Tuesday, 11 May 2021
Last month the Australian government made a significant announcement in relation to cybersecurity threats to Australia. In a joint statement, issued by the Minister for Foreign Affairs, Minister for Defence and Minister for Home Affairs, the Australian government joined with the US and UK in condemning Russia's harmful cybercampaign against the US software firm SolarWinds. The Australian statement followed an announcement in Washington that US President Joe Biden had signed an executive order declaring a national emergency to deal with the threat of Russia's foreign interference, including malicious cyber and naval activities. US intelligence agencies directly attributed the SolarWinds attack to the Russian Cozy Bear hacker group operating for the Russian foreign intelligence service, the SVR. The Australian ministers declared that, in consultation with our partners, the Australian government had determined that Russian state actors were actively exploiting SolarWinds and its supply chains. The foreign affairs, defence and home affairs ministers further declared that over the previous 12 months Australia had witnessed Russia use malicious activity to undermine international stability, security and public safety.
This wasn't the first time that the Australian government had attributed cyberattacks to Russia. Just over three years ago, then defence minister Senator Payne publicly attributed the hacking of more than 400 Australian businesses to unnamed Russian actors, but at the time stopped short of attributing the attacks to agents of the Russian government. The announcement last month represented a shift in Australia's response to its cyberattacks, for the first time joining with other countries to call out a particular foreign government as responsible. This was a step forward. While there have been many warnings about the dangers to Australian and state government agencies, to vital defence capabilities and critical infrastructure, to Australian businesses, universities and community organisations from hostile cyberattacks, the Australian government has been very reluctant to directly identify those responsible for such acts.
While diplomatic sensitivities must be considered, the absence of specific attribution of responsibility for major cyberintrusions and attacks has diminished the government's effort to alert Australians to the importance of cybersecurity. This systematic weakness in their approach to cyberthreats was evident when the government announced in June last year:
… Australian organisations are currently being targeted by a sophisticated state-based cyber actor.
At that time, the Prime Minister said hostile cyberactivity was occurring across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure. The Prime Minister noted that 'there aren't too many state-based actors who have those capabilities', but he declined to name the culprit. The perpetrator was rather like Lord Voldemort, in the Harry Potter novels: too scary to be named.
The government has now been prepared to name Russia, a country with which we only have limited bilateral relations. But the elephant in the room is, of course, China. Former Prime Minister Malcolm Turnbull reflected the reality well in his memoir in which he observed:
… what's become increasingly apparent over the last decade is the industrial scale, scope and effectiveness of Chinese intelligence gathering and in particular cyberespionage. They do more of it than anyone else, by far, and apply more resources to it than anyone else. They target commercial secrets, especially in technology, even where they have no connection with national security. And, finally, they're very good at it.
Although the Australian government is not prepared to publicly attribute responsibility for the cyberattacks directed at numerous federal, state and government agencies, universities and businesses, there is no doubt that the Chinese state, the Chinese Ministry of State Security and the electronic warfare components of the People's Liberation Army have been responsible for a great number of these hostile actions against Australia. So far China has waged this cybercampaign without any effective response from the Australian government, even when the parliament's IT system was hacked. We have strengthened our cyberdefences, spending well over a billion dollars nationwide, but China has suffered no consequences at all. This state of affairs cannot be allowed to continue. If we are to counter China's strategic cybercampaign, there must be disincentives; there must be consequences for Beijing.
Firstly, we need to call out China's behaviour. China will no doubt protest their innocence and engage in a further round of vilification in the Global Times and other Communist Party mouthpieces, but we shouldn't be too worried about that. Our bilateral relationship with China is what you would expect of a cold war. That's the reality. What we need to do is send a very clear message to our allies and friends that we will not lie down and accept electronic aggression from the Chinese government. Cyberwarfare is just that: a form of warfare, short of open hostilities but warfare nonetheless.
Secondly, the government needs to impose targeted sanctions against the individuals and organisations involved in the Chinese state's hacking and cyberwarfare programs. We should be prepared to act in concert with our allies, especially the US, but we should also be prepared to implement our own unilateral sanctions, especially against Chinese telecommunications and IT companies with any connection to China's cyberwarfare activities. Sanctions may not have a large material effect, but they will send a clear message that we regard China's actions as hostile and unacceptable.
Thirdly, the Australian government needs to impose a direct diplomatic price for cyberattacks that can be attributed to the Chinese state or its proxies. Each time such an attack occurs, the department of foreign affairs should expel at least one diplomat from China's Canberra embassy and at least one consular official from each of China's consulates in Australia's state capitals. In the event that China keeps up its cyberattacks, such a policy would at least quickly reduce China's bloated diplomatic and consular presence, larger than that of any other country, which serves as cover for espionage and political interference operations in Australia.
Finally, Australia should be prepared to retaliate in kind. The Australian Signals Directorate has significant offensive cybercapabilities both as a national capability and as part of a wider collective capability amongst signal intelligence agencies of the so-called Five Eyes countries. Those offensive capabilities are a closely guarded secret, but I note that in December 2016 the government made a wideranging disclosure to ABC News about the Signals Directorate's success in hacking and destroying the electronic infrastructure of the Islamic State propaganda unit. In the event that China continues its cyberoffence against Australia on the scale experienced in recent years, the government should authorise targeted retaliation, especially against Chinese state owned enterprises operating outside China, Chinese communist propaganda outlets and Communist Party controlled United Front organisations.
Another focus should be on exfiltrating data from Chinese state agencies that highlight the Chinese state's systematic human rights abuses and the rampant corruption that pervades the top echelons of the Communist Party power structure. The threat of such action might give Beijing pause for thought before they embark on another round of hacking or decide to ratchet up economic pressure on Australia's export industries. One thing is clear: without imposing some consequences, there is no reason to dial back what are unquestionably hostile actions against Australia's national interests. Without consequences they will continue to treat Australia as a hackers' training ground and may eventually secure electronic footholds that may deeply harm our national interest, including defence capabilities. This cannot be allowed to continue, and the Australian government needs to move from a strictly reactive defensive posture to a proactive offensive one.