Countries continue to refine their approach to cybersecurity. Australia is not an exception, with the recent release of its new cybersecurity strategy.

Previously I looked at several countries or organisations (i.e. USA, Ireland, Netherlands, France, ICRC, France, Luxembourg) along different dimensions of cybersecurity. Why is Australia worth a look? It’s an important country in the Western block, at the same while facing interesting challenges, some of them are quite different from other countries (e.g. “Cyberattack threatens Australian wool sales and shipments“), at the same time it’s the country that was among the first to disclose some of its offensive cyber operations during armed conflict.

To the point. Australia wants to allocate $1.67 billion (over 10 years) to improve cybersecurity capabilities in several places, from law enforcement to the economy. The actual document is here. I provide a look at some more or less important points below.

Offensive cyber capabilities and their use


Australia wants to boost offensive cyberattack capabilities (and defensive). Including by creation of new tools. Offensive cyber capabilities are also supposed to be used, including against criminals that use anonymizing technology or encryption:

“Encryption and anonymising technologies allow criminals, terrorists and others to hide their identities and activities from law enforcement agencies.“

“Powers that allow offensive disruption capabilities will allow law enforcement to take the fight to the digital frontdoor of those using anonymising technology for evil purposes. “


Australia is to get the right to operate on remote and foreign servers and work on bypassing some of the encrypted systems (Tor? Or?).

“Australian Federal Police or the ACIC, with a warrant from a court knowing that somebody operating a server, whether it was in Seattle or Sydney (...) would be able to target”,
“If our law enforcement agencies are to remain effective in reducing cyber crime, their ability to tackle the volume and anonymity enabled by the dark web and encryption technologies must be enhanced.” (link)

“Law enforcement agencies will be given greater ability to protect Australians online, just as they do in the physical world, and will target criminal activity on the dark web. The Australian Government will confront illegal activity, including by using our offensive cyber capabilities against offshore criminals, consistent with international law.”


Quotes speak for themselves.


Offensive cyber operations vs Covid19 crime?


Long time ago I wrote why Covid19 theme is a potent cybersecurity risk. Since then, many of these points unfolded. To the extent that these days linking to Covid19 became a popular cyber policy cliché. This cybersecurity strategy is not an exception to this rule


“Australia’s response to the COVID-19 pandemic has shown the importance of secure online connectivity.“


However, it also seems that it confirms  some previous reports that Australia used offensive cyber operations vs some “foreign cyber criminals” that used the Covid-19 themed operations.


“the Australian Signals Directorate (ASD) used its offensive cyber capabilities to disrupt foreign cyber criminals targeting Australian households and businesses. These offensive cyber operations struck back at the foreign criminals behind these COVID-19 themed phishing campaigns, successfully disabling their infrastructure and blocking their access to stolen information.“


So this is confirmed now. We still don't know exactly what actually happened, though. It would reveal parts of how "offensive" is perceived by some.

Training, education for the public


Like many other strategies, this one focuses on the public too by bringing cybersecurity down to the earth:

“The Australian Government will offer a dedicated online cyber security training program, expanding our 24/7 cyber security advice hotline for SMEs and families, and increase funding for victim support services.“


The document contains another interesting bit. “The community” will be expected to “Make informed purchasing decisions”. As far as I remember this is the first in the world cybersecurity strategy that mentions the actual role of the broader community (i.e. the typical people). But I guess they will need some labels on products for the public to understand some details of the purchasing products because how is "the community" supposed to know this:

“Before purchasing an Internet of Things device
— Is it possible to change the password? “


They also found some numbers that indicate that cyber incidents cost “$29 billion per year or 1.9% of Australia’s GDP”. I presume this does not necessarily mean that no cyber incidents equal +1.9% GDP. But posting such numbers in various reports speaks well to policymakers, it seems.


On cyber threat actors


The document notes that:


“ Nation states and state-sponsored actors may also seek to achieve disruptive or destructive effects against their targets during peacetime or in a conflict setting“


While of course true, it’s interesting that the risk of destruction and the conflict setting is mentioned in a civilian strategy. Cybersecurity strategies of the past used not to mention aspects of conflict time.

Australia is also concerned with creation of cyber tools:


“Of particular concern are transnational cyber crime syndicates, which develop, share, sell and use sophisticated cyber tools and techniques.“

On naming actors

“Terrorist groups and extremists are effective at using the internet to communicate and generate attention, but generally employ very basic cyber techniques and capabilities such as distributed denial of service (DDoS) activities, hijacking social media accounts and defacing websites.“

Typically the “terrorist threat of cyberattacks” is sometimes used as a scare-mongering cliché. But this document admits that “terrorists and extremists” actually pose no particular cyber risk. Many previous old reports (including in the press) delivered a message to the contrary (perhaps it was too easy to blame or to use it as a catch-phrase?), which was rather missing the point.

Your “typical terrorists/extremists” rather don’t have access to advanced cyber capabilities, and do not pose a particular risk point. Sophisticated cyberattacks require time and skill. Most operations reported as sophisticated, in fact, aren’t. Also, when was the last time we saw “terrorists and extremists using DDoS”?


On high-impact cyberattacks


About attacking and defending critical infrastructure:

“The loss of an essential service like electricity, water or transport could have devastating impacts across Australia far beyond the targeted business. Although more can be done to raise the overall security posture of critical infrastructure, some nation states or state-sponsored actors are so sophisticated that an attack may be beyond the capability of a single network owner to handle alone, irrespective of its size, expertise and best efforts.“

In case of a big problem (“a sophisticated and catastrophic cyber attack”) the government will be prepared to “use of classified tools“, i.e. cyber-cavalry?

On cyber deterrance

The strategy wants to achieve some things, like:

“Malicious nation states and state-sponsored actors will be deterred from targeting Australia’s critical infrastructure and systems of national significance.“

Of course, this assumes that cyber deterrence works, which is not clear today. But it seems Australia is counting on it.

International cyber norms


Australia will prefer to act in line with international law as regards to cybersecurity:

“will continue to encourage the international community to act responsibly online, including by complying with existing international law, domestic law and norms of responsible state behaviour.”

Also, there will be a continuation of name-and-shame policies as regards to the identified perpetrators:

“The Australian Government will ensure that Australia is not seen as a soft target and will continue to publicly call out countries when it is in our interests to do so. The Australian Government will match its public statements with action through a range of targeted and decisive responses against unacceptable intrusions “

The stick is supposedly to increase:

“The Australian Government will deter malicious activity by imposing stronger consequences for those who act contrary to existing international law and agreed norms when it is in Australia’s national interest to do so.“


Lastly, the strategy has some metrics of success (like, how to measure that an initiative brings effects) which makes it a bit more actionable despite the document not containing details. It’s a strategy, not a detailed plan. What counts is that the money figures are extensively included in the document, quite detailed.


A separate but related recent document about critical infrastructure cybersecurity reveals interesting insight. Such infrastructure is named as the “most critical to the country economy, security and sovereignty“. The document considers dividing“critical infrastructure” into “ Critical Infrastructure Entities, Regulated Critical Infrastructure Entities, systems of national significance” which is interesting but now to the point:


State of emergency due to a cyberattack


“There may be even more limited circumstances where Government identifies an immediate and serious cyber threat to Australia’s economy, security or sovereignty (including threat to life). In these situations, it may be appropriate for Government to declare an emergency.“


State of emergency due to a cyberattack, but based on its impact (and imminency). Not often found around the world.


No retaliation allowed

“Critical infrastructure entities may face situations where there is an imminent cyber threat or incident that could significantly impact Australia’s economy, security or sovereignty ... Critical infrastructure entities will only be directed to take protective or mitigating actions reasonably within their capability to address. Under no circumstances will entities be directed or authorised to take actions against the perpetrator (including ‘hack backs’).


Companies will not obtain the right to active cyberattacks. No hack-back. Offensive operations are to be restricted within the State powers.


Cyberattacks causing loss of life


“At its most extreme, such catastrophic disruption could cause loss of life. Recent events, particularly COVID-19, have demonstrated how threats can have flow on effects across multiple sectors. A deliberate cyber attack could have farther-reaching, more rapid and less visible causes and effects.“

Interesting in itself. Would that warrant a State reply? If so, how and when?


Summary

The landscape changes and so are government actions. What catches an eye is that this cybersecurity enhancement campaign has got a few times more funds allocated than the previous one.

What also matters at the end of the day is to what degree the document is self-consistent. It is still unclear today in which situations cyber operations in or vs foreign infrastructure are in line with international law. We will probably know more about this in the next 10 years :-)

Did you like the assessment and analysis? Any questions, comments, complaints or maybe even offers? Feel free to reach out: me@lukaszolejnik.com