Australia’s military defence must include cyber defence

Our political leaders are warning of armed conflict in the Indo-Pacific.  But there’s more to worry us than bombs alone.

Critical infrastructure (aviation, rail, telecoms, electricity, ports, etc) are always prime targets in any armed conflict.  When the Japanese hit Darwin in 1942, it was to knock out the city’s seaport and airfields and cripple its trade and defence capability.

In the Ukraine, nuclear, electric and hydro infrastructure was among the first hit.

Here, Australia’s second round of amendments to the Security of Critical Infrastructure Act 2018 (SOCI) came into effect earlier this year.  Now it includes data centres among critical infrastructure, recognising that they are key to our national security.  Central to the thinking behind these amendments is the steady growth in cyber attacks on Australian targets conducted by criminal individual and hostile state actors in recent years.

SOCI aims to more closely integrate the Australian Signals Directorate (ASD) with private sector critical infrastructure.  Key corporations in the infrastructure space are now required to report to the ASD their assets and security and risk mitigation plans.  They must also share information on any cyber incident.

At the end of the day, it is all about data security.

All major organisations rely on data and this invariably will involve data centres.  This dependence has only increased during the COVID emergency amid the rise of remote-working and therefore the need to secure data has also grown.

The Security 2025 Report by the Australian Security Research Centre highlighted cyber vulnerabilities as a crucial element in Australia’s overall security arrangement.  It called on all governments, the private Security Industry and the corporate sector to work as a team and bring about meaningful and lasting reforms in regulations, knowledge and practice.  Afterall, many private companies work for government agencies and much of the work is conducted online. The SOCI amendments are not enough on their own and the private sector must ensure that mechanisms are in place to defend against cyber-attacks and promptly report them.  This is not merely a software solution provided by an IT professional.  Registered and licensed security professionals are needed to analyse an organisation through a security lens rather than relying on an IT professional, who might not have any kind of security clearance at all.

Critical infrastructure and security go hand in hand.

In the event of general mobilisation, critical infrastructure will be hit first but that will be more than the railway lines, ports and airfields.  Several joint cybersecurity advisories warn that key data service providers in Australia have been targeted by malicious cyber actors.

The Australian Security Industry Association Ltd (ASIAL) was one of several organisations invited to consult in the first draft of the Australian Defence Department’s General Mobilisation Design Directorate.  Together with representatives from oil and gas, logistics and transport, water and electricity infrastructure providers, representatives from the private Security Industry highlighted the need to ensure best-practice security measures at Australia’s critical infrastructure both in terms of physical protection and cyber security.

The SOCI amendments reflect that the new front in cyberwarfare is key infrastructure.  The Act has expanded the policy framework to protect valuable information needed for Australia’s continued operation.

Steve Cropper is a Strategic Communication Adviser to the Security Sector and an Information Operations Contractor to the Australian Army.