Critical infrastructure legislation should also define the parameters of cognitive security
In the face of increased threats in cyberspace, the Australian government wants to speed up the adoption of crucial amendments to the Critical Infrastructure Security Act, 2018.
The unannounced information war with China has strained the Five Eyes intelligence gathering alliance in Oceania. The relentless compromise of the private sector, which remains a soft but strategic target, has diluted the conventional boundaries of the conflict, forcing the government to increase its legislative reach.
The Security (Critical Infrastructure) Law Amendment Bill 2020 significantly expands the definition of critical infrastructure, recognizing the complex web of interdependencies that powers the Internet. It also traces the contours of a “sovereign Australian cyberspace” crisscrossing the porous borders of government and civilian networks.
The bill proposes enhanced security obligations for critical industries against cyberthreats and defines the thresholds at which the government’s signals intelligence apparatus may be required to intervene.
While the controversial issue of how much access to corporate networks the Australian Branch of Signals should be offered requires deliberation, the private sector cannot withstand the Category 5 hurricane that a state-sponsored cyberattack could be.
Having led a similar effort in India in 2009 — resulting in the creation of a constitutional body called the National Critical Information Infrastructure Protection Center — I urge the Australian government to challenge the precedents.
Terms like “critical infrastructure” could be mere lexical traps from the political past. The term was introduced in US President Bill Clinton’s Executive Order 13010 of 1996. In 1998, the concept was updated to include the cybersphere. US government networks were penetrated by teenagers that year, and a National Security Agency simulation exercise to test for network vulnerabilities disrupted national services.
As the American establishment grappled with this esoteric realm, “Cyber Pearl Harbor” came to denote the impending catastrophe brought on by a foreign adversary that would bring the nation to its knees. It’s strange and funny how the rhetoric hasn’t changed for two decades. We base our response thresholds on the same imagined parameters of digital cataclysms.
But the reality could be much more nuanced and the threat even more insidious.
Senior cybersecurity analysts Andrew Burt and Daniel Geer say something becomes critical infrastructure when adopted by society. “Adoption is the gateway drug to criticality. When enough people depend on something in cyberspace, that something becomes critical.”
The idea of criticality emphasizes a cognitive dependence on technologies and systems that society takes for granted, and not just power grids.
Enraged by his unflattering portrayal in a comedy film, North Korean dictator Kim Jong-un ordered Sony Pictures to be hacked in 2012. US President Barack Obama pledged to provide a “proportionate response” against the targeting of, well, an American film studio … far from the usual definition of critical infrastructure.
The attack was seen as a threat to freedom of expression, which was regarded as more crucial than critical infrastructure. The incident had an inescapable cognitive angle and ignoring it could have set unfavorable cyber escalation thresholds for the United States.
Likewise, the 2016 hack of the Democratic National Convention – whose ripple effects on American democracy are still being felt – never quite met the Pentagon’s definition of a cyberattack. Generals picture a cyberattack primarily in terms of the effects “destroy, deny, degrade” – blowing things up. The hack was a real cognitive operation.
Before and after Russia’s annexation of Crimea in 2014, Ukraine’s power grid was repeatedly targeted with destructive malware. Ben Buchanan notes in his book The Hacker and the State, ‘He plunged hundreds of thousands of people into darkness … but did not devastate cities or starve populations.’ Life went on. But the attacks demotivated the population, affecting the will of the people to fight and resist the Russian uprising.
The lights might not go out, but a nation’s democratic core could be sabotaged in front of their eyes.
Many cyber abilities and effects manifest in cognitive dimensions rather than kinetic or physical dimensions. Those in the cognitive dimension not only challenge operational assumptions, but also challenge generalizations about critical infrastructure, conflict thresholds, and deterrence.
Damian Tambini of the London School of Economics writes: “Information warfare is, par excellence, a challenge by authoritarian states to the vulnerabilities of democratic states. It is an attack on open society and liberalism per se.”
Recently, an Australian news channel was censored for spreading medical disinformation as protesters flouted Sydney’s Covid-19 lockdown rules.
In the raging pandemic, the impacts of computer propaganda amplifying outlandish vaccine theories are being felt globally. Conspiracy theorists, tribalists and populists are now striking in the corridors of power in liberal democracies.
The rules of the game for unrestrained social movements on the fringes of society and foreign news operations align closely.
Opponents are experimenting with information warfare to erode liberal democracy. The purpose of doctrinal concepts like Russia’s “reflexive control” and China’s “three wars” is to corrupt the epistemic foundations of other nations. They strike the democratic state at the most delicate point: its institutional relationship with truth and objectivity.
Unlike conventional warfare, informational conflict starts out of the blue and thrives in a “gray area” between war and peace. The idea is to achieve a victory without physical conflict by creating the strategic conditions favorable to the foreign adversary in a sustained informational confrontation.
Keir Giles of Chatham House believes that Russia’s new approach to warfare is simply an acknowledgment of the “primacy of the political over the military,” so much so that military force may become irrelevant. In this sense, thanks to its interference in the 2016 US elections, Russia may have achieved a resounding victory in the US information space by achieving the most sacred goal: the destabilization of the regime.
The chairman of the US Senate Intelligence Committee shared a grim prophecy in 2017 that Russia wanted “the two sides to fight in the streets.” The January 2021 siege of the United States Capitol by militant conspiracy theorists was just that battle.
Capturing the essence of disinformation, Corneliu Bjola and Krysianna Papadakis of the University of Oxford write: “[Its aim is] not primarily to change people’s opinions in favor of certain policies, but to bring them into a state of self-destruction and endemic skepticism by undermining the very criteria on the basis of which they develop their cognitive abilities to make sense, to interpret, to shape reality.”
Dissent, an essential lubricant of a democracy, can be militarized by the hyperpluralism of social media.
Militaries in Western democracies have a very strict information operations mandate. Propaganda has generally been limited to specific theaters of conflict in a very tactical manner and counter-propaganda remains prohibited due to the risk of influencing the national population. Political leaders have also struggled to articulate the threat clearly.
Fighting disinformation through repression, censorship or resorting to less liberal positions gives an opponent the advantage.
Bjola and Papadakis studied Finnish resilience to Russian-orchestrated computer propaganda. They concluded that while Finland was as sensitive to emotional issues as any other democracy, it had succeeded in creating a set of checks and balances within government, civil society and mainstream media to reinforce truth and objectivity. Their conclusion is that “a society is only as resilient to disinformation as its most vulnerable segments”.
Information technology revolutions are often accompanied by decades of social unrest. The printing press fomented the wars of religion in Europe while sowing the Enlightenment.
Thomas Rid, the author of Active Measures, a critically acclaimed book on disinformation, points out that democracy’s approach to truth is so critical it becomes an existential question.
Chris Inglis, a former intelligence officer who became the US government’s first national cyber director, offers a compelling point of view: “Diversity beats daring.” If the search for truth is the pillar of democracy, plurality is the glue that holds everything together.
Australia has everything it can ask for: a vibrant, multicultural democracy. Its national security establishment must do everything to preserve this. The discourse on the protection of critical infrastructures must lead to institutional mechanisms of cognitive security.