Director-general of the Australian Signals Directorate (ASD) Mike Burgess has said his agency had recommended that Australia extend its Huawei ban into the 5G realm.
In August, Canberra officially locked out Huawei and ZTE, saying that the vendors were likely to be subject to extrajudicial directions from Beijing, and that the government could not find a set of security controls that would mitigate high-risk equipment in a 5G scenario.
Speaking on Monday night, Burgess said the stakes surrounding 5G could not be higher, and that if 5G delivers on its promise, telecommunications networks will be at the top of critical national infrastructure lists.
“This is about more than just protecting the confidentiality of our information — it is also about integrity and availability of the data and systems on which we depend,” he said in his speech. “Getting security right for our critical infrastructure is paramount.”
Echoing sentiments expressed when the ban came into force, Burgess said the distinction between edge and core networks has diminished, meaning that vendors such as Huawei cannot be confined to the edge of networks.
“The distinction between core and edge collapses in 5G networks. That means that a potential threat anywhere in the network will be a threat to the whole network,” he said.
“In consultation with operators and vendors, we worked hard this year to see if there were ways to protect our 5G networks if high-risk vendor equipment was present anywhere in these networks.
“At the end of this process, my advice was to exclude high-risk vendors from the entirety of evolving 5G networks.”
The director-general used the speech to detail how ASD is shifting, and is beginning life as a statutory agency tasked with the twin roles of foreign signals intelligence and providing cybersecurity expertise to government and business.
“We have an important role in advising government how to best navigate major technology and strategic shifts based on our poacher-gamekeeper expertise,” he said.
“As both a poacher and gamekeeper, we know that offence informs defence and defence informs offence. ASD’s strength and capability come from mastering technology and its application.”
Burgess said he is worried by the idea of Australian businesses thinking about hacking back after suffering a cyber attack.
“That should not be part of any organisation’s cybersecurity strategy; that would be an illegal act here in Australia,” he said.
“An obligation to protecting corporate assets does not extend to breaking the law. No board or company should spend a dollar on getting advice on hacking back. I’d recommend you assure yourself you have identified and are managing your cybersecurity risks effectively.”
The majority of hacking cases looked at by ASD are a result of a “known problem with a known fix”, Burgess added, recommending that businesses apply ASD’s Essential Eight mitigation strategies.
Burgess returned to ASD at the end of last year, when he was appointed director-general by former Prime Minister Malcolm Turnbull. He was previously a deputy director of ASD prior to his stint as Telstra chief information security officer.
ASD became a statutory authority reporting to the Defence minister as part of the changes that saw the Australian Federal Police (AFP) and the Australian Security Intelligence Organisation (ASIO) stripped from the Attorney-General’s Department (AGD) and moved into the Peter Dutton-led superministry of Home Affairs.
“The Australian government’s decision to block Huawei from Australia’s 5G market is politically motivated, not the result of a fact-based, transparent, or equitable decision-making process,” the company said.
“It is not aligned with the long-term interests of the Australian people, and denies Australian businesses and consumers the right to choose from the best communications technology available.”
The topic of Australian exporters being avoided in the future due to needing to comply with Canberra’s proposed encryption-busting laws has been raised in recent Senate Estimates hearings, but was dismissed by the Department of Home Affairs.
“When you look at both the United Kingdom and New Zealand, for instance, they have vastly different legislation comparative to what the government has on the table here. Part of those legislative regimes, both in the UK and in New Zealand, involves a direct power to direct companies to decrypt information and content,” first assistant secretary for the Department of Home Affairs national security and law enforcement policy division Hamish Hansford said.
“That’s not what is proposed within the Australian Bill. It’s more about technical assistance and working with the industry.
“So, in striking the balance between working collaboratively with industry and setting out a particular framework and legislation, I think we’ve looked internationally at like-minded countries and come up with a Bill which strikes an appropriate balance.”
Canadian Prime Minister Justin Trudeau has reportedly been warned by two US senators to exclude Huawei from taking part in nationwide 5G mobile network deployments.
Despite reports to the contrary, Huawei says it is continuing to work on 5G tests with Indian carriers while the Indian government remains open and welcoming towards its networking solutions.
The Joint Committee of Public Accounts and Audit wants the government to include the additional four steps in its list of mandatory infosec strategies.
Organisations need to focus on the basics and think five years ahead, says Mike Burgess, director-general of the Australian Signals Directorate.
The National Audit Office can make adverse findings against departments, but ASD head Mike Burgess is satisfied agencies are taking security seriously.