Cybercrime, deterrence and evading attack

Australia’s 2020 cybersecurity strategy says the government will publicly call out, when it is in the nation’s interests to do so, countries responsible for unacceptable intrusions or activity. It’s appropriate for the world’s 13th largest economy to have that capability and to be prepared to use it. But what are the options for economies that are much smaller or less developed?

When an organisation or government detects malicious online activity or a breach of cybersecurity, the first question often asked is who is behind the attack. Significant resources and capabilities must then be engaged to identify and disable the perpetrator.

The quest to know one’s enemy makes sense for strategic reasons and also for assessment reasons. Knowing the origins or originator of an attack can facilitate counterattacks and enable assessments of whether it is a lone wolf, an issue-motivated group, an organised criminal syndicate or a state-sponsored actor. A country like Australia can choose either not to respond or to adopt ‘a range of targeted and decisive responses’. The diplomatic options range from keeping the knowledge confidential to public naming and shaming. For countries with lower capabilities, the options are more limited.

The confidential or ‘quiet diplomacy’ response to state-sponsored interference can be criticised as weak, ineffectual and unlikely to result in anything more than a denial from the accused government. While it might seem to be at the flaccid end of the spectrum of possible responses, a confidential response can nevertheless serve a useful purpose.

When one government tells another that it’s aware of malicious cyber activity originating from one of its agencies, it lifts the veil of anonymity and introduces a threat of consequences if the activity continues. At the very least, it introduces distrust, or affirms existing distrust, in the bilateral relationship, making attainment of foreign policy objectives more difficult. And if the bilateral relationship is already antagonistic or distrustful, the affected country might well be encouraged to opt for public naming and shaming, which has the added sting of informing and thereby warning the rest of the world.

But many countries—and especially small and developing countries (though not all developing countries)—lack the resources and capabilities to track and investigate the origins of a cyberattack or other malicious online activity. For these countries, the enemy remains unknown or, even if a nation is suspected, unverifiable. In other words, they have no actionable information.

Faced with an asymmetric threat, they may well heed the advice of Sun Tzu in The art of war and try to evade the enemy who is superior in strength. But what does a strategy of evasion look like for a country with a low level of cyber maturity that lacks effective cyber-related infrastructure, policies, legislation and organisations?

In an era when the international rules and norms governing relations between states are being challenged, strengthening the self-defence mechanisms of small and medium-sized countries becomes more urgent. Globally, most cybersecurity breaches are due to human error, such as employee negligence or malicious acts, rather than the vulnerability of computer systems. An evasion strategy needs a focus on human error and human behaviour to control cyber breaches. Countries with a low level of cyber maturity have limited response options, but raising cybersecurity awareness and encouraging safe online practices are within their reach.

In its international cyber engagement strategy, Australia commits to working with developing countries ‘to build their technical, legislative and institutional capacity to fight cybercrime’. The cyber cooperation program accompanying the strategy funds programs to implement this commitment. Both the strategy and the cooperation program recognise the importance of online security for economic development and the prevention of losses from cybercrime.

One of the first projects funded under the cooperation program was a cybersecurity capacity- and awareness-raising project in Myanmar led by Monash University in collaboration with Myanmar organisations. The primary aim of the project was to minimise ‘cyber errorism’, and rather than engender fear it provided actionable and doable information. More than seven million users were reached by the campaign. The main lesson learned was that for a campaign to be effective (that is, to change online behaviour) its design needs to be based on a thorough understanding of the individual country’s situation, especially its level of cyber maturity, and cultural factors. And this requires locally designed and produced content.

Arguably, a focus on minimising human error through widespread adoption of safe online practices is a more feasible pathway to cybersecurity than a focus on institutional strengthening if capacity and incentives are weak and bureaucratic inertia makes effective implementation uncertain.

That said, a cybersecurity strategy is strongest when it has many components, including public awareness, government and private sector cooperation, legislation, global harmonisation of cybercrime laws, and international cooperation. When a range of measures is assembled, the vulnerabilities are closed off, the nation’s or organisation’s defences against cyberattack and malicious online activity are strengthened, and the unknown enemy can be evaded.