Last week Foreign Minister Julie Bishop launched the Commonwealth Government’s International Cyber Engagement Strategy, which pulls together a number of cyber policy threads.
The strategy threads a credible path through competing ideas and realities and maps out a compelling vision of regional and international engagement and co-operation.
Battle of the standards
The International Cyber Engagement Strategy quite rightly points to the need for the harmonisation of standards relating to cyber and data security and nails its colours firmly to the ISO 27000 mast.
Curiously, as our major trading and security partner on the other side of the Pacific moves to widespread adoption of the NIST Cybersecurity Framework as mandated by President Trump’s 11 May Executive Order, there is no mention of this framework.
The strategy does however take the opportunity to promote the Australian Signals Directorate’s own conceptually similar publications in this area, including its Essential Eight, recently augmented by the Essential Eight Maturity Model. It also notes that the Essential Eight will be translated into the official languages of the ten member states of the Association of Southeast Asian Nations.
International norms in cyberspace
The International Cyber Engagement Strategy speaks of Australia’s promotion of international norms in cyberspace, including in relation to responsible state behaviour, regulatory approaches to the internet and the need for a free and open internet.
The strategy notes that while there is a role for governments in internet governance, the role “is not one of control”.
Given developments in the Asia Pacific region, such as the proposed internet firewall for Beijing ahead of the 19th Communist Party Congress, laws in Russia and China requiring international operators to store data in country, crackdowns on and censorship of online content and Russian policies to “isolate” a Russian internet from the global internet, Australian diplomats will have their work cut out for them promoting this message and encouraging its adoption in the Asia-Pacific region.
Offensive cyber capabilities
Offensive cyber capabilities have come to the forefront of Commonwealth cyber policies recently and the Strategy reiterates an emphasis on the existence and development of such capabilities.
One interesting aspect of this policy area teased out in the strategy is the potential for the attribution of unlawful cyber activities. Attribution is a particularly fraught area. The strategy notes that “Australia has the capability to attribute malicious cyber activity in a timely manner to several levels of granularity – ranging from the broad category of adversary through to specific states and individuals” (see Part 4 of the strategy, “International Security and Cyberspace”).
Given a general reticence up until now to “name and shame” state actors and agents, it will be interesting to see whether public attributions become more commonplace and if so, how any named party reacts to such attribution.
Such capabilities will need to be exercised judiciously so as not to undermine diplomatic efforts to promote and encourage international norms.