Blaming Russia for NotPetya was coordinated diplomatic action

Australia is developing international partnerships to help deter 'inappropriate behaviour' in cyberspace. Naming and shaming is part of its deterrence framework.
Written by Stilgherrian , Contributor
(Image: Getty Images/iStockphoto)

In February, within days of each other, seven nations including Australia attributed the NotPetya cyber attacks to Russia. It was no coincidence, according to Australia's Ambassador for Cyber Affairs, Dr Tobias Feakin.

"That represented the largest coordinated attribution of its kind to date," Feakin told the Australian Cyber Security Centre (ACSC) Conference in Canberra on Thursday.

The governments of the US, the UK, Denmark, Lithuania, Estonia, Canada, and Australia called out Russia in official statements. Official statements of support came from New Zealand, Norway, Latvia, Sweden, and Finland.

"That had followed also an additional coordinated calling-out of DPRK [North Korea] as responsible for the WannaCry incident," Feakin said.

"What we're doing is maturing this approach in order that the consequences will be felt further in the future. So another key part of deterrence is signalling to another country, to provide clear, consistent, and credible messaging to adversaries that there will be repercussions for the behaviour that they're conducting."

Australia has been a leader in the rapidly-developing field of cyber diplomacy.

In October 2017 it launched an International Cyber Engagement Strategy, making clear it will "deter and respond to unacceptable behaviour in cyberspace". The hawkish language has raised the question of whether we risk triggering a regional cyber arms race.

"States' malicious activities in cyberspace are just another element of how they are attempting to exert power and influence across the world," Feakin said.

"When you get into this whole area of work, it's seeing cyberspace as not just some special bolt-on in the international system. It's a core part of business, and it needs to be perceived more in the light of these big-change events than just this specialist area of work. And the rules-based international order applies equally in cyberspace as it does in the physical space, and we have to hold countries accountable for what they do in this regard."

Australia was instrumental in developing the UN-agreed 11 international norms for nation-state behaviour in cyberspace, and continues to support them, but has found that unilateral action against transgressors hasn't been effective.

"We're trying to examine how you increase the cost of inappropriate behaviour and malicious activities which overstep the mark. And recent events are suggesting to us that malicious actors believe their improper behaviour in cyberspace is completely immune to any kind of punishment. So we're looking at developing greater international cooperation and coordination between nations, and like-minded countries especially, to respond to these kinds of malicious activities," Feakin said.

"We need countries thinking twice about, well, 'Do I press go on this particular set of malicious activity? Is it worth the repercussions?'"

Such responses don't have to be cyber.

"It could involve a whole range of different levers of government, be they economic, legal, political, diplomatic, or God forbid, military measures as well at the top end of the scale. But it really does all depend on the severity, the impact, the nature of the incident being dealt with," Feakin said.

"Responses should be creative in thinking about how you combine the different kinds of policy responses, and the fabled prospect of -- or if you like, line that I'm sure you've been given many times, but perhaps not in this regard -- is how do we cooperate and collaborate with the private sector in a deterrence framework?"

Feakin emphasised that Australia's response would always be "consistent with international and domestic law", as well as with the 11 international norms of behaviour.

"A key requirement of this deterrence framework is accurate attribution, and it's a form of deterrence in itself. Naming and shaming, by calling out countries who flaunt the rules, is an important part of this framework," he said.

"There is a bit of a myth saying that attribution is impossible, and it's perpetuated by countries who really want to continue to operate in cyberspace with impunity. It's often the response you get when you call out particular countries. 'You don't have the evidence. This is complete fabrication.'

"Well I'm sorry, it's not, and we know it's not, because we wouldn't be saying these things in the international environment just for the fun of it. It's the fact that we have evidence to prove that this activity is attributed to you."

In October 2017, foreign minister Julie Bishop stated that Australia can pinpoint the individual humans responsible for a cyber attack. You can assume that the other Five Eyes nations -- the US, UK, Canada, and New Zealand -- have access to that same capability.

Related Coverage

Cyber Dam Busters could give Australia's military an asymmetric edge

A cyber offensive capability could knock out key infrastructure targets cheaper than conventional military kit, but Australia needs to get its messaging right to avoid triggering the neighbours.

Supporting digital trade a key element of Australia's cyber diplomacy: Feakin

'Global in perspective, regional in focus' is the mantra underpinning Australia's forthcoming International Cyber Engagement Strategy -- but with trade come norms of behaviour, and enforcement.

Australia stepping up foreign cooperation on state-level cyber deterrence

Addressing an inquiry into Australia's trade system and the digital economy, Ambassador for Cybercrime Tobias Feakin said the nation and its neighbours are thinking 'quite actively' about how to join forces on cyber deterrence.

Australia also points finger at Russia for NotPetya

The Australian government has joined the United Kingdom and the United States in blaming the Kremlin for NotPetya attacks.

Bad Rabbit: A new Petya-like ransomware that's spreading, but beatable (TechRepublic)

A new Petya variant is spreading through Eastern Europe, but with the proper security precautions it is entirely possible to avoid a serious ransomware outbreak on your network.

Editorial standards