We are all against cybercrime - criminal offences done with the aid of a computer - are we not? And cyber-terrorism - bad guys, and not only jihadist terrorists, using the internet to recruit, propagandise, communicate and probably transfer money to each other? And do we not also deplore cyber war or cyber sabotage - hacking into computer systems to spy, steal intellectual property and capture control of or damage sensitive national infrastructure or military systems?
So we are, and so we do. They are bad things, and they are problems. No doubt we must do something about them. But simply because government is doing something by no means necessarily guarantees that that thing is the right thing, is in proportion to the supposed danger to the community, or that doing it will make much, or any, difference. Particularly when most of the money will be going to agencies being less than honest in their presentation of the problem, and more than a bit willing to construct bureaucratic empires in the pretence that they are going to do something about it.
There are a few sure clues to the idea that we are being steamrolled, and marketed into the idea that we are facing a serious, and increasing, crisis from outside. There is, for example, a steady cycle of announcements, invariably involving the Prime Minister and sundry others from the police and security systems, declaring threats from abroad (code for China, whose eye we poke with a burnt stick once or twice a day). The instances or proofs of the problem - an external attack on the computer systems of a government department or the ANU - will not be particularly new. Nor will the new measures the government says it will be taking. For more than a year, indeed, ministers have been repackaging old announcements as if they were new, or giving slight details of intended spending from sums long ago appropriated.
What is notable is how much the proffered rationale seems to depend on fighting paedophilia. Even at the police level, the PR doesn't talk of fraud, or identity theft, or, these days, even much about terrorism. But it is as much involved in the security rationale for new powers, new empires and new resources.
The handy thing about paedophilia, of course, is the inherent suggestion that anyone who doubts that the AFP is playing a particularly important role in combating it must be in favour of paedophilia. With most cybercrime having any international dimension, such as the cyber theft of credit card details, the most that police and cyber agencies can do is warn consumers, establish hotlines on which crimes can be reported, then exaggerated, and sympathise afterwards with victims who failed to heed the warnings. That's unlikely to change with the planned spending of several billion dollars in future years, or with the existence of many more cops and officials on the cyber beat.
Ministers' offices have shown they have no restraint in leaking material obtained from the new powers for partisan political purposes.
Sadly, most of the statistics available on the problem of child sex abuse, child sexual exploitation, and the trafficking of images of abuse are not much to be relied on to make the case that the best chance of reducing the damage is by having more cyber cops at the federal level. The overwhelming proportion of crime involving child sex matters is within state jurisdiction, and lacks that "federal aspect" that has given the AFP the right to march uninvited into pretending to "own" the small tiny proportion of cases involving overseas victims or transactions.
We have had a good deal of publicity about victims who were in state, church or social institutions, including schools, over recent years. The record there has shown that police agencies were for a long time inept at detecting the problem, or in doing anything about it, especially if the institutions were well connected. That includes the AFP at the ACT level. For many years, with child sexual offences as well as physical or sexual violence against women, Australian police were more a part of the problem than of the solution, and often downplayed the issue, helped cover it up, or failed to regard it with the resources it deserved. The record has slightly improved in recent years, but the number of new cases (rather than tidying up matters that came to light during the royal commission), does not suggest a great increase in allocation of resources or in police effectiveness.
But, as the royal commission itself emphasised, the serious problems of abuse in institutions, historical or ongoing, was a tiny proportion of the cases of child sex abuse perpetrated by "friends", neighbours and relatives of the victim, as often as not within the victims' own homes. This has been a problem known and understood for many decades, and has been responsible for the creation of welfare agencies focused on child protection, including, in many cases, the further punishment of victims by removing them (rather than perpetrators) from homes, and placing them in institutions.
I want exploited overseas children protected from Australian villains. But if the federal government were truly focused on protecting the greatest number of children, it would be investing money in improving the quality and the quantity of state and territorial police action against abusers. That police activity embraces actions against abusers or consumers of abuse abroad. Indeed, even now most matters "detected" by the AFP go to state agencies for resolution - after the requisite numbers of press statements.
Some might think, however, that potentiation of the AFP role is but a sideshow (if a useful byproduct) to the more important national security work. This is defensive - getting government agencies, businesses, and private individuals to take more care to protect themselves, and detecting, preventing or disrupting the activities, here or abroad, of terrorists. And, perhaps, developing an attack capacity of our own, able to be deployed against our enemies if the occasion arises. "State actors" - Russia, China and North Korea are most often mentioned - are actively using the internet to probe our cyber defences, to hack into systems with vulnerabilities and extract information and intellectual property, and, sometimes, to wage disinformation wars or to seek to influence elections, as in 2016 in the US.
MORE JACK WATERFORD:
If the national security risk is so great, why are those in power so keen on using crime - particularly paedophilia - to garner public support for extensions of powers, and budgets? The bid is to give our spooks more power to monitor, spy on and exchange information about Australians at home. The rationale should be extending the nation's sum of knowledge of what our external enemies are doing - the core function of our intelligence system - rather than fighting conventional crime.
It was only a decade ago that the problem was inverted: national security agencies, including the anti-terrorism arm of the AFP, were getting extra powers to intrude based on the fear of terrorism. Then the AFP rode on those security coattails. It would soon be using such powers - ones it would never have been otherwise given - in ordinary criminal investigations, including cases of alleged welfare fraud.
It might be all very well if there were checks and balances in the system. But Home Affairs Minister Peter Dutton has never seen a police power he does not like, and does not want to see extended. The Prime Minister is a policeman's son, with a policeman's perspective. There is scarcely a genuine liberal or sceptical voice at the political table. It is certainly not the Attorney-General, Christian Porter, who ought to have an eye on fundamental liberties.
Ministers' offices have shown they have no restraint in leaking material obtained from the new powers for partisan political purposes. They are also leaking to friendly media for a current major government project, that is maintaining a heightened sense of national security emergency, possibly running to the risk of war with China. The idea promoted by the Foreign Minister, Marise Payne, that our stance is seriously independent of the United States is absurd.
Looking prepared to go to the brink - in line with the US presidential election timetable - appears to be a political task to which the national intelligence establishment as much as the political establishment is bending itself - in ways mirroring (sometimes anticipating) the line emanating from the White House without anything much in the way of evidence of a new threat.
Other, that is, from signs of China's high annoyance, even exasperation, with the studied and loud criticisms being made by ministers, and the amplification - here and abroad - from NewsCorp. Thank heavens all of our resident geniuses know exactly how far we can go without getting a massive overreaction.
Cyber war: building more empires than it destroys
Seven years ago, the Cato Institute in the US held a conference on dangers to American national security, from nuclear proliferation to terrorism to climate change. It would be fair to say that speakers at the conference were deeply sceptical about whether America was greatly at risk from cyber warfare. Lest anyone, from ignorance, assume that the institute is a typical left-wing think tank, I should add that it is largely funded by the Koch brothers, and is of libertarian small-government bent.
Those who talked up the threats had plenty of practical and theoretical examples of the risks that cyber warfare, or cybercrime, posed. There had been attacks on businesses and agencies, hacks by "state players" and by sophisticated independents. Indeed one of those who spoke at the conference, Martin Libicki, the Keyser chair of cyber security studies at the US Naval Academy, recently remarked that there had been little change in what was happening since the conference. Fresh cases tended to reinforce what many speakers had said seven years ago: "Cyberspace is unlikely to be a national security problem. As with much of life, what has started as an acute problem (rare but intolerable) has continued to evolve into a chronic one (common but tolerable)."
There have been some new abuses. North Korea started out using cyber attacks to destabilise South Korea, but later concluded that stealing money produced more tangible results, hence its $US81 million haul from the Bank of Bangladesh. China has professionalised its operations into a ministry, trimming its ranks of rogue and noisy hackers. Iran still does mischief, mostly in its region.
"Russia's hackers, by contrast, which in 2013 were rarely heard from but considered highly talented, are now heard from a lot. Its cyberspace operations in 2016 against the integrity of the US election were politically if not necessarily technically sophisticated," Libicki said.
"Rarely does a newsworthy cyber attack take place without one or more private cyberspace security companies jumping in to let us know which country - and often which group in which country - is responsible. And, while mistakes were made - many operations initially blamed on ISIS, North Korea or Iran were later found to be Russian false flag operations - the notion of impunity through invisibility has seen better days."
Libicki also demolished the idea that the Stuxnet attacks by Israeli and US intelligence on Iran's uranium centrifuges were an example of success in cyber warfare. The attacks failed to impose lasting damage, much less sabotage, Iran's nuclear enrichment program, he said.
Some notes from other participants or other commentators:
- Even the idea of cyber warfare as adding an extra dimension of war is in doubt. Thomas Rid, writing in Foreign Policy in 2012, said cyber attacks never fitted all three characteristics necessary for an act of war: violence, instrumentality and a political goal. Cyber war had never happened and was unlikely to happen, he thought.
- Several commentators have spoken of the risks of threat inflation, and deliberate attempts to create general alarm. Exaggerating the threat of cyber warfare is often used to justify ever-increasing expenditure to counter the risk. In fact a good deal of the "cost" of cyber warfare and cybercrime comes from the attempts to protect against it: resources now being used to protect systems against cyber criminals might be better spent finding and arresting them.
- Many assertions of the cost of cybercrime come from surveys that are poorly designed and likely to be inaccurate. Losses tended to be extremely concentrated, so that surveys are rarely representative. Estimates of losses are usually based on unverified self-reported numbers. Outliers - even single ones - may massively distort estimates, because those using the surveys tend to extrapolate their results across the whole population. Thus if just one person in an American survey of 1000 people estimates losses of $50,000, that is all it takes to generate a $10 billion loss over the population. One unverified claim of $7500 in phishing losses translates into $1.5 billion.
This is not something that will be resolved by mere public debate. Government, for example, has quarantined defence spending from other cuts to the size of government agencies, and is engaged in unprecedented increases of expenditure, without rigorous analysis. The defence and intelligence establishment have no reason to complain; for politicians the payback is not only a claim of good stewardship of the nation's safety, but the capacity to accuse the other side of being a risk.
The Director-General of ASIO, Mike Burgess, has many irons in the cyber fire, not least from his former role in the Australian Signals Directorate, the establishment of new cyber warfare agencies and systems, largely on his advice, and from the way resources and staff are flooding into the area. Nor is there a steadying hand from the bureaucracy. The head of Home Affairs, Mike Pezzullo, has already cobbled together a security agency of his own (supposedly so as to analyse risks to border security, but with the effect of getting himself a place at the national security table). He is also putting resources into "co-ordinating" the activities of ASIO, AFP and cyber agencies in an effort to get just what we do not want - a pre-agreed, politically arrived-at decision, with everyone singing from the same song sheet - rather than genuine debate from players with different responsibilities and perspectives.
The key problem indeed is that none of the big players have much time for dissent, for argument and debate, or the wisdom that comes from critical analysis of a proposition. It's a formula for stampede at just the wrong moment, for missing signals because everyone wants to avoid duplication, and for ignoring evidence staring one in the face because it opposes the apocalyptic vision of some player or another.
In the cyber sphere, this may not matter, whether in regard to defence or crime, as much as its champions claim. Cyber disruption is an unpleasant fact, but not the end of the world. But the sort of bad, unexamined and unaccountable thinking our planning for it involves presents every risk of making our bullets land in the wrong places, when or if we reach the disaster on which our hawks are so bent.
- Jack Waterford is a former editor of The Canberra Times.firstname.lastname@example.org