The Public Square in the Digital Age

Protecting Australia’s Democracy from Cyber-enabled Foreign Interference

Policy Analysis Exercise, Harvard Kennedy School

Executive Summary

Australia faces a threat of foreign interference, greater than at any prior point in its history—even during the Cold War. This paper explores one component of this development: the threat of cyber-enabled interference operations. These operations—which this paper dubs CEI-OPS (pronounced key-ops)—are clandestine or deceptive in nature, and exploit digital technologies to undermine democratic, social, and market institutions. CEI-OPS are used by foreign powers to advance their national interest or foreign policy at the expense of Australia’s sovereignty, and the inherent right of Australian citizens to choose their own future.

This paper addresses the question: how should Australia respond to the rising threat of CEI-OPS? While its focus is Australia, its findings and recommendations are intended to be relevant to a global audience. Australia has already been something of a ‘canary in the coal mine’ in putting the issue of foreign interference on the global agenda. Its geostrategic position—as a democracy in the middle of the increasingly volatile Indo-Pacific region—is likely to ensure it remains on the leading edge of the CEI-OPS threat.

Part 1 defines CEI-OPS, and distinguishes them from related activities like cyber operations, and military information operations. It also makes the normative case for why CEI-OPS are illegitimate.

Part 2 then provides a survey of the global threat landscape. It examines the technology and commercial trends that are likely to make CEI-OPS even more frequent and potent in the future. It explains why democracies are uniquely vulnerable to CEI-OPS, and why revisionist powers are increasingly willing and able to use “grey zone” capabilities like CEI-OPS. Part 2 then combines these insights to build out a taxonomy of the CEI-OPS tactics available to adversaries.

Part 3 homes in on two specific threat actors: Russia and China. It is only possible to respond to a threat by understanding the motivations and capabilities of potential adversaries. Part 3 concludes that China is most likely to use CEI-OPS against Australia to protect China’s vital national interests—and in particular to protect the power and legitimacy of the Chinese Communist Party (CCP). There is also a risk that China could engage in CEI-OPS to reshape regional norms in its favor. China’s existing cyber warfare and domestic propaganda capabilities provide it with the means to conduct CEI-OPS, and there is evidence that it is beginning to do so.

Part 4 then examines how Australia has so far responded to the CEI-OPS threat. It concludes that the response is not well-calibrated to the threat as defined in Part 1, and lacks an overarching, coherent strategy. Australia’s response is also not responsive to the full breadth of CEI-OPS tactics, or to the motivations and capabilities of CEI-OPS adversaries explored in Parts 2 and 3. In particular, the response fails to address the fact that CEI-OPS affect society as a whole and are just as much a threat to individual rights, as they are to national security. If it continues to treat CEI-OPS as mostly either a counter-espionage, or technical cyber matter, Australia will be unable to sufficiently address the threat.

Part 5 recommends a framework for a better response. The overarching thread running through this Part is that a “whole-of-society” response is required to meet what is a whole-of-society threat. The unprecedented CEI-OPS threat demands that all elements of state power be brought to bear on the problem and—crucially—that civic power be mobilized. The foundation to coordinating Australia’s response will be the development of a National Counter Cyber-Enabled Interference Strategy. The paper concludes with 15 recommendations grouped under four pillars to inform this Strategy.

Understand the threat. Raising awareness of the CEI-OPS threat is a prerequisite for all other elements of the response but must be done without inciting fear about government censorship or racial prejudice. The Government should:

• develop a CEI-OPS lexicon;
• educate the public about the nature of the threat;
• educate politicians about the nature of the threat;
• increase intelligence-sharing about CEI-OPS threats; and
• focus public discussion on Australia’s vulnerabilities not on specific adversaries.

Deter adversaries. To reduce the incidence of CEI-OPS, Australia needs a deterrence strategy that alters the decision-making calculus of potential adversaries. The Government should:

• pursue retaliatory counter-measures (but never engage in CEI-OPS);
• respond to covert influence with overt counter-measures;
• use cyber operations to disrupt and degrade CEI-OPS; and
• support norms to constrain cyber attacks that may be precursors to CEI-OPS.

Protect the public square. To make CEI-OPS tactics less effective, Australia must reduce its attack surface. The Government should:

• identify “critical public square infrastructure” and develop best practices for its protection;
• develop a CEI-OPS “early warning” system; and
• regulate social media companies to make their platforms less susceptible to CEI-OPS.

Prepare the public for CEI-OPS. Even if CEI-OPS are used against Australia, by building resilience, it can inoculate itself from their effect. The Government should:

• ensure national media remains well-funded and independent;
• consider creating a “special media forces”; and
• introduce certification standards for audio-visual records.