Tag Archive for: cyberattack

Using open-source AI, sophisticated cyber ops will proliferate

Open-source AI models are on track to disrupt the cyber security paradigm. With the proliferation of such models—those whose parameters are freely accessible—sophisticated cyber operations will become available to a broader pool of hostile actors.

AI insiders and Australian policymakers have a starkly different sense of urgency around advancing AI capabilities. AI leaders like Dario Amodei, chief executive of Anthropic, and Sam Altman, chief executive of OpenAI, forecast that AI systems that surpass Nobel laureate-level expertise across multiple domains could emerge as early as 2026.

On the other hand, Australia’s Cyber Security Strategy, intended to guide us through to 2030, mentions AI only briefly, says innovation is ‘near impossible to predict’, and focuses on economic benefits over security risks.

Experts are alarmed because AI capability has been subject to scaling laws—empirical regularities showing that capability climbs steadily and predictably with compute, data and model size, much as Moore’s Law did for semiconductors. Billions of dollars are pouring into leading labs. More talented engineers are writing ever-better code. Larger data centres are running more and faster chips to train new models on larger datasets.

The emergence of reasoning models, such as OpenAI’s o1, shows that giving a model time to reason at inference time, perhaps a minute or two, increases performance on complex tasks, and giving models more time to think increases performance further. Even if the chief executives’ timelines are optimistic, capability growth will likely be dramatic, and expecting transformative AI this decade is reasonable.

The effect of the introduction of thinking time on performance, as assessed in three benchmarks. The o1 systems are built on the same base model as GPT-4o but benefit from thinking time. Source: Zijian Yang/Medium.

Sceptics of AI capability downplay the concern, arguing, for example, that high-quality data may run out before we reach risky capabilities or that developers will prevent powerful models from falling into the wrong hands. Yet these arguments don’t stand up to scrutiny. Data bottlenecks are a real problem, but the best estimates place them relatively far in the future. The availability of open-source models, the weak cyber security of labs and the ease of jailbreaks (prompting or fine-tuning a model so that it ignores its safety restrictions) make it almost inevitable that powerful models will proliferate.

Some also argue we shouldn’t be concerned because powerful AI will help cyber-defenders just as much as attackers. But defenders will benefit only if they appreciate the magnitude of the problem and act accordingly. If we want that to happen, contrary to the Cyber Security Strategy, we must make reasonable predictions about AI capabilities and move urgently to keep ahead of the risks.

In the cyber security context, near-future AI models will be able to continuously probe systems for vulnerabilities, generate and test exploit code, adapt attacks based on defensive responses and automate social engineering at scale. That is, AI models will soon be able to do automatically and at scale many of the tasks currently performed by the top talent that security agencies are keen to recruit.

Previously, sophisticated cyber weapons, such as Stuxnet, were developed by large teams of specialists working across multiple agencies over months or years. Attacks required detailed knowledge of complex systems and judgement about human factors. With a powerful open-source model, a bad actor could spin up thousands of AI instances with PhD-equivalent capabilities across multiple domains, working continuously at machine speed. Operations of Stuxnet-level sophistication could be developed and deployed in days.

Today’s cyber strategic balance—based on limited availability of skilled human labour—would evaporate.

The good news is that the open-source AI models that partially drive these risks also create opportunities. Specifically, they give security researchers and Australia’s growing AI safety community access to tools that would otherwise be locked away in leading labs. The ability to fine-tune open-source models fosters innovation but also empowers bad actors.

The open-source ecosystem is just months behind the commercial frontier. Meta’s release of the open-source Llama 3.1 405B in July 2024 demonstrated capabilities matching GPT-4. Chinese startup DeepSeek released R1-Lite-Preview in late November 2024, two months after OpenAI’s release of o1-preview, and will open-source it shortly.

Assuming we can do nothing to stop the proliferation of highly capable models, the best path forward is to use them.

Australia’s growing AI safety community is a powerful, untapped resource. Both the AI safety and national security communities are trying to answer the same questions: how do you reliably direct AI capabilities, when you don’t understand how the systems work and you are unable to verify claims about how they were produced? These communities could cooperate in developing automated tools that serve both security and safety research, with goals such as testing models, generating adversarial examples and monitoring for signs of compromise.

Australia should take two immediate steps: tap into Australia’s AI safety community and establish an AI safety institute.

First, the national security community should reach out to Australia’s top AI safety technical talent in academia and civil society organisations, such as the Gradient Institute and Timaeus, as well as experts in open-source models such as Answer.AI and Harmony Intelligence. Together they could develop a work program that builds on the best open-source models to understand frontier AI capabilities, assess their risks and use those models to our national advantage.

Second, Australia needs to establish an AI safety institute as a mechanism for government, industry and academic collaboration. An open-source framing could give Australia a unique value proposition that builds domestic capability and gives us something valuable to offer our allies.

The new ‘Geneva code’ for hackers on the cyber battlefield

There’s been plenty of debate about why Russia’s invasion of Ukraine never devolved into the full-blown cyber Armageddon many expected at the start of the war, and what that suggests about the role of cyber operations in kinetic warfare.

Yet, while the cyber elements of the conflict may not have played out as anticipated, Ukraine is still very much fighting a constant cyberwar. And one of the more surprising aspects of this battle has been the number of civilian hackers from all over the world who have joined in.

When Russia first invaded Ukraine, there was a free-for-all as volunteer hackers descended on the digital battlefield launching uncoordinated cyberattacks against both sides. These activities added further layers of chaos and disruption to the war as each side tried to figure out who was responsible for which attacks and how to respond appropriately and proportionally.

While Russia has long had notoriously close (if not direct) ties with various pro-Russian hacking groups and appears to be happy to let them run rampant, Ukraine rallied hackers on its side to come together as a volunteer force. The IT Army of Ukraine now has hundreds of thousands of members working together to coordinate cyber defences and direct cyberattacks in support of Ukraine’s military objectives.

However, the participation of these hackers on both sides has blurred the lines between civilians and combatants, creating a complex legal dilemma that is playing out in real time. The fog of war is hard enough without the extra confusion that arises when civilians in third countries launch cyberattacks against military assets or critical infrastructure like hospitals or energy facilities that could result in losses of innocent lives—let alone the potential for more significant attacks that could have even bigger consequences.

In an attempt to rein in the chaos surrounding the role of civilian hackers in the Russia–Ukraine conflict—as well as the broader rise of private actors joining other digital battlefields—last month the International Committee of the Red Cross issued eight rules for civilian hackers to follow during armed conflict. The rules are:

  1. Do not direct cyberattacks against civilian objects.
  2. Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately.
  3. When planning a cyberattack against a military objective, do everything feasible to avoid or minimise the effects your operation may have on civilians.
  4. Do not conduct any cyber operation against medical and humanitarian facilities.
  5. Do not conduct any cyberattack against objects indispensable to the survival of the population or that can release dangerous forces.
  6. Do not make threats of violence to spread terror among the civilian population.
  7. Do not incite violations of international humanitarian law.
  8. Comply with these rules even if the enemy does not.

In the same statement, the Red Cross also reminded states of their international legal obligations regarding civilian hackers—namely, that states are responsible for hackers who act under their direction or control, and that they must prevent breaches of international law and stop and prosecute unlawful activity taking place within their territory or jurisdiction.

Neither the rules for hackers nor the reminders for states are new or revolutionary—they draw on established international law and an enormous body of work on how international law applies to cyberspace. However, they do distil this work into clear and simple language that’s easy to understand.

The voluntary principles for both hackers and states also reflect an acknowledgement of the evolving nature of warfare and the necessity to uphold humanitarian principles, regardless of the domain in which hostilities occur. The rules apply to all armed conflicts—not just the Russia–Ukraine war—signifying a recognition of the permanent and growing role that cyber operations and civilians play in modern warfare. They also seek to draw attention to the risks civilian hackers bring upon themselves by participating in armed conflict.

Ideally, these rules would result in hacking groups restricting their activities to official or military targets rather than civilian infrastructure, which in turn would dramatically reduce the number of destructive cyberattacks that affect non-combatants.

However, the effectiveness of these rules ultimately hinges on the hacking community’s adherence to them. This raises a crucial question: will civilian hackers abide by this new ‘Geneva code’?

It’s not clear that they will. Hackers’ initial reactions to the rules were negative. The pro-Russia Killnet group asked why it would listen to the Red Cross, while Ukrainian hackers voiced concerns about being at a disadvantage if they followed the rules, given that pro-Russian groups frequently violate the principles. Killnet and the IT Army of Ukraine have both now committed to adhering to these rules. Other hacktivist groups around the world have said they won’t.

Indeed, despite the rules’ release, within hours of Hamas launching its devastating attack on Israel last month, civilian hackers had joined the conflict on both sides. This activity has continued and there has been a rise in hacking tied to states such as Russia and Iran.

While the decentralised and often anonymous nature of hacking makes enforcement a challenge, the Red Cross’s initiative is ultimately still a significant and welcome step towards establishing a normative framework for civilian engagement in cyber operations during armed conflicts.

Criminal or state actor, there are major lessons in the Optus cyber breach

Optus, Australia’s second-largest telecommunications company, yesterday notified the media that the data of its customers had been compromised in a cyberattack. It remains unclear how many customers are affected, but CEO Kelly Bayer Rosmarin said it might be up to 9.8 million users in a ‘worst case’ scenario, while stressing the breach involved ‘a very small subset of data’.

Customers’ names, dates of birth, phone numbers, email addresses, driver’s licence numbers, passport numbers and postal addresses are among the information reported to have been accessed.

Given the scale of the breach, the nature of the personal information and the utility of this data, a key question is whether a state or criminal actor was behind the attack.

A state actor would be able to make very productive use of this data, especially if it included records of who people had called. It’s a little unclear from Optus’s statement whether ‘phone numbers’ means an individual customer’s phone number or the phone numbers customers have called.

In places like the US, we’ve seen China steal the records of security-cleared officials, as well as hotel and health records. Joining these datasets together has the potential to provide rich pickings for states, enabling them to knit together useful details about key individuals and understand patterns of behaviour and communication across groups of interest. This requires affected countries to think carefully about how these data breaches might be used against them in future. The scale and level of detail of Optus’s customer data would make it highly valuable to a state actor.

The other possibility is that this is the work of cyber criminals. ITnews reported that while Optus notified the media of the breach yesterday, the data of its customers appears to have been posted for sale online since 17 September. That could suggest the work of a cybercriminal gang. However, Optus has told the media that it hasn’t received a demand for a ransom, which would be the obvious thing for a criminal group to do.

Rosmarin said this morning that it was too early to tell whether it was a criminal or state actor, but described the attack as ‘sophisticated’. This is now standard language used by anyone who is successfully penetrated, so it is difficult to read much into that remark.

For Optus customers, the implications of the breach depend to a significant extent on which type of actor was behind the attack. If it was a criminal gang, customers are likely going to be exposed to the significant risk of identity theft, requiring them to spend many painful hours making whatever changes they can to their personal data to minimise their vulnerability—which will be difficult to do entirely. If it’s a state actor, the impact on individual Australians will likely be less apparent, though it may be more pernicious for politicians, business leaders, government officials and anyone else whom the state actor deems a potential target of influence or intelligence-gathering.

Even if this turns out to be the work of cybercriminals, they might see profit in selling the data to state actors. It would therefore be wise to prepare for both eventualities.

So, what are the lessons from this episode?

First, and most obviously, the incentives for businesses that hold large amounts of highly valuable personal data to keep that data safe are still not well enough aligned either to consumer protection or to the wider national interests of Australia. In May, the Australian Securities and Investments Commission successfully challenged an Australian financial services firm in the federal court over the adequacy of the firm’s cybersecurity risk management. The firm was ordered to pay $750,000.

This was an important first in Australia. However, it raises questions about the strength and consistency of our framework for ensuring there are consequences for cyberattacks. There should be consequences for companies if it’s found that they were deficient in protecting consumers’ data. When it comes to perpetrators, there has been an inclination not to name state actors. In this case, though, the data stolen is the personal information of Australians. It’s reasonable to argue that we should be told who was behind the attack, regardless of the perpetrator.

Second, there’s a growing argument to create an ‘Office of Future Threats’ within the government to look at all the data that has been stolen from businesses, civil society and governments by various state actors, and to plan for scenarios in which this data might be used against Australian interests.

Finally, there is an opportunity to look at streamlining solutions for Australians who are victims of identity fraud so that less time (and heartache) is spent fixing the mess created by these sorts of massive failures. For example, Australians who have had personal data stolen must, in many circumstances, pay for new documents including passports. This should not happen. In a world in which large-scale data breaches are an unfortunate reality, Australians should not be disadvantaged when they are forced to remediate a situation that was never within their control.

It’s still early days for cyber

Despite information security figuring in the defence and national security consciousness since well before the end of the Cold War, we remain in the early days of cyber.

For some years after September 2001, when concerns over cyber were overtaken as a national security priority by terrorism, cyber tended to be seen as a secondary concern, most worrying when it merged with other threats, as in cyberterrorism.

That seemed a fair conclusion. Terrorism is a tool of the weak. Cyber is similar—an attack can be launched with little more than a laptop and an internet connection.

And there is indeed a thriving criminal industry comprising individuals, loosely affiliated networks and more established gangs, trading in exploits, malware and stolen data. Ransomware, with its prospect of fast and easy financial return, is a major incentive in a hypercompetitive criminal cyber industry.

The motives that drive criminal elements, however, differ from those of nation-states in cyberspace.

Cyber has become a valuable tool in the larger armoury of governments. Nation-states compete for access and influence in cyberspace. Some governments focus on their own people and political rivals. More generally, cyber is one element of grey-zone activity, or hybrid warfare.

For example, cyber offers both the raw material and the means for Russia’s long-standing practice of influence and disinformation operations, maskirovka. China has used cyber operations to steal valuable intellectual property, fuelling its own technological competitiveness and economic growth. North Korea uses its cyber capability for financial gain, to fund its nuclear program and to evade sanctions.

By its nature, cyber activity and effect can be hard to discern. It is the dark side of digital: the same technology and systems that generate new business models, greater efficiencies and increased capability, connectedness and capacity inherently carry vulnerabilities, misconfigurations and points of access that can be exploited by an adversary.

But even as governments find cyber useful as a tool and appreciate its potential threat, the usual policies and traditional frameworks of national security have difficulty gaining traction in cyber, because of the nature of the domain.

The operating environment for cyber is vast and everchanging. Policymakers can’t conceive of their strategic objectives or plan for specific outcomes in cyber as they can for land, sea, air or even space. In those domains, technology is built to operate in, on or through physical terrain.

In cyber, the technology is the terrain. Changing the technology—the logical structure, content and connections of systems and applications—alters the terrain. And that occurs every instant, creating or closing opportunities, threats and means of action within that domain.

Yet cyber isn’t free of the physical world. It is tethered in data centres, fibre networks and sensors. It is shaped by the dependencies inherent in supply chains.

Cyber is also embedded in the social world: human interaction with technology—the access and use of systems, applications, devices and data—adds further complexity and dynamism.

The combinatorial complexity of technology, the physical world, and social purpose and interaction generates, for all intents and purposes, an infinite space of possibility. Structure does matter, but attackers don’t want for opportunities.

Because change is constant, opportunities, and the advantages they may confer if exploited, are fleeting. That fundamentally alters the calculus of risk, cost, benefit, resourcing and outcome.

In the cyber domain, nation-states have little understanding of or control over their own assets and vulnerable threat surface. Governments must deal with considerable tech debt, accumulated since information and communications technologies became commonplace as business tools and control systems, more than 60 years ago.

Legacy ICT includes infrastructure and applications that remain in organisations but are no longer supported by vendors and often neglected. Some legacy systems run operations, industrial systems and critical equipment. Such systems are often bespoke, written without security in mind and unable to be patched.

Then there is shadow ICT, which lies outside official channels and awareness—the server under the desk, the software-as-a-service purchased with a corporate or personal credit card, the ‘free’ use of online storage.

The stock of large and growing amounts of legacy, operational and shadow ICT is a product of a fast-moving, easily accessible, affordable digital environment. But it means that ‘official’ ICT, even within government organisations, captures a comparatively small area of the overall vulnerable threat surface of systems, operations and data.

And with few exceptions, a nation-state’s information technology base is not designed, developed, maintained or controlled by governments, but by private industry, obscuring further its scale, scope, vulnerabilities and opportunities.

There’s no single government body that has a good understanding of what needs defending—or what assets the government has at its disposal—except possibly in the abstract.

That’s unlike other domains of power, where military, diplomatic and intelligence assets, including the physical borders of a country, are carefully accounted for. Changes in those assets are often slow; they are rarely ephemeral, or intangible, in the way that a cyber advantage or tool may be.

The strategic logic of operating in this environment continues to evolve. Strategies—and the ways of thinking, planning and controlling activity—in the conventional domain are likely to be ill-suited to the cyber domain. If applied without understanding or care, they could even prove detrimental to the interests of a nation and its citizens.

New strategies, norms, ways of operating, systems of governance and policies are needed to at least complement, if not replace, conventional frameworks when dealing with the cyber domain.

And a strategic approach based on anticipation, speed and transience in an intangible environment that transcends physical boundaries presents significant challenges to existing norms and institutions. Those include many at the heart of liberal democratic governance and society: evidence-based decision-making, the means of civilian control, the process expected through law, notions of sovereignty, the accountability demanded of democratic institutions, the responsibilities of the private sector, the freedoms of civil society, and the engagement due to allies and partners.

Working through all these means that we’re in only the early days of cyber.

So far, governments have focused on the practicalities of interests, threats and operating in the cyber environment. While such difficulties shouldn’t be underestimated, it’s not enough to focus on those alone. Careful thought needs to be given to governance, policy, statecraft and strategy if the challenges of a very different domain of security, one that intrudes into every facet of daily life, are to be managed effectively.

ASPI’s decades: Cybersecurity

ASPI celebrates its 20th anniversary this year. This series looks at ASPI’s work since its creation in August 2001.

In the language of strategy and defence, the information space has become the battle space.

Cyberspace is a new military domain where heavy blows—‘kinetic effects’—can be inflicted.

In this crowded domain, governments seek to direct, demand, defend—and attack.

Tech giants grow gargantuan. Businesses swarm. Spies and criminals throng.

And billions of people can act as individuals as well as groups.

The cybersphere today, and the tomorrow of quantum computing, are a manifold expression of what Marshall McLuhan saw 50 years ago: ‘Electric circuitry has overthrown the regime of “time” and “space” and pours upon us instantly and continuously the concerns of all … It has reconstituted dialogue on a global scale.’

The cyberworld can be specific and infinitely individual, a realm where a lone terrorist can become radicalised and act.

Australia’s first national security statement in 2008 said e-security was one of the top security priorities, referring to cyberwarfare, cyberattacks, electronic espionage, threats to critical infrastructure running on computer systems, and computers used by terrorists.

An ASPI paper on threats and responses in the information age, by Alastair MacGibbon, said Australian cybersecurity policy had been outstripped by the take-up of technology by the public, industry and government—and its abuse by criminals and foreign powers.

Canberra had relied on business for security solutions via industry self-regulation and a failed belief in ‘light touch’ regulation of telecommunications. A narrow policy focus on the legal definition of cybercrime missed broader problems, MacGibbon said, causing a widening gap between the cybersecurity problem and the national capacity to deal with it. Australia faced a greater level of risk because of ‘the incremental nature of government policy-making which can’t keep up with the speed of information and communications technology innovation, and more importantly, how such systems are abused’.

Surveying cybersecurity in 2011, Andrew Davies judged that Australia had acted ‘after the event’ to ‘catch up’. Awoken by ‘consistent penetration of national and commercial systems and substantial commercial losses’, the elements of a national strategy had emerged.

Using expertise from cyber operations in defence and national security, Canberra could provide guidance, build regulatory frameworks and even offer technical help and tools. The outstanding issues, Davies wrote, were whether the governance mechanisms in place would be sufficient as the problem evolved and grew, and whether the resources brought to bear were proportional to the threat.

At the 2011 AUSMIN talks in San Francisco, marking the 60th anniversary of ANZUS, the alliance extended into cyberspace: ‘[O]ur Governments share the view that, in the event of a cyber attack that threatens the territorial integrity, political independence or security of either of our nations, Australia and the United States would consult together and determine appropriate options to address the threat.’

It was the first time outside NATO that two allies had formalised cooperation in the cyber realm, Carl Ungerer wrote, while cautioning that classic deterrence wouldn’t work in this new domain:

The real cybersecurity threat is not from a single weapon of mass destruction but from the persistent and pernicious combination of online crime and espionage that is undermining financial systems, compromising the identity of individuals and stealing important intellectual property rights from corporations and governments. The classic deterrence theory of holding at risk the things that an adversary values fails in the cyber world because would-be attackers operate with an assumed level of deniability that changes their risk calculus.

ASPI convened a conference of Australian and American experts in Washington in 2011 to discuss the future of cyber conflict and defence. Lydia Khalil wrote that the alliance would have to define what type of cyberattack would be a threat to territory, politics or security:

[T]here’s an important blurring between espionage and attack in cyberspace that doesn’t exist in the physical space. The same intrusion method that’s used to extract information from a network can also be exploited to conduct an attack to disrupt that network. This is a critically important distinction that policymakers must be aware of and account for. While every cyberintrusion can’t be labelled as an ‘attack’ per se, it’s critically important to assess whether or not an intrusion has exploited a vulnerability that could also be used to disrupt or destroy networks.

ASPI thought Canberra had to offer more coherence and clarity on the cyber challenge. The institute’s response was to create the International Cyber Policy Centre, in August 2013, with Tobias Feakin as director.

Peter Jennings said that the centre was ASPI’s first major expansion as a think tank, giving it a wider remit. Cybersecurity, he said, was emerging as ‘one of the most significant strategic challenges faced by Australia’. Jennings and Feakin wrote that ASPI saw a pressing need to be involved in emerging policy debates:

There are two such debates: one at an often very highly classified government level, and one that encompasses a wider group in civil society but is often limited to those with deep specialist knowledge about information technology and security. There’s a need for a broader dialogue among people interested in many aspects of the impact of cyber issues on public policymaking.

The International Cyber Policy Centre would have four aims:

  • Lift the level of Australian and Asia–Pacific public understanding and debate on cybersecurity.
  • Provide a focus for developing innovative and high-quality public policy on cyber issues.
  • Provide a means to hold Track 1.5 and Track 2 dialogue on cyber issues in the Asia–Pacific region.
  • Link different levels of government, business and the public in a sustained dialogue on cybersecurity.

Jennings and Feakin set out a creed for the cyber centre based on needs and ambition:

These efforts will be at the national and international levels and look to enhance the cybersecurity of Australia and the region. There’s currently no centre in Australia or Asia that provides a focused research and strategic outreach program on the national and international development of the ‘rules of the road’ and confidence building measures for the cyberdomain.

One of the ASPI International Cyber Policy Centre’s core principles will be to ensure that both private sector and public sector voices are heard and considered. The internet is mainly in the hands of the private sector and civil society, so their opinions are essential if we’re to build lasting cyber norms that don’t constrain innovation and commerce, and that make cyberspace a secure place.

Visiting Washington in January 2016, Prime Minister Malcolm Turnbull announced a new US–Australia Cyber Security Dialogue to be convened by ASPI and the Center for Strategic and International Studies.

As co-chair of the first dialogue, Feakin said it responded to a newly central policy interest. The two allies realised more could be done using the public and private sectors and academics. Unlike traditional security issues, cybersecurity could not remain purely the purview of states:

[R]esources must be pooled and expertise and information shared. In the online world, Australia faces a strategic picture filled with foes constantly rewriting the rule book as to what can be achieved through disruption and disinformation online. But governments are not the exclusive targets. States looking to gain a competitive economic advantage are targeting the private sectors of other nations in pursuit of the nugget of information or intellectual property that will guarantee a domestic payday.

In November 2016, the Turnbull government announced the appointment of Australia’s first ambassador for cyber affairs: ASPI’s Toby Feakin.

Drawn from the book on the institute’s first 20 years: An informed and independent voice: ASPI, 2001–2021.

Global industry united in concern about nation-state cyberattacks

Attacks on information and communications technology infrastructure are becoming more common, as the recent spike in ransomware attacks affecting supply chains and the integrity of core information infrastructure has demonstrated.

In fact, according to numerous reports, 2020 was a record-breaking year for cybercrime. The FBI’s Internet Crime Complaint Center reported a 69% increase in submissions to its hotline last year. The UK experienced a 31% increase in cybercrime from May to June 2020, a trend replicated globally.

While the rise in reporting is disturbing and requires immediate action, there are long-term developments that are worrying cybersecurity experts. Cyberattacks are becoming increasingly sophisticated, and the range of targets has expanded to include government agencies, the defence industry and critical-infrastructure providers. But the most destabilising trend is the surge in cyber operations carried out by nation-states and groups sponsored by governments.

Since 2006, the Center for Strategic and International Studies has been recording significant cyber incidents—those affecting government, defence and high-tech companies, or occurrences resulting in a loss of over US$1 million. In the first four months of 2021 alone, 50 significant incidents were recorded. But this is just the tip of the iceberg. The majority of cyber incidents remain under the radar, as only the most significant attacks are reported in the media.

To understand whether businesses are aware of this growing threat and their susceptibility to cyberattacks for political–military intelligence or economic theft and coercion, the Cybersecurity Tech Accord partnered with the Economist Intelligence Unit in 2020 on a study titled Securing a shifting landscape: corporate perceptions of nation-state cyber-threats.

The Cybersecurity Tech Accord, a leading alliance of over 150 technology companies dedicated to increasing cybersecurity, recognises the critical role of private industry as the first responders to significant cyber incidents, and as the front line for protective measures. The survey included responses from 500 director-level or above executives from businesses in Asia–Pacific, Europe and the United States.

The study, completed before the most recent high-profile attacks ignited media reporting on the issue, found that cyberwarfare has indeed become part of corporate consciousness. The survey revealed that private-sector leaders and security experts are concerned about falling victim to a state-sponsored cyberattack, irrespective of their industry and location.

Across all regions in the survey, 87% of executives said they were ‘concerned’ or ‘very concerned’ about their organisation falling victim to state-led or sponsored cyberattacks. Out of the four Asia–Pacific countries surveyed (Australia, India, China and Japan), executives from China viewed this problem with the least concern, although the number was above 70%. Similarly, 85% of executives from the region said they were ‘more concerned’ about the threat from state actors than they were five years ago, and that the coronavirus pandemic had heightened the risk further. This figure is 5 percentage points above the global average.

The respondents in the region also expected that in five years, state actors would pose the gravest cyber threat to their industry, immediately after organised crime groups. Today, most company boards still focus on the risk of individual hackers seeking financial gain or hacktivists. Australian and Japanese executives felt that in five years’ time state actors would be the biggest threat.

They are rightly concerned. Their perceptions mirror the priorities of Australia’s cybersecurity strategy and track with the Cybersecurity Tech Accord’s observation that states are increasingly seeing cyberspace as a domain of conflict.

This, coupled with the comparatively accessible price of cyberweapons, means that we’ll see the number of active state and state-sponsored groups grow over the coming years. More and more states have significant resources at their disposal that greatly exceed most of the budgets that go into individual companies’ cybersecurity defences.

Moreover, advanced tools and technologies developed by states frequently find their way into the hands of organised crime to be repurposed or are leveraged by other state actors and state-sponsored groups.

But it’s important to recognise that motivations driving state actors tend to differ from the monetary incentives that drive criminal actors. The survey respondents viewed the leak of confidential materials and loss of crucial information as a top potential consequence. Nation-state actors, however, may have a broader intent that could include degrading and destroying infrastructure—and that can change the risk-management calculations. These concerns were particularly high among Chinese executives, at 20% more than the global average.

The results highlight the need for a fundamental shift in cybersecurity planning to ensure these considerations become central to any IT deployment and a core part of broader risk-management functions. This holds true even though roughly 74% of respondents in the Asia–Pacific region also felt their organisation was ‘very prepared’ or ‘completely prepared’ to deal with a nation-state attack. Indian executives were even higher than the average at 90%.

Unfortunately, these results most likely reflect a false sense of security. Even organisations that believe they wouldn't be a target for a state-led cyber operation can still suffer its impact as collateral damage: reduced public trust and confidence, disruptions in the supply chain, or increased costs of patching and insurance.

The impact can go beyond individual companies, because their investments in cybersecurity defences form a key part of national cyber resilience. The survey confirmed this view, which also recognised that more organisations now see government action, nationally and internationally, as crucial to increasing the long-term security of the online environment.

Sixty per cent of executives said their country only offered a ‘medium’ or ‘low’ level of protection from state-led cyberattacks. These numbers were particularly low in China and Japan, where only 30% of respondents felt their country provided adequate protection.

Company executives also expressed an urge for stronger international economic and political cooperation. Many mentioned the need for an international treaty to rein in dangerous actions by states and cultivate a more secure and stable online environment. The one exception in the region was Japan; only 17% believed this would be a helpful path forward, and most saw stronger national cybercrime legislation as a preferable option.

These findings underscore the reality that only through multi-stakeholder collaboration can the international community preserve the internet as a global public good and enforce commitment to commonly agreed rules, norms and standards of behaviour.

Exfiltrate, encrypt, extort: the global rise of ransomware and Australia’s policy options

Ransomware attacks are now a global epidemic and Australia is a prime target. That’s because ransomware is scalable, ransomware attacks can be commoditised and ransomware criminals are essentially ‘guns for hire’.

Bringing a huge organisation to a grinding halt can cost as little as $66—the measly outlay for some ‘advanced’ ransomware tools sold on the dark web. It’s a low cost for a potentially lucrative reward. On the flipside, the cost for victims to respond and recover from ransomware attacks can run into many millions.

Over the past 18 months in Australia, major logistics company Toll Holdings has been hit twice; Nine Entertainment fell prey, struggling to televise news bulletins and produce newspapers; and global meat supplies were affected after Australian and international operations of JBS Foods were brought to a standstill.

In a new policy report for ASPI’s International Cyber Policy Centre, Anne-Louise Brown and I argue that there’s a policy vacuum in Australia that makes it an attractive market for ransomware attacks, and that the problem will only get worse unless a concerted and strategic domestic effort to thwart the attacks is developed. The number of attacks will continue to grow if urgent action isn’t taken to reduce the incentives to target Australian companies and other entities.

All governments, civil-society groups and businesses—large and small—need to know how to manage and mitigate the risk of ransomware, but organisations can’t deal with the attacks on their own. There is a central role for government to play.

While there’s no doubt ransomware is difficult to tackle using traditional law enforcement methods because the criminal actors involved are usually located offshore, there are domestic policy levers that can be pulled to support cybersecurity uplift across the economy. Such action is essential because the grim reality is that, when it comes to ransomware, prevention is the best response.

There needs to be greater clarity regarding the legality of ransomware payments, increased transparency when attacks do occur, the adoption of a mandatory reporting regime and incentivisation for businesses to bolster their cyber defences through tax, procurement and subsidy measures. Australia would also benefit from the establishment of a dedicated cross-departmental ransomware taskforce, similar to that recently launched by the US Department of Justice.

When a ransomware attack occurs, any payment made has legal implications, but in Australia the legality of such a payment is murky at best. This is an issue that needs to be addressed with haste, without the burden of bureaucratic process and a regulatory quagmire. Importantly, criminalising ransomware payments isn't the solution. Mandatory reporting of ransomware attacks, however, should be considered. A non-punitive model would foster an information-sharing culture in which organisations that pay ransoms need not fear legal consequences, rather than punishing victims twice.

Transnational cyberattacks are a serious concern for Australians. The recently published results of the 2021 Lowy Institute poll found 98% of respondents viewed ‘cyber attacks from other countries’ as a critical (62%) or important (36%) threat to Australia over the next decade. That makes transnational cyberattacks the highest ranking of the 12 threats to Australia’s vital interests respondents were asked about—more of a concern than climate change, global pandemics, international terrorism, severe economic downturn and Australia–China relations.

As it stands, there’s a dearth of official public data relating to ransomware attacks in Australia. For example, in 2019–20 the Australian Cyber Security Centre reported an increase in the number of domestic ransomware attacks, but no specific metrics were released. This is in stark contrast to the US, which has a much more transparent reporting system. The FBI publicly reported that it recorded 2,474 ransomware incidents in 2020, amounting to US$29.1 million in economic losses.

Ransomware isn’t an abstract possibility. In Australia, the threat’s right here, right now and isn’t going away. There’s a key role for the Australian government to play in leading the way, but tackling ransomware is a shared responsibility.

While there’s no doubt that organisations must take responsibility for ensuring that their cybersecurity posture is up to scratch, there are practical and easily implementable steps the government can take to provide clarity, guidance and support.

The ongoing ransomware attacks that continue to strike unabated around the world must act as a red flag. And, because we’ve been warned, we need a plan.

Covid-19 is just one of the invisible enemies Australia must face

Coronavirus is an invisible enemy, a threat that changes how we live and work, how our children go to school and how we expect our governments to respond to crises. It is wreaking havoc across the globe on developed and developing nations alike.

While the threat of a global pandemic has always loomed, its impact on Australia’s sovereignty and security has not been at the forefront of this government’s mind.

In a speech in March 2019 outlining the future national security challenges Australia faces, Home Affairs Secretary Michael Pezzullo warned of the ‘seven “gathering storms” of the 2020s’. Not one of these was a global pandemic.

In seven years of being in power the government has not run a national pandemic exercise. The Home Affairs Department was briefly made responsible for national crisis coordination, but then the prime minister gave the job instead to the National Covid-19 Coordination Commission. It’s unclear what was achieved through this or what the impact has been on our national security.

There are three other national security threats which, just like the coronavirus, have the potential to undermine Australia’s safety, security and democracy. None is new, but in a pandemic-stricken world, the threat of each is growing to an unprecedented size and scale.

The first is foreign interference. In February, as the coronavirus began to take hold across the globe, ASIO Director-General Mike Burgess warned in his first annual threat assessment that ‘almost every sector of our community is a potential target for foreign interference’. He even went as far as to say the threat is ‘higher now than it was at the height of the cold war’.

Despite this stark warning, the government has done little to communicate with and educate the public and private sectors about, and equip them to deal with, the threat posed by foreign interference. Even less appears to have been done about the problem itself—despite the government’s establishment of an $87.8 million taskforce in December and new espionage and foreign interference laws, passed with Labor’s support in 2018.

Local, state and federal agencies—along with businesses and communities—need to be aware of how foreign actors can manipulate and influence their actions so they can protect themselves. A starting point would be to provide a form of practical education to elected representatives, public servants and the private sector, something even Liberal MP Gladys Liu asked for following her election last year.

Three weeks ago, Prime Minister Scott Morrison stood before Australians and levelled with them on another significant invisible enemy: cyberattacks. We have been, and continue to be, under cyberattack by a sophisticated state-based actor. Criminal groups round out the cybersecurity threat, exploiting weaknesses that have arisen during the Covid-19 pandemic.

The invisible enemies that threaten Australia’s cybersecurity can no longer be ignored. However, we still do not have a new cybersecurity strategy in place—the 2016 strategy expired in April—and we have not had a dedicated cybersecurity minister since 2018.

A more informed public will strengthen our cyber resilience and an approach to cybersecurity that treats it as a threat to public health will strengthen the responses of all levels of government. But leadership is required to achieve this. Just as public health experts recognise the collective benefits of improving the overall health of a population, cybersecurity experts recognise the collective benefits of lifting a nation’s cybersecurity capabilities.

Finally, right-wing extremism, which was once an invisible enemy, is now finding new opportunities to rear its ugly head.

While the home affairs minister has said the dark web is fuelling right-wing extremism, the reality is far simpler, but equally sinister. Nazi memorabilia is being sold on Facebook Marketplace and ASIO’s director-general has said, ‘In suburbs around Australia, small cells regularly meet to salute Nazi flags, inspect weapons, train in combat and share their hateful ideology.’

Covid-19 has fuelled the spread of extremist messages, and we’ve seen an undeniable rise in nationalist, xenophobic sentiment that right-wing extremists are exploiting. The nature of a global pandemic also affords these groups an unprecedented opportunity to recruit socially isolated people who are spending increasing amounts of time online.

On a broad level, the government should back the calls of peak multicultural bodies for a national, bipartisan anti-racism campaign to help ensure racist narratives can’t be used by right-wing extremists as an on-ramp to more extreme ideologies.

On a community level, the government could fund community-based programs and provide practical advice to parents, teachers, youth workers and even local churches to recognise and combat the rise of right-wing extremism.

The proscription of a right-wing organisation—international or domestic—would also send a powerful message that these extremist views will not be tolerated. Currently, 25 of Australia’s 26 proscribed groups are Islamist, with the other being the Kurdistan Workers’ Party, or PKK. But as we’re hearing regularly from our security agencies, these groups are not the sum total of the problem. If acted on by the government, Labor would support measures to proscribe extreme right-wing organisations.

These invisible enemies threaten Australia’s safety, security and democracy and require a thoughtful and united approach. Labor stands ready and willing to work with the government, including through the parliament and its Joint Committee on Intelligence and Security, in the interests of all Australians.

There have been very few seismic events in our history like this pandemic that have touched the lives of all Australians. But while we recognise the obvious challenges posed by Covid-19, we must be vigilant to the more covert challenges it may present. We cannot risk being underprepared and falling victim to any other invisible enemies.

The cyber threat to satellites

The Australian Defence Force has a heavy dependence on satellite communications for force coordination at long range. Satellites such as those that make up the US GPS network are critical for weapons guidance and joint command and control. Space-based intelligence, surveillance and reconnaissance is vital for understanding the battlespace, including adversary operations, and other satellite services such as meteorological support are essential for military operations.

The loss of those capabilities as a result of counterspace actions would render the ADF unable to fight in a joint and integrated manner or to take a modern, information-based approach to warfare. It would force us back to a more industrial level of warfare, where casualties are high, hostilities prolonged, and victory is anything but assured.

Counterspace capabilities are emerging in the Chinese and Russian militaries. One trend is towards the development of ground-based and space-based (co-orbital) ‘soft kill’ counterspace capabilities. Satellites could be targeted through electronic warfare (jamming and spoofing), microwave weapons, laser dazzling and, perhaps most worryingly, cyberattacks.

The prospect of cyberattacks on satellites dramatically expands the scope and risk of counterspace threats for a number of reasons. Countries like China and Russia, and even Iran and North Korea, are highly experienced in waging cyberwarfare, and directing such attacks against satellites is something they could do now, and at relatively low cost. Cyber-based counterspace capabilities can proliferate to non-state actors. It’s easy to imagine terrorist groups—or an individual hacker—exploiting such a capability to strike at the heart of US and allied military capability, or to attack Western economies and infrastructure.

The nature of cyberwarfare means that a state can conduct ‘grey zone’ operations in orbit with a low risk of detection or even complete anonymity. And it doesn’t require a declaration of war—vulnerabilities in supply chains, for example, could be exploited months or even years before a conflict begins, particularly if Western states depend on foreign suppliers of vital components. The reliance of Western armed forces on commercial satellites to augment bandwidth makes this an even greater concern.

The effects of a cyberattack can be swift even if it’s executed before the outbreak of hostilities. The rapid effects generated as cyberweapons are unleashed through networks can deliver a first-strike advantage, and the need to move quickly to defeat countermeasures means there’s a cyber imperative that will drive a cult of the offensive—whoever strikes first wins.

Cyberattacks on satellites, unlike physical attacks, don’t create massive clouds of space debris. If the attack is successful, the target satellite is disabled, disrupted, damaged or even potentially hijacked to provide false information, but remains intact. Cases of GPS spoofing attacks by Russia against NATO have already occurred and show a willingness by adversaries to flout international norms of non-interference in the space capabilities of other countries.

Australia must prepare for such attacks. Understanding the nature of threat is the first step. Australia’s defence and strategic policy community must ask how cyberwarfare in space might emerge and what the likely impact of cyberattacks on satellites will be, both on the ADF’s ability to fight and on Australian society more broadly.

Analysis must also be undertaken on how the ADF can respond to this threat. The US is pursuing a deterrence approach which emphasises building resilience in space and developing the means to pursue both defensive and offensive counterspace capabilities. How Australia could play a role alongside the US by burden-sharing to meet the cyber threat in orbit is an issue that needs further thought. Any Australian response should also consider putting an increased emphasis on formulating new, stronger legal mechanisms that would potentially support a control regime in the future.

It will be critical to develop enhanced intelligence to detect and defend against soft-kill offensive counterspace threats, including cyber threats. The 2016 defence white paper highlighted that Australia already plays an important role in space situational awareness by monitoring space activities out to geostationary orbit. But this monitoring is largely done through optical and radar imaging from the ground. Having the ability to identify adversary activity in space, including ground-based actions in cyberspace and across the electromagnetic spectrum, would be an obvious next step. It would contribute towards denying anonymity to a would-be attacker, even in cyberspace.

The transformation of the global space sector through Space 2.0 and the rapid commercialisation and democratisation of space mean that many more space actors, both state and non-state, are at risk from counterspace threats. This is a complicating factor given the likely dependence of western military forces on commercial systems for new types of capability. For example, commercial ‘mega-constellations’ of thousands of small satellites in low-earth orbit will be essential for supporting the ‘internet of things’ that will underpin future logistic and command-and-control networks or support autonomous systems. If these commercial space systems can be hacked, much of our military capability may become inoperable.

There are legal challenges, too. Using existing laws and agreements, it’s difficult to effectively verify and monitor ground-based counterspace capabilities such as cyberattacks. A state can gain international goodwill by signing a new space law agreement, or supporting space arms control, for example. But if those agreements can’t be monitored, it’s easy for the same state to violate them by covertly developing and employing counterspace capabilities in a grey-zone-type operation. If a satellite begins behaving oddly, or is failing to send data, is it a technical fault or a cyberattack? If it’s a cyberattack, who’s behind it? How do we respond to non-state cyber threats against satellites? The fragility of norms and legal regulations is an issue which proponents of laws and arms control measures as means to stop proliferation in space don’t seem to have answers for.

India’s test of a direct-ascent anti-satellite weapon in March led to an international outcry because it generated space debris and went against desired norms towards non-weaponisation of space. Soft-kill threats such as cyberattacks are more insidious and potentially more dangerous, because they can be used without the fallout of space debris, and offer scalable, potentially reversible effects. Australia must understand and meet the challenge of soft-kill counterspace threats to its critical space systems, including those in the cyber domain.

Internet hijacking: it’s nothing personal

When you type a website address into your browser, you expect that it will take you to the site you’re trying to visit. Increasingly, however, criminals and even state-backed hackers are using a technique known as DNS hijacking to trick browsers onto false websites.

Every website has both a name and a number. When we type a website address (domain name) into our browsers, our computers use that domain name to look up the corresponding number (internet protocol, or IP, address) in a series of virtual phonebooks called the domain name system (DNS). When you enter the domain name for your bank into the browser, the DNS points your browser to the unique number assigned to that name. That takes you to your bank’s website, where you can safely log in.

The problem is, hackers have figured out how to (at least temporarily) rewrite the DNS phonebook, or use a different phonebook altogether, fooling browsers into visiting the wrong number. And that means the attackers can send you anywhere they like—including to a website which looks just like your bank’s website, so that they can get your credentials (user name, password and other personal data) when you log in.

The DNS is being maliciously manipulated to fool, cheat or steal from us. It can be an enabler for surveillance, and it can be turned into a weapon against us.

In January 2019, reports were published by technology security companies, such as FireEye and CrowdStrike, detailing widespread malicious manipulation of the DNS. Cisco's Talos research organisation has identified manipulation of the DNS in a widespread cyber espionage campaign, known as DNSpionage. According to Brian Krebs at Krebsonsecurity.com, in the last few months of 2018 over 50 Middle Eastern companies and government agencies were compromised during the DNSpionage attacks, including some associated with the Egyptian Ministry of Defense and the National Security Advisory of Iraq.

In an emergency directive posted on 22 January, the US Department of Homeland Security told federal agencies to ‘mitigate DNS infrastructure tampering’ within 10 days to ‘address the significant and imminent risks to agency information and information systems’.

A month later, on 22 February, in light of what it described as ‘a pattern of multifaceted attacks,’ one of the key global governing bodies for the internet, ICANN (the Internet Corporation for Assigned Names and Numbers), called for immediate action to secure the DNS on a global scale: ‘The organization believes that all members of the domain name system ecosystem must work together to produce better tools and policies to secure the DNS and other critical operations of the Internet.’ ICANN is asking network infrastructure administrators to deploy DNS security standards with urgency. The standard that ICANN calls for, DNSSEC, adds cryptographic signatures to DNS records so that a validating resolver can reject answers that have been forged or altered in transit. It does not stop an attacker who has stolen registrar or DNS-provider credentials from changing the records at the source, which is how the DNSpionage actors operated, so strong authentication on those accounts is a necessary companion control. Although DNSSEC won't mitigate all threats, it will raise the overall level of defence.
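The phonebook lookup described above, and the way a client learns whether its resolver validated the answer with DNSSEC, can be made concrete with a small DNS wire-format parser. This is an added example, not code from the original article: it builds two constructed responses for a hypothetical name, bank.example, one carrying the AD (Authenticated Data) bit that a DNSSEC-validating resolver sets when the signatures checked out, and one forged answer without it, then applies the checks a stub resolver should make before trusting an answer. The signature validation itself happens in the recursive resolver and is not reproduced here.

```python
"""Parse DNS responses and apply the checks a stub resolver should make.

Added example, not code from the article. The name bank.example, the IP
addresses and the messages below are constructed for illustration.
"""
import struct

TYPE_A = 1
CLASS_IN = 1
AD_FLAG = 0x0020   # Authenticated Data bit in the DNS header flags (RFC 4035)
QR_RD_RA = 0x8180  # response, recursion desired, recursion available


def canon(name):
    """Normalise a domain name: lower case, single trailing dot."""
    return name.rstrip(".").lower() + "."


def encode_name(name):
    """Encode a name as length-prefixed labels ending in a zero byte."""
    labels = canon(name)[:-1].split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2  # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def build_response(txid, qname, ip, authenticated):
    """Constructed response: one question, one A record, optional AD bit."""
    flags = QR_RD_RA | (AD_FLAG if authenticated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rdata = bytes(int(o) for o in ip.split("."))
    # 0xC00C is a pointer to offset 12, where the question name begins
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + answer


def parse_response(msg):
    """Split a DNS response into header fields, questions and answer records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)  # dotted-quad IPv4
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "ad": bool(flags & AD_FLAG),
            "questions": questions, "answers": answers}


def accept_answer(msg, expected_txid, qname, require_ad=True):
    """Return the A record if the response passes the stub's checks, else None."""
    r = parse_response(msg)
    if r["txid"] != expected_txid:
        return None  # not a reply to our query
    if r["questions"] != [(canon(qname), TYPE_A, CLASS_IN)]:
        return None  # answers a different question than the one we asked
    if require_ad and not r["ad"]:
        return None  # resolver did not authenticate the data with DNSSEC
    for name, rtype, _ttl, rdata in r["answers"]:
        if name == canon(qname) and rtype == TYPE_A:
            return rdata
    return None


if __name__ == "__main__":
    genuine = build_response(0x1234, "bank.example", "192.0.2.10", authenticated=True)
    forged = build_response(0x1234, "bank.example", "203.0.113.5", authenticated=False)
    print(accept_answer(genuine, 0x1234, "bank.example"))        # 192.0.2.10
    print(accept_answer(forged, 0x1234, "bank.example"))         # None
    print(accept_answer(forged, 0x1234, "bank.example", False))  # 203.0.113.5
```

The last call shows why adoption has to happen at the resolver as well as in the zone: a stub that does not insist on validated data accepts whichever answer arrives first with the right transaction ID and question. The AD bit is only as trustworthy as the path to the resolver that set it, since anyone who can forge the response can also set the flag, so it should be relied on only from a validating resolver on the local host or reached over an authenticated transport.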

Worldwide adoption of DNSSEC has, in the words of Techcrunch, been ‘glacial’: statistics from various sources indicate that less than 20% of the world’s major networks or websites have this standard enabled. And DNSSEC only delivers its benefit at scale: a signed zone protects nobody unless the resolvers that users rely on actually validate the signatures, and a validating resolver can only protect users of zones that are signed.

The trouble with deploying DNSSEC is not so much technical complexity or cost implications—rather, it’s that most of us are not aware of or concerned enough about the situation to demand its protection.

Even those who are concerned about this online criminal activity aren’t marching in the streets to insist it be stopped—but perhaps they should be.

Countries that seem to be leading the way with DNS security have deployed a government strategy of ‘lead by example’, circumventing the need to drum up public concern. In its 2012 information security action plan, Sweden stated that it aimed to introduce DNSSEC into the majority of public organisations by the end of 2014. Sweden now reports one of the highest levels of DNSSEC deployment overall. Earlier this month, the Australian Signals Directorate issued a tender for ‘Protective DNS for the Australian Cyber Security Centre’. Protective DNS is a different control from DNSSEC: it blocks queries for known malicious domains rather than authenticating answers. While the tender indicates an awareness of the urgency of protecting the DNS, there remains no government-sponsored drive to increase DNSSEC adoption in Australia.

It’s time for government agencies to take the lead to advocate, support and encourage adoption of secure internet standards in Australia. The DNS needs to be secured before our trusted online destinations become the victims of hijack—or, worse still, fall foul of a weaponised attack on the heart of the internet infrastructure.