Russian ransomware operators need to be called out and suffer real consequences, according to retired general Keith Alexander, former head of the US National Security Agency (NSA) and US Cyber Command.
"Right now, the ransomware guys, in Russia predominantly, get off pretty much free. There is very limited downside for them," Alexander told a seminar at the Australian Strategic Policy Institute's International Cyber Policy Centre last week.
"We have to attribute who's doing it and make them pay a price."
"Imagine if we indicted and put their picture up, and said, 'That's the guy, and if we can, we will arrest you. You can't move out of Russia. You're gonna have to stay there for the rest of your life'."
Alexander has always sat at the hawkish end of the cyber spectrum.
In 2013 he echoed then-McAfee vice-president Dmitri Alperovitch's description of cybercrime and cyber espionage as the greatest transfer of wealth in history -- perhaps forgetting for a moment the vast empires of the European colonial powers.
Now he notes the importance of international cooperation against the cyber forces of nation-states and their puppets.
"All the attacks that are going on there [in Australia], here [in the US], in Europe, the theft of intellectual property, this is something that we need to collectively get out in front of," he said.
Alexander described the July 1 speech by China's president Xi Jinping as "a gauntlet being laid down that said there would be bloodshed and bashing of heads". If the West pushes China over Taiwan or the South China Sea, "there's no limit to where they will go".
"I think we have to set that red line, and we have to work together to do it."
That cooperation has to extend into the private sector, he said.
Incident response is not a defensive measure
"I think the biggest problem that I faced in government, and that we face today, is governments -- not just ours but yours as well -- can't see attacks on the private sector. Yet the government is responsible for defending the private sector," Alexander said.
"How are you going to defend that which you can't see? Incident response is not a defensive measure. That's after everything bad has happened."
The SolarWinds supply chain attack is a prime example. The government didn't find out about it until after the fact.
"Now people push on the government, 'Hey, why didn't you know?' And the answer is because the government doesn't have the authority, nor the capability, to see all the attacks on critical infrastructure," Alexander said.
"We need ... I'll call it an event generator, that shows events that are hitting companies at network speed, that can be anonymized, pushed up to the cloud, and create a radar picture, so you can now see all the companies where these types of events are hitting."
Needless to say, the conversation was peppered with words such as "behavioural analytics", "expert system", "machine learning" and "artificial intelligence".
Overcoming fears of sharing data with governments
This need for cooperation, partnerships, and information sharing has been cited at every conference since the cybers were all in Roman numerals. But if everyone agrees that it's a good thing, why doesn't it just happen?
"The real key issue is what are we talking about sharing?" Alexander said.
If you're talking about sharing the details of cyber events as we know them today, that is, things that you're blocking, then that sharing is "almost useless", because you're already blocking it.
Alexander says we have to share "all the things you don't know".
To your correspondent, that sounds like private sector organisations having to share a lot more raw data with government agencies. Data about things they don't yet know are a threat.
Data which they might prefer, for whatever reasons, to keep out of government hands.
The head of the Australian Cyber Security Centre (ACSC), Abigail Bradshaw, has noted a reluctance for organisations to share data with the agency. Sometimes they even lawyer up to prevent ACSC involvement in a breach investigation.
"Perhaps there's a commercial stigma or reputational stigma about reporting and alerting the public, and therefore shareholders, about a weakness," Bradshaw said.
"We've made it super, super clear that the ACSC is not a regulator," she said.
"The consequence of that is I become very boring in media interviews, because I refuse to talk about the juiciest case that's come along. And apologies to all journalists, but it's something that I will continue to defend."
It's no accident that IronNet, the company Alexander founded when he left the NSA in 2014, has developed a "collective defense platform" which "leverages advanced AI-driven network detection and response capabilities to detect and prioritize anomalous activity inside individual enterprise network environments".
The obvious pitch is that governments could engage such a private sector system to correlate both government and non-government data, perhaps allaying some of the fears that would surround a purely government-owned platform.
Bradshaw said that one of "the best parts" of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and its architecture is that there's a "clear separation" between the regulators and the ACSC in its cyber assistance and response function.
The Department of Home Affairs has repeatedly requested that the Bill be rushed through Parliament. However, the Parliamentary Joint Committee on Intelligence and Security has recommended it be split in two so that its more controversial aspects can be discussed in more depth.
AUKUS and The Quad: not a modern jazz combo
Alexander also praised the recently announced AUKUS defence technology agreement between Australia, the US, and the UK.
At the heart of AUKUS is an intention for Australia to obtain a fleet of eight nuclear-powered submarines, but other technologies will be shared as well.
"Cyber is going to be hugely important for our future," Alexander said.
"It's the one area where adversaries can attack Australia, and the United States, without trying to cross the oceans. They can do it in cyber, and we have tremendous vulnerability. So getting out in front of that, I think is hugely important."
Alexander envisages a cyber radar picture that covers not just the AUKUS nations but other allies such as the Quadrilateral Security Dialogue (the Quad) of Australia, India, Japan, and the US.
"Imagine if we could build, and we built, a radar picture for cyber that covered not only what impacts Australia, but what impacts other countries. And we could share in real time threats that are hitting our countries, and protect from that," he said.
"I think when you start thinking about the Quad and other things, that's the type of thing I would say, as we move forward, that's where our partnership has to go."