From the alleged US penetration into Russia’s electricity grid, to Russia’s online campaigns to disrupt US elections and China’s frequent dabbling in digital espionage, cyberwarfare is increasingly emerging as one of the main tools employed in countries’ jostle for power.
If Trump’s recent decision to call off air strikes in favour of a cyberattack against Iran is anything to go by, online offensives can be a more palatable strategy than physical attacks. They add another option when sanctions and other forms of diplomacy fail.
Before considering whether Australia is prepared to defend itself against these threats, it’s important to understand what cyberwarfare entails and the many ways that it can play out.
Browsing history
While cyberwarfare is considered to be any online-based attack linked to a nation-state, there is some dispute about the exact definition. It comes in several different forms, with online sabotage being one of the most confronting. For example: the “distributed denial of service” (or DDoS attacks) against Estonia in 2007, or the 2008 attacks targeting Georgia and other nations. In both cases, a large number of government and other important websites were disrupted, defaced, or used to distribute spam.
Cyber attacks can also cut off essential services or damage critical infrastructure, such as when an Iranian cyberattack shut off power to 40 million people in Turkey in 2015. In 2012 an attack — also by an Iranian group — against Saudi Aramco oil affected 30,000 computers in an attempt to halt oil production. The US and Israel are in on the action as well, collaborating on Stuxnet, a computer worm that caused significant damage to Iran’s nuclear program in 2010.
Espionage is another key part of cyberwarfare, exemplified by the US’ massive data collection program, XKeyscore. Cyberwarfare can also take place as online propaganda. The most notable example is Russia’s social media campaigns during the 2016 US election. If US prosecutors are correct, then cyberwarfare has even been used in a bank heist. North Korea is believed to be linked to the attempted $1 billion theft from the Bank of Bangladesh.
While these attacks have already caused large amounts of damage, it’s not unreasonable to suspect that the effects of cyberwarfare could get much worse if global tensions heat up. Both the US and Russia have been poking around in each others’ electricity grids. This indicates that they are at least looking for critical flaws, whether or not they have any immediate plans to act on them.
How does Australia fit into the picture?
Australia’s biggest threat is China, which in just the last year has been implicated in major attacks against both Parliament and the Australian National University. Since Australia is already under attack, an effective cyber defence strategy is paramount.
Unfortunately, Australia’s safeguards are lagging behind. The country’s cybersecurity strategy was disorganised and far from comprehensive until 2014, when the Australian Cyber Security Centre (ACSC) was launched. It aimed to act as a central hub where government agencies could collaborate.
This was complemented by Australia’s Cyber Security Strategy which was announced in 2016. The strategy included enhancements to information sharing, new threat research centres, cybersecurity guidelines and funding to address the skills gap.
Australia’s Cyber Engagement Strategy followed in 2017, which outlined Australia’s expectations from other nations in cyberspace, the code of conduct for Australia’s online offensive operations and other key digital policies.
Looking to the future
While this initial flurry of activity was promising, it didn’t achieve enough, and cyber policy has seemingly fallen by the wayside in the ensuing years.
In a 2017 report, Australia’s Cyber Security Strategy was criticised by the Australian Strategic Policy Institute. It pointed out flaws in the strategy’s overall design, its lack of measurable outcomes and insufficient funding to adequately achieve its aims.
Although some new research centres have opened since then, and more funding has been granted to various cyber-related initiatives, there haven’t really been any major moves in national policy. If anything, the government’s focus on cyber security could be backsliding.
In 2018, under Scott Morrison’s cabinet reshuffle, the position of Junior Minister for Law Enforcement and Cyber Security disappeared. Itnews alleges that the Department of Home Affairs has also removed the position of National Cyber Security Adviser. It was held by Alastair MacGibbon, who also led the ACSC; however his replacement, Rachel Noble will not be filling both roles.
These moves seem to indicate that national cybersecurity policy is far less of a priority under the Morrison government. Given the threats heating up around the world and that Australia is already facing damaging acts of cyber warfare, this lack of commitment poses a severe national security risk.
Unless the government takes a strong approach toward cyber defence, Australia will continue to have important data stolen through Chinese espionage and could even fall victim to devastating attacks against its critical infrastructure.
Wow, but maybe God will save us.
Josh’s article rightly points to our government’s culpable neglect of Australia’s cyber defence capacity.
For a description of the different fronts in cyber warfare see this recent paper from Chatham House:
https://www.chathamhouse.org/sites/default/files/2019-06-27-Space-Cybersecurity-2.pdf
Here’s a quotation from the paper:
“Policy influencers and policymakers are struggling to grasp the full impact of cyber vulnerabilities in the context of both space-based assets and strategic systems. Just as with physical attacks on space-based assets – such as anti-satellite weapon (ASAT) strikes – cyberattacks have the potential to wreak havoc on strategic weapons systems and undermine deterrence by creating uncertainty and confusion. Cyberthreats pose a significant and complex challenge due to the absence of a warning and speed of an attack, the difficulty of attribution, and the complexities associated with carrying out a proportionate response.”
The focus over the past week on Hugh White’s recommendation for more military “big iron” has drawn attention away from this more arcane and unfamiliar aspect of modern warfare.
For a summary of the Chatham House paper see this article from Forbes:
https://www.forbes.com/sites/zakdoffman/2019/07/05/u-s-military-satellites-likely-cyber-attacked-by-china-or-russia-or-both-report/#344b99e8dd32
So Josh is right about the government’s culpable neglect. But there is Parliament’s neglect as well. AND the battle front is broader and deeper than Josh had space to cover.
I cannot believe how naive my contemporaries are re cyber attacks & security. There’s an excellent series on SBS TV (usually screens at a dead time in the late afternoons) called Cyberwar. Most instructive interviews with international experts at the top of the IT tree – it should be compulsory viewing.
Wake up, Australia.
Cybersecurity? dutton? None! Home Affairs on Dutton’s watch has persistently failed — or refused — to adhere to the government’s own cybersecurity requirements.
Dutton inherited but has failed to address a long-standing problem: in 2014, the immigration department, after an ANAO audit critical of its cybersecurity, assured a parliamentary committee it would fix the problems. But in March 2017, a follow-up audit revealed the department (along with the Australian Tax Office) was still in breach of the government’s cybersecurity mitigation strategies at a time when the government was warning of the increasing online threat from other states, organised crime and terrorists.
The Joint Committee of Public Accounts and Audit, declaring cyber-resilience a “strategic priority”, subsequently reported it was “most concerned that the audit found that the ATO and DIBP are still not compliant with the mandatory ‘Top Four’ mitigation strategies”. Worse, immigration “could not provide a date for when full compliance with all of the ‘Top Four’ mitigation strategies would be achieved, despite previously advising the Committee that full compliance would be achieved by December 2016”.
This government is too busy wanting to hack its own citizens to look over its shoulder for real threats.