On 21 April 2021, the Australian Government launched its International Cyber and Critical Tech Engagement Strategy, which aims to create a safe, secure and prosperous world enabled by cyberspace and critical technology.
The new Strategy builds on the 2017 International Cyber Engagement Strategy to incorporate critical technology into Australia’s diplomatic engagement. Critical technologies are defined as technologies that have the capacity to significantly enhance or threaten Australia’s national interests, such as Artificial Intelligence (AI), 5G, Internet of Things (IoT), quantum computing and cybersecurity.
The enhanced diplomatic remit is a recognition of the interconnectedness between cybersecurity issues and critical technologies. It is also an acknowledgement that many of Australia’s greatest social, economic and national security opportunities (including challenges) are unfolding through the lens of cyberspace and critical technologies.
The new Strategy is a truly whole-of-government document. While authored by Australia’s Department of Foreign Affairs and Trade (DFAT), it enlists the collective expertise and resources of numerous Government Agencies in its execution. The Strategy illustrates that Canberra officials (across all portfolios and ranks) realise the importance of cyber and critical tech in securing and preserving Australia’s way of life.
Compared to its predecessor, which focused on Australia’s views of the international law and norms in cyberspace, the 2021 Strategy’s funding and initiatives are more focused on practical measures in the Indo-Pacific, pledging AU$37.5 million to secure the region’s cyber defences.
While many of the Strategy's plans are impressive, below are some key areas of focus that will surely contribute to greater cybersecurity in Australia and the Indo-Pacific.
A welcome focus of the Strategy is on regional connectivity and the need to secure that connectivity.
Today, our telecommunication infrastructure underpins almost all critical infrastructure and essential services, including energy, finance, healthcare, transportation, IT, defence, government, manufacturing and retail.
Technologies, such as 5G, promise transformative mobility by enabling the mass digitisation of businesses and industries. This is true in Australia, as well as for our neighbours in the Indo-Pacific.
Although these improvements will yield revenue opportunities for operators and increase productivity and efficiency for business, they also bring cybersecurity risks. An attack on national telecommunication infrastructure could be catastrophic to the day-to-day functions and defence of any nation. Further, the rapid rollout of low-cost, low-power, unsecured IoT and Industrial IoT (IIoT) devices will pose increased security risks for operators, their customers and Governments investing in 5G.
As part of its international efforts, Australia can play a leading role in promoting key concepts. For example, as all nations continue to adopt and roll out their telecommunication infrastructure, including 4G and 5G networks, they must ensure these networks are secure and trusted by design. This approach can help to avoid some of the challenges we face securing today’s 3G and 4G networks, which in retrospect have been difficult and expensive to secure.
Telecommunication providers need to have constant real-time security visibility across traffic passing through their networks and be able to detect and stop in real time cybersecurity threats within that traffic. Including security into 4G and 5G rollouts will go a long way to protect national critical infrastructure assets in the region, helping ensure national economic and social prosperity.
We also welcome the Australian Government’s focus on building capacity across the Indo-Pacific to identify and address supply chain risks associated with cyber and critical technologies.
As the Strategy notes “the next wave of critical technologies… will be more complex, pervasive, and interconnected than current technology. They will be integrated into every aspect of life and have the potential to reshape our economies.” At the same time it notes, technology supply chains are increasingly “global, interdependent, and complex.” Supply chain attacks are also increasingly common.
Perhaps the most recent and notorious attack was that against SolarWinds. SolarWinds saw a malicious actor, possessing a sophistication typically associated with advanced-capability nation states, gaining access to and exploiting the process by which SolarWinds provided software updates to its customer base. Exploiting this “trusted” update set off a series of steps that ultimately enabled the malicious actor to gain access to many of SolarWinds’ most sensitive customers’ networks, including important U.S. federal government agencies. The full magnitude of the breach is still unknown, as is the scope of what data was taken or corrupted. However, it is clear that the consequences to the targeted U.S. entities were significant, and the lessons are applicable to all nations and organisations that need to guard against supply chain attacks.
Governments around the world want assurance regarding the integrity of the technology products and services that they procure and use. The same assurance is needed when considering the use of these products and services by critical infrastructure entities in their countries.
There are measures all Governments can take and encourage the private sector to adopt: internal processes and oversight, hardware manufacturing processes, secure delivery of hardware products, third-party testing and vulnerability remediation and disclosure practices. Governments should consider prioritising ICT vendors' ability to demonstrate product integrity and secure supply chain practices through their procurement practices and policies. Governments must also ensure that their own defenses (and those of their critical infrastructure) are built to identify, protect against, and quickly detect and remediate attacks coming from within their supply chain and IT tools.
The Australian Government is well placed to promote best practices in supply chain security in the Indo-Pacific region. We look forward to working with DFAT on this important policy area.
Finally, we welcome the Strategy’s focus on “enhance[d]...engagement with industry and civil society on cyberspace and critical technology issues.” We support increased and ongoing industry engagement in recognition of the important role that the private sector can play in supporting and delivering international outcomes with respect to cyber and critical technology policies.
The internet transcends state sovereignty and national borders – no single country owns the internet or the technologies that underpin it. While governments leverage ICT and the internet, it is the private sector that operates most of the world’s internet infrastructure. And as key participants in a “multi-stakeholder” internet, it is critical that Governments ensure the private sector is engaged and leveraged in support of mutually beneficial and agreeable objectives.
With the expanded remit of critical infrastructure, it will be even more important that the Government collaborates with industry and draws on the expertise that sometimes can only be found in companies at the forefront of technological innovation. The private sector can and should play a role in supporting and delivering international outcomes with respect to cyber and critical technology policies, particularly with respect to setting standards for the International community.
These are only some of the many important activities in Australia’s new International Strategy. As one of the largest economies in the Indo-Pacific, and a key player on the global stage, Australia’s important diplomacy efforts in cyber and critical technologies will have multiplier effects around the globe. Palo Alto Networks stands ready to contribute our expertise in support of the new Strategy and looks forward to working with the Australian Government on its delivery.
Sarah Sloan is Head of Government Affairs and Public Policy, ANZ, Palo Alto Networks.