25/11/2020

Cyber-attacks by nation states are on the rise and are becoming an increasingly common method of “warfare” and diplomatic disruption. Countries such as China and Russia are developing cyber weapons for use in any future conflicts, while the USA, the UK, France and Israel have also invested in developing cyber capabilities. Australia’s recently launched Cyber Security Strategy 2020 recognised the significant threat posed by nation states to our government and critical infrastructure providers and committed to invest $1.67 billion over 10 years in relation to cyber security (see our analysis of the strategy - Australia’s Cyber Security Strategy 2020: What you need to know). A critical question is how countries such as Australia should defend themselves, and should this defence involve offensive attack?

According to Verizon’s 2019 Data Breach Investigations Report, cyber-attacks by nation states, and affiliated parties, represented 23% of data breaches, up from 12% in 2018 and 19% in 2017. The report also highlighted that a quarter of all breaches were associated with espionage.

Australia's Cyber Security Strategy 2020

Australia’s Cyber Security Strategy 2020 identifies nation states as major threat actors who “seek to compromise networks to obtain economic, policy, legal, defence and security information for their advantage”. It recorded that in the year to 30 June 2020 government entities were the target of approximately 35% of incidents while attacks on critical infrastructure providers (delivering services such as healthcare, education, banking, water, communications, transport and energy) comprised a further 35% of incidents.

A successful attack of this nature could have a catastrophic effect on the Australian economy and our society. For example, the 2015 BlackEnergy attack (which Russia is accused of mounting) against Ukraine cut power to over 700,000 homes for a period, while the 2017 NotPetya attacks (also allegedly mounted by Russia) resulted in the radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant going offline; Ukraine’s national bank, state power company and largest airport were also affected. You don’t need to be an expert to imagine the fallout from a cyberattack on our financial markets, particularly if financial records are destroyed or altered. Similarly, it is easy to imagine the panic and chaos that would result from any interference with the operations of nuclear plants and water systems, or from the interruption of critical transportation systems bringing cities to a halt.

Cyber warfare: An international concern

Against that backdrop, the international community has been grappling with how to deal with cyber warfare for more than a decade. A key issue has been whether and how existing international law applies in cyberspace. In 2013, the United Nations Group of Government Experts on cyber (chaired by Australia, and containing representatives from both China and Russia) recognised that existing international law does apply in cyberspace. However, the ongoing enquiry explores exactly how to apply international law to this entirely new domain.

There has been some consideration of the development of an international agreement to govern international security in cyberspace. However, no agreement has been reached. Without a formal agreement, the most authoritative guidance is the Tallinn Manual, an academic, non-binding study on how international law should be interpreted in the context of cyber warfare. There have been two iterations of this manual. While giving some guidance on the way experts perceive the application of international law to cyber warfare, it did not “make law” and does not have the force of law, leaving nation states to make their own decisions in relation to how to conduct themselves and defend against cyber warfare attacks. The most difficult issue governments are grappling with is international responsibility, both in terms of identifying the responsible actor and appropriate counter-measures.

Cyber-attacks are the new frontier for warfare

Australia has been at the forefront globally in acknowledging its offensive cyber capability and has used that capacity to target Islamic State and other threat actors. Australia’s offensive cyber capability sits under the Australian Signals Directorate (ASD). It can be deployed directly in military operations, in support of Australian law enforcement activities, or to deter and respond to serious cyber incidents against Australian networks. In June this year, the Prime Minister announced that Australian organisations (all sectors of government, industry, education, health care, essential service providers and critical infrastructure operators) were the subject of a sophisticated cyber-attack by a state-based actor. The ASD used its offensive cyber capabilities to disrupt the attack by disabling the attacker’s infrastructure and blocking access to stolen information.

In this rapidly changing cyber environment of increasing targeted attacks by foreign state actors on national infrastructure and facilities (e.g. hospitals, power supplies and key commodities), as well as against private corporations, a nation’s response in circumstances where there is no binding international instrument is an area of significant diplomatic sensitivity and potential volatility. There is no doubt that cyber-attacks are the new frontier for warfare, and it is important that Australia is not only ready but, as demonstrated this year, willing to defend itself when (not if) a threat appears.

Australia's investment in cyber warfare defence

It remains important for government and business to continue investing in skills and training to ensure they are prepared to take action in relation to cyber-attacks of this nature, which may not have a financial motivation, but are instead designed to cripple critical infrastructure and services. It is also important for Australia to maintain its leadership role internationally in shaping an agreed international framework to protect nation states from attack by state actors and to regularise the use of appropriate counter-measures – such a framework has the best prospects of ensuring that cyber warfare is inhibited and its potentially catastrophic impacts are limited.