INTRODUCTION

The launch of Australia’s International Cyber Engagement Strategy (the Strategy) in October 2017 followed the appointment of that nation’s first Ambassador for Cyber Affairs, Dr Tobias Feakin, in early 2017 and updates and expands upon the 2016 Cyber Security Strategy – a flurry of activity reflecting the role that digital networks increasingly play in Australian international relations, trade and investment, and security and strategic concerns. This chapter discusses the Strategy, its priorities and progress to date, in the context of Australian foreign policy, with an emphasis on cyber security, governance and cooperation, and human rights and democracy online.

Australia’s Strategy is partly a response to current developments and partly a consequence of persistent geo-strategic realities. Australian foreign policy is based on three pillars: the security alliance with the United States, including the 1951 ANZUS Treaty; the pragmatic (if at times wavering) commitment to middle-power multilateralism through international and including regional institutions; and a deepening, broadening economic and cultural connectivity with the Asia-Pacific (or Indo-Pacific) region. These foreign policy pillars, and the 2017 Foreign Policy White Paper which is the most recent expression of how Australia pursues its security and prosperity in contemporary circumstances, are the essential background for understanding and evaluating the Strategy.

Australia is, and has been since colonial days, highly dependent on international networks of capital, trade, people and information. This outward-looking global connectivity remains a source of Australia’s prosperity and enriches the country culturally. However, these connections are also potential pathways for unwelcome or malevolent actors. Thus, the Strategy seeks to enhance Australia’s advantageous participation in global markets and governance, including through support for the technological and multi-stakeholder governance systems that underwrite the Internet, while protecting Australia from those same systems’ apparent risks and emerging threats.

Australia’s place in the Asia-Pacific means the Strategy must include and prioritise engagement in a region that is large and diverse – from micro-states in the Pacific to continental powerhouses – as well as being dynamic, turbulent, and potentially dangerous. The re-emergence of China as a global power is the dominant feature of this region’s trading and security landscape. For Australia, this is keenly felt: for the first time in its history, Australia’s major trading partner, China, is an authoritarian state while Australia’s major security partner, the United States, is China’s strategic rival. Cyber security, including cyber warfare, and the threat of malicious interference with national political systems, have prompted legislative responses in Australia and rank high among national security priorities. China’s use of digital means of surveillance and control is also at odds with Australia’s commitment to a free and open internet. Other nations, notably Cambodia and Myanmar, are similarly exploiting online methods of state control that place democracy and human rights at risk. Non-state actors, from terrorist networks to growing cybercriminal threats, pose increasingly alarming risks for Australia and her partners in the region.

In its Strategy, Australia has outlined how it perceives these risks, threats and opportunities, as well as how it will address them. This paper situates Australia’s Strategy in these contexts, outlining the rationale for its approach. It also charts some of its progress to date by considering programs and achievements from the first year of its implementation.

THE STRATEGY AND ITS CONTEXTS

The Strategy is structured around eight related themes: digital trade; cyber security; cybercrime; international security and cyberspace; internet governance and cooperation; human rights and democracy online; technology for development; and comprehensive and coordinated cyber affairs. Each of these themes contains a key goal and a number of related aims (see Table 1 in the PDF).

The strategy is in part an expression of how Australia’s traditional interests have been transformed by the inexorable rise of digital communications technologies. This is certainly evident in the sections that discuss the importance of international trade and the support for digital industries, including cyber security but extended to encompass the digitalisation of all aspects of commerce, trade and investment. This aligns with Australian moves to diversify its economy, itself a response to the decline of manufacturing and growth in service industries like international education and tourism, and takes advantage of new tech-related opportunities. These sections of the Strategy that promote trade and global governance are therefore logical extensions of pre-existing, largely bi-partisan and long-standing Australian policies that favour and promote the systems of global governance and market conditions that underpin international engagement in trade and investment and bring these up-to-date bearing in mind new opportunities and risks arising out of digitalisation.

The strategy is more noteworthy as an expression of new confluences of national and international, especially regional, interests that arise out of new kinds of security threats associated with digital communications networks. National security interests are traditionally predicated on Australia’s close relationship with powerful friends and allies as well as good relations with neighbours. In this Strategy, they are placed in a new context, one that is characterised by the rise of new types of risk and from a wider variety of international actors, using electronic networks that make borders, and thus security, less easily secured.

The security risks the Strategy seeks to confront are three-fold: criminals, operating for profit; non-state actors, motivated by ideological or political interests, including terrorist organisations and similarly motivated individuals; and foreign states seeking to infiltrate, interfere or threaten national institutions and democratic processes. According to reports from security agencies, affected companies and the Australian Government, concerns about such threats are rising. For example, in May 2018 Australian Security Intelligence Organisation (ASIO) Chief Duncan Lewis described the threat of foreign interference as being at “An unprecedented scale”. In November 2018 the Australian Cyber Security Centre (ACSC) and Austal, an Australian shipbuilder and defence contractor supplying the Australian, American and Omani navies, announced a hacker had stolen personnel information and (non-sensitive) ship drawings in an extortion attempt.

Australian Government efforts to address such threats include the reorganisation of the intelligence community, including placing the Australian Signals Directorate (ASD) with its offensive cyber capabilities into the Defence portfolio5, and the introduction of new laws that specifically address foreign interference. In his speech introducing the legislation to parliament, the then Prime Minister Malcolm Turnbull underscored the cyber threat – “The very technology that was designed to bring us together, the internet, is being used as an instrument of division” – and named China and Russia as countries of concern. China in particular has also been identified as involved in cyber espionage, often targeting the intellectual property of companies supplying Australia’s defence forces. China was reportedly behind cyberattacks on the Australian National University in 2018 and Australia’s Bureau of Meteorology as far back as 2015. And Chinese telecommunications giant Huawei has twice had bids rejected by Australian governments because of concerns about security, the most recent being the effective banning of Huawei from Australia’s 5G network due to the likelihood that it could be required, under Article 7 of China’s 2017 National Intelligence Law, to secretly collaborate with Chinese intelligence services.

For its own part, Australia’s hands are not entirely clean when it comes to the use of cyber espionage capabilities. Past allegations include spying on then Indonesian President Susilo Bambang Yudhoyono, his wife and other senior officials in 2009, bugging the Timorese Cabinet offices during negotiations over a maritime boundary in 2004, and monitoring mining giant Rio Tinto’s negotiations with a Chinese bank during the 2008 financial crisis. Despite these indiscretions, Australia has positioned itself as a trusted partner.

The rising threat to security, whether from criminals, terrorists or countries, is the context for the Strategy and helps explain its sense of urgency and thoroughness. However, the Strategy’s emphasis is less on naming cyber attackers – China is included as a potential partner, its statements in support of agreements against cyber theft highlighted – and more on the role that Australia can play in promoting and assisting with cyber security in Asia and especially the Pacific. The logic is clear: under-resourced Pacific Island Nations may prove a weak link in the chain of security required to keep the internet safe. Australia can and in its own interest should address this as a matter of national security, as well as a matter of international diplomacy and development.

CYBER SECURITY, CYBER CRIME, AND INTERNATIONAL SECURITY IN CYBERSPACE

These three closely interconnected themes are the areas where the Strategy is at its most innovative and internationally connected – a measure of how the issues around crime and security are prompting significant transformations in approaches, resourcing and relationships.

Australia defines cyber security as “measures relating to the confidentiality, availability and integrity of information that is processed, stored and communication by electronic or similar means”, and nominates it as “the foundation for the achievement of Australia’s entire cyber affairs agenda”. The fundamental elements of this theme and its goal and aims speak to the core of the entire strategy, firstly in outlining the seriousness of the threat and the consequent need for robust and resilient responses, and secondly in the intrinsic interconnections between national, regional and global actions required. Australia’s strategic response to cyber threats, therefore, is a combination of robust domestic defensive – and offensive – capabilities and a forward-defence through international engagement.

Australia’s cyber security efforts are in concordance with their overall security and strategic positions in that, more than the other themes, they are related to the alliance with the US and the close relationships with their fellow members of the “Five Eyes” intelligence sharing network. The ANZUS Treaty is affirmed in the Strategy as applying to cyberattacks. Since April 2016, Australia has acknowledged that it has an offensive cyber capability and in November 2016, Australia’s then Prime Minister Malcolm Turnbull confirmed that these offensive capabilities were used to target the Islamic State. In 2017, Australia became the first nation to disclose that its offensive cyber capabilities would be directed at “organised offshore cyber criminals”.

Australia’s international engagement prioritises the Asia-Pacific because that is where it has identified threats and vulnerabilities but also because that is where it can have the greatest impact. As with Australia’s aid programs, the closer to home, the more engaged Australia is. Papua New Guinea (PNG), a growing, resource-rich nation with considerable social and political challenges separated from Australia at its closest point by a mere five kilometre stretch of water, is a clear priority. Australia has already committed AU$14.4 million (US$10.4 million) for an advanced cyber security package for PNG (encompassing technical, policy and training elements, and the establishment of a cyber security operations centre) as part of its focus on cyber-resilience in the Pacific through its Cyber Cooperation Program (CCP).

Elsewhere in the Pacific, Australia is also supporting the Solomon Islands to establish a cyber security operations centre, and Vanuatu and Tonga to establish national Computer Emergency Response Teams, and has assisted Tonga to develop stronger cybercrime laws, a model approach to more robust legislation for other countries in the region.

More widely, throughout the Asia-Pacific, the CCP includes support for the Asia-Pacific Network Information Centre (APNIC), the Forum of Incident Response and Security Teams (FIRST) to provide cyber security training, including incident response training across the Pacific, and the Pacific Cyber Security Operational Network (PaCSON), launched in April 2018, comprised of government-designated cyber security incident response officials, which shares information, tools, techniques and ideas. The Australian Cyber Security Centre was re-elected as Chair of the Asia-Pacific Computer Emergency Response Team (APCERT) Steering Committee in Shanghai in October 2018, indicating Australia’s commitment to, and the region’s acceptance of, its leadership in Asian cyber security.

At the ASEAN Regional Forum in August 2017, with Malaysia, Australia cosponsored a proposal to establish a cyber Point of Contact database to facilitate communication in times of crisis – one of the Strategy’s goals – and will pilot the concept in 2018-19. In August 2018, Australia and Indonesia signed a Memorandum of Understanding, with an associated Action Plan, regarding cooperation over the next two years. A Cyber Capability Engagement Program, which has provided training to 20 Indonesian government officials in partnership with the Australian National University’s National Security College, is already underway. The ASD’s Essential Eight, a checklist of strategies to mitigate cyber risks, is scheduled for translation into the ten official ASEAN languages.

Beyond the Asia-Pacific, Australia has established key working-level partnerships to confront cybercrime. The Five Eyes Cyber Crime Working Group shares best practices and operational resources and an Australian Criminal Intelligence Commission (ACIC) Cybercrime Analyst is posted at the FBI International Cyber Crime Coordination Cell in the United States. Another is posted at the National Cybercrime Unit at the United Kingdom’s National Crime Authority. Diplomatically, Australia participated in coordinated action to protest unacceptable behaviour by North Korea WannaCry ransomware (December 2017) and Russia (inter alia, US Democratic National Committee email hack, 2016 NotPetya malware, February 2018; and cyber operations against the Organisation for the Prohibition of Chemical Weapons and the investigations in the Malaysian Airlines plane shot down in the Ukraine, October 2018). Australia also works closely with the International Telecommunications Union (ITU) and is at the time of writing standing for re-election to the ITU council.

Australia’s approach to cyber security demonstrates a combination of international cooperation through leadership and modelling responsible practice, and a capacity and robust willingness to confront threats.

HUMAN RIGHTS, DEMOCRACY AND DEVELOPMENT

The human rights and democracy platforms of the Strategy are based on Australia’s proclaimed commitment to international human rights standards. It aims to meet its human rights commitments and to promote human rights internationally through advocacy and capacity building. It does this in part through collaboration with the Australian Human Rights Commission, an independent statutory body, and its equivalent national human rights bodies in the region. Australia’s engagement with and support for human rights includes participation in the Freedom Online Coalition, a network of 30 governments promoting internet freedoms, and the Digital Defenders Partnership, which provides emergency funding for human rights defenders who are under threat because of their online activities. A key achievement to date is supporting the Human Rights and Technology Conference in Sydney in July 2018, bringing together ten representatives from ASEAN and Pacific nations. The conference produced an issues paper, with an aim to invite participation and feedback and to publish a final report in 2020 – an indication that this area is one still requiring extensive consultation and leadership.

In this context, the Strategy’s approach taken toward human rights online has some weaknesses. Foremost among these is the assertion that “human rights apply online as they do offline” and that democratic debates occurs online “just as it does offline”, which occludes – perhaps inadvertently – the specific and new types of threats to human rights because of changes in the techno-social landscape. While making mention of the capacity for governments to use digital means to monitor, harass, intimidate, censor and even persecute citizens (often in the name of national security), the strategy does not adequately consider how information and communications technologies pose additional risks. These risks include, inter alia, the potential for Artificial Intelligence and Big Data systems to make discriminatory decisions; the rights of privacy relating to data access, ownership and use; the role of the internet in spreading hate speech and violent extremism; the debate between protection and participation online with respect to child’s rights; and the labour rights of those involved in the extractive and manufacturing industries that are part of the supply chain for digital devices. Access Now, a digital human rights Non-Governmental Organisation, has directly criticised the Strategy on the basis that the explicit right to privacy is not afforded an adequate level of consideration and connects this to Australian governmental efforts to access private citizens’ data in the name of policing efforts and national security.

Notable also through omission are sufficient considerations given to the role that the major social network platforms play in undermining human rights and democracy, and what Australia’s interventions should be, and should aspire to achieve, in this regard. There are good reasons to believe that engagement with digital media companies, especially Facebook, is desirable and feasible and would promote human rights and democracy in the region. A recent human rights impact assessment of Facebook use in Myanmar, commissioned by Facebook and undertaken by BSR, a business consultancy and research network, makes several recommendations as to how the social media platform could address underlying systemic problems which lead to abuses being facilitated by social media in Myanmar and elsewhere, especially in the ASEAN countries. Because of Australia’s ongoing engagement with ASEAN on cyber security matters, this is an area in which Australia could provide assistance through advocacy, networking, and provision of expertise and program funding.

Australia’s efforts to promote technology for development include the provision of technical expertise and financial resources to improve digital infrastructure and access. Examples of this include fibre-optic submarine cables for Fiji, Samoa and the Republic of Palau and improved mobile phone coverage in the Solomon Islands and Kiribati. Through the Department of Foreign Affairs and Trade’s innovationXchange, Australia collaborates with private sector and university partners to identify and develop projects aimed at upskilling populations in the Asia-Pacific, with a focus on young people, women and girls, and people with disabilities.

CONCLUSIONS

The Strategy provides a clear articulation of Australia’s priorities, intentions and capabilities. In part, it is an expression of how the country will continue to pursue its national interests in the new techno-social trading and strategic environment. The key pillars of Australian foreign policy, in one sense, have not changed much: the US alliance, its position as a middle-power engaged in and supporting global cooperation through multilateral institutions, and its key relationships in the AsiaPacific region.

In another sense the Strategy clearly sets out a new purposefulness to Australia’s engagement, especially with its near neighbours. Its clarity is also a conscious effort at putting into practice one of its core values: transparency. Together with the 2016 Cyber Security Strategy and successive Foreign Policy White Papers, the Strategy explains Australia’s intentions and outlines its capabilities in an effort to reduce the risk of miscommunication with, and to encourage greater candidness from, other international actors. This is one of the Strategy’s most laudable objectives.

All nations, governments and policies are faced with the conflict between pragmatism versus principles. The strategy has elements of this in the scant attention to privacy rights. The omission of certain state actors as risks – either to their own people (Myanmar, Cambodia) or to other nations (China, Russia) – can be chalked up to diplomatic prudence. And the shortage of due attention given to digital platforms such as Facebook may be a product of timing – the abuses in Myanmar and the risks to democratic processes both being associated with social media only quite recently. These are, however, areas which Australia’s Cyber Ambassador and his department may wish to give further attention to.

Despite these slight concerns, Australia’s combination of good standing and comparatively hale resources make its leadership feasible, the interconnectedness of the issues at stake makes its engagement necessary. The purposefulness and thoroughness of the Strategy are in large part cause for confidence; its implementation thus far, likewise.

***

Dr. Damien Spry is a Lecturer in Media and Communications at the University of South Australia and a Visiting Fellow at the Digital Media Research Centre at the Queensland University of Technology. He has previously held academic positions in Hong Kong, Japan, South Korea and the United States of America. His scholarly research focuses on digital media impacts on international politics and diplomacy. He has developed the Facebooking diplomacy database for this purpose. He is a regular contributor to think tanks, including the Lowy Institute and the Australian Strategic Policy Institute, and has consulted for several multinational companies, including Google, Facebook and Amnesty International, as well as to several governments.

This article was published in Panorama. Insights into Asian and European Affairs, 2/2018: Digital Asia

For the full article including footnotes and tables, please see the PDF.