The federal government has made “good progress” in removing potential back doors in “high-risk authoritarian technologies” but needs to pivot to a more proactive approach before Australia is compromised, the opposition’s cyber security spokesperson has warned.

Calling out the risks of Chinese products including social media app TikTok, Dahua and HikVision surveillance cameras and DJI drones, Senator James Paterson, Shadow Minister for Cyber Security, warned that such products, “in aggregate, present a systemic threat to our national security.”

“They are all produced by ostensibly ‘private’ companies based in China,” he explained in a speech to industry leaders this month, “but in reality, are functionally arms of the Chinese state which are subject to the extra judicial direction of the Chinese Communist Party.”

“Any one of these products could easily be weaponised to conduct cyber disruptions, surveillance, and large-scale foreign interference.”

And while the government has been moving to reduce its exposure to the products – over 1000 HikVision and Dahua cameras are slated to be removed from Commonwealth sites, hundreds of government DJI drones have been grounded, and TikTok recently banned from government devices – Paterson said the changes had only been implemented after extensive campaigning, and had lagged similar actions by Australia’s allies.

“We need to move beyond the whack-a-mole approach,” Paterson said, “towards something more systemic and forward-leaning.”

The Australian government should, he argued, follow the lead of the UK Government – which this month announced plans to create a National Security Unit for Procurement – by creating a new office specifically designed to “map and remove problematic technology already embedded in government systems, while also assessing emerging technologies before they are deployed to ensure appropriate mitigations are in place.”

This change would create opportunities for domestic suppliers to leverage trust and transparency “as areas of competitive advantage” compared to overseas suppliers whose products are often cheaper but “present more risks due to opaque supply chains and the risk of being compelled by authoritarian governments whose interests are inimical to Australia’s.”

Securing the supply chain

Paterson’s comments come weeks after the Australian Cyber Security Centre (ACSC) joined similar bodies in Five Eyes nations – which have already been proactive in encouraging companies to review and secure their software supply chains – to warn that a Chinese government-backed cyber criminal group is targeting US critical infrastructure operators.

The group is ‘living off the land’, using built-in Windows tools to blend into target networks, stealing data and achieving other strategic objectives unnoticed.

Australian businesses and government suppliers should proactively work to identify and close any potential loopholes that leave them exposed to such attacks – creating an opportunity for domestic suppliers to leverage trust and position themselves as “preferred suppliers of technology and software.”

This included proactively removing high-risk technologies from their own environments: “If it is not safe to have these technologies in government departments because of the espionage risk they represent,” Paterson said, “it’s hard to see why they should be permitted on a system of national significance or an AUKUS supplier.”

Chinese technologies are, however, becoming harder to avoid: a recent update to the Australian Strategic Policy Institute’s Critical Technology Tracker, which benchmarks international research maturity in 23 critical technology areas, found that China is leading “high-impact research” in 19 of the 23 technology areas.

“Across a number of technology areas, China’s lead is so great that no aggregation of countries exceeds its share,” ASPI warned.

Yet in several areas – including autonomous systems operation technology, advanced robotics, adversarial AI-reverse engineering and protective cyber – “the collective strength of the AUKUS countries shifts this picture, and they take the global lead…. highlighting the importance of the accelerating effect of greater collaboration between like-minded partners.”

Ultimately, Paterson exhorted Australia to join AUKUS partners in shoring up government software supply chains before foreign powers exploit unpatched vulnerabilities.

“We need to seize the initiative in times of relative stability,” he said, “to purge our systems of potential back doors that foreign adversaries could use to infiltrate or disrupt our systems.”

“If the worst eventuates and we witness a regional conflict at some point in the future, we will look back with regret that we had not acted to address these vulnerabilities sooner.”