Policy Brief
Report No. 76/2023
Preface
In 2020, the then Director of ASPI’s International Cyber Policy Centre, Fergus Hanson, approached me to research the views of the 46th Parliament on a range of cybersecurity and critical technology issues. The resulting data collection was then conducted in two parts across 2021 and 2022, with the results analysed and written up in 2022 and 2023. Those parliamentarians who ‘opted in’ completed and provided an initial quantitative study, which I then followed up on with an interview that explored an additional set of qualitative questions. The results, collated and analysed, form the basis of this report.
This research aims to provide a snapshot of what our nation’s policy shapers and policymakers are thinking when it comes to cybersecurity and critical technologies. What are they worried about? Where are their knowledge gaps and interests? What technologies do they think are important to Australia and where do they believe policy attention and investment should focus in the next five years?
This initial study establishes a baseline for future longitudinal assessments that could capture changes or shifts in parliamentarians’ thinking. Australia’s ongoing cybersecurity challenges, the fast-moving pace of artificial intelligence (AI), the creation of AUKUS and the ongoing development of AUKUS Pillar 2—with its focus on advanced capabilities and emerging technologies (including cybertechnologies)—are just a few reasons among many which highlight why it’s more important than ever that the Australian Parliament be both informed and active when engaging with cybersecurity and critical technologies.
We understand that this in-depth study may be a world first and extend our deep and heartfelt thanks to the 24 parliamentarians who took part in it. Parliamentarians are very busy people, and yet many devoted significant time to considering and completing this study.
This was a non-partisan study. Parliamentarians were speaking on condition of strict anonymity, without any identifiers apart from their gender, chamber, electorate profile and backbench or frontbench status. Because of that, the conversations were candid, upfront and insightful and, as a result, this study provides a rich and honest assessment of their views.
Gai Brodtmann
Executive Summary
Some key conclusions can be drawn from the participating parliamentarians’ attitudes towards critical technology and cybersecurity.
1. Parliamentarians share common concerns about Australia’s vulnerabilities and the capabilities and intentions of other state actors.
In the cybersecurity domain, parliamentarians were primarily concerned about state-backed cyberattacks against critical infrastructure. They were next most concerned about the threat of state-backed cyber-enabled foreign interference. They ranked such attacks well ahead of other types of state-backed activity, including cyber espionage and intellectual property (IP) theft. State-backed cyber threats also caused them more concern than either non-state cyber threats or data breaches from poorly designed systems:
‘[I] have a lack of understanding of adversary capabilities—resources, time and personnel—on cybersecurity, particularly China. If there were a broader appreciation it would be easier to counter this area.’
Parliamentarians generally saw Australia’s defence and intelligence organisations, defence industry and financial markets as cyber resilient. Conversely, many saw politicians’ offices, political parties, state and territory governments and local councils as most vulnerable to malicious cyber actors— but still did not prioritise cybersecurity investment in those areas. Instead, parliamentarians prioritised cybersecurity investment into the water and sewerage sector, democracy and national identity institutions, and the energy sector, which were seen as currently having average levels of cyber resilience.
On risk mitigation, all participants agreed that the federal government should have a data management strategy for the public sector, and a majority supported a significant overhaul of the legacy ICT systems that support Australia’s critical national infrastructure.
In the critical technology domain, participants largely agreed on the need for Australian sovereign capacity in specified critical technology sectors—including cybersecurity technology, quantum computing and AI—to secure Australia’s national security and economic interests in a less certain geostrategic environment. Almost all participants also indicated that, where Australian sovereign capacity in critical technologies is lacking or unattainable, it’s important for Australia to have access to reliable supplies from other nations.
Some parliamentarians either did not know what Australia was doing to shape international critical technology standards or did not think that it’s doing enough. Opinions varied on how Australia could best shape global technology standards, from involvement in multilateral forums to having Australia focus its efforts on standards for biotechnology and AI. Some participants indicated that governments had limited influence on technology development and that Australia, in particular, was not a centre of global technology production.
2. Parliamentarians need more education to understand and keep up with the pace of cyber developments and technological advancement.
The study revealed a common concern that parliamentarians and policymakers are not educated on the nature, nomenclature and nuances of critical technology and cybersecurity:
‘Everyone kind of knows about technology but they just accept it in the form that it comes to them. Policymakers need to know more about it, but that’s the difficulty. We have got to find ways to explain it better.’
‘Parliamentarians have a responsibility to lead the debate on this. There’s a reluctance to engage in attribution, but we have to do more of it because we have to make it real for constituents. [We] need to raise [our] literacy levels and awareness about cyber.’
Parliamentarians noted both the importance and challenge of keeping pace with developments in the cybersecurity domain, and how important it is to guiding Australia’s response to these challenges.
They openly admitted to being struck by how little they know about the opportunities and threats in those domains and how quickly those evolving fields are moving beyond their understanding. As one parliamentarian put it, Australian policymakers interested in deepening their understanding of cyber and critical infrastructure security ‘don’t know what they don’t know’ and rely almost completely on experts to provide digestible information and guidance:
‘The best way of understanding is through connecting [us] with examples and showing how Australia is placed to handle it … [This is] an important area for parliament.’
‘[I] want to know more about all of it, and about what we know and what we don’t know. Politicians should know more about this stuff.’
‘It will be a generational change [among parliamentarians]. I think it’s very difficult to get people to go ‘back to school’. You see this in the very large discrepancy in knowledge and technological literacy. Some people have made an effort; some people just throw their hands in the air.’
3. Parliamentarians see a need for an integrated national response.
Parliamentarians agreed that state-backed backed cyberattacks on Australia’s critical infrastructure are a priority threat. However, their views on priority sectors for investing in cybersecurity resilience varied greatly.
Nonetheless, they broadly recognised the need for Australia to keep pace with technological developments to ensure future national security and prosperity. They outlined broad approaches— aside from policy and regulation—required to underpin a national response to the challenges, including:
- developing an overarching integrated strategy to guide Australia’s response, including a coherent approach to data management
- working with allies to set cyber and critical infrastructure standards and ensure ongoing access to critical technologies
- building sovereign capacity
- becoming more active in multinational forums through ‘shaping’ discussion and debate, not necessarily ‘leading’
- reviewing our approach to foreign investment and free trade agreements to protect our sovereignty
- adopting greater flexibility and agility in legislative and regulatory approaches to cope with a rapidly changing environment
- improving the level of cyber awareness and literacy among the Australian public and parliamentarians.
This report sets out our research methodology and key findings, including ‘deep dives’ into thematic areas of most interest to parliamentarians and case studies on cybersecurity and critical technology investment priorities. It concludes with a detailed set of policy recommendations. The recommendations cover two key areas:
- creating an education program on critical technologies and cybersecurity for parliamentarians, drawing on government agencies, civil society and research institutes
- identifying and developing appropriate parliamentary mechanisms to actively engage on critical and emerging technologies, particularly on AI and AUKUS Pillar 2.
Methodology
This study used qualitative and quantitative data collection to gain insight into the participating parliamentarians’ attitudes to two areas that are key to Australia’s future: cyber security and critical technology.
Data collection for the study was conducted during a six-month window between October 2021 and March 2022. In October 2021, the then Director of ASPI’s International Cyber Policy Centre contacted all 227 parliamentarians serving in both houses of the 46th Australian Parliament via email to request their participation in the study. ASPI sent out further rounds of invitations over the following six months, into 2022, to maximise participation.
The study was divided into three parts:
- Quantitative component: a standardised set of questions completed by the participating parliamentarians independently in their own time (2021–22). Participants were asked multiple-choice questions, ranked preference questions and questions for which they were required to indicate their responses on a standard Likert scale, choosing between five sentiments from ‘strongly agree’ to ‘strongly disagree’.
- Qualitative component: a series of open-ended questions via one-on-one interviews with lead author Gai Brodtmann (2022).
- Collation, analysis and write-up of the quantitative and qualitative data collected (2022–23).
The questions in the study were developed in consultation with cybersecurity and critical technology experts from the private and public sectors, academia and parliament. They were also designed to support longitudinal studies (for example, to conduct the same study for each parliament, noting that we’re now in the 47th parliament).
The study posed 25 cybersecurity questions grouped around the following topics:
- Investment in cybersecurity
- Online threats and cyber resilience
- Data management, ownership and storage
- Cybersecurity policies and infrastructure
- Public engagement on cybersecurity
- Future challenges and responses
- Areas of interest in cybersecurity.
The study then posed 21 critical technologies questions grouped around the following topics:
- Investment in critical technology
- Sovereign capacity in critical technology
- Critical technology values and standards
- Future challenges and responses
- Areas of interest in critical technology.
In each case, participants were first asked to provide answers to each question based on a consideration of Australia’s national security interests, and then to revisit the question based on a consideration of Australia’s economic prosperity interests.
An ASPI research assistant or intern attended all interviews to scribe the participants’ responses. Participants were provided with the qualitative questions in advance of the interview to assist with their preparation. Note that, while the study questions contain hyphenated terms including ‘cyber-attacks’ and ‘cyber-security’, this report and its graphs follow ASPI’s style guide in not hyphenating compound ‘cyber’ words.
A full list of the study questions is in Appendix 3. Where participants did not answer the question, we have taken that as an indication of lack of knowledge, rather than lack of interest.
During the data-collection period:
- 24 parliamentarians—10.6% of the 46th Australian Parliament—took part in the qualitative study
- 18 of those 24 parliamentarians—7.9% of the 46th Australian Parliament—took part in the quantitative study.
On review, we’re pleased with this participation rate, particularly given that the study was conducted against the backdrop of a looming federal election and the Covid-19 pandemic. However, we acknowledge that the sample size and demographics impose some limitations on this research, as outlined below.
Full Report
For the full report, please download here.
14 Nov 2023