Author: Maria Vittoria Malinconi | MA graduate, University of Florence
SUMMARY:
1. Introduction
2. The legislative framework: a) Security of Critical Infrastructure; b) Preventing violent extremism online
3. The administrative apparatus
4. A look at future policies and some conclusive observations
Introduction
“I want Australia to be the most cyber secure nation – a cyber-security superpower – by 2030.”[1] The objective aimed at by the current Australian Minister for Cyber Security, Clare O’Neil, is certainly an ambitious one. However, it undoubtedly reflects an increased awareness that an effective transition towards a digital economy presupposes above all the security of personal data, infrastructures, and essential services, also and especially in the face of a constantly evolving situation where cybercrimes represent the main threat.[2]
Based on the data highlighted in the last cybercrime report for the financial year 2021-2022,[3] drafted by the Australian Cyber Security Centre (hereinafter: ACSC) and published on 4 November 2022, reported incidents increased by approximately 13% compared to the previous financial year, reaching a total of 76,000, or one report every seven minutes. And though cybercrimes targeting individual citizens remain the most frequent, ransomware is “the most destructive”. Ransomware is unauthorised malicious software capable of easily infecting a given IT system; it totally or partially blocks access to specific files and is used for the purpose of demanding a ransom – usually in cryptocurrency – to be paid in order to restore access. The danger of this malware also lies in its ability to illegally capture the victims’ sensitive data: in the realm of cyber security, this is defined as a “data breach”. Among the numerous attacks reported to the ACSC, it is worth mentioning three particularly large-scale data breaches which, given the large amount of stolen data and the number of citizens involved, caused major repercussions on a national scale. The first attack was launched in September 2022 against one of the largest Australian telecommunications companies, Optus; the second, occurring in October 2022, targeted one of the main private health insurance companies, Medibank Private Limited. The estimates point to personal data breaches affecting 9.8 and 9.7 million customers respectively. As for the third cyberattack, reported in March 2023, against Latitude Financial – an important Australian financial services company – it is presently estimated that data belonging to over 14 million Australian and New Zealand customers were stolen.[4] In April 2023 the company received a ransom demand for the return of the data. The demand was rejected, in line with the most recent recommendations of the ACSC.[5]
Indeed, there is no guarantee that stolen data will be returned or deleted, rather than made public or sold on the dark web, in order to be used to commit other crimes.
And today terrorists and violent extremists operate on the dark web. Though terrorism has always represented an international threat, with the development of the internet it has taken on new meaning: the use of the dark web, anonymising technologies (such as bespoke encrypted devices) and the rise of social media have concretely enabled terrorist organisations to foment division, spread propaganda, recruit new members – a tactic to which young people who are both physically and psychologically isolated are especially vulnerable – and radicalise individuals to violence. The use of such technologies for the purpose of displaying, downloading and sharing material that promotes violence is in itself an element of the radicalisation process. “Radicalisation is not a linear, step-by-step process, but rather a multifactorial and contextual phenomenon”[6] and, above all through social media, it is possible to influence opinions and behaviours that serve to fuel and strengthen extremist ideologies. Moreover, the COVID-19 pandemic sparked the creation of online forums in which extremist ideologies have flourished in the absence of opposing views. The constant use by extremists of secure communication tools has posed a complex challenge to law enforcement. Specifically, “the malicious use of encryption and the dark web by criminals has significantly degraded the capacity for Australian national security and law enforcement agencies to access communications, conduct investigations and prevent crimes, including combatting the threat posed by extremist movements and radicalism”.[7] Indeed, these new technologies offer concrete opportunities to criminals to act undisturbed while committing some of the most serious forms of crime, including terrorism – in accordance with Division 102 of the Criminal Code – and engage in other unlawful behaviour associated with violent extremism and radicalism.
Partly as a result of such events, Australia is today in the midst of a cyber security revolution aimed not only at rewriting national security legislation, which the Minister for Cyber Security described as “bloody useless” in dealing with the Optus attack, but also at reinforcing deradicalisation through legislative reforms which seek to balance privacy with public security.
In view of the foregoing, in the paragraphs that follow I shall seek to analyse the organisational framework that Australia is putting in place to regulate cyber security and prevent forms of online radicalisation.
The legislative framework
If we look at the legislative framework of reference, in Australia there is no comprehensive law on cyber security or even on violent extremism online. Rather, there is a series of laws pertaining to these areas. The most significant ones are: the 1979 Telecommunications (Interception and Access) Act,[8] the 1988 Privacy Act,[9] the 2001 Cybercrime Act,[10] the 2004 Surveillance Devices Act,[11] the 2018 Security of Critical Infrastructure Act[12] (hereinafter: SOCI Act), the 2018 Telecommunications and Other Legislation Amendment (Assistance and Access) Act[13] (hereinafter: the Assistance and Access Act) and the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021.[14]
a) Security of Critical Infrastructure
The SOCI Act represents the Federal Government’s response to the need to protect critical infrastructure and improve its resilience. The Australian, State and Territory governments share the following definition of “critical infrastructure”: any physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and simultaneously ensure national security.[15] Therefore, a successful cyberattack against critical infrastructure would be able to paralyse the entire nation, striking at the heart of national security. Based on this awareness, the SOCI Act was amended through two focal reforms – the second of which entered into force on 2 April 2022[16] – aimed at strengthening cyber defence.
First of all, the definition of “critical infrastructure” was extended from the four initial sectors, namely water, gas, electricity and seaports, to another seven – for a total of 11 sectors – including food and grocery, healthcare and medical services and data storage or processing. This choice reflects a clear recognition on the part of lawmakers that the country’s socioeconomic well-being, as well as the ability to guarantee national security, go beyond public services. Moreover, in consideration of the fact that most critical infrastructure in Australia is private or managed on a commercial basis by the federal government, the legislative reforms demonstrate the awareness that tackling cyber threats is a task requiring a joint effort and a responsibility shared between the Commonwealth, the governments of the states and territories and the individual owners and operators of the critical infrastructure concerned.
Secondly, the SOCI Act requires the fulfilment of three Positive Security Obligations (PSOs):
- “Register of Critical Infrastructure Assets”. Managed by the Cyber and Infrastructure Security Centre (CISC), the Register is a database of information about critical infrastructure assets that supports the Government in managing risks to those assets. In accordance with Part 2 of the SOCI Act, the reporting entities (Responsible Entities and Direct Interest Holders) for specified critical infrastructure assets must provide operational information, and interest and control information relating to those assets, to the Register (s. 23), and they also have an ongoing obligation to update the Register if information relating to the asset changes (s. 24).
- “Critical infrastructure risk management programs”. Responsible entities are under obligation to adopt, maintain and comply with a written program for managing risks to critical infrastructure (SOCI Act, Part 2A).
- “Notification of cyber security incidents”. In the event that a cyber security incident has a relevant impact on a critical infrastructure asset, the responsible entity for the asset may be required to give the ACSC a report about the incident (SOCI Act, Part 2B). In accordance with s. 12M of the SOCI Act, a “cyber security incident” is defined as one or more acts, events or circumstances involving unauthorised access to or modification of computer data or programs, unauthorised impairment of electronic communication to or from a computer and, finally, an unauthorised alteration affecting the availability, reliability, security and operation of a computer or computer data or programs. Furthermore, a distinction is made between “critical” cyber security incidents and “other” cyber security incidents: the incident is considered critical in nature where it has caused a “significant impact”, i.e. where the critical infrastructure asset is used in the supply of essential goods and services and has been materially compromised. Based on this definition, a responsible entity must report a critical incident to the ACSC verbally or in writing within 12 hours of becoming aware of it (s. 30BC), or within 72 hours in all other cases (s. 30BD).
Thirdly, stricter cyber security obligations have been imposed on the so-called “Systems of National Significance (SoNS)”. In accordance with Part 6A of the SOCI Act, the Minister for Home Affairs has the power to qualify a certain critical infrastructure as a “SoNS”, where the required conditions are met (s. 52B)[17] and after consulting the responsible entity (s. 52C).[18] Part 2C of the SOCI Act sets out cyber security obligations that relate to SoNS: the responsible entity for a SoNS may be subject to statutory incident response planning obligations and required to undertake a cyber security exercise and a vulnerability assessment. Finally, the entity must provide access to system information, or it may be required to install software capable of transmitting the information of its own information system or relevant to the system of national significance directly to the Australian Signals Directorate (hereinafter: ASD).
b) Preventing violent extremism online
The Assistance and Access Act provides agencies in the sector with tools for effectively moving and operating in the new digital society with the aim of ensuring the security of the entire Australian community. To this end, the Act introduced some key reforms designed to help agencies “access the evidence and intelligence” by “enhancing industry cooperation with law enforcement and security agencies” and “improving agency computer access powers”.[19] In the joint submission to the PJCIS inquiry by the departments of Home Affairs, Foreign Affairs and Trade, and Attorney-General’s department, it is highlighted that, since the Assistance and Access Act came into force on 9 December 2018, “agencies have used the industry assistance framework in a targeted and cooperative manner to resolve technical issues impeding the investigation of transnational, serious and organised crime, cybercrime and serious crimes against the person, as well as on national security matters”.[20]
The Surveillance Legislation Amendment (Identify and Disrupt) Act 2021, which came into force on 3 September 2021, introduced three new powers for the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC):
- “Data disruption warrants”: these allow the disruption of data through the modification and deletion of data to prevent unlawful conduct, such as the distribution of child pornography material (Schedule 1 – Data disruption).
- “Network activity warrants”: these allow the collection of information regarding serious criminal activity carried out by criminal networks operating online (Schedule 2 – Network activity warrants).
- “Account takeover warrants”: these allow an individual’s online account to be kept under control in order to gather evidence about criminal activity to further a criminal investigation (Schedule 3 – Account takeover warrants).
These new powers are accompanied by important guarantees centred on the control and surveillance of information thus acquired. More specifically, the Commonwealth Ombudsman is responsible for overseeing the use of data disruption warrants and account takeover warrants, whilst the Inspector-General of Intelligence and Security (IGIS) oversees network activity warrants, given their nature as an intelligence collection tool.[21]
The administrative apparatus
From the “Cyber Defense Index 2022-2023”[22] it emerges that Australia today holds the leading position among countries that have shown a progressive development and commitment towards the creation of a cyber defence environment. The study in question, conducted by MIT Technology Review Insights, ranks Australia in the top position as regards the following three assessment criteria: Critical Infrastructure, Organisational capacity, and Policy commitment.
As far as policy commitment and organisational capacity are concerned, Australian leadership is the natural product of the government’s constant efforts in the cyber security realm. This commitment, first expressed in 2016 in “Australia’s cyber security strategy”,[23] and then reaffirmed in the 2020 strategy,[24] today seems to have been reinforced as a result of political changes. The Australian Prime Minister, Anthony Albanese, has made cyber security the main pillar of his government policy since he came into office in May 2022. A concrete commitment, as is demonstrated by the 9.9 billion dollars of funding – announced for the next decade by the Treasurer Josh Frydenberg – provided to the ASD so that it can build up a strong defensive and offensive capacity in the awareness that cyber security is today one of the main tools for guaranteeing the national defence.[25]
Moreover, the establishment of an ad hoc cyber security department with autonomous responsibility, associated with the Ministry of Internal Affairs, is worthy of note. It represents the flagship within an apparatus that appears to be well structured. The Australian Government, in fact, adopts a “whole-of-nation” approach to cyber defence: cyber security and online protection are a shared responsibility, and many government agencies operate in partnership in this collective effort together with industry, community, states and territories.[26]
In particular, the Ministry of Defence has been responsible for the ASD, a statutory agency in the Defence portfolio, since 1 July 2018.[27] It works across the full spectrum of operations required of contemporary signals intelligence and security agencies: intelligence, cyber security and offensive operations in support of the Government and the Australian Defence Force.[28]
The ACSC is formally part of the ASD: it is the “Commonwealth body” for cyber security. In particular, the ACSC responds to cyber threats and incidents, collaborates with both the public and private sectors with the aim of sharing information about threats and increasing resilience, works in close contact with the government, industry and the entire community to increase knowledge in relation to cyber security, drafts the Information Security Manual (ISM) – the last one published on 2 March 2023 – intended for professionals, IT managers, and Chief Information Security Officers and, finally, provides consultancy and assistance to all Australians.[29]
Working in collaboration with the ACSC are the eSafety Commission (eSafety),[30] the first government agency in the world – operational since 2015 – tasked with protecting people online, and the Office of the Australian Information Commissioner (OAIC),[31] which investigates online personal data breaches and provides advice to businesses and consumers on how to protect personal data.
It is worth mentioning the Quad Senior Cyber Group (QSCG), set up to facilitate meetings among expert leaders from Australia, India, Japan and the United States. It works to expand cyber security cooperation and to strengthen cyber resilience and critical infrastructure protection in the Indo-Pacific.
The Australian Minister for Home Affairs is the main administrative point of reference when it comes to combating online extremism and assuring that law enforcement and security agencies have the powers necessary to protect Australia from that threat.
In particular, the Australian Security Intelligence Organisation (ASIO) is worthy of note. It is Australia’s security intelligence service; it protects Australia – and Australians – from threats to their security, including terrorism, espionage, and interference in Australia’s affairs by foreign governments. The Director-General provides impartial advice to government on threats to Australia’s national security. The Minister of Home Affairs, Clare O’Neil, is responsible for ASIO.[32] The efforts expended in countering such threats may also be seen from what was stated in the ASIO’s 2021-22 Annual Report; in particular, in the “Summary of Results” we find: “During 2021–22 we saw the terrorist threat further diversify. The online environment is amplifying a range of grievances and the trend of increased radicalisation among young Australians has continued. ASIO remains well positioned to address future challenges in the terrorism environment.”[33]
A look at future policies and some conclusive observations
With regard, finally, to the latest and most relevant new developments of the Australian cyber security system, it should be noted that: Australia leads the first global task force against ransomware (the International Counter Ransomware Task Force, operational as of January 2023[34]); on 17 February 2023, the “Security of Critical Infrastructure (Critical Infrastructure risk management program) Rules”[35] were brought into force in order to “switch on” the Critical Infrastructure Risk Management Program obligation. The latter primarily makes it compulsory for the entities responsible for certain critical infrastructure assets (13 asset classes) to put into place a risk management program (under the so-called CIRMP Rules)[36] within six months – by 17 August 2023 – and, secondarily, binds them to comply with the requirements of standard ISO 27001,[37] NIST[38] or an equivalent standard within eighteen months – by 17 August 2024. It is worth mentioning, moreover, that on 27 February 2023 the Prime Minister chaired a “cyber security roundtable”, whose participants included the main leaders of the Public Service and of intelligence agencies, as well as independent professionals from the sector, industry and civil society, gathered together to share common experiences which could give rise to reflections and ideas for defining a new cyber security strategy. The Albanese Government also announced that it will establish a Coordinator for Cyber Security, supported by a National Office for Cyber Security within the Department of Home Affairs, with the aim of ensuring a coordinated approach at the central level to fulfil the government’s responsibilities in respect of cyber security.[39] Finally, the Minister for Cyber Security announced the “Australian Cyber Security Strategy 2023-2030” and appointed an advisory committee of experts tasked with providing support to the strategy itself.
On 27 February 2023, a related discussion paper was published.[40] Perhaps the most interesting aspect of the latter is the questions included in attachment A. Until 15 April 2023, it was possible to send the government submissions regarding the main thematic issues. Among them we shall mention: the need for a “Cyber Security Act” and the possibility of a further reform of the SOCI Act that would include “customer data” and “systems” in the definition of “critical assets”.
This is an approach – also promoted by the Prime Minister in the aforementioned roundtable – which reflects the Australian Government’s intention to build a national cyber security system that entails a significant effort and partnership at all levels: government, industry and organised civil society.[41] The Australian Government has shown that it wishes to assure precisely this “opening” towards society, as it seeks to create a channel for dialogue and exchange which simultaneously instils strong confidence in the Government’s ability to confront cyber security threats and structure a solid national defence. This confidence, expressed especially by professionals in the sector – as also reflected in the Cyber Defense Index – is evidently the natural product of good governance, and provides a fertile basis for reaching the goal declared jointly by the Prime Minister and the Minister for Cyber Security, namely, to make Australia the most secure nation in the cyber security sector by 2030.
The same conclusions may be drawn as far as the fight against online radicalisation is concerned. Over the years, the Australian Government has focused a great deal of attention on deradicalisation and disengagement programs, including those established in the “Countering violent extremism” (CVE) framework.[42] CVE is a joint initiative of all Australian governments, state and federal, overseen by the Department of Home Affairs. The latter – as at February 2022 – estimated that $120 million had been invested in CVE programs since 2013. The objective of CVE is to respond to the threat posed by all forms of violent extremism present in Australia and, at the same time, to discourage Australians from travelling abroad to participate in conflicts. CVE is supported by a website called “Living Safe Together”,[43] which offers clear, simple information about the peculiar features of the radicalisation process and the behavioural signs pointing to its onset; the aim is to provide the proper tools for managing the delicate phenomenon in the best possible way. In this area as well, effective governance is demonstrated by the fact that on 28 November 2022, ASIO announced that Australia’s national terrorism threat level had been downgraded from probable to possible.[44] This is a fact worthy of note – as also highlighted by the Minister Clare O’Neil – given that, since the threat level was reported to have increased in 2014, it had never changed until today.[45]
————————————————————————