A UK-style national Active Cyber Defence program (ACD) and a volunteer-driven Civilian Cyber Corps (C3) are two key components of a cyber resilience program being discussed by the Australian Labor Party.
“It’s not just about critical infrastructure or government departments, although that’s obviously a very big and important part of our cyber resilience,” said Shadow Minister for Home Affairs, Immigration and Citizenship, Senator Kristina Keneally.
“As COVID-19 has shown, we need to think about how we protect small businesses, and the people who form the basis of our community and our economy.”
Australia needs to push beyond the traditional defence and national security paradigm for cybersecurity, Keneally said, and start adopting a more “public health approach”.
“When I say public health approach, I mean an approach that looks at the risk and the susceptibility of the nation as a whole rather than principally focusing on critical infrastructure or big-ticket capabilities, an approach that lifts the baseline cybersecurity capability throughout the nation.”
On Friday Labor released a policy discussion paper titled National Cyber Resilience: Is Australia Prepared for a Computer Covid-19?.
It builds on last month’s comments from the party’s Shadow Assistant Communications Minister and Shadow Assistant Cyber Security Minister, Tim Watts, who had wondered how Australia would cope with a cyber-corona outbreak.
Watts was referring to a scenario where thousands of organisations fall victim, disrupting supply chains with similar effects to the coronavirus pandemic currently sweeping the planet.
Hoping to emulate the UK’s active cyber defence ‘big wins’
“Active cyber defence could be a good initiative for improving the collective security of the Australian internet,” Watts said in a roundtable hosted by the Australian Strategic Policy Institute International Cyber Policy Centre.
“The [ACD] framework is designed, in the words of the NCSC [National Cyber Security Centre, part of the Government Communications Headquarters], to take away most of the harm from most of the people most of the time.”
ACD has been at the centre of the UK government’s cyber defences since 2016. It aims to raise the cost and risk of mounting commodity cyber attacks in the UK, and to reduce the return on investment for those criminals.
One of the NCSC’s earliest ACD projects was to deploy the Domain Message Authentication Reporting and Conformance protocol (DMARC) across the .gov.uk domains to help eliminate spam and other email spoofing attacks.
NCSC began monitoring internet routing to stop DDoS attacks and route hijacks in 2018, and since then has had some big wins. They’ve even proposed building an automated national cyber defence system.
“Simple things done at scale can have a difference,” said NCSC technical director Dr Ian Levy in 2018. “My job is not to beat cybercrime. It’s to send it to France.”
Last month the NCSC took down 2,000 coronavirus scammers as part of a major phishing campaign.
Watts says that the current state of Australia’s cyber resilience is “very varied”. The Australian Signals Directorate (ASD) and the big banks are “great, they’re well placed”, but ASX 50 companies are “a bit more mixed”.
“When you look at Commonwealth entities, they’re a decidedly mixed bag. We’ve got a very substantial body of evidence from the Australian National Audit Office there,” Watts said.
“And then when you look at small business, they’re really not able to protect themselves from commodity cyber attacks, let alone anything more sophisticated.”
From cyber posse to cyber civil corps
Watts is “personally attracted” to the potential of some sort of civilian cyber defence organisation.
“It’s a volunteer-driven organisation with a professional framework that allows part time [or] retired volunteer people with cybersecurity skills to leverage up their expertise and build capacity through their organisations,” he said.
“Whatever we’re doing in this post-COVID-19 space in national cyber resilience, our view is that it needs to work fundamentally through the broader community.”
The C3 concept is not dissimilar to the Rural Fire Service (RFS) or State Emergency Service (SES) organisations that already exist in Australia at the state level.
It’s also a concept that has some history.
Back in 2012, critical infrastructure security expert Emeritus Professor Bill Caelli suggested forming a cyber posse when needed.
Under common law, Caelli argued, police or other authorities could simply enlist any technically adept citizens and form a posse to deal with the bad guys.
In 2016, Professor Greg Austin, then at the Australian Centre for Cyber Security (ACCS) at the Australian Defence Force Academy (ADFA) in Canberra, proposed an Australian Cyber Civil Corps.
The corps would consist of organised volunteer “rapid response teams” to deal with “extreme cyber emergencies” in the civil sector.
“Extreme cyber emergencies in the civil sector in cyber space are of such low probability that a full-time standing response force cannot be justified, even if Australia could afford it,” Austin wrote.
Austin sharpened his call for such an organisation in 2019.
The Research Group on Cyber War and Peace at the University of New South Wales Canberra Australian Defence Force Academy, which he led, noted that Australia was “not adequately prepared” for a so-called “cyber storm”, or multi-vector, multi-wave destructive cyber attack against the country’s infrastructure.
“The benefit of the SES model is that it brings together disciplined structures of command authority through a relevant Minister, the commissioner, zone commanders, local commanders and unit commanders,” the research group wrote.
“The current practice of appointing retired military commanders to commissioner roles in some states also provides a useful pointer for cyber civil defence policy. In the current New South Wales SES Act, state police are subordinated to the SES Commissioner in the event of emergency.”
Watts sees a preventative role for C3 organisations, including community outreach and education.
“New America Foundation, the US think tank, has published a piece where they articulate a model where groups like this could actually do testing, assessments, and exercises with local not-for-profits, with small businesses,” he said.
“Once you build that capability throughout the society, you also have this potential for an on-call expertise resource … if there is a large scale cyber incident.”
Labor stressed that the discussion paper is not a commitment to policy positions.
“We want to put forward some ideas to explore as we seek to develop our policies,” Keneally said.
“We want to ensure that we are thoroughly investigating as a party, as an opposition, as a party of government, and with key stakeholders, what the Australian government should be looking at now, and how we should be prepared for cyber threats in the future.”