that they’re not fully in control of, then we would have a really big problem.
So how can the government justify the Huawei ban?
Of course, what is missing is verification and credibility. Australian does not have a telecommunications security assurance capability.
I’ve been calling for an investment by the Australian Government and the telecommunications industry in this capability for over a decade, but have been met by silence, with the occasional guidance by the government that the security of the telecommunications networks is the responsibility of the industry and the telcos that operate carrier networks.
Many other nations, including the UK, EU and Canada now have telecommunications security assurance centres, but we don’t.
Now let us turn to consideration of credibility. For the past decade, we’ve been provided with a range of reasons as to why Huawei should be banned. Mr Turnbull has finally put paid to the endless guff coming from Canberra.
The underlying reason it appears is that the Australian Government and the telecommunications industry does not want to invest in verification – that is the development of a telecommunications security assurance.
The question of whether the Huawei bans were made solely for reasons of national security remains. The idea that Chinese companies are now striking out ahead of other global telecommunications suppliers is anathema to many, especially in the US business community.
Recently, a group of US senators introduced a bill to set aside US$1 billion for “western-based alternatives” to the Chinese telecommunications vendors, Huawei and ZTE.
The US and China trade negotiations and the reasons why “western-based alternatives” are not available should not be an Australian national security matter. China remains Australia’s major trading partner and it is likely that Australia will continue to see growing investment in Chinese technical systems.
For an academic that has been actively involved in trying to decipher what is going on in Canberra over the past decade regarding telecommunications policy, there remains a trust deficit.
It is timely that Mr Turnbull has taken the time to provide some light on what is really going on and why, even if the reasons remain dubious.
Mark Gregory is an Associate Professor in the School of Engineering at RMIT University and is the Managing Editor of the Journal of Telecommunications and the Digital Economy