At Australian Defence Magazine’s 3rd Cyber Security Summit this week, members of the shadowy cyber world gathered to swap war stories and scare one another silly with worst case scenarios. The thought that every major country in the world has hidden malicious code in power generators around the world and can remotely hit self-destruct is hardly a comforting thought. This would produce nuclear-like fallout in many respects, according to Scott Borg director and chief economist at the US Cyber Consequences Unit.
Estimates are that most first world economies can cope for 3-4 days without power. Anything more than that, and social order dies a rather quick death. Given that most of the huge and complex power generators are built in China and India and have rather a long lead-time to produce (anywhere from months to years), a powerless Australia for up to a year is a daunting prospect.
Cyber has become an increasingly popular topic in the media as more attacks become known. But there’s a culture of keeping attacks quiet. Getting Defence, government or even industrial players to talk on the record about cyber attacks can be very difficult. Verifying their accounts when they do speak is also hard. These bodies don’t want to be seen as vulnerable or untrustworthy. Would you trust a bank that announced every other week that they had suffered from millions of cyber attacks daily and they’re pretty sure they caught them all? ‘Pretty sure’? Really?! Yet that’s exactly what the situation is.
There’s no mandatory reporting framework when it comes to the world of cyberattacks, let alone for cyber warfare. And there’s some confusion in the general populace about the difference between cybercrime and cyberattacks. The NATO Cooperative Cyber Defence Centre of Excellence has been bringing together cyber experts for the last three years to look at how cyber warfare fits into the Laws of Armed Conflict framework. They’ve now produced what’s known as the Tallinn Report. The basic gist of the document is that cyber is covered under the Laws of Armed Conflict and is interchangeable with kinetic means. As in other realms of warfare, proportionality of response is still a key defining factor, meaning that concepts like mutually assured destruction still hold true. The US announced in 2011 that a cyberattack can be met with a kinetic response. The Pentagon’s Cyber Command, which was stood up in 2010, currently has about 1,000 people. They now have funding to take that workforce up to 5,000 people.
Australia has had a go at getting its cyber act together in the past 12 months, with a range of papers and agencies coming together. The most well known is the Australian Cyber Security Centre (ACSC), announced by the Prime Minister in January, which will have a coordinating effort between all government departments. No new funding was provided for the centre, with monies coming from existing cyber budgets within the bodies involved in the new centre.
Leading it will be the Australian Signals Directorate (ASD, formerly known as the Defence Signals Directorate or DSD). Other agencies involve include representatives the Defence Intelligence Organisation, ASIO, the Department of the Attorney-General’s Computer Emergency Response Team, the Australian Federal Police and the Australian Crime Commission. They’ll be housed in one place, probably the new ASIO building. Of which, incidentally, I understand that, despite recent reports, the plans to this new facility haven’t been stolen by another nation state. But as to what was actually stolen (if anything), nothing can neither be confirmed nor denied it seems. The cyber bogeyman holds much power, and the reluctance of governments (and other parties) to say much of substance doesn’t help.
One of the reasons for the silence might be the fragility of techniques used—cyber isn’t a one-way street. But that doesn’t help the business and wider government community to combat threats. There is of course the ASD Top 35 measures for cybersecurity, which will catch most threats it seems, but advanced persistent attacks are beyond these simple measures. There’s no forum where companies, who control so much critical infrastructure, and government can come together and speak openly about their cyber issues. One can only hope the ACSC can help fill this gap. It would be nice to hold a cybersecurity summit one year where no-one felt compelled to describe the imminent end of the world.
Katherine Ziesing is the Editor of Australian Defence Magazine, an independently published magazine on Defence capability and procurement. She is also a board member of the Sir Richard Williams Foundation, an air power think tank. Image courtesy of Flickr user Jared Klett.