Image: Asha Barbaschow/ZDNet

The Australian government needs to drop the "national security" framing of its cybersecurity strategy, according to speakers at the inaugural NetThing, held at the University of Technology Sydney (UTS) on Tuesday.

Australia is currently reviewing its national strategy. The Department of Home Affairs published a discussion paper last month, Australia's 2020 Cyber Security Strategy: A call for views [PDF].

Speakers were concerned that the framing of cybersecurity had shifted from that of the original 2016 strategy issued by then-Prime Minister Malcolm Turnbull.

"There's two sort of narratives in cybersecurity and ... states align with one or the other," said Lucie Krahulcova, Asia policy analyst at Access Now.

One is the narrative of national security; a narrative of control, like in China and Russia, as well as in many other governments.

The other is the narrative of the internet as a shared common good and an enabler of civic rights. Under that framing, cybersecurity is about the integrity of the system and the protection of individual users.

"I think Australia teeters on the edge of those," Krahulcova said.

"I would go as far as to say that certain parts of the government aren't quite as aware [of] how much Australia sits with the Chinas and Russias," she said.

"In spite of the cybersecurity objectives which were there since 2016, since 2017, the whole narrative and the way that the government views this space has been about control."

The Australian government doesn't like being compared with China or Russia. Apart from dumping two speakers from CyberCon earlier this month, it also pressured a third speaker to edit his "biased" slide deck.

Lawyer Ted Ringrose, the pressured speaker, had compared Australia's encryption laws with China's, saying that while Australia's looked worse on the surface, they were "just about as bad".

The 2016 strategy said its aim was an "open, free and secure internet", but that wording has been dropped from the 2020 draft.

One action item from 2016 was "Champion an open, free, and secure internet to enable all countries to generate growth and opportunity online". The 2020 discussion paper says this task is "Complete".

"Australia champions an open, free, and secure internet in a range of international forums, bilaterally and in multilateral groups including the UN, East Asia Summit, and ASEAN Regional Forum. Australia has partnered with countries in the region through cyber policy dialogues to advance our advocacy of an open, free, and secure cyberspace," it says.

"Australia has worked with international partners to secure leader-level re-affirmation of key tenets of international stability in cyberspace including the application of existing international law and agreed norms of behaviour."

Job done, apparently.

Australia is continuing to engage internationally on the rules of behaviour in cyberspace, but the discussion paper barely mentions it as a future activity.

Government involvement: More, or the same, but definitely not less

Cryptographer Dr Vanessa Teague from the University of Melbourne said that Australia needs to think about the questions not being asked.

"[The discussion paper] seems to me to be infused with the unshakeable belief that more active government involvement must be a good thing for cybersecurity," she said.

In a section on the government's role, it says that maintaining the confidence of the Australian community is the first priority when considering how and when government should use its cyber security capabilities.

"Key to this is whether you think government could do more to confront cybercrime and protect the networks that underpin our way of life, or whether you think the current arrangements are right," it says.

Less government involvement isn't an option. The same level of government involvement, but under different arrangements, isn't an option either.

"In my humble opinion, what we've seen is over many years of Australian cybersecurity policy is bipartisan support for a series of very bad policies," Teague said.

They include the Defence Trade Controls Act 2012, which restricts the export of new cryptographic ideas, and of course the highly controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 that many in industry believe will damage Australia's tech economy.

"I think we're not just looking at a government that is, you know, well-intentioned but a little bit ineffectual. We're actually looking at a series of policies that have actively done damage," Teague said.

"I don't think they're deliberately doing damage. I think they're pursuing an agenda oriented around surveillance and control, which inevitably has by-product of damaging our cybersecurity."

Any government that's serious about discussing cybersecurity "needs to divorce it from the national security narrative", Krahulcova said.

The room needs to include people from industry, cybersecurity experts, and civil society representatives, not just law enforcement and security agencies who are trying to make their jobs easier.

"Often it's a room full of white guys in suits," she said.

Public submissions to the strategy close this Friday, November 1.

'Reinvigorating' Australia's internet community

NetThing was an attempt to restart collaboration among the country's internet-related civil society organisations following the demise of the annual Australian Internet Governance Forum (auIGF).

Its organiser, .au Domain Administration (auDA), shut down auIGF after the 2016 event following a review of its community activities.

NetThing included representatives from Access Now, Asia Pacific Network Information Centre, auDA, Australian Privacy Foundation, Australian Communications Consumer Action Network, Australian Strategic Policy Institute, Code Like a Girl, Communications Alliance, Democracy in Colour, Department of Communications and the Arts, Department of Foreign Affairs and Trade Digital Rights Watch, Electronic Frontiers Australia, InternetNZ, and IoT Alliance Australia, as well as academics, and commercial organisations including Deloitte, Google Australia, ProductSpace, Telstra, ThoughtWorks, and Vault.

The event had the strap line "Australian internet governance community moving forward". From where your writer was sitting, however, there wasn't much moving forward. At least not yet.

Plenty of civil society players were in the room, both old and new. Problems were reiterated, both old and new. Grievances were aired. And there was some good energy.

"The government is bad, m'kay?" Yes, but what does "The government is good" look like? What happens next? That wasn't clear.

The challenge for all these players will be to keep the momentum going, and quickly. The rolling skateboard needs another push or three, or it'll fall over.

More Cyber From Stilgherrian

'No such thing' as cyber warfare: Australia's head of cyber warfare

Warfare is warfare, espionage is internationally normal, and cyber is just one of a suite of potential capabilities for a military response, says Major General Marcus Thompson.

Australian CEOs are too overoptimistic for cybersecurity, out of touch on privacy

Only 6% of surveyed CEOs think their organisation has suffered a data breach in the last year, but 63% of their CISOs say they have, according to Unisys research. Big disconnect.

Schneier slams Australia's encryption laws and CyberCon speaker bans

Governments breaking encryption is bad, and 'will get worse once breaking encryption means people can die', says one of the world's leading security experts.

AI to 'fundamentally shift' global balance of power

The focus of Australia's cyber diplomacy is expanding to include "grand strategy in technology", as well as engagement with technology firms and governments.

Government interference in Australia's premier cybersecurity conference is a worry

Two 'incongruent' speakers were dumped from Australia's CyberCon. And bizarrely, the media was barred from covering a session explaining a public consultation process.