Targeting cyber criminals

The government's new cyber security strategy discussed in The Australian puts a focus on building capacity and capabilities to deal with cyber security and the inclusion of an offensive capability is vital to identify cyber criminals and to bring them to justice.

Read the full article below

Over the past two decades, industrialised nations have been systematically pillaged by enterprising nations and criminal organisations that had the foresight to see the opportunities arising from the growth of the internet. The amount of money, personal information and intellectual property stolen annually is staggering.

Last week the Prime Minister Malcolm Turnbull launched a new cyber security strategy to meet “the dual challenges of the digital age — advancing and protecting our interests online” and announced $230 million in government funding for 33 new initiatives that would result in 100 new jobs to “boost the government’s cybersecurity capacity and capabilities.”

The government’s investment in cybersecurity “complements the $400 million over the next decade — and roughly 800 specialist jobs — the government has committed to improve Defence’s cyber and intelligence capabilities through the 2016 Defence White Paper.”

Cyberattacks now cost nations about $US400 billion annually according to Lloyds of London CEO Inga Beale and companies pay about $US2.5bn in premiums on insurance policies to protect companies from losses resulting from cybercrime. IBM Australia and New Zealand Managing Director Kerry Purcell stated that IBM research indicates that “the average data breach results in losses of nearly $3.8m, 23 per cent more than two years ago” and in the last year a billion personal data records have been stolen.

For the past decade successive governments have failed to adequately respond to calls from security experts for more to be done to introduce a unified cyber security regime that encompasses business, industry and government.

The government’s announcement adds some of the missing components and strengthens the capacity and capabilities of security forces, the Australian Signals Directorate (ASD), the Federal Police, and the Australian Cyber Security Centre (ACSC) that was opened in November 2014 as “the next evolution of Australia’s cyber security capability.” The additional cyber security capacity and capabilities should improve information flow about cyberattacks and will facilitate early action, threat reduction and event mitigation.

Getting business and industry on board

While the government’s announcement has been cautiously welcomed by business and industry there is still some way to go before Australia has a unified national cyber security regime in place.

Concerted and ongoing opposition by business and industry groups to elements of the government’s cyber security strategy reflects their members lack of willingness to adequately fund cyber security, confront the need to keep customers informed about loss of personal information and to participate in a national cyber security information sharing arrangement.

Over the past five years, business and industry groups have been vocal in stating concerns that the proposed legislation for mandatory data breach notifications would be counter-productive, possibly leading to a loss of consumer confidence in companies breached in a cyberattack and the potential for an increase in unwanted privacy related court actions.

In June 2013 the former Labor government introduced mandatory data breach notification legislation called the Privacy Amendment (Privacy Alerts) Bill 2013 into Parliament but time ran out for this bill to be voted on by the Senate in the run up to the September 2013 election.

After sitting on the bill for more than a year the government decided to rebrand the bill as one of its own, launched a new call for feedback and in December 2015 an exposure draft of the new bill, which is substantially the same as Labor’s Privacy Alerts Bill, was released. In a re-run of what happened before the last election, the government appears set to introduce the new bill during the winter session of Parliament commencing on May 1. It’s highly likely the government will enter caretaker mode after the budget is delivered on May 3 so the mandatory data breach notification legislation is not likely to be passed before the election.

Labor recently committed to voting for a mandatory data breach notification bill at the earliest opportunity so business and industry are on notice that legislation is likely to be enacted later this year or early next year at the latest.

Focus on the perpetrators

The pillaging by enterprising nations and criminal organisations continues unabated and an undeclared war now exists between nations on an electronic battlefield that includes the internet and much of the world’s digitally connected infrastructure.

During the cyber strategy launch Turnbull stated the government can respond to cyberattacks using law enforcement, diplomatic or economic measures and when these are not a sufficient deterrent “an offensive cyber capability, housed in the ASD, provides another option for government to respond. The use of such a capability is subject to stringent legal oversight and is consistent with our support for the international rules-based order and our obligations under international law.”

“Acknowledging this offensive capability, adds a level of deterrence. It adds to our credibility as we promote norms of good behaviour on the international stage. And importantly, familiarity with offensive measures enhances our defensive capabilities as well.”

The government’s resolve to build cyber security credibility is vital not only as a means to respond to cybercrime but also to build the capacity and capability needed to respond to the unwanted cyberattacks from enterprising nations.

On May 19 2014, the US charged five Chinese army officers with cybercrimes in the first cyber espionage case of its kind and in doing so the US brought out into the open the extent of the ongoing cyber war with China. The US approach to “name and shame” is not likely to stop or even reduce what is happening but could be an important step towards more transparency.

It would be wrong to believe that China is the only country involved in cyber espionage. All nations are, to some extent, active in the chaotic undeclared war that exists over the global digital networks and it is prudent for Australia to develop the capacity and capability to deal with all eventualities including taking offensive action.

The international community will need to put in place agreements that define cybercrimes and tackle the thorny issue of how participants in cyber warfare are to be classified. It is highly likely that the five Chinese army officers were acting under orders so will the international community put them into the same category as cyber criminals? Unlikely.

More needs to be done internationally to stop cybercrime by identifying cyber criminals, freezing their assets and when the opportunity arises bring them before a court. There should be no hesitation to “name and shame” the nations that host criminal organisations, key players and facilitate cybercrime by permitting cyber criminals to carry out their illegal activities with impunity.

In Australia, there is a national security imperative for business, industry and government to actively participate in a unified national cyber security regime that will provide police and security forces with the information, capacity and capabilities needed to respond to cybercrime and cyber warfare. It is time for collective action and the government’s cyber security strategy is a positive step.

Mark Gregory is a senior lecturer in the School of Engineering at RMIT University.