Last night, ASIO boss Mike Burgess made another powerful public statement in delivering the Annual Threat Assessment for 2024. Burgess stated that ASIO has seen "terrorists and spies […] talking about sabotage, researching sabotage, sometimes conducting reconnaissance for sabotage".
He also highlighted the increasing focus on cyber (online methods) as a way that sabotage might be conducted. He said:
ASIO is aware of one nation state conducting multiple attempts to scan critical infrastructure in Australia and other countries, targeting water, transport and energy networks.
This would seem to align with recent reports of Chinese hackers spending up to five years in US computer networks before being detected.
But what exactly is sabotage, and should we be worried?
The legal definition
"Sabotage" is a French term originally used to refer to deliberate acts by workmen to destroy machinery during the Industrial Revolution. Since then, "sabotage" has been used to describe acts that undermine military power without a battle - such as destroying train lines, cutting telephone wires, or setting fuel dumps on fire.
However, the legal definition is a bit bigger than that.
In Australia, sabotage is both a federal crime under the Criminal Code and also a crime under state and territory laws. At the federal level, sabotage has three key elements:
- engaging in conduct that results in "damage to public infrastructure"
- intending to or risking the act will "prejudice Australia's national security" or "advantage the national security of a foreign country"
- an act on behalf of, in collaboration with, or with funding from a "foreign principal" (that is, a foreign government or one of its authorities, such as their intelligence service).
"Public infrastructure" is a broad concept, and includes anything belonging to the Commonwealth, defence and military bases and equipment, and telecommunications.
In some circumstances, it could also include banks, supermarkets, food, farms and other services provided to the public. Essentially, pretty much anything needed to run the country could be "public infrastructure".
These are already considered "critical infrastructure", and must meet strict physical security and cybersecurity guidelines.
New South Wales, Victoria, Queensland, the ACT and the Northern Territory also have specific sabotage offences. Those offences capture deliberate acts to damage or destroy public facilities, where the person intends to cause major disruption to "government functions", major disruption to the "use of services by the public" or major "economic loss".
So what is ASIO doing?
ASIO's annual threat assessment mentioned that sabotage has increasingly been discussed between agents of foreign countries, spies and would-be terrorists. While Burgess did not name which countries have been involved, ASIO has been watching China, perhaps because a hacking group called "Volt Typhoon" has been named as allegedly working on behalf of the Chinese government.
It also appears ASIO is watching "nationalist and racist violent extremists advocating sabotage". This would also fit with recent increases in counter-extremist investigations by the AFP and changes to Defence vetting procedures.
Yet, there have been very few cases of sabotage pursued in the courts.
Unfortunately, there can be several barriers to prosecuting foreign agents who engage in espionage, foreign interference and/or sabotage. These include gathering the necessary evidence that might reveal how the spies were detected, in turn potentially compromising ASIO's ability to operate in the future.
However, foreign agents can still be deterred from engaging in this kind of activity. Just last year, Burgess detailed how a Russian spy ring was expelled rather than prosecuted. In this year's threat assessment, Burgess also said ASIO often puts foreign agents on notice - that ASIO knows what they're up to - or it shines a "disinfecting light" on Australia's adversaries so the public is aware of what they're up to.
However, one of the cases mentioned by Burgess in the assessment - a politician alleged to have "sold out Australia" for a foreign nation - probably won't be identified. That's strange on its own, as Burgess' usual approach in these cases seems to be to "name names" - in going public, ASIO removes the one thing foreign agents need to operate: anonymity.
What more is needed?
ASIO will need to continue (and possibly even ramp up) its surveillance operations in Australia. That in turn will require the attorney-general to step up the review of Australia's surveillance laws, which is yet to get started.
That said, the Albanese government has started consultation on its 2023-2030 Australian Cyber Security Strategy, which will make sure our cybersecurity laws are up to scratch. The Australian Securities and Investments Commission (ASIC) has also already put boards and chief executives on notice that they will prosecute companies for cybersecurity failures.
There are some niche areas in the law that might need some tweaking. Last year, we published research that demonstrated Australia's laws might not protect an act of sabotage that was aimed at our natural environmental assets such as the Great Barrier Reef.
However, we may not need more laws - we just need to better use the ones we have. As Keiran Hardy argues in the context of counter-terrorism laws:
Australia's counter-terrorism laws are already extensive […] If a criminal offence or power is needed to combat terrorism, Australia already has it and more.
More broadly, Australia needs to confront its "this won't happen to us" attitude to national security. Chris Taylor, head of the Australian Strategic Policy Institute's Statecraft and Intelligence Program, recently revived the words of Harvey Barnett (a former boss of ASIO) when he said:
With the simple self-confidence which living in an island state breeds, Australians are sometimes doubtful that their country might be of interest to foreign intelligence services. "It can't really happen here" is a stock attitude. It has, it does, it will.
Those words should resonate with us all.