National Security Overview - Australia

Transcription

1 Submission to the National Commission of Audit from the Australian Strategic Policy Institute (ASPI) regarding National Security Overview This submission addresses the National Commission of Audit s terms of reference in the area of national security with particular reference to policing and cyber security. Australian society s conception of security changed as it became richer and more technologically advanced over the last two decades or so. Today, security is no longer exclusively about existential threats like nuclear or major war, although these threats remain. A broader range of concerns now occupy our thinking, ranging from those posed by terrorism, crime and threats generated via the internet. This broadening of the concept of security introduces three new dynamics into Australia s political debates. These dynamics will continue to influence the priorities and resources of all Australian governments, and make closer cooperation necessary among them and with our international partners. The first dynamic concerns the broadening of the security agenda. During the Cold War, Australia policymakers grappled with the existential threat of nuclear war, and a very significant concern about how decolonisation in Asia might work against western interests. But this situation changed as the international community recognised China, Southeast Asian states became more internally coherent, and, ultimately, Soviet-US tensions reduced after These same changes also allowed different non-state and state actors to pursue their own interests with fewer constraints, leading to a number of internal wars and another round of international atomisation. As a consequence, Australia launched or participated in a number of overseas operations designed to meet political, economic and humanitarian objectives, and used a broad mix of national capabilities on these operations including diplomats, police, aid workers and the Australian Defence Force (ADF). The second major dynamic is the broader range of vulnerabilities inherent within today s society. Wealth, connectivity and convenience have increased the potential for disruptions to everyday life, and also the electorate s expectations of its government. Increasingly, the vulnerabilities of infrastructure critical for our highly-networked financial, energy, water and food systems are even harder to manage on a daily basis by their predominantly commercial operators. That these vulnerabilities can also be exploited by maleficent actors for political or economic gain, or by increasingly common and severe natural events, makes government s role essential. But demarcating the government s responsibility is difficult and far from objective as public expectations increase. The third major dynamic is the way security concerns can touch people, everyday. While the Australian people still remain affected by war and could be so again these relatively rare events have only required a little sacrifice from most. But today, and increasingly into the future, security threats such as organised crime, cyber-crime and the impact of border security challenges can and will present in Australian neighbourhoods and homes. Further, values, diasporas, increasing connectivity and the power of traditional and new media make 1

2 global problems more immediate. This dynamic makes security a mainstream concern and a regular not exceptional part of Australian political life. In short, people are looking to government to protect their way of life, and sometimes to advance their ideals, to a more individual and more immediate level. But our understanding of these dynamics, and importantly how Australian governments will work together to meet these challenges, is both not particularly well understood and only slowly evolving. What are Australia s key national security priorities? The first is to get a better understanding of how these dynamics affect Australia s interests. This means understanding change across the globe, across the region and within Australia itself. It requires detailed consideration of how information flows, technology, resources and money actually move. It also requires an ability to make a cold-eyed calculation about where change really affects Australia s security and an ability to explain why the latest problem should not consume our resources. At present, Australia s ability to perform this critical analysis is mature and generally very effective, although there is a bias towards understanding the interaction and intentions of nation-states over other important actors, especially sub-state groups who are not directly involved in conflict. Creating a twenty-first century response to these challenges is also important. Our constitution has proven relatively robust so far, in that it allows the Commonwealth government to act against most challenges. However, our national system of governance is proving less efficient and somewhat of a constraint when it comes to action. The crosscutting nature of contemporary security challenges means state and federal cooperation on security issues is even more important than ever. But the mechanisms for cooperation have grown in an ad-hoc, issue-by-issue way. This means we have a plethora of overlapping committees at the ministerial and officials levels, especially in the policy development space. It also means the Commonwealth must provide funds if the nation as a whole is to build security capabilities to manage these threats: it has done so in an inconsistent way to date. The need to develop consistent, nation-wide security capabilities can be seen in a number of key areas and Commonwealth leadership is essential. Today, we have a situation where criminals are able to exploit gaps in legislation among jurisdictions. Also, the ability of state and Commonwealth law enforcement and other relevant agencies to exchange information seamlessly is limited by technical, legislative and cultural barriers. While the state governments may show goodwill to change, they will be unlikely to take effective action without Commonwealth leadership. We ll return to this point later. The need for leadership is also clear in areas where the Commonwealth clearly has sole responsibility, such as in the cyber domain, coordination has been patchy at best. New thinking which builds national awareness, ensures capability is present to meet threats when and where needed, links the substantial criminal information holdings of Australian governments, and sensibly joins related challenges to enhance economies of effort, is needed. Also needed is a more effective way to engage the business and community sector in security efforts. There have been some good examples of this, especially in critical infrastructure protection, but the effort needs to come on a broader basis. This should see attention given to organised crime, as well as enhanced efforts in the cyber domain. Further efforts to counter violent extremism are also needed, and these need to be conducted in increasingly sophisticated ways. 2

3 Resourcing national security The Commonwealth government s allocation of resources to their stated risk is currently heavily skewed towards defence spending. This is understandable given the long lead-times and increasing cost of defence capability. But the Commonwealth s own National Security Strategy shows that six of the seven major risks are not primarily some, not even slightly defence related. While we can t compare the risks objectively as there is no detail about either the likelihood or consequence of each, we can infer a two points that have a great importance for resource allocation across the national security community. Figure 1: The National Security Budget Foreign Affairs - 1 3% ASIO 1% ASIS 1% ONA 0% Federal Police 4% Foreign Aid 16% Defence 75% Source: Cost of Defence, ASPI Defence Budget Brief Firstly, national security risks with a primarily domestic focus receive only a small part of the Commonwealth s money. Indeed, it would be fair to infer that risks such as domestic terrorism, organised crime, critical infrastructure and cyber security might only account for three or four per cent of the Commonwealth s national security spending. Of course, state governments bear a reasonable share of the burden too in some risk areas. But any objective assessment of the risk is likely to find that these dimensions of security are not sufficiently resourced and therefore may not be addressed in a way that seeks to reduce the actual level of risk. It s also important to note that the language used in the paragraph above was heavily qualified. That s because the Commonwealth has not presented a clear explanation of the relative risk between each of the eight challenges listed in the National Security Strategy. This means it is impossible to identify whether resource allocations are actually following risk assessments, or whether these allocations remain bound by historic spending patterns. So the second major point is that better information would help to create more rational arguments for resourcing priorities. The National Commission of Audit might wish to consider asking for this assessment as its members consider where the Commonwealth can best place its emphasis in the security realm. 3

4 Policing and law enforcement One clear trend of the past century has been a steady expansion of the range of crimes that can be perpetrated against both the community and the nation. Australia s state governments were able to deal with most major crime areas at Federation: and most of these major crime areas still exist today. But the onward march of technology, Australia s increasing absolute and relative prosperity, and the growing irrelevance of domestic and international borders to criminal enterprise have increased the importance of the Commonwealth s role in law enforcement. This continuity and change has major implications for all Australian governments, and makes close cooperation among them essential for the continued development of Australia s society, economy, security and reputation. The change in the extent, vectors and nature of crime have made the Commonwealth s powers bought more directly relevant to law enforcement at the local level. For example, the Commonwealth s responsibility for telecommunications is now critical to combatting cyberfraud and identify theft; its corporations powers are used to prosecute major economic crimes; and its responsibility to protect the states from domestic violence has acted as a rallying-point in the national fight against terrorism. Less noted has been the generation of criminal intelligence, which is shared among the jurisdictions and is both an efficient and effective way of handling this delicate material. Also similarly efficient is the way the Commonwealth leads on overseas law enforcement partnership arrangements, and provides practical assistance to develop policing and legal capability for neighbours and others. These trends are unlikely to be reversed, and they may be accelerated in some places. In particular, the number of instances where the states may actually refer powers to the Commonwealth could increase as it becomes clear that new legal innovations such as unexplained wealth laws are best pursued from a national basis. There is also a pressing need for the Commonwealth to lead the multi-jurisdictional effort against organised crime by encouraging consistent, nation-wide policing capabilities. Overseas, the increasing fragility of some states, and the need to build effective rule of law in these, is likely to see governments wish to use their law enforcement instruments to achieve national policy objectives perhaps in place of, or at least in addition to, the traditional military contributions to these situations. While the Commonwealth should not seek new power unjustifiably, it must be alert to where its mandate and resources can be best used to ensure a national approach to fighting crime. One particularly important contribution that the Commonwealth government makes, and makes available to the state governments and international partners, is criminal intelligence. The Commonwealth has already made a major contribution to this function and product. Notably, the breadth of inputs to this intelligence is expanding, with the inclusion of taxation, immigration, customs and social security information. This kind of aggregation will require careful management, especially in relation to privacy, but it will provide an essential weapon for law enforcement officers. Yet the resources being devoted to this function, especially through the Australian Crime Commission, is decreasing. This is a false economy. Cyber Security In a globalised, world, the key that keeps much of our economies, infrastructures, lines of communication, defence, security, intelligence and social capital enabled is the cyber domain. Cyberspace has created intimate interdependencies between states and new 4

5 avenues for governments to achieve their policy objectives. As cyberspace empowers individuals, non-state actors and the private sector, a large-scale cooperative approach between public and private sector stakeholders is required. And as technology develops in quantum leaps, questions remain about how we should manage the cyber front both at home and abroad. The ability to leverage cyberspace is one of the twenty first century s most important sources of power. State and non-state actors can use this power to achieve financial, military, political, ideological or social objectives in cyberspace or the physical world. These objectives can be for both positive and negative purposes. Like most technologies, cyberspace is agnostic to politics and ideology, but is a powerful transfer mechanism for both. The twenty first century is going to be defined by the cyber domain. There will be a great responsibility to ensure that those that wish to exploit cyberspace for negative purposes are denied as much operating space as possible. This must be achieved without reducing the openness and freedom that the cyber domain has enabled. Cyber power is attractive to the whole spectrum of actors, be they large nation states, or small non-state actors, primarily because of its low relative cost, high potential impact and general lack of transparency. Powerful actors can combine cyber power with existing military capabilities, economic assets. Less powerful actors states, organisations, individuals, can gain asymmetrically in cyberspace by inflicting extensive damage on vulnerable targets. For a relatively small investment, networks can be bought down, valuable information stolen and interfered with. The threats in cyberspace are crossing multiple national jurisdictions with increasing frequency. This places stress upon the state to be able to cope with the cross-boundary nature of the threat, and requires states to cooperate with other to achieve mutually beneficial outcomes. It is up to the different levels of government to work with counterparts in other jurisdictions to achieve success in the prevention and alleviation of cyber insecurity. Australian Context Cybersecurity is rapidly emerging as a high-priority policy challenge for the Australian Government. The National Security Strategy released in January 2013 listed malicious cyber activity as the third of seven key national security risks and called for closer partnerships with the business community to develop a more effective response. One of the problems inherent in cybersecurity is the sheer number of government and private sector entities that have a legitimate interest in the field. This adds enormously to the complexity of cyber policy development. The Australian Government s 2009 Cyber Security Strategy lists nine agencies, units or committees with critical cybersecurity responsibilities, but the number s really much larger and growing. i The Intelligence Services Act 2001, which governs DSD s operations, gives the agency responsibility for information security across all government operations, not simply Defence. DSD s Cyber Security Operations Centre was established in 2009 to create a single gathering and reporting point for information on detecting and defeating cyberthreats. Within the Attorney-General s Department (AGD), a computer emergency response team was rebranded in 2010 as CERT Australia, to provide a single point of contact on cybersecurity information for Australian businesses and individuals. 5

6 In January 2013, the then Prime Minister announced the creation of the ACSC, which, she said: will be the hub of the government s cyber security efforts. It will include, in one place, cyber security operational capabilities from the Defence Signals Directorate, Defence Intelligence Organisation, Australian Security Intelligence Organisation, the Attorney-General s Department s Computer Emergency Response Team Australia, Australian Federal Police and the Australian Crime Commission. These measures point to a consolidation of cyber functions, particularly at the operational level, where information technology specialists detect cyber intrusions and deploy countermeasures. The bulk of government investment in strengthening cyber capability has happened at that highly technical level. The ACSC also aims to build stronger, practically focused links with the private sector. The goal to have the new stand-alone facility operating by the end of 2013 looks unlikely to be achieved, but the focus on practical technical matters is one important part of a holistic policy response. Sadly, the story is much less positive at the level where governments, agencies and businesses develop cyber policy the handling strategies needed to support good-quality decision-making on cyber matters. As cyber lifts in national priority, the need is to ensure that our policy development capacities also increase. In the past few years, however, responsibility for cyber policy has been shifted between no fewer than three departments. The most recent organisational reshuffles in cyber policy were announced in May in the 2013 Defence White Paper with the renaming of DSD to the Australian Signals Directorate, and in the announcement of the creation of the ACSC in January The white paper said that the Centre will be overseen by a Board, led by the Secretary of the Attorney-General s Department, with a mandate to report regularly to the National Security Committee of Cabinet. ii In effect, we ve returned to the situation that applied in 2009: AGD has the lead in reporting cybersecurity issues to government, this time through a board rather than through the Cyber Security Policy and Coordination Committee. Most concerning, though, is that the drive for a Cyber White Paper has been lost and the skill base for policy work in the major departments has been eroded through constant changes of role. The new ACSC will focus on operational matters rather than on policy, so AGD will report to government on cyber incidents rather than on shaping policy choices. The answer to the question Who owns cyber policy? is that no department or agency has a strong grasp on that area right now. It s not surprising that the Business Council of Australia s submission on the Digital Economy White Paper rather sharply said that the white paper should present a coherent government strategy to deal with cyber security, drawing together multiple existing initiatives. iii 6

7 i Australian Government, Cyber Security Strategy, 2009, available from %20for%20website.pdf. ii DoD, Defence White Paper 2013, para. 2.90, p. 21, available from iii Business Council of Australia, Submission to the Department of the Prime Minister and Cabinet regarding the Digital Economy White Paper, January 2013, available from 7