Home Affairs Minister Peter Dutton says the Government is actively considering the domestic use of the highly secretive cybersecurity agency, the Australian Signals Directorate (ASD), to protect critical infrastructure as well as counter cybercrime.
Earlier this month, the Government flatly denied reports that ASD — which operates as part of the Defence Department and primarily eavesdrops overseas — was going to be handed new powers to spy on Australians’ electronic data and communications.
It was claimed the Defence and Home Affairs departments had been canvassing changing the law to allow the ASD to access emails, banks records and text messages if their respective ministers gave their approval.
But while the Government insists it does not plan to snoop on Australians, Mr Dutton has told the ABC’s 7.30 that the idea of using ASD to protect critical infrastructure like the banking network, electricity grids or even the emergency triple-0 network is being debated.
“We live our lives online now and it’s only going to increase obviously,” he said.
“If our banking system was attacked by a state actor, say Russia for example, and our banking system was brought to its knees, [that is] we couldn’t transact at shops, people couldn’t get paid, the transfer system went down for 72 hours, for seven days, the Prime Minister would be saying to me as Home Affairs Minister, ‘What are we doing to help the banking sector recover from this cyber attack?’
“If I said, ‘Well. the ASD has a capacity to deal with that online, has a cyber capacity that none of our agencies do’, I think we would want to look at how we could protect Australians online from cyber attacks from state actors, or from other players, who would seek to do us harm.”
‘It is about how we can keep Australians safe’
The Federal Government announced a couple of years ago that it now had both a strong defensive capability in cyberspace, but also an offensive one. That is, that it was able to go out into international networks and attack and disrupt cybercrime.
But in the case of ASD, this only occurs in foreign networks.
Mr Dutton said in the area of online child exploitation, “If we have someone at the moment who is streaming live content of a child being sexually abused online and the server is run out of somewhere else in world, ASD does have capacity to go online to disrupt and take down that particular server”.
However, “if that server is running out of Sydney or Brisbane or Perth, we don’t have that capacity”.
“My question is: should we have the capacity — whether it is through the ASD or somewhere else, but that technical capacity which doesn’t exist domestically at the moment — should we be able to call on that, given the reality of the threat, the amount of time people are going to be spending online?
“So it is nothing to do with spying on people at all, it is about how we can keep Australians safe, still making sure that we safeguard privacy and the protections that we all hold dear.
“But we need to be realistic about the cyber threat that we face.
“MH17 is a classic example in the current debate.
“If Russia decided to launch an attack on our triple-0 system, if the triple-0 system was brought down and we had the capacity to bring it back online, would we not use that capacity?
“That’s the only context in which we were having the most recent debate about some of the technical capacity that’s contained within ASD.”
‘Are we prepared for that threat?’
Mr Dutton said the best way of proceeding was being discussed.
“You could, for example, create capacity within [the Australian Federal Police]. Maybe that’s the most appropriate way. Maybe it is not,” he said.
“You don’t want to duplicate the efforts, so that can be looked at.
“We’ll have more to say in due course about what might be the best direction.
“But as I say, there is a significant threat online, from state actors including Russia, North Korea, elsewhere, and we need to be realistic about that threat.
“It is part of my portfolio responsibility and we’re not going to shy away from that.”
Asked if the creation of the Home Affairs portfolio was partly a recognition that Government has a similar role in protecting infrastructure in cyberspace as defence does in physical infrastructure, Mr Dutton said the reality was “we do need to protect critical infrastructure”.
“If Russia reacted to us naming an individual that we thought was responsible for bringing down a Malaysian Airlines flight, and they decided to attack us online, if it was to bring down a power grid network in Sydney or in Brisbane or in Perth wherever it might be, if their desire was to attack the banking network or some other critical infrastructure, the public would rightly say, ‘Are we prepared for that threat, and can we counter it?'” he said.
“So all of that stocktake is being undertaken at the moment. There is a lot of work within my department, in concert with the owners of a number of assets — looking at their preparedness and whether or not they have the ability to stop that intrusion into their digital capacity and their online presence.
“Some companies, as you would expect, are at varying stages.
“Obviously some of the telecommunication companies like Telstra, Vodafone, Optus etc are aware of the threat, perhaps more so than owners of bricks and mortar critical infrastructure assets around the country.
“All of that work is underway.”