22 Jul 2017
Secrecy surrounds cyber warfare team in Canberra basement
Underground, below a nondescript building in Russell, Canberra, is where you’ll find the headquarters for Australia’s official cyber warriors. Housed within the secretive Australian Signals Directorate, sometimes called the jewel in the crown of the Department of Defence, the place hums with the sound of computers and human brains ticking over. Light from the wall-to-wall screens illuminates the room. Only a few countries possess this capability to wage 21st-century cyber warfare.
The group’s existence at all was publicly acknowledged only a little more than a year ago, in a single reference by Malcolm Turnbull.
Unsurprisingly, given its role at the forefront of Australia’s cyber offensive capability, public references to the group attract attention. In November last year we learned this unit would be deployed against Islamic State. Last month we were told it would be deployed against cyber criminals.
While the group’s activities and abilities, understandably, are shrouded in secrecy, the fleeting public references have led to speculation and confused media reporting.
The International Cyber Policy Centre at the Australian Strategic Policy Institute is preparing a detailed report on Australia’s offensive cyber capability to shed some light. Some initial findings follow.
Two things are immediately striking: the sophistication and integrity of the process surrounding the use of cyber warfare.
When most people think about this subject they conjure up images of Russian hackers taking down something like a Ukrainian power plant. For Australia’s cyber warriors there are two things immediately wrong with this example, and they both speak to the strengths of our program. First is the ready identification of Russia as the perpetrator. Our cyber warriors are fastidious in hiding their identity. If you are hit by Australia you have next to no chance of knowing who hit you, and you may not even notice you have been hit. Subtlety is preferred to sledgehammer.
Second is the indiscriminate damage that bringing down a power plant would wreak. Killing the power supply isn’t just an inconvenience; it can kill people at hospitals, in freezing nursing homes and in cities with no traffic lights. Australia’s offensive cyber capability easily can inflict carnage on the scale of a Russian power plant attack, but indiscriminate attacks that lack proportionality are not used. This self-imposed restraint means Australia has to invest more in careful targeting of its cyber operations. It ensures actions are consistent with international law and would not breach public trust.
Australia has a spectrum of conventional tools and weapons at its disposal, and it is the same with its cyber capability. At the soft end are intrusions that target the mobile phones and laptops of our enemies. At the hard end are destructive and disabling capabilities that can affect a range of physical infrastructure. These are the operations that would reach the government’s high threshold of an official cyberattack. It defines a cyberattack as “a deliberate act through cyberspace to manipulate, disrupt, deny, degrade or destroy computers or networks, or the information resident on them, with the effect of seriously compromising national security, stability or economic prosperity”.
Integration with our traditional capability is advanced. Australia is one of a handful of states capable of deploying offensive cyber operations in direct support of military operations. This is an important advantage as almost everything on the battlefield goes digital. By this measure not even large cyber players such as Russia are considered to have this capability. While Russia has used cyber tools in its invasions of Georgia and Ukraine, the cyber component has not been integrated with the ground manoeuvre and has been indiscriminate in nature (for instance, taking down government websites and targeting civilian populations with power outages).
The integrity of the process governing the use of offensive cyber capability in Australia is essential to the maintenance of public trust and confidence. What is reassuring about Australia’s approach is its integration into the existing Australian Defence Force processes that apply to the use of conventional weapons. Targets for operations are chosen the same way as for regular ADF operations: through a targeting board convened by the Chief of Joint Operations, who is a three-star officer responsible for the Joint Operations Command. Every offensive cyber operation is signed off by lawyers in the Attorney-General’s Department and the Defence Department, who assess it to ensure it is proportionate, discriminates, is necessary and is consistent with Australia’s obligations under international law.
Unsurprisingly, nation-states that attack Australia in future would become obvious targets. And we know Islamic State has been a target, although not in much detail. During Senate estimates in May when senator Kimberley Kitching asked how many times Defence had used its offensive cyber capabilities, the answer from Chief of the Defence Force Mark Binskin was: “We will not talk about operational matters.”
The third group we know will be targeted are cyber criminals. It is here where great confusion has spread. In some media outlets this was translated to mean Australia was suddenly going after the entire category of “organised offshore criminals”. That would have been a radical departure from traditional law enforcement protocols that pay respect to the sovereignty of states and give the state from which a criminal is operating primacy when it comes to law enforcement.
The truth, lost in the reporting, is less revolutionary. Australia’s offensive cyber capability will be deployed in support of law enforcement agencies (rather than the military) against a narrow range of actors: cyber criminals who are targeting Australia, whose operations are transnational and who are beyond the reach of traditional law enforcement, such as in failed states.
So mafia bosses and drug lords working in traditional organised crime can relax: for the moment they are not in the crosshairs of Australia’s cyber warriors (although the Australian Federal Police may be another matter). More likely are subtle online operations against networks of significant cybercrime syndicates, aimed at disrupting their ability to operate and sowing doubt about the integrity of their networks.
However, the limited detail and mixed reporting surrounding the announcement that Australia would deploy its offensive cyber capability against transnational cyber criminals was unfortunate. Australia became the first state openly to admit it would target overseas cybercrime networks. While most people may agree with going after these hard-to-reach villains, it is another thing to make it public.
By being sloppy with the detail, Australia has created a rod for its own back. Australia often provides shelter to people, such as human rights and political advocates, who are sometimes deemed criminals in their home countries. If these nation-states start conducting cyber operations against these individuals, it will be harder for us to dispute the breach of our sovereignty. Some states may use any act they deem a “crime” as a pretext to conduct cyber operations against individuals in Australia.
It is a reminder of how new these technologies are; everyone is still feeling their way forward.
Australia’s offensive cyber capability is an important new national security capability and a valuable addition to the ADF. While most of its work will remain a secret, a little more clarity around its broad role and objectives will help ensure a more informed debate about its utility and need. It will also help frame international standards of acceptable behaviour.