Please enable javascript to access the full functionality of this site

NotPetya

Australia's Cyber Warfare Capabilities needs public debate

By Tom Uren

Rogue states — Russia, Iran and North Korea among them — are going on the offensive, attacking Western business and government targets using cyber tools we cannot always defend ourselves against.

State-sponsored hackers have shut down a power plant, robbed a central bank and tried to bring down an energy giant. With the next wave of innovation, the destructive power of these tools will greatly increase — imagine the consequences if a state remotely took control of a fleet of driverless cars or an autonomous tank.

Many states are quietly developing offensive cyber capabilities, but few disclose any details. Australia has been somewhat exceptional in discussing various aspects of its capability, although the public debate has not always been so clear. A more informed debate on these new offensive tools, including when it’s acceptable to use them, is essential. The Australian Strategic Policy Institute’s International Cyber Policy Centre has spent months putting together the most detailed study to date of Australia’s offensive cyber capabilities.

Modern societies, militaries and economies increasingly are interconnected and reliant on information and communications technology. There are many databases, industrial sensors and control systems that are connected to the internet for ease of use and greater efficiency. This makes everyone more susceptible to cyber attacks that can wipe computers, paralyse organisations and factories, and even shut down electricity networks, or worse.

These vulnerabilities open the door to enemy states.

Last June’s NotPetya ransomware virus, for example, was a Russian-sponsored attack spread through a Ukrainian tax accounting software company. Although it notionally was aimed against Ukrainian firms, the financial costs of NotPetya to global companies such as FedEx, pharmaceuticals giant Merck, Danish shipper Maersk and others cost much more than $US1 billion.

Russia also has attacked electricity supply in Ukraine and has been caught preparing to attack US electricity suppliers and electoral systems. Petrochemical factories in Saudi Arabia have been targeted for destruction using malware — only a flaw in the attacking software prevented disaster. And North Korea, which threatens the international banking system, released the WannaCry ransomware in May last year.

These cyber attacks occurred without accompanying military action (beyond Russian aggression in Ukraine), but we are entering a new era of warfare where cyber attacks can be combined with traditional military capabilities.

In 2016 Australia announced it had an offensive cyber capability that was being used against Islamic State, and last June it announced the creation of an Australian Defence Force Information Warfare Division with responsibility for cyber defence and offence. Additionally, it announced that part of Australia’s offensive capability would be used to support law enforcement to tackle organised offshore cyber criminals.

This transparency should be commended for making possible a more mature debate on offensive cyber tools. Today’s release of the report Australia’s Offensive Cyber Capability by ASPI marks another step out of the shadows for our cyber warriors. It builds on official statements and includes detail on the strengths and weaknesses of offensive cyber power.

There are sound reasons the technical and operational details of cyber operations are kept secret. Yet too little information can be destabilising, risking an unconstrained cyber arms race as countries in our region invest in military cyber forces.

The investment in cyber capabilities provides Australia with an ability to defend against and respond to irresponsible or aggressive behaviour in cyberspace. It will complement our traditional military forces. Perhaps most significantly, being transparent about the acceptable use of cyber offence will shape the thinking of regional defence forces and help deter the unconstrained use of cyber attacks occurring elsewhere.

Originally published by: The Australian on 09 Apr 2018