Australia’s ‘black summer’ of bushfires and the Covid-19 pandemic caught authorities and citizens off guard, but they shouldn’t have. Experts were warning about catastrophic fires from mid-2019, while national security agencies have worried about a global pandemic for decades. In each case, the sheer scale of the crisis appears to have made it difficult to imagine and plan for ahead of time.
Scanning the horizon, what other large-scale risks does Australia face? An obvious one is a major, destructive cyberattack.
Last year, the defence force’s head of information warfare revealed that although Australia has strong cyber defences, ‘when it comes to scale, I’m a bit worried’. The bushfire and coronavirus crises have reinforced how difficult it is to manage whole-of-nation emergencies. Coordination problems between state and federal governments impede responses, our national supply chains lack resilience, physical infrastructure can be brittle, and there are subterranean fault lines in our social cohesion. A major cyberattack would expose all of these weaknesses.
A deliberate state-sponsored cyberattack would also differ in important ways. Fires and viruses don’t have geopolitical agendas or make coercive political demands. They don’t intend to hit us where we are most vulnerable, and they don’t adapt their strategy to outfox first responders. Indeed, just as Australian national security analysts will use recent crises as learning opportunities, foreign adversaries are likely also observing our strengths and weaknesses with interest.
So what can be done?
One good policy idea is to organise and train ‘cyber resilience’ volunteers. It’s not a new idea: calls for some form of cyber civil defence have been mooted in Canberra for years, including most recently by the shadow cybersecurity minister writing for this site.
Importantly, this model is nothing like the state-sponsored hackers used by other countries or groups of ‘cyber vigilantes’. Offensive cyber should be left to Australia’s capable and appropriately authorised federal agencies. Volunteers would support whole-of-nation cyber risk reduction and, if needed, response and recovery efforts.
Recent experiences with bushfires and Covid-19 help illuminate four reasons why this idea deserves serious consideration.
First, Australia doesn’t have state or local authorities with significant cyber defence capabilities. In the event of a crisis, the roles and responsibilities of the states, and how private sector talent and infrastructure could lawfully be used, remain unclear.
A volunteer organisation could help bridge that gap. Significantly, volunteers would not only be technical experts—just as not all volunteer firefighters work on the front line. Skills in business, planning, communications, trades and engineering would be essential.
Second, and most important, recent experience has shown us that crisis response and recovery need federal coordination and resourcing, but must also be responsive to local needs. Effective crisis management has a yin and yang: clear top-down direction, plus robust bottom-up capacity.
For bushfires, Australia’s decentralised approach allows communities to be active in risk reduction, and state and volunteer emergency services are experienced with the conditions in their areas. However, as climate change increases the fire season’s severity and duration, state-based services alone are no longer sufficient—a shift evidenced by the government’s unprecedented deployment of more than 6,500 defence personnel this summer.
While the gap in our 2019–20 bushfire response was a lack of early federal involvement, in a cyber emergency the weak link would be the absence of decentralised response and recovery capabilities.
Our top-down approach to cyber defence hinges on federal agencies like the Australian Signals Directorate and the Australian Cyber Security Centre. However, the systems and networks which states, local governments and businesses rely on are as varied and distinctive as conditions in different regions in a bushfire season.
Cyber volunteers could add vital on-the-ground knowledge to response efforts. Their contribution could also help authorities better prioritise federal resources. For example, Defence’s contribution to bushfire recovery assistance allowed state authorities to focus on fighting fires in critically affected areas. In the event of a destructive cyberattack, the inverse could happen: volunteers could help communities and small businesses patch systems or temporarily restore local infrastructure, while federal authorities engaged in the broader cyber fight.
Third, Covid-19 has emphasised the importance of ensuring that government advice and expert information cut through a sea of global misinformation. In fire season, volunteer services play a key role in informing the public via town hall meetings, door-knocking local residents and social media updates.
In a cyber crisis, volunteers could support federal messages by supplying trusted, relevant information to their communities. They could also be a significant conduit for information at all times. Like local fire services do with fire awareness, local cyber volunteers could build cyber literacy within communities and schools, and amplify the government’s cyber safety campaigns.
Fourth, Australians share in a proud volunteer tradition. More than 500,000 of us regularly contribute to non-government emergency organisations. A failure to embrace this volunteer spirit would be a wasted opportunity. Indeed, in a disaster, it’s likely that spontaneous volunteers would look for ways to pitch in. Now is the best time to determine how to harness this goodwill; resolve issues of command and control, quality assurance and training; and draw legal boundaries.
Establishing a cyber volunteer capability would send a powerful signal to all Australians about the need to understand the cyber risks we face and prepare for their consequences so we’re not caught off guard by another foreseeable crisis.