In this interview we speak to Fergus Hanson, co-author with Tom Uren of the Australian Strategic Policy Institute’s (ASPI) Policy Brief #3: Australia’s Offensive Cyber Capability and we discuss the launch and implications of Policy Brief #4 Deterrence In Cyberspace – Spare the costs, spoil the bad state actor by Chris Painter. Recorded at the Australian Computer Society, Sydney, Friday 1 June 2018.
Researchers have identified more than 100 states with military and intelligence cyber units, ranging considerably in capability and compliance with international law. The US Cyber Command’s action arm, the Cyber Mission Force, is building to 6,200 military and civilian personnel, or about 10% of the ADF, and for the 2018 financial year requested a US$647 million budget allocation. China has been accused of stealing enormous quantities of intellectual property, North Korea has used cyber tools to steal money, and Russia is accused of using a range of online methods to influence the 2016 US presidential election.
This policy brief seeks to further clarify the nature of Australia’s offensive cyber capability. It recommends improving communications, using innovative staff recruitment and retention options, deepening industry engagement and reviewing classification levels in some areas.
The report is structured into the following parts:
- What’s an offensive cyber operation?
- Organisation, command and approvals
- Operations against declared targets
- Risks
- Checks, balances and compliance with international law
- Strengths and weaknesses
- Future challenges and recommendations.
Australia’s Capability
On 30 June 2017 Australia became the first country to openly admit that its cyber offensive capabilities would be directed at ‘organised offshore cyber criminals’ and the then Minister Assisting the Prime Minister for Cyber Security, Dan Tehan, announced the formation of an Information Warfare Division within the ADF.
Australia has declared that it will use its offensive cyber capabilities to deter and respond to serious cyber incidents against Australian networks; to support military operations, including coalition operations against Daesh in Iraq and Syria; and to counter offshore cybercriminals. Given ASD’s role in intelligence gathering, operations can integrate intelligence with cyber operations—a mission-critical element.
Offensive cyber operations in support of [ADF] operations are planned and executed by ASD and Joint Operations Command under direction of the Chief of Joint Operations. Targeting for offensive cyber operations occurs in the same manner as for kinetic ADF operations. Any offensive cyber operation in support of the ADF is planned and executed under the direction of the Chief of Joint Operations and, as with any other military capability, is governed by ADF rules of engagement.
Decisions on which cybercriminal networks to target follow a similar process to those for military operations, including that particularly sensitive operations could require additional approvals, although the exact processes haven’t been disclosed. Again, these operations would have to comply with domestic law and be consistent with Australia’s obligations under international law.
In contrast to Australia’s model, the UK’s National Offensive Cyber Programme is a partnership between the Ministry of Defence and the Government Communications Headquarters (the latter organisation’s minister is the Secretary of State for Foreign and Commonwealth Affairs). In the US, the offensive cyber military capability is housed within Cyber Command, which will be raised to the status of a unified combatant command for cyberspace operations.
Recommendations
The Policy Brief, alongside other ASPI publications, is a worthwhile compass point and provides six recommendations, summarised as:
- The Australian Government should be careful when publicly discussing the offensive capability, particularly to distinguish the military and law enforcement roles.
- Recruiting and retaining Australia’s top technical talent is a major hurdle. A pool of alumni working as cleared reservists could be used as an additional workforce without the significant investment required in conducting entirely new clearances.
- There’s a policy question about whether or not Australia’s offensive cyber capability should be used in support of Australian corporate interests.
- The government should continue to scope the potential benefits from lowering the classification of information associated with offensive cyber operations.
- Consider conducting a cost–benefit analysis on the relative value of substantial further spending on cyber to provide it with an asymmetric capability against future adversaries. This would need to include a considerable investment in training.
- There appears to be scope to update the existing policy and legislative framework that governs the employment of offensive cyber in deployed operations to support those kinds of activities.
POLICY BRIEF: DETERRENCE IN CYBERSPACE – Spare the costs, spoil the bad state actor: Deterrence in cyberspace requires consequences; Australian Strategic Policy Institute, Chris Painter
As the report cover suggests, ‘spare the costs, spoil the bad state actor: Deterrence in cyberspace requires consequences.’
Deterrence in cyberspace is a complex issue. One of the most widely cited reasons for the lack of action is the actual and perceived difficulty in attributing malicious cyber activity.
An effective deterrence framework involves strengthening defences (deterrence by denial); building and expanding the consensus for expectations of appropriate state behaviour in cyberspace (norms and the application of international law); crafting and communicating—to potential adversaries, like-minded partners and the public—a strong declaratory policy; timely consequences, or the credible threat thereof, for transgressors; and building partnerships to enable flexible collective action against those transgressors.
The key recommendations are:
- Shorten the attribution cycle.
Making progress on speeding technical attribution will take time, but delays caused by equity reviews, inter-agency coordination, political willingness, and securing agreement among several countries to share in making attribution are all areas that can be streamlined. Often the best way to streamline these kinds of processes is to simply exercise them by doing more public attribution while building a stronger political commitment to call bad actors out.
- If attribution can’t be made or announced in a fairly brief period, couple any later public attribution with at least one visible responsive action.
Attribution six months or a year after the fact with the vague promise of future consequences will often ring hollow, particularly given the poor track record of imposing consequences in the past. When attribution can be made quickly, the promise of a future response is understandable, but delaying the announcement until it can be married with a response may be more effective.
- Mainstream and treat cybersecurity as a core national and economic security concern and not a boutique technical issue.
If cyberattacks really pose a significant threat, governments need to start thinking of them like they think of other incidents in the physical world. It is telling that Prime Minister Theresa May made public attribution of the Salisbury poisonings in a matter of days and followed up with consequences shortly thereafter. Her decisive action also helped galvanise an international coalition in a very short time frame. Obviously that was a serious matter that required a speedy response, but the speed was also possible because government leaders are more used to dealing with physical world incidents. They still don’t understand the impact or importance of cyber events or have established processes to deal with them. Mainstreaming also expands and makes existing response options more effective.
- Build flexible alliances of like-minded countries to impose costs on bad actors.
A foundational element of this is improving information sharing, both in speed and substance, to enable better collective attribution and action. Given classification and trust issues, improving tactical information sharing is a difficult issue in any domain. However, a first step is to discuss with partners what information is required well in advance of any particular incident and to create the right channels to quickly share that information when needed. It may also require a re-evaluation of what information must absolutely be classified and restricted and what can be shared through appropriately sensitive channels.
- Improve diplomatic messaging to both partners and adversaries.
Improved messaging allows for better coordinated action and serves to link consequences to the actions to which they’re meant to respond. Messaging and communication with the bad actor while consequences are being imposed can also help with escalation control. Of course, effective messaging must be high-level, sustained and consistent if the bad actor is to take it seriously. Sending mixed messages only serves to undercut any responsive actions that are taken.
- Collaborate to expand the toolkit.
Work with like-minded states and other stakeholders to expand the toolkit of potential consequences that states can use, or threaten to use, to change and deter bad state actors.
- Work out potential adversary-specific deterrence strategies.
Actual or threatened responsive actions are effective only if the target of those actions is something that matters to the state in question, and that target will differ according to the particular state involved. Of course, potential responses should be in accord with international law.
- Most importantly, use the tools we already have to respond to serious malicious cyber activity by states in a timely manner.
Imposing consequences for bad action not only addresses whatever the current bad actions may be but creates a credible threat that those consequences (or others) will be imposed in the future.
We must change the calculus of those who believe this is a costless enterprise. Imposing effective and timely consequences for state-sponsored cyberattacks is a key part of that change.
Policy Brief #3 is available at https://www.aspi.org.au/report/australias-offensive-cyber-capability
Policy Brief #4 is available at https://www.aspi.org.au/report/deterrence-cyberspace