The ACSC Threat Report: a useful contribution to the cyber conversation
13 Oct 2016

Yesterday the Australian Cyber Security Centre (ACSC) released its second annual Threat Report (PDF), outlining the cybersecurity challenges Australia faces and further developing Australia’s approach to cyberspace. This year’s ACSC report offers a detailed breakdown of cyber terminology, a strategic assessment of the threat environment and a refreshingly candid narrative.

The report emphasises the importance of clarifying the language used to describe the cyber threats facing Australia. The ACSC goes to great pains to point out that indiscriminate use of the term ‘cyber attack’ by ‘media, academics and foreign governments’ has undermined a mature understanding of the cybersecurity challenge. The report highlights the range of nefarious behaviours possible in cyberspace and the need to label them accordingly. That echoes the sentiment of Prime Minister Malcolm Turnbull in his keynote speech at the recent Australia–US Cyber Security Dialogue, where he raised the ‘problem of cyber lexicon’ and the importance of standardising terminology across government, business, media and academia. Having a clearer understanding of what the various threat vectors are and of the dangers they pose is useful in creating broader understanding across the community. The report makes a concerted effort to address that issue, categorising cyber behaviours, from state-sponsored aggression to hacktivism, in terms of intent, methods and risk.

However, the addition of ‘cyber terrorism’ as a sub-class of online behaviour has us worried. The term is frequently used by authoritarian governments with a strict interpretation of what represents acceptable ‘freedom of speech’ online. The term is used to facilitate the prosecution of individuals who—within an Australian interpretation—would merely be expressing their opinions online, rather than facilitating or participating in terrorism. Having this term in an official Australian document doesn’t help the discussion around appropriate rules of the road for cyberspace, and makes arguing for an open, safe and secure internet more difficult.

More broadly, the report identifies an important strategic trend: the pattern of malicious actors using cyberspace ‘to seriously impede or embarrass organisations and governments—equating to foreign interference or coercion’. Traditional conceptions of ‘cyber attacks’ focus on the potential link between computer keyboards and kinetic disruption, and rightly direct attention to the cybersecurity and resilience of critical national infrastructure and core government networks. However, as the report points out, the list of potential targets has significantly grown to include political organisations, media and ‘other sectors considered important to Australia’s economy and identity’. Recent incidents of state-sponsored hacking and data breaches haven’t been a precursor to, or enabler of, physical conflict, but are instead favoured by adversaries as a low-intensity tool of statecraft by which to achieve broader strategic ends.

Regardless of whether the released information is falsified or authentic, these ‘targeted disclosures’ offer an effective way to conduct information operations and undermine public confidence in organisations and governments. With direct reference to the US Democratic National Committee breach, the report voices concern over the increasing frequency of such ‘brazen’ behaviour and the impact this may have on international norms of behaviour in cyberspace.

Overall, this report offers a transparent look into government cybersecurity, including its weaknesses and capabilities. The report provides surprising specifics on the Bureau of Meteorology hack in December, detailing the methodology of the intruder, the compromise of agency data as well as other government networks, and the admission that ‘the security controls in place were insufficient’. It’s encouraging to see the Australian government leading by example on the importance of breach disclosure, in order to ensure that the private sector continue to do so themselves. Increasing broader awareness of the risks and responses is vital in this area.

The report also offers a fairly bold statement on Australia’s attribution capabilities. It challenges the perceived difficulty of identifying cyber adversaries, and asserts that Australia can achieve detailed attribution, even of individuals, ‘in a timely manner’. But although the report details technical incident response procedures, it leaves us guessing as to what the ACSC would deem an appropriate response to an attributed adversary, should a cyber–physical or cyber-coercion incident take place in Australia. Current deliberations over what action the US should take now that it’s officially attributed the recent spate of cyber intrusions to Russia highlight the need to address the lack of established post-attribution policy options.

It may be the case, as the report claims, that Australia is unlikely to fall victim to such an incident in the next five years. However, recent international events indicate Australia needs to take seriously the risk posed to both soft and hard power targets, and the government should start developing the technology and policy needed to operate in today’s online threat landscape.

Increasingly careful use of cyber terminology, attention to strategic changes and more open conversations are essential elements of a more secure online environment. The new ACSC report offers important progress in this effort, and reinforces cybersecurity as a policy priority for the Turnbull government.