"Cyber espionage is a fact of life internationally. And the fact that it continues to be a fact of life internationally is a product of the fact that it has been so successful internationally."
So said David Irvine, former director-general of the Australian Security Intelligence Organisation (ASIO), and former head of the Australian Secret Intelligence Service (ASIS), at Fortinet's Security 361° Symposium in Sydney on Wednesday.
News of cyber espionage is commonplace now, with nearly every story pointing the finger at unspecified nation-state actors. Well, unless they straight-up finger China. Or Russia. Or Iran.
Irvine mentioned the breach of the Australian parliamentary network in 2011, and the breach of the Bureau of Meteorology revealed in 2015. But he was particularly impressed with the breach of the US Office of Personnel Management (OPM), revealed in 2015.
"If you're in the intelligence business, you really do have to admire the theft by a foreign intelligence service of the personal details of 25 million US government employees, including details of their security clearances," Irvine said.
"This was an extraordinary attack on the ability of intelligence services to defend the national security [of the US]."
But while cyber espionage has been grabbing the headlines, less attention is being given to the cyberisation of another two traditional intelligence-service activities: sabotage and disinformation.
"We don't think so much of state-based sabotage, but in fact the disruption or disabling or destruction of key infrastructure, to weaken our war-fighting capabilities, or our national and social cohesion, is a significant element of warfare in the planning books of every military anywhere in the world today," Irvine said.
It's traditional at this point to cite allegedly Russian efforts. The attacks on Georgia's internet infrastructure in 2008, for example. Or the well-planned attack on Ukraine's power grid in late 2015.
Other nations are presumably at it as well, but we don't talk about cyber sabotage alleged to have come from the Five Eyes nations. Except Stuxnet, I suppose.
"The wars of the 21st century will be fought in cyberspace," Irvine said, perhaps before engaging any of the other four domains of land, sea, air, and space.
But there's another old issue creeping onto the stage in cyber clothes, Irvine warned, and that's attempting to covertly influence political developments.
"Now this has long been an element of the art of intelligence. Find ways to influence your opponents or whatever to do things you want, rather than things they want to do. But the internet has provided a new vector for doing this," Irvine said.
"I would suggest to you that a classic example of covert influencing is -- and if the reports are true that it was Russian intelligence -- it's the penetration of the Democratic National Committee's entire email system, and then using our good friend Mr WikiLeaks to release it to the rest of the world in ways that were severely embarrassing to the Democratic Party, caused its party chairman to resign, and campaign chairman to resign, [and] which contributed in some measure to perceptions of the Clinton campaign," he said.
"The same thing didn't happen with the Trump campaign. I'll leave you to draw your conclusions about that."
The internet means we can now flood the world with misinformation and disinformation. And because the internet is such a democratic institution, it's difficult to filter the correct from the incorrect, or the deceptive from the normal.
"We need to be looking at that notion of covert influencing very carefully," Irvine said.
There's one big difference between the spooky operations done the traditional way and their new cyber forms, however. No longer are they restricted to the well-funded national intelligence organisations.
"It's not just a question, however, of nation-states [doing] the sort of things that I was dealing with primarily when I was in the security business," Irvine said.
"The tools that are available to nation-states are also available to non-state actors. The tools to conduct espionage, the tools to conduct sabotage, the tools to covertly influence, to commit crimes and so on, are there, and they're available.
"A key issue in terms of what I call civilian espionage, and non state-based espionage, is the theft of intellectual property. It's done by both state and non-state actors. Some states do it on an incredibly industrial scale. You would be amazed at how the tentacles of cyber espionage can spread, all from the one place, and all directed to one end."
There were no new stories in Irvine's presentation. We've reported them all before. But what Irvine did was to speak with the authority of someone who's been there and done that.
Espionage, sabotage, and covert influence have always been part of the spying game, and now they've all gone cyber. Now everyone's doing it, they're doing it now, and they're doing it to you with their cyber tentacles.
Get used to it. And then do something to defend against it.