Allegations that Russia has been actively probing millions of routers worldwide – supported by the US, UK and Australian governments – lend currency to calls by ASPI for Australia to consider developing an offensive “asymmetric capability” that would see it proactively launching cyber attacks against other countries.
The policy brief – developed in conjunction with the Australian Computer Society – warned that nonspecific cybersecurity capability statements have created “confusion and misperceptions” about Australia’s real policies.
Even the existence of an offensive cybersecurity capability was a quietly guarded secret until 2016, when prime minister Malcolm Turnbull launched the formal Cyber Security Strategy (CSS) with the revelation that it was ready to act against hackers.
“This commendably transparent approach to telegraphing our capability and intentions hasn’t been without challenges,” the report noted. “There’s a disconnect between popular perceptions, typified by phrases like ‘cyber Pearl Harbor’, and the reality of offensive cyber operations, and reporting has at times misrepresented how these tools will be used.”
Authorities were on the offensive this week after revelations that more than 400 Australian companies had been targeted by Russian hackers that were said to have infected millions of routers around the world.
Pressed as to whether Australia would use its offensive cyber capabilities to respond to the allegations – detailed in US-CERT alert TA18-106A – cyber security minister Angus Taylor said the revelations were “a very important escalation” but balked at committing to retaliatory action.
Many within the cybersecurity community have pushed for Australia to develop its high-level cybersecurity skills: security expert Dr Gideon Creech, for one, previously told CSO Australia that the country’s cybersecurity experts need to be “excited about learning” and refining their skills through certifications such as the Cyber Guardian, of which he is one of just 35 people in the world.
Experts like Creech would likely be called upon to play an active role in offensive cyber strikes like those outlined in a white paper by Australian Centre for Cyber Security (ACCS) professor Greg Austin, who has previously argued that Australia’s cyber defences were “slow and fragmented” and that the country’s defence forces needed be ready for “mobilization of the country in very short time to fight a medium intensity, cyber-enabled hot war.”
Writing in support of the latest brief, ACS outreach manager for technology and innovation Ashton Mills said it aimed to “clarify the discussion around Australia’s offensive capabilities and provide recommendations to Government going forward…. Having more clarity about what it is and what it isn’t will hopefully lead to a much more constructive debate and discussion in Australia.”
The report includes six recommendations, including “clarity in reporting and the delineation between military and law enforcement operations; the training, recruitment and retention of skilled cyber personnel, including the raising of salaries and the formation of an alumni pool of reservists; stronger engagement with the private sector; easier information exchange through lowering classification of information; investment in asymmetric capability against future adversaries; and updating policy and legislative frameworks to keep pace with the times.”