Imagine the scene: you run a large multinational company and you’ve just had US$300 million stolen from your bank account. A few months down the track the government steps in and, to much fanfare, names the person who stole your money. And then does nothing else.

Two months later you lose another large chunk of money. This time the government again identified the culprit—a second thief who copied the first thief’s behaviour. After letting everyone know the second thief’s name, again you hear nothing. Another two months later and one of these two thieves is called out publicly again for planning a major attack on your company. For a third time there’s no follow-up.

Unfortunately, this situation is not too far from reality. Yesterday, Australia and its allies racked up their third attribution of a major cyber incident in four months. Russian state-sponsored actors were accused of ‘using compromised routers to … potentially lay a foundation for future offensive operations’. (The Australian Cyber Security Centre issued guidance in August 2017 about the vulnerability, but the united attribution to Russia came today.)

In their joint statement, the UK and the US noted that ‘the targets of this malicious cyber activity are primarily government and private-sector organisations, critical infrastructure providers, and the internet service providers (ISPs) supporting these sectors’.

This followed the public attribution in February that Russia was behind the NotPetya ‘ransomware’ incident and the announcement in December that North Korea was behind WannaCry. As my colleague Tom Uren has noted, the WannaCry worm spread worldwide and seriously affected many industries, notably the UK’s National Health Service. NotPetya caused worldwide damage well in excess of US$1 billion and affected companies as diverse as Merck (US pharmaceuticals), Maersk (Danish shipping), Fedex (US logistics), Saint-Gobain (French construction) and Mondelez International (UK chocolate).

So, these attacks are no small matter. But do we really expect to be able to change behaviour when we do nothing but name the perpetrators? And does naming and shaming work if the adversaries aren’t actually shamed? If the only penalty for committing arson was being publicly named, arsonists would quickly come to expect that lighting fires involved no other cost. Some of them might even enjoy the infamy, making the naming potentially worse than doing nothing.

If there are no costs associated with reckless behaviour in cyberspace, then the behaviour is unlikely to stop. These costs don’t have to be imposed in the cyber domain. There are a range of other options, including diplomatic measures, economic sanctions and, at the extreme, military responses.

But the West needs to get more of its ducks lined up if it’s planning to continue down the attribution path. (Former US State Department Coordinator for Cyber Issues and White House Senior Director for Cybersecurity Policy, Chris Painter, has an ICPC policy brief coming out shortly on the need for consequences if deterrence in cyberspace is going to work.)

Already there’s considerable delay between the actual incidents and the attribution: WannaCry launched in May 2017 and was attributed in December, for example. There can be multiple reasons for such delays that aren’t necessarily linked to identifying the perpetrator (for example, lining up diplomatic support), but this lag is clearly suboptimal and needs to be reduced. But if we’re already going to wait months before making attributions, then we might as well wait a little longer to agree retaliatory measures as well.

The new ‘Command Vision’ from US Cyber Command sets out a much more assertive approach. It builds on a key insight:

The spread of technology and communications has enabled new means of influence and coercion. Adversaries continuously operate against us below the threshold of armed conflict. In this ‘new normal,’ our adversaries are extending their influence without resorting to physical aggression. They provoke and intimidate our citizens and enterprises without fear of legal or military consequences. They understand the constraints under which the United States chooses to operate in cyberspace, including our traditionally high threshold for response to adversary activity. They use this insight to exploit our dependencies and vulnerabilities in cyberspace and use our systems, processes, and values against us to weaken our democratic institutions and gain economic, diplomatic, and military advantages.

Based on this insight, it notes that the US must ‘defend forward as close as possible to the origin of adversary activity, and persistently contest malicious cyberspace actors to generate continuous tactical, operational, and strategic advantage’.

Unfortunately, as with many things associated with the Trump administration these days, key leadership on this issue has been lost. Yesterday, the White House confirmed that cybersecurity coordinator Rob Joyce will be leaving (returning to the National Security Agency). This comes a week after his boss, Tom Bossert, was forced out.

In this fluid and evolving melange, Australia and its allies need to move to stage two of our response and start imposing timely and credible costs. Otherwise things will get worse.