Cyber Dam Busters could give Australia's military an asymmetric edge

A cyber offensive capability could knock out key infrastructure targets cheaper than conventional military kit, but Australia needs to get its messaging right to avoid triggering the neighbours.

istock-808157766-1.jpg
(Image: gorodenkoff, Getty Images/iStockphoto)

The Australian Defence Force (ADF) has a "distinct battlefield edge" because it has fully integrated its military offensive capability into ADF operations. But a "modest" additional investment would give it "an asymmetric capability against future adversaries", according to the International Cyber Policy Centre (ICPC) at the Australian Strategic Policy Institute (ASPI).

Special feature

Special report: A winning strategy for cybersecurity (free PDF)

This ebook, based on the latest ZDNet/TechRepublic special feature, offers a detailed look at how to build risk management policies to protect your critical digital assets.

Read More

"Having synchronised operations with traditional ADF forces, cyber might be able to bring something special to the table," said Tom Uren, a visiting fellow at the ICPC, and co-author of the policy paper Australia's Offensive Cyber Capability released on Tuesday.

"Perhaps you might be able to disrupt some part of an opposing military command and control. Or, and I don't think this is particularly a likely scenario, but in the case of a total war you might be able to disrupt some aspect of critical infrastructure of an opposing state that might give you an advantage that your military didn't otherwise have," Uren told ZDNet.

This wouldn't be one of the all-encompassing Cyber Pearl Harbor scenarios touted in recent years, but more focused attacks on key targets. Offensive cyber operations could provide an equivalent capability more cheaply than convention military kit, although it would also need "considerable investment" in training.

"I think the entire collapse of civilisation based on someone hacking away is totally unlikely, right? But at the same time, we've seen in the [United] States a lot of intrusions into electricity networks, and we've also seen dams in the States, and we've seen Russians flip the switch in Ukraine at least a couple of times," Uren said.

Another example was the August 2017 cyber attack on a Saudi petrochemical plant, which seemed designed to cause physical damage, and was reportedly consistent with attack preparations by a nation-state actor.

See also: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness

"It seems that there are well motivated and resourced people who are actually trying to figure out how to cause physical effects, so it seems at least plausible that that would be used if conflicts got hot enough."

Uren said that 30 or more nation-states either have or are working on an offensive military cyber capability, and several have publicly declared that they have one, including the US and the UK. Australia is unique, however, in also acknowledging publicly that it would use the offensive cyber capability against offshore cyber criminals.

Prime Minister Malcolm Turnbull said at the time that doing so "adds to our credibility as we promote norms of good behaviour on the international stage", but the ICPC expressed concern that "poor communications" could have the opposite effect. The government announced the formation of the ADF's Information Warfare Division on the same day, for example "making them appear one and the same thing".

"While some media outlets characterised the announcement as Australia potentially attacking the whole suite of 'organised offshore criminals', the announcement focused only on offshore actors who commit cyber crimes affecting Australia," the ICPC wrote.

"The limited detail and mixed reporting of the announcement ... inadvertently sent the message that it was acceptable for states to launch cyber attacks against people overseas whom they considered to be criminals. This might encourage some states to use crime as a pretext to launch cyber operations against individuals in Australia."

Your writer was among those concerned by the confused messaging. Focused cyber attacks on critical infrastructure in support of ADF operations seemed sensible, akin to creating Cyber Dam Busters to hit precision targets. But hitting organised cyber criminals, essentially civilian targets, seemed like we were moving a step closer to militarising a civilian response, creating an East India Cyber Company.

As the ICPC put it, "ASD [Australian Signals Directorate] capability being deployed against cyber criminals is likely to generate increased interest from corporate Australia. There's a policy question about whether or not Australia's offensive cyber capability should be used in support of Australian corporate interests. Given the finite resources and the tricky situations that could arise, government should consider useful ways industry could engage, clarify the limits of industry engagement, and assess how to handle industry requests to use the offensive cyber capability against actors targeting its operations."

Uren said the real message is that offensive cyber operations are still a sensitive topic for many countries.

"Most offensive capability has grown out of SIGINT (signals intelligence) agencies, and SIGINT agencies are usually the most secret organisations in governments, for good reasons. But [with] offensive cyber, we've got all sorts of countries going around behaving badly, either trying to blow up things, or actually destroying computers, and that's not something that we want to encourage," he said.

"One of the ways we can talk about what's appropriate is to say what's appropriate for us. Communicating that clearly is a good idea, full stop."

"I think it would be inappropriate for the ADF to be going around attacking cyber criminals in other countries. That seemed a bit weird. So we need to make sure that when we are messaging what these capabilities are about that we don't make those mistakes."

PREVIOUS AND RELATED COVERAGE

Security training is useless unless it changes behaviours

Improving an organisation's cybersecurity isn't just about awareness. It's about education that actually leads to behavioural change, and that often means changing the organisation's culture.

Australia needs more cyber in the middle

Government cybersecurity programs usually aim to help big, critical enterprises directly, or improve the cyber awareness of families and consumers. What about all the small and medium businesses?

Australia stepping up foreign cooperation on state-level cyber deterrence

Addressing an inquiry into Australia's trade system and the digital economy, Ambassador for Cybercrime Tobias Feakin said the nation and its neighbours are thinking 'quite actively' about how to join forces on cyber deterrence.

Cyber Research Centre labels Australia's counter-threat capacity 'relatively weak'

The centre's chair has called for an overarching capability that supports federal, state, and territory-based cyber crime-countering efforts, labelling current capacities 'relatively weak'.

These 10 US states will lose the most money to cybercrime in 2018 (TechRepublic)

California will lose as much as the bottom 36 states combined.