Is cyber crime a national security issue?
Put simply, cyber security involves protecting the integrity and security of computer systems connected to the Internet. Different entities like Government, organisations and individuals across Australia depend on these connections to the internet.
Consequently, if Australian computer systems were compromised, such impairment could endanger Australia’s national security in a variety of ways, for example:
- A malicious actor who gains unauthorised access to secret commercial information by exploiting vulnerabilities in an entity’s or individual’s computer system could undermine confidence in Australia’s digital environment and economy
- Cyber-attacks on telecommunications systems that affect lines of communication across sea and air routes could inhibit Australia’s international trade and access to externally sourced resources such as petroleum
- Technologically advanced computer tools used to target the Australian Defence Force’s (ADF) information networks (such as ballistic missile defence systems and communications satellites) would also increase the risk of harm to the Australian population
Cyber security laws
Parliament has enacted a raft of legislation dealing with the issue of Cyber Security.
In 2013, the Government legislated for several computer offences in accordance with its international obligations under the Council of Europe Convention on Cybercrime. These offences appear under part 10.7 of the Criminal Code Act 1995 (Cth). The computer offences include:
- Causing unauthorised access, modification or impairment with intent to commit a serious offence;
- Causing unauthorised modification of data to cause impairment;
- Causing unauthorised impairment of electronic communication;
- Causing unauthorised access to, or modification of, restricted data;
- Unauthorised impairment of data held on a computer disk etc.;
- Possessing or controlling data with intent to commit a computer offence; and
- Producing, supplying or obtaining data with intent to commit a computer offence.
In April 2017, the Government’s data retention scheme came into effect. Part 5‑1A of the Telecommunications (Interception and Access) Act 1979 (Cth) requires telecommunications companies to retain certain telecommunications data for at least two years and permits listed Australian Agencies (i.e. ASIO) to access this data.
The retained data includes:
- phone numbers, call duration and location of a phone when a call was made (but not what was said);
- email address and when an email was sent (but not the subject line or content of an email).
Telecommunications companies are not obliged to keep your internet browsing history.
The purpose of establishing a data retention regime is to increase law enforcement’s investigative capabilities in relation to serious national security matters including cybercrime.
New data breach notification laws
To address concerns regarding the data retention scheme’s vulnerability to potential hacks, identity theft and other cybercrime, the Government introduced a mandatory data breach notification scheme under the Privacy Act 1988 (Cth). Listed entities have an obligation to report ‘eligible data breaches’ to the Office of the Australian Information Commissioner and to persons who might be affected by a data breach.
A failure to report an eligible data breach is considered an interference with the privacy of an individual. As a result, there is a significant civil penalty (i.e. 2000 penalty units) for ‘serious or repeated interferences with the privacy of an individual’.
What else is Australia doing to enhance cyber security?
In the 2016 Defence White Paper, Cyber Security was highlighted as one of Australia’s national security priorities particularly given the increase of malicious state and non-state actors attempting to thwart the integrity of Australia’s information systems. Accordingly, the Government has sought to improve digital safety by implementing the goals contained in the 2016 Australian Cyber Security Strategy:
- A national cyber partnership – Governments, businesses and the research community coming together to advance Australia’s cyber security
- Strong cyber defences – build networks and systems that are hard to compromise and resilient to cyber-attacks
- Global responsibility and influence – promote an open, free and secure cyberspace
- Growth and innovation – help Australian businesses grow and prosper through cyber security innovation
- A cyber smart nation – ensure Australians have the cyber security skills and knowledge to thrive in the digital age
Since the inception of the Australian Cyber Security Strategy, a number of achievements have been made:
- Through increased recruitment, the Australian Criminal Intelligence Commission has enhanced its ability to link online cybercrime personas with real world identities
- The Establishment of the Joint Cyber Security Centre
- Release of Australia’s first international cyber engagement strategy; and
- The commencement of comprehensive training for Australian Federal Police to better tackle contemporary cybercrime.
In conclusion, new and complex threats in cyberspace highlight cyber security as a current and pertinent consideration for Australian national security.