2020 cyber strategy elephant in the room

Mark Gregory

The Australian Government is currently developing our nation’s next Cyber Security Strategy in its efforts to protect Australians from cyber threats.

The 2016 Cyber Security Strategy was a four-year plan to improve the nation’s cyber security. The government made a $230 million investment that was largely spent creating new agencies focused on cyber security and assisting business and industry with the development and implementation of cyber security strategies and practice.

The Department of Home Affairs received 213 submissions in response to Australia’s 2020 Cyber Security Strategy discussion paper. The public submissions are available online on the Home Affairs website. Open forums will be held this week in Brisbane, Sydney and Melbourne.

Image caption: Encrypted traffic? The cyber conundrum

Undoubtedly, the 2016 Cyber Security Strategy has been successful in so far as business and industry are better prepared to carry out commerce online and to utilise the internet without the catastrophic data breaches that were common until recently.

It was only through the introduction of the Privacy Amendment (Notifiable Data Breaches) Act 2017 that business and industry were prompted to act positively and expend the resources necessary to reduce data breach occurrences.

About 200 to 250 data breach notifications under the Act have been reported to the Office of the Australian Information Commissioner for most quarters since the commencement of the Act.

The statistics are for Australian entities that fall under the Act’s jurisdiction and do not include the data breaches suffered by companies that reside overseas.

Cyber security is, in many ways, about trust, transparency, verification and credibility.

Before the Notifiable Data Breaches Act, government, business and industry had a trust deficit that existed because cyber incidents, including data breaches, were commonplace and little was seen to be being done to remedy the situation.

Only with the threat of fines has there been a move by government and industry to effectively mitigate cyber threats.

The trust deficit remains, however, because government has been reluctant or slow to tackle the increasingly complex cyber threat environment. It is not just about what government is doing, it is the end result of this effort, and too many Australians are still falling victim to cybercrime today.

An increasingly difficult trend to remedy is the reduction in transparency by both governments and businesses. It is only through legislation, regulation, whistle-blowers and former Prime Ministers that we get a glimpse of what is actually going on behind the scenes.

In some ways, cyber security is linked to national security, and this is a logical and pragmatic approach to take when cyber threats from foreign state actors are a major concern today.

Unfortunately, the threat to national security due to cyber threats appears to have been extended without clear justification by the Australian security agencies, in concert with US security agencies, to telecommunications infrastructure, equipment and systems.

The lack of transparency surrounding the rationale for the Huawei bans from the National Broadband Network and the 5G rollouts has been instrumental in reducing trust over the past decade.

The cost of the Huawei 5G ban could be as high as $300 million per annum, according to a report by the UK-based Oxford Economics that was commissioned by Huawei.

Over the past five years the reasons provided by the government and some of the heads of security agencies have slowly unravelled, and one-by-one have been found to be untrue or over-blown.

This diminishes the trust that Australians have in what they’re being told.

Statements that Huawei have been found to be involved in cyber security incidents in a number of countries were found to be of no substance.

Arguments that Huawei would be able to utilise telecommunications networks to steal intellectual property, carry out data breach operations or sabotage the nation’s critical infrastructure have all unwound over time.

In a turn of events, the former Prime Minister Malcolm Turnbull recently told BBC Radio 4 that “It’s not a question of saying, is Huawei doing bad things at the moment? The real question is, not looking for a smoking gun, but asking whether this is a loaded gun, and whether you want to have that risk.”

In making this statement, the former Prime Minister has finally put to bed much of the nonsense coming from Canberra about Huawei.

How can we trust what we’re being told by the government and its representatives when the evidence indicates otherwise?

Mr Turnbull went on to put to rest the question of Huawei being an immediate national security threat when he said “The issue is actually not so much a question of interception, because increasingly end-to-end encryption means that data that can be intercepted can’t be read.”

“The real issue is network availability. If you have another party who may not always have your best interests at heart, choosing to shut down or remove access to a part of your economy, a part of your network — that’s a very fundamental risk,” Mr Turnbull said.

“We made this decision quite independently of the Americans.”

To say that the Australian Government made a national security-related decision independently of the US nearly discredited Mr Turnbull’s statement entirely, but for the first time we have an actual reason for the Huawei bans that might be believable.

This is at least something that we can digest and debate.

However, when it comes to verification and credibility, the 2016 Cyber Security Strategy was deficient, and there is every indication that the 2020 strategy will also be fundamentally flawed.

Mr Turnbull states that Huawei might have the capability to “shut down or remove access to a part of your economy, a part of your network” and that this was a fundamental risk that led to the decision to ban Huawei from the NBN and 5G.

How would Huawei do this?

And is it not possible for the equipment and systems provided by Cisco, Ericsson and Nokia to be similarly turned off at say, the behest of another government?

What evidence is there to show that there are no backdoors into equipment provided by Cisco, Ericsson and Nokia that are being exploited by the US National Security Agency? Surely not? It has happened before.

And we must remember that software bugs have been found and continue to be found in abundance in most commercially available systems today. Many of these bugs are exploitable and some have been used maliciously over past decades.

But to argue that Huawei was banned because Huawei, at the behest of the Chinese Government, might “turn off” our telecommunication networks? Flimsy at best.

Does Huawei have a way to turn telecommunication networks off? No.

If Huawei stopped providing updates and equipment maintenance, then Telcos would transition their networks to another vendor. This process is not new and has happened in the past when vendors have gone broke and ceased trading.

As Mr Turnbull correctly points out, the increasing use of end-to-end encryption mitigates the potential for effective interception.
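The distinction the article draws (interception is mitigated by end-to-end encryption, while availability is the residual exposure to in-path equipment) can be made concrete. The following Go program is an added illustration, not code from the article or from any vendor or carrier: it models a keyless in-path box that can observe, alter or withhold packets, sends a constructed message through it in the clear and then under AES-256-GCM with a constructed endpoint key, and reports what the box could read and whether the receiver obtained an authentic message. The `Intermediary`, `Transit` and `DemoKey` names, and the sample message, are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Packet is a constructed on-the-wire unit; every byte is visible to whoever
// operates the equipment it passes through.
type Packet struct {
	Nonce   []byte
	Payload []byte
}

// Intermediary models in-path carrier equipment. It holds no keys, but it
// sees, and can alter or withhold, every packet it forwards.
type Intermediary struct {
	Observed [][]byte // copy of every payload that transited the box
	Tamper   bool     // flip one bit of the payload in flight
	Drop     bool     // withhold the packet entirely (availability failure)
}

// Forward records the payload, then applies the configured misbehaviour.
// The bool is false when the packet never reaches the far end.
func (m *Intermediary) Forward(p Packet) (Packet, bool) {
	m.Observed = append(m.Observed, append([]byte(nil), p.Payload...))
	if m.Drop {
		return Packet{}, false
	}
	if m.Tamper && len(p.Payload) > 0 {
		p.Payload = append([]byte(nil), p.Payload...)
		p.Payload[0] ^= 0x01
	}
	return p, true
}

// newAEAD builds AES-256-GCM from a 32-byte endpoint key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext under a fresh random nonce.
func Seal(key, plaintext []byte) (Packet, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Packet{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Packet{}, err
	}
	return Packet{Nonce: nonce, Payload: aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open decrypts and verifies; any in-flight modification makes it fail.
func Open(key []byte, p Packet) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, p.Nonce, p.Payload, nil)
}

// Outcome summarises one transit through the intermediary.
type Outcome struct {
	Delivered        bool   // receiver obtained an authentic message
	IntermediaryRead bool   // plaintext appeared in what the box observed
	Received         string // what the receiver ended up with
	Err              error
}

// Transit sends one message end to end, in the clear or under end-to-end
// encryption, through the given intermediary.
func Transit(key, plaintext []byte, encrypt bool, mid *Intermediary) Outcome {
	pkt := Packet{Payload: plaintext}
	if encrypt {
		sealed, err := Seal(key, plaintext)
		if err != nil {
			return Outcome{Err: err}
		}
		pkt = sealed
	}
	out, arrived := mid.Forward(pkt)
	read := false // did the box ever see the plaintext bytes?
	for _, obs := range mid.Observed {
		read = read || bytes.Contains(obs, plaintext)
	}
	if !arrived {
		return Outcome{IntermediaryRead: read, Err: errors.New("packet withheld by intermediary")}
	}
	if !encrypt {
		return Outcome{Delivered: true, IntermediaryRead: read, Received: string(out.Payload)}
	}
	msg, err := Open(key, out)
	if err != nil {
		return Outcome{IntermediaryRead: read, Err: fmt.Errorf("authentication failed: %w", err)}
	}
	return Outcome{Delivered: true, IntermediaryRead: read, Received: string(msg)}
}

// DemoKey is a constructed 32-byte key known only to the two endpoints.
var DemoKey = []byte("constructed-32-byte-demo-key!!!!")

func main() {
	msg := []byte("constructed sample: account balance 1234")
	fmt.Printf("clear:     %+v\n", Transit(DemoKey, msg, false, &Intermediary{}))
	fmt.Printf("encrypted: %+v\n", Transit(DemoKey, msg, true, &Intermediary{}))
	fmt.Printf("tampered:  %+v\n", Transit(DemoKey, msg, true, &Intermediary{Tamper: true}))
	fmt.Printf("dropped:   %+v\n", Transit(DemoKey, msg, true, &Intermediary{Drop: true}))
}
```

The four runs show the asymmetry the article relies on: in the clear the box reads the message; under AEAD it sees only ciphertext and any alteration is rejected at the endpoint; but in the `Drop` case no amount of encryption helps, because the endpoints simply never receive anything. That last case is the "network availability" risk, and the mitigations for it are operational (vendor diversity, monitoring, tested transition plans) rather than cryptographic.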

Verification and credibility have been a challenge for the Australian Government and the telecommunications industry.

If you ask a Telco if their network is secure, they will answer yes, it is. Similarly, if you ask a Telco if they’re in total control of the operation of their network, they will answer yes, they are.

If the Australian Telcos are operating insecure networks that they’re not fully in control of, then we would have a really big problem.

So how can the government justify the Huawei ban?

Of course, what is missing is verification and credibility. Australia does not have a telecommunications security assurance capability.

I’ve been calling for an investment by the Australian Government and the telecommunications industry in this capability for over a decade, but have been met by silence, with the occasional guidance by the government that the security of the telecommunications networks is the responsibility of the industry and the telcos that operate carrier networks.

Many other nations, including the UK, EU and Canada now have telecommunications security assurance centres, but we don’t.

Now let us turn to consideration of credibility. For the past decade, we’ve been provided with a range of reasons as to why Huawei should be banned. Mr Turnbull has finally put paid to the endless guff coming from Canberra.

The underlying reason, it appears, is that the Australian Government and the telecommunications industry do not want to invest in verification – that is, the development of a telecommunications security assurance capability.

The question of whether the Huawei bans were made solely for reasons of national security remains. The idea that Chinese companies are now striking out ahead of other global telecommunications suppliers is anathema to many, especially in the US business community.

Recently, a group of US senators introduced a bill to set aside US$1 billion for “western-based alternatives” to the Chinese telecommunications vendors, Huawei and ZTE.

The US and China trade negotiations and the reasons why “western-based alternatives” are not available should not be an Australian national security matter. China remains Australia’s major trading partner and it is likely that Australia will continue to see growing investment in Chinese technical systems.

For an academic who has been actively involved in trying to decipher what is going on in Canberra over the past decade regarding telecommunications policy, there remains a trust deficit.

It is timely that Mr Turnbull has taken the time to provide some light on what is really going on and why, even if the reasons remain dubious.

Mark Gregory is an Associate Professor in the School of Engineering at RMIT University and is the Managing Editor of the Journal of Telecommunications and the Digital Economy


  1. Thanks for your comment. Just to let you know, we didn’t disclose the fact that RMIT has been a partner with Huawei (partly because we didn’t know, and partly as the university, as you probably know, partners with hundreds of other institutions and corporations, with many different agreements in place). Also, Prof Gregory’s opinions may not reflect those of his employers, partners and institutional investors. We do disclose alignments with innovation partners and/or sponsors when we commercially benefit from any readership of such content.

  2. Mark Summerfield 4 years ago

    I am curious to know why the article does not include a disclosure of the fact that Prof Gregory’s institution, RMIT University, along with its fellow members of the Australian Technology Network of Universities, has been a partner with Huawei in its ‘Seeds for the Future’ program since 2016. This program provides funding each year for students to travel to China where they spend their time ‘studying Mandarin and learning about Chinese culture at the highly prestigious Beijing Language and Cultural University before being flown to Shenzhen where they will spend time at Huawei’s headquarters gaining key insights on how the company operates its global business’: https://www.huawei.com/au/press-events/news/au/2019/huawei-australia-opens-doors-to-seeds-for-the-future-2019-program.

    While I do not believe that institutional relationships, or funding arrangements, should necessarily preclude academics from commenting on matters that are clearly within their fields of expertise, surely disclosure is in order? It is particularly ironic that such disclosure is lacking on an article that accuses the Australian government and telcos of a lack of transparency, written by an author who has previously intimated that the Huawei ban may be motivated by pressure from the US to ensure that equipment used in 5G networks is supplied by ‘friendly’ companies from the US, Europe and South Korea (see https://thenewdaily.com.au/news/national/2019/01/29/huawei-cold-war-heats-up/). The exercise of ‘soft power’ by Chinese organisations – including programs such as ‘Seeds for the Future’ – is something that should be of as much concern to Australians as the covert exercise of more conventional forms of influence by our traditional allies.

    There is considerable merit to many of the points raised by Prof Gregory. Certainly, excluding Huawei from competing to supply 5G equipment will increase the costs of building and operating Australia’s telecommunications networks. On the other hand, these systems and components are incredibly complicated, and operators are inevitably dependent upon ongoing involvement of their software and hardware vendors in maintaining, managing and operating their networks. The risks represented by compromised hardware or software are real, as demonstrated by the infamous Greek wiretapping affair of 2004-5 which (regardless of who was ultimately behind the breaches) quite possibly involved some form of infiltration of the company Intracom, which had developed software for the Ericsson equipment exploited by the perpetrators (see https://web.archive.org/web/20080101075450/http://www.spectrum.ieee.org/print/5280, particularly the sidebar ‘An Inside Job?’).

    In this context, Prof Gregory’s views appear somewhat pro-Huawei. This does not mean that they are not a useful contribution to the discussion, as a counterpoint to the anti-Huawei rhetoric from the government and some sections of the media. Even so, readers are surely entitled to full disclosure from an author advocating transparency.

  3. Louis 4 years ago

    It is disappointing that again in this review the Government and the media continue to fail to focus on the critical issue for cybersecurity, which is the legacy authentication that the computer software and hardware industry continue to cling to. It needs to be replaced with encrypted unique multilevel graphics keys. As we explained in our submission to this review, this will prevent the majority of attacks that permeate the internet that are the cause of the majority of financial losses, as identified by Verizon research over more than a decade. The Telcos can claim they are secure and have no responsibility, but the truth is they cannot be held accountable for security because they are not in control of all layers in the stack. Nevertheless, they should at the very least lead by example to encourage other participants to secure their networks. They can do this by requiring multilevel authentication on the devices that they allow to connect to their networks. At present, disappointingly, they simply refuse to do this. We have approached Malcolm Turnbull before, during and after his Prime Ministership, when he appointed himself as the Cybersecurity Minister. He has ignored us at every turn; it is disappointing that someone who is supposed to be so enlightened would act with such indifference on such a critical issue. What it does demonstrate is that while he might be an adept user of technology, he and so many others who claim expertise in these matters do not really understand: you are missing the critical point and are instead addressing the symptoms of poor security, and fail to recognise the cause, which is the defective 1960s legacy authentication that needs to be replaced if networks are to be effectively secured.
