The Cyber Brief: cyber wars - a Prime Minister's perspective, with Malcolm Turnbull

Dom: So, Malcolm, in 2016, as prime minister, you launched Australia's first National Cyber Security Strategy, investing over $230 million across 33 initiatives, and integrated the Australian Cyber Security Centre into the ASD. What motivated those actions at the time and what was the most important decision you made in that strategy?

Malcolm: Obviously, cyber security is vitally important, and there had never been a cyber security strategy; I felt it was underdone. This is not to say the federal government was unaware of the issue. Of course, they were keenly aware of it, but it needed pulling together and coordination. And so that was what the cyber security strategy sought to do. And, as you said, it had a lot of measures in it. What was the most important? Look, it's hard to say. I mean, among the most important was increasing the authority of the Australian Signals Directorate, making it an executive agency, giving it a bigger budget, appointing, you know, a National Cyber Security Advisor, you know, Alastair MacGibbon, but there are a host of other measures, as you said, and the overall goal was to raise awareness of cyber security across the country, particularly with the private sector, where, you know, awareness is patchy, or was patchy then, probably still is a bit patchy. And also to encourage, and there were measures there to encourage and promote Australian cyber security businesses, you know, startups, technology, because this is obviously a massive industry, as we all know, and I wanted to make sure that Australia was part of that, and that was, of course, consistent with a big set of economic policies I'd released the previous year, which was the National Innovation and Science Agenda.

Valeska: And with the benefit of hindsight, 10 years later, is there anything you would have done differently or more of?

Malcolm: I'd say the National Innovation and Science Agenda was very successful; you know, I think it was a big inflection point for the tech sector and the innovation sector. I think it's a pity, you know, that the subsequent governments haven't had the same emphasis on innovation, or been able to make the same impact on innovation as mine did, but in terms of cyber security, no, I don't think so. I think we're off to a good start. I mean, we, but more has been done, you know? I mean, there's obviously, as time has gone on, there's been more money invested. I think the subsequent cyber security strategies have not had quite the same emphasis on the private sector as mine did. But, you know this, there's a web, there's a whole massive, as you guys would know, Allens better than anyone. There's, you know, there's a massive legislation that touches on this now, including the SOCE legislation, security of critical infrastructure legislation, which, you know, that whole focus on critical infrastructure was another thing that started when I was PM, too. So, you know, all of these things are linked.

Valeska: Little-known fact, Malcolm, but we actually launched our Allens Accelerate practice for high-growth companies off the back of your innovation agenda back in the day. So, thanks very much.

Malcolm: Oh, that's very good.

Dom: I think we launched it and then you immediately announced your agenda.

Malcolm: No, that's good. Well, that was the whole purpose. I mean, that the whole purpose was, I mean, the prime minister has the biggest megaphone in the country, if he or she wants to use it. And if you can, you know, talk up innovation technology, and do so, you know, persuasively, enthusiastically, that can have as big an impact, or bigger impact than, you know, any particular bit of legislation or, you know, government initiative. So, that was, you know, that was part of the plan.

Valeska: So, back in 2016, you also, for the first time, announced that Australia had an offensive cyber capability. And at the time, you also said that even just acknowledging that fact is really part of our deterrence arsenal. Why are offensive capabilities so important? And how effective do you think they've been?

Malcolm: Our offensive cyber capabilities are very effective, and they have been very effective, but I can't tell you any more than that, you just have to take my word for it, but at least, you know, up to when, when I left office—I'm no longer privy to what they're up to—but, yeah, it is very important. in the cyber realm, it is very important to be able to respond in kind. But this is particularly for governments. But, you know, a lot of people like, let me put it this way. A lot of people will say, if an adversary, say a foreign state adversary, uses, you know, malware, to systematically take down your electricity, you know, Australia's electricity network, or large chunks of it, that could have the same impact economically as if somebody had fired a missile into a few substations and switchyards and power stations. Now, if they'd done, fired missiles, you'd know where they came from. You know, people would be up in arms. We'd be at war, basically. With cyber, there's always the problem that even though you know, well, you, your agencies may know, they don't always know, but let's say they may know who has been responsible for this, so they can make a very reliable attribution. By and large, unless the other party put their hand up and said, Yep, it's me they can plausibly, or you might say, implausibly, deny responsibility. And so it'd be very hard to get the political and public support to respond kinetically to, you know, cyber interference. I mean, it's not impossible. I'm just saying it's harder. So, it is really important to be able to deter, you know, in kind. And so, offensive cyber operations are very important. I mean, there are all sorts of angles with this and clearly another very important one—this particularly applies to ransom, you know, to criminals, typically ransomware criminals—is to be able to identify who they are and then find them and charge them and arrest them. Now, you know the problem is, if they're hanging out in Russia and not leaving that jurisdiction, that can be pretty challenging. But, as you know, there have been a couple of cases where people have been arrested when they went on holidays, and also, the other important thing is to be able to track down the money. Signals intelligence agencies, if that's the generic term, have got to be both. They've got to be both a shield and a sword, absolutely.

Valeska: And, I mean, it's certainly consistent with what we've seen; President Trump recently published his cyber strategy for America, and offensive capabilities was a key plank of that as well. But, of course, there's also a risk that it can trigger escalations or retaliation in ways that are hard to control. How do you manage that escalation risk? And how do we do that in Australia, where both the US and other adversaries and ourselves are engaging in these offensive activities?

Malcolm: Well, that's, you know, they talk about in every area of conflict, whether it's, you know, outright war, you know, kinetic conflict, or a grey zone, which I guess is what we're talking about here. You know, you talk about the ladder of escalation, and it's a calculation, a lot of judgment's called for. You want to escalate enough to send the message and deter but you don't want to escalate so much that you then get a, you know, you then get escalation after escalation building up, and suddenly, you know, you've got the missiles flying and so forth. So, yeah, it requires a lot of judgment. I think the interesting thing that came out of Trump's cyber security strategy was, it implied, but did not expressly state that the private sector would be able to engage in offensive cyber operations. Now, you know, I would think that would need, you know—you're more current lawyers, your practising certificates are up to date, unlike mine. But I think you, at a private company, would need to be pretty sure that they had, they were legally covered, before they engaged in activities like that. I thought there was, there seemed to me a few question marks over that document, not uncommon for publications of this administration.

Valeska: It was, it was pretty interesting. I think they spoke about unleashing the private sector to identify and disrupt the adversary, which, as you say, sort of ramps things up another, another few notches.

Malcolm: Well, the private sector can certainly identify and they do that all the time. I mean, again, it's, it's very difficult. I mean, you take a big company like Microsoft, whose operating system, software, is everywhere, including, you know, widely used by adversaries. If an adversary exploited a vulnerability in Microsoft code in the United States or Australia, is Microsoft going to say, Oh, well, we know there's a couple more vulnerabilities in the code that's being used in the adversary's country, we'll exploit that. I think they'd be pretty wary about that, but having said that, they would go along and they talk to the NSA and FBI and, you know, ASD and whatever, and sew them onto the adversaries, I would think.

Valeska: And information sharing, I guess, is one thing, but delegating coercive control to the private sector is another thing entirely.

Malcolm: I mean, I would be really interested to hear what you say, because, you know, you guys are much more on top of the day-to-day current situation in the sector than me. I mean, I've always been a great admirer of the ISAC structures in the United States. And I sought to, you know, we sought to, you know, achieve something like that with our own legislation and approaches, particularly with the ACSC. But how do you think Australia is going in that regard, currently, as of 2026, and how do you think we match up in terms of information sharing?

Valeska: I think we are sharing intelligence much more effectively and on a much more widespread basis than we were even a few years ago. And there's been recent regulation as well that I think gives organisations a bit more comfort around their sharing of information, especially in the wake of cyber incidents, so part of our limited use regime. But there's still a long way to go, and many organisations that perhaps don't have the cyber risk awareness or maturity to even know what information they have that can be really valuable as well. So, there's certainly more to do in that space.

Malcolm: I've noticed, I shouldn't mention any names, but I have, I've been surprised in recent years because I'm quite involved with number of cyber security companies, and I try to stay close to this area, but again, not as close as you guys would be. I've been surprised that some Australian companies are pretty complacent about the risk, you know? And I guess that's, you know, that's part of the problem, isn't it? I mean, there's always going to be some people that are much more on the front foot than others.

Valeska: Yeah, it's  an issue that's been picked up recently in the independent review into the SOCI Act as well, that there's quite a big spectrum, and there are, and this is not, absolutely not the case across the board, but that review said that there are some critical service operators that just don't have that awareness or the mentality around their role in defending, protecting the nation. And so, there's work to do, from a hearts-and-minds perspective, to make sure that we are actually approaching it in the right way. Which is also a hard ask for industry that are not defence in the traditional sense, but are absolutely under attack, including from various nation states, it is a very different mindset to, you know, them going about their best of ordinary business.

Malcolm: Yes, no, it is, I mean, I think the telco sectors should be better. They should be better attuned to it, because they've always, you know, interference has always been part of their environment. You know, unlawful interference. And, of course, lawful interception is one of the things they they're required to do from time to time. Yeah, no, no, I agree. I agree, you know. But, you know, part of the problem is that everything … software is, you know, Andreessen said, software's sort of eaten the world, you know, if you think of so many of these systems that we rely on, you know, whether it's the lifts in a, you know, office block or, you know, the systems that run the public—you know, run the metro—and, you know, hospitals, etc, etc. I mean, everything is vulnerable to interference, and often it is being, the software is being, has been written and is being, you know, monitored, updated from outside Australia too. So that's another dimension to the security issue.

Dom: I think that brings us to the important topic of sovereignty. You've previously said that Australia's forces need to become a genuine sovereign force that's capable of defending the country without relying on US support. Does that same logic apply to cyber?

Malcolm: Well, yes, I mean, it would, but I think the cooperation under the Five Eyes is very, very intimate. We have to be self-reliant, I would say that ASD—I know this is a very common thing that Australians say, but ASD definitely does box way above its weight, and that's partly because of the calibre of the people that we employ in the Australian Signals Directorate, and also it is, by definition, an asymmetric domain. You know, I mean a smaller, smaller countries and economies and, indeed, criminal groups. You know, can, you know, undertake extraordinary exploits. Because it's not, it isn't, you know—cyber is, is you've got enormous leverage, you know. I'm, you know, I'm not saying the, you know, the clever but wicked kid, you know, in his bedroom hacking into the nuclear power stations server is a real-life example. But there is that issue of leverage. So, yeah, I think, I think we do, I think we do absolutely pull our weight in cyber security, but we cannot assume that we are always going to be able to rely on assistance from the Americans. In particular, there is still this sort of dreamy, lazy, complacent attitude, particularly in Canberra. In Canberra more than anywhere else in Australia, and there's some recent research that sort of kind of confirms what I'm saying to you, Canberra is more complacent about the US relationship than anywhere else in Australia, because they're so invested in it, particularly in the national security sector. And they just don't want to know. They don't want to know that the world is changed.

Dom: And do you have a view on how far away we are from building a genuine sovereign offensive and defensive capability?

Malcolm: Well, we do have a sovereign offensive and defensive capability. We absolutely do. Look, let me tell you about me and cyber security and signals intelligence, a bit of background. So, I got into parliament when I was 50, so I was definitely a grown-up. I had a lot of different careers. And in the course of that, I had, together with Sean Howard, you know, who's the technical genius, and Trevor Kennedy, we started a company called OzEmail, first big ISP in Australia. And through that, I'd got very interested in and pretty knowledgeable in cyber security matters. You know, at an early stage of the internet, obviously, Lucy and I defended the old spy Peter Wright and Spy Catcher case, 40 years ago this year, I might add, and so we had a long-standing interest in signals intelligence, espionage, that kind of thing. And so, when I got into parliament, I was more … I wasn't, I'm not a techie, but I was more familiar with this area and, above all, keenly interested in it, than most politicians, and frankly, most officials and, you know, curiously, when, when we were in opposition, you know, this is when Abbott was leader, after I'd been deposed, and I was shadow communications minister, Stephen Smith, then the Labor defence minister, you know, facilitated my getting regular briefings from the ASD, and I spent quite a bit of time with them, and, you know, it was really good of him to repose that trust in in me and I, and would never let it down, let that, that trust out, that confidence down. But so, I, I was always very keenly aware of the importance of this domain, and, you know, and I can say Australia does have considerable sovereign capabilities in this field. Do we benefit from the intelligence sharing with the US and, you know, and the UK and, you know, to a lesser extent, Canada and New Zealand? Yes, of course, we do, absolutely. But do they benefit from the relationship with us? You bet they do. If you were to compare our cyber capabilities, what you might call our kinetic capabilities, relative, you know, in terms of sovereignty, you know, self-reliance, etc, we are more sovereign and self-reliant in the cyber domain than we are in the kinetic domain. And that's, you know, partly because the dollars, you know, are so much bigger; you know, submarines and F-35s and missiles, you know, cost a lot of money.

Valeska: Malcolm, I'd like to talk a bit about cyber war, and you touched on this before as being a grey-zone area.

Malcom: Yeah. I mean, I'm not sure that's a great term. Interestingly, at the sovereignty and security forum we had in Canberra, one of our panellists, basically said, I hate grey zone. Stop using the term grey zone. There's nothing grey about it, but, you know, it's probably not a great term, but it's really means, you know, that space that is between peace and war; war meaning, you know, bombs and missiles and explosives. And, you know, that's quite a big domain nowadays, and a lot of damage can be done in that domain.

Valeska: And I think at the same time, there was a comment made about the fact that a lot of these threat actors are essentially declaring war in an undeclared way. And so perhaps that is, that is the grey in it and, of course, we saw with the Russia–Ukraine war, that was probably the first time that cyber played such a significant role in a hybrid war like that. And we're seeing it play out in the Middle East as well. And cyber warfare obviously has some unique characteristics. It can be undertaken at scale from a distance. It can be hard to attribute. It can also be contributed to by civilians from a distance as well and at scale. But I'm wondering how you're seeing the role of cyber warfare evolve as a domain of overall warfare and how or whether traditional rules and international norms are keeping pace with that.

Malcolm: It's importance is enormous, and it will become, you know, bigger and bigger as time goes on. So, there's no question about that. It is a potentially very effective tool of coercion. It's because there, you know, there are so many vectors of attack, and I mean, some of them are spectacular, like the, you know, the pager exploit that the Israel's Mossad deployed against Hezbollah a few years ago. But, you know, again, but at the end of the day, if you have an adversary that's dug in and determined to fight, you know, you've got to, you know, send in the infantry and the tanks and so forth. I mean, as the Americans are finding out in Iran. I mean, they, you know, the aspiration that they would be able to affect regime change in Iran simply through a aerial bombardment. You know, that's been proved, at least to date, to be unrealistic.

Valeska: And what about some of those precursor activities, or possibly not even precursor but sort of ongoing adjacent activities where we've seen, you know, the Pentagon hacked and American dams, and water supplies affected by the state-based actors, but there still appears to be some reluctance that there's, I think, much more appetite to attribute it to certain nation states and call it out. And we've seen various advisories come out that Australia has been a part of as well, but also a reluctance to put it in the zone of war, in the way that we see with kinetic wars. Why is there that reluctance?

Malcolm: Well, it's a political question. Let's say, you know, a power grid in the United States was taken down and, you know, black-out over, you know, three or four or five states, and it was all done by, you know, the insertion of malware into the system, you know, essentially turned the system off. You know, affected considerable damage. Took days and days to repair, and let's say it was clearly identified as being, you know, in minds of the agencies, NSA in particular, clearly identified as being done by China, for example. Now, if the Pentagon—speculating about what an American president may do in this context of Mr Trump is pretty difficult, because he's unpredictable. But if the American president were to say, right, I am going to respond to that by firing missiles into, you know, so many parts of the Chinese electricity infrastructure, and take it down kinetically, that would be regarded politically by the public, by everyone, as a massive over-escalation. You know, I mean, even though you know the effects of the two things, that the cyber attack and the kinetic response could be the same, and so that gets back to the importance of offensive cyber. Because if, on the other hand, you were to do the same to the Chinese side and take down, if you had the, you know, you obviously would have had to have the malware in place and all that stuff. But if you were able to reply tit for tat, that's going to be regarded as a better response.

Dom: I think that probably brings us back to the question of Five Eyes, and the current levels of Five Eyes cohesion, perhaps. The Trump cyber strategy references cyber activities the administration took as part of its mission to, and I'm quoting, obliterate Iran's nuclear infrastructure, and also in its January operation to capture Nicolás Maduro in Venezuela, really framing offensive cyber as directly integrated with broader geopolitical coercion. I guess, given that current strain on traditional Alliance structures, are you concerned that a more unilateral and perhaps transactional US cyber posture could draw Five Eyes partners like Australia into operations, perhaps without consultation or otherwise leave us strategically exposed.

Malcolm: I am concerned about that. I mean, Trump, I mean, I dealt, you know, I guess, a lot, extensively, I suppose you could say as far as an Australian prime minister with Donald Trump in his first term, and it's the same man in the second term, but he is much less constrained. You know, he, this time round, he controls the Republican Party. The Congress, at least, you know, at least until the midterms, is no check on him at all. In the first term, he had advisors around him, many of whom were politically aligned broadly with the Republican agenda, but were independently minded and were able to say to Trump, no, this is not the way to do it. You know, take a different, perhaps more prudent path. This time around, he's surrounded by yes men. You know, there's no one there telling him stop, go back and, you know, he feels he can do anything. And he says he can do anything. I mean, he believes that might is right. And he says so, he does not believe that international law applies to the United States. And he says it doesn't apply. He was asked, you know, what limitations were there on his international activities. And he said, just my morality. So, you know, we're dealing with an extraordinary situation. So, yes, all of all those concerns are very real. And I just want to sort of pick up on an adjective you used, 'transactional', which is often used about Trump, and I've used it myself in the past. And I've, to be honest, I found him transactional in his first term, but a lot of people now, particularly in Europe, and I'm sure the Middle East, particularly among the Gulf states, are saying, hang on, transactional. Transactional means I give you this, you give me that, and we agree that that's the deal. Problem with Trump is that he doesn't think anything's binding on him and, you know, he is not, he is prepared to burn allies and relationships. But this, this war, has done untold damage to that region. You know, just that it's not just the sort of physical damage to the infrastructure that's, you know, happened now, which, given time and money, can be repaired. But, you know, their whole business model, if you like, is based on the proposition that they're little, little island oases of stability in that region. And they had American bases on their soil, many of them as part of that, and yet those bases have resulted in them being attacked by Iran in this, in this war that the Americans started without consulting them. So, you know, we're in a very, very dangerous world. And this is why, you know, this is the point I've been making for some years now that, you know, it is one of the great tragedies of Australian public policy that we that, you know, this is exemplified by the AUKUS deal, that right at the time when the United States was becoming less dependable, we made ourselves vastly more dependent on it. Now, that was that was true when Biden was president, by the way, but it is just obviously off the charts now with Trump. So, you know, self-reliance, resilience, independent sovereignty are all critical, and it's one of the tragedies that there isn't a proper debate about this in the federal parliament. We haven't got enough people at the moment looking in a clear-eyed way at Australian sovereignty.

Valeska: Malcolm, you've operated, obviously, at the highest level of government, where secrecy around cyber activities is paramount. But there's obviously an inherent tension between that secrecy and then the public's right to understand the threats that we face, and also what the government is doing to address those. How should governments, do you think, navigate that tension, and are we getting those settings right?

Malcolm: Well, I think we should need to be more transparent. You know, I've got a simple slogan. I wasn't the prime minister given to three-word slogans, as you know, but I think you build trust, which is critical in politics or in anywhere, life, with two things, truth and transparency. So, you've got to tell the truth, but you've got to be transparent about it. You know, in other words, you've got, you can't just say, you know, the situation is, x, y, z, without saying why you're saying that, or what, what your basis for saying that is, we are lacking in transparency on national security matters in Australia and, in fact, the Americans are vastly more transparent because of the way their system works. That the administration has got to go to Congress every year to get the money, they make a lot of disclosures, some of which were in camera, of course, but a lot of disclosures publicly to the various congressional committees, you know, say, in the, you know, the Intelligence Committee, the services committee, and so forth, and so, if you want to know what's happening, say with AUKUS, which I mentioned earlier, no point trying to find out in Australia, because the government, the Defence Department, will just give you warm words, and, I don't know, word salads, basically, but you can find out a great deal from the Congressional Research Service, the Congressional Budget Office, and the testimony of, you know, naval and other personnel to the Congress. So, yeah, transparency, I think we underdo transparency.

Dom: I think in this discussion, we can't not talk about AI, in some respect; it's both an accelerant for adversaries, it's increasingly a must-have capability for defensive strategies. How are you seeing AI reshape the cyber threat and defence landscape?

Malcolm: Changes everything, right? I mean, it enables so many things that, you know, took many, many human hours of work, coding, for example, to be done, you know, at vastly lower cost, very, very, very quickly. So, it's, no, I think it's a superpower, and we have to, you know, you really have to embrace it. So, yes, and I'm sure you know, our agencies are doing that. It is a challenge. I mean, a good question is, do we need a sovereign AI?, I mean, France has done that with Mistral. We haven't got an equivalent in Australia. I'm not an expert, to say the least. I'm barely even a novice. But it's perfectly obvious that this is another technological revolution.

Valeska: That's where we'll leave Part One. In Part Two, we turn from geopolitics to innovation, what it will actually take to build Australia's cyber security ecosystem to support a sovereign capability. We hope you'll join us.

Thanks for listening to this episode of The Cyber Brief. Check the show notes for resources from this episode, or visit allens.com.au/cyber for our latest thinking; don't forget to follow to keep up to date on what's ahead for cyber risk governance and emerging threats as we interview some of the most respected voices in the industry.