The Australian Government and even the corporate world should have legal backing to retaliate against online attacks, according to a cybersecurity report released on Friday.
(670 image by Tomer Gabel, CC BY-SA 2.0)
"Domestic law needs to be reviewed so that agencies and corporations can engage in active defence," said Gary Waters, a former Air Commodore and co-author of the Kokoda Foundation report, which was released on Friday, but foreshadowed by ZDNet Australia earlier this month. "We need to be able to say my critical infrastructure is off-limits and if you hammer me I will hammer you back."
"Nation-states under cyber attack have a right to attack — arguing what that is precisely needs to occur."
Counter-attacks would act as a deterrent to online attacks sponsored by the governments of other countries, Waters said, much as attacks work in traditional warfare.
He said that, at present, industry and governments shy away from the role counter-attacks play in legitimate defence of private and state infrastructure. He believes laws must be reformed to legalise active-defence under certain conditions to improve national security.
"Increased dialogue and clearer legal guidance in this area is needed to ensure that self-defence actions are not illegal and potentially damaging to Australia's national interests where such activities result in collateral damage to other nations," said the report.
In some cases, the origin of an attack may not be clear, as it may be routed through another country. Waters said that in such a case, the country that the attack was routed through could be considered as "part of the attack".
He proposed that an international cybersecurity taskforce, similar to those used to combat terrorism, be established to combat network attacks.
But Internode network engineer Mark Newton said the concept of counter-attacks, or active-defence, is unethical and that the tactic is not effective online because of the anonymity of attackers.
"I think it is a terrible idea," Newton said. "In the offline world we wouldn't empower BHP to counter-attack protesters."
He said this would be the duty of law enforcement, but even then, counter-attacks would inevitably affect innocent users.
"I can't see an effective way that this can work. It is not warranted or effective."
Both the Kokoda Foundation and the influential New York-based EastWest Institute have called for the creation of rules for state-sponsored network attacks, from simple "norms" to an online Geneva Convention.
The EastWest Institute released a report last week by joint Russian-American security experts detailing the need for the humanitarian principles in the Geneva and Hague Conventions to be applied to the Laws of War online.
"Today, nearly all critical civilian infrastructure is online, from the electricity grids that support hospitals to the systems that guide passenger planes through the air," the paper's US lead researcher Karl Rauscher said. "And, by and large, it is not protected by international norms."
The Australian Kokoda Foundation report did not push for the conventions to be applied online, because they already apply in cyberspace, according to Waters. Instead, the paper espoused "normalised" conduct in which countries agree not to attack each other's critical infrastructure.
"Cybersecurity should be tackled through norms not more treaties," Waters said.
The report said such norms could see distributed denial-of-service (DDoS) attacks treated akin to chemical weapon attacks "because of the low cost of entry and inability to discriminate — that is, they are never admissible under international law".
"A second norm might be that national power grids and other critical infrastructure can be attacked only in an openly declared state of 'kinetic conflict'. A third might be that financial grids are to be treated in similar vein to hospitals," the report said.
Waters said the concept of an online-only "cyberwar" will never eventuate.
But he said Australia is in a good defensive position because of its diplomatic ties to the US and within the Asia Pacific.
The report, co-written by former Air Vice-Marshal John Blackburn, also recommended all transport, power, water and energy Supervisory Control and Data Acquisition (SCADA) systems be disconnected from the "wider internet", although it noted that the move would both "simplify the problem space" and be a "very expensive and disruptive option to implement".
(Carousel image credit: Soldier rifle firing image by Gopal Aggarwal, CC2.0)