We are in a new age of competition. The advance of digital spaces across physical, political, socio-cultural and economic structures challenges traditional understanding of sovereignty and national interest. The digital revolution exposes the growing prevalence and complexity of non-traditional security issues which complicate Australia's traditional geopolitical and ideological approach to defining threats.
The digital revolution in the Pacific represents myriad opportunities for improving Australia's engagement with the region for mutual benefit. Cyberspace enfranchises diverse communities, empowers economic participation, and offers pathways to address persistent developmental, humanitarian and climate crisis-induced challenges. Increased access to, use of, and control over digital spaces accelerates regional stability.
Simultaneously, increased connectivity further increases Pacific states' risk of a range of sophisticated (and potentially devastating) cyber threats.
Australia is rightly invested in the ability of Pacific states to respond to these challenges. The Defence Strategic Review (DSR) and recent comments by Foreign Minister Penny Wong reiterate the criticality of a secure and stable Pacific region.
While undeniably welcome, these comments belie Australia's current capacity to secure the cyber defences of our Pacific neighbours.
As a regional partner with longstanding link to our Pacific neighbours, Australia has demonstrated its commitment to the region, particularly in moments of crisis. In Bougainville, Timor-Leste, and Solomon Islands, we provided diplomatic, military, and policing support. In the face of recent humanitarian disasters - in Tonga, Vanuatu and Fiji - Australia responded with urgency. Australia's commitment to Pacific security is more than words; it is demonstrable and decisive action.
But the Australia security guarantee to the Pacific has limited capacity to respond to a cyber contingency. We have neither the expressed intent nor legislative foundation to aid a Pacific partner in the wake of a serious cyber incident.
Notably though, the government is considering how to update the Defence Act 1903 to enable Australia to respond in a more flexible way to non-conventional, non-kinetic attacks. This provides an impetus for Australia to think seriously about how security assistance can be provided against cyberattacks existing in the grey zone beyond the threshold of conventional war.
The DSR also provides new, and welcome, immediacy to our conception of threat. Clear delineation of our sovereign interests and the means to secure them means Australia can act with greater purpose in the exercise and use of our Defence capabilities. It allows us the opportunity to redefine our interests in the Pacific; categorising cyberattacks as attacks on Pacific sovereignty affords greater latitude to ensure a stable and secure region.
Expanding Australia's Pacific security guarantee to include cyberspace is both warranted and sound policy. A recent ransomware attack in Vanuatu crippled government services and operations for weeks. The volcanic eruption and tsunami in Tonga severed communications for a month. A sophisticated, targeted and sustained cyberattack on the critical infrastructure of a Pacific nation would be politically, economically and socially devastating.
With legislative backing and political intent, Australia can communicate to our Pacific neighbours our commitment to assist in the event of a cyberattack.
Expanding our security guarantee would require the introduction of important safeguards. Firstly, changes to the Defence Act would enable Australia greater flexibility to use cyber capabilities in a measured response. Secondly, any Australian assistance must comply with international principles of attribution, distinction, and proportionality. Last, we must underwrite internal Pacific efforts to address all emerging challenges in cyberspace.
Incorporating cyber into Australia's existing security aid to the Pacific would be a step change in our security posture and relations with the region. It would require bold leadership from politicians, Defence and DFAT alike. But in practicality, it can be achieved through existing mechanisms.
Following ratification in 2018, the Boe Declaration on Regional Security is the Pacific's blueprint for addressing traditional and non-traditional security challenges. It affirms an expanded concept of security with increased emphasis on cybersecurity, "to maximise protections and opportunities for Pacific infrastructure and peoples in the digital age." The Boe constructs eschews complex bilateral arrangements and multilateral forums that currently categorise the security architecture int he Pacific. It is an ideal mechanism on which to enshrine our cyber security guarantee and advance and promote a Pacific approach to cybersecurity.
Adapting existing Australian-funded regional mechanisms would enable Australia to support Pacific partners more readily in a cyber contingency. The Cyber and Critical Tech Cooperation Program is funded by Official Development Assistance (ODA) to strengthen regional cyber resilience and capacity. Its flagship program is the (PaCSON), which promotes collaboration, information-sharing and incident response capabilities across regional cyber security incident response professionals.
PaCSON is already being utilised by all Pacific Island Forum (PIF) members to share information on cybersecurity. The Australian Cyber Security Centre (ACSC) represents Australia in PaCSON and is a critical vector to enable and deployment of cyber capabilities to respond to a significant regional cyberattack. PaCSON also works with the Pacific Fusion Centre, the Australian-funded and PIF-endorsed regional security assessment agency. With a security guarantee enshrined under Boe, endorsed by PIF and operationalised through PaCSON, Australia could effectively bolster the cyber deterrence and the Pacific and ensure the ongoing security and stability of the region.
An expanded security guarantee is an indispensable instrument to set international standards about collective security against non-traditional threats. This particularly relevant for the Pacific, where the catastrophic effects of the climate crisis have precipitated countries like Tuvalu exploring the concept of a 'digital nation;.
These moves provide unique opportunities to promote an international consensus on 'digital sovereignty' and the inalienable rights of citizens of a digital nation. It is also an opportunity to set expectations on how the security guarantee applies in a digital world. Australia could and should promote the perpetual and eternal sovereignty of countries like Tuvalu facing geographic collapse. A security guarantee to the region with an expanded cyber scope is a useful means to achieve this.
Pacific countries are not monolithic, but they do share unique security challenges that converge in cyberspace. As the climate crisis forces countries to exist within digital boundaries, an evolving concept of sovereignty will pose unique challenges. As small formal economies separated from major markets and with a high reliance on development assistance, the devasting effects of a cyberattack are heightened. And as countries with underdeveloped law enforcement capacity, the Pacific is particularly susceptible to transnational cybercrime.
In the face of these challenges, the cybersecurity of the Pacific is vital to ensure continued economic development and socio-political stability. Australia will continue to respond as we have int he past to security threats in the Pacific - domestic unrest, humanitarian aid and disaster relief, illegal fishing - but we lack the means and stated intent to respond to a sophisticated cyberattack.
With government reinforcing the centrality of the Pacific in our conceptualisation of interests, and the Defence Act reform modernising our ability to deploy non-traditional Defence resources, Australia is well placed to formalise an expanded security guarantee. Working with our Pacific partners and leveraging existing, proven mechanisms, Australia can help ensure Pacific countries and secured against cyberattacks that threaten their critical infrastructure, economy and sovereignty.
Nicholas Campton-Smith is a member of the Defence, Strategy and Industry Practice at Synergy Group with five years' experience in the defence industry. Nicholas is practised in policy development, capability sustainment tendering, maritime domain awareness and open source intelligence. He has a master's with Excellence in Strategy and Security from UNSW Canberra in the Australian Defence Force Academy.
