What, who and why: explaining the cyberattacks against Australia

On 19 June, Prime Minister Scott Morrison, in concert with Defence Minister Linda Reynolds, announced: ‘Australian organisations are currently being targeted by a sophisticated state-based cyber actor.’ This was occurring ‘across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers, and operators of other critical infrastructure’, they said.

Morrison avoided using the word ‘attack’, and in the related advisory the Australian Cyber Security Centre stated that its investigation had ‘identified no intent by the actor to carry out any disruptive or destructive activities within victim environments’.

ASPI International Cyber Policy Centre staff Danielle Cave, Tom Uren and Jocelinn Kang discuss and debate this development.

What was the significance of the government’s briefing?

Tom: Given the sensational nature of the announcement—reported as the nation being under cyberattack—it was a remarkably content-free press conference. It was really designed to send a message to two different audiences.

To all Australians, particularly those involved in decisions regarding cybersecurity, the message was: ‘Cybersecurity is important, we need to improve, and we all need to be wary of capable and determined adversaries.’ Chief information security officers should be using this press conference to push for more resources.

To the nation-state conducting these activities, the message was: ‘Our government is concerned about these activities at the highest levels and we want them to stop.’ Although Morrison carefully avoided naming a culprit, his language was far tighter than in the past and he noted that ‘there aren’t too many state-based actors who have those capabilities’. The government is in no doubt about who’s responsible, and is foreshadowing the possibility of directly naming them.

Danielle: The statement was significant because it was public. That hasn’t always been the case, and it’s an important shift that is long overdue. Cybersecurity threats—particularly those involving nation-states—haven’t always been well articulated to the public.

Some of this has been due to a lack of whole-of-government coordination. We’ve seen an uptick in cyber and technology-related policy activity in Canberra over the past few years, across a range of departments. But the architecture that drives strategy and coordination, and that decides who leads on and announces what, is still settling.

Other times, the lack of public messaging is deliberate, as when governments have tried to balance the complicated mix of cybersecurity, geopolitics and diplomacy. Historically, it’s meant we’re far more comfortable calling out Russia for cyber intrusions occurring far from our shores, while going to great lengths to avoid the ‘C’ word. But it’s China that has long dominated this space in Australia.

And to gain insight into what this threat looks like, the Australian public is currently reliant on snippets provided by former politicians and senior intelligence officials. Such as this passage from former prime minister Malcolm Turnbull’s autobiography:

[W]hat’s become increasingly apparent over the last decade is the industrial scale, scope and effectiveness of Chinese intelligence gathering and in particular cyberespionage. They do more of it than anyone else, by far, and apply more resources to it than anyone else. They target commercial secrets, especially in technology, even where they have no connection with national security. And, finally, they’re very good at it.

Jo: The announcement was made in response to not a single incident but an increase in malign cyber incidents, across the board. This indicates that there’s a persistent and ongoing campaign targeting Australia.

Our growing reliance on digital communications means that we must all be aware of the threats to the technology and take steps to protect it if we want to continue to use it comfortably and securely. This is a whole-community effort: it includes individuals and businesses, as well as our government agencies, which hold a wealth of personal data on Australians and operate an increasing number of digital services that .

We need only to look at the situation the Covid-19 pandemic has thrown our society into. Even in these times of crisis, there’s an expectation that government services will continue to operate. In fact, especially during a time of crisis, our society looks to the government for support.

Who is responsible and how do we know?

Danielle: Immediately after the government’s press conference, journalists across the country were reporting that China was believed to be behind the activity, citing government sources. In my mind, that’s still an attribution—it’s just an attribution to the media rather than directly to the public.

This type of attribution is far less complicated. It won’t lead to demands to make the full suite of evidence public (which you don’t want to do because it reveals capabilities), and it doesn’t require wrangling allies to take the world stage with you.

The Chinese state is the only ‘sophisticated state actor’ with the combination of skill, capacity and motivation and an extensive track record of conducting widespread malicious cyber activity in Australia. Russia, North Korea and Iran tick some of those boxes, but only some. Importantly, most others lack the motivation—Australia just doesn’t make their shortlist of priorities for intelligence collection and foreign interference.

No one should be surprised to see that analysts and academics—whose job it is to publicly examine such developments—make their own assessments based on these facts.

Tom: There’s an army of analysts in both private industry and government who work to understand the nuts and bolts of a breach or compromise. Over time, analysts collect clues about the people behind the compromises and that mass of information can lead to high-confidence attribution. Government intelligence agencies can use secret methods to achieve perfect attribution, but commercial entities can also achieve very high confidence.

From a geopolitical point of view, it can only be China. Although many countries have cyberespionage capabilities, very few have them at the scale the government described. And only China has an extensive recent history of cyberespionage across all the sectors that the prime minister mentioned, coupled with the motivation to focus on Australia.

Jo: Over the past six months, reporting from cybersecurity companies has associated a Chinese military cyber threat group, Naikon, and a state-sponsored group, APT41, with a lot of cyber campaign activity, including the targeting of Australian entities. Both groups have a history of conducting cyberespionage, and APT41 also conducts cybercrime.

Is attribution a diversion?

Jo: The main message that all Australians—individuals, businesses and government—should take away from the prime minister’s announcement is that Australia faces a persistent cybersecurity threat and the number of incidents is only increasing. All of us need to take immediate action to better protect digital assets and engage in a culture of cybersecurity.

Although discussions of attribution can be a distraction from the information security issue, it’s still an important, although admittedly difficult, political issue. Actions by states in cyberspace should be seen as similar to actions taken in the visible, physical space. If there was a foreign warship making its presence known off Australia’s shores, and the government knew which nation it belonged to, wouldn’t the Australian public also want to know?

Without attribution, how can there be retribution for these actions? Or at least an incentive for the perpetrator to cease.

Danielle: I’m sympathetic to the argument that the key message the public should take away is that we must all invest in lifting our cybersecurity, rather than focus on who did it or why. However, that argument holds less relevance in this case. Why? Because government officials told journalists immediately that China was behind this activity, so if it’s a diversion, it was one of the government’s own making, given it was part of the strategy.

Also, this isn’t just about cybersecurity—and when nation-states are involved, it never is. Some of the activity, for example, described by the prime minister and detailed in media reporting goes far beyond standard intelligence collection and spills over into foreign interference. This activity is about multiple things—including international relations—that force many, both within and outside of government, to work on the why and the who.

What I thought was an interesting diversion was the one created by the Chinese government’s chief propagandist, Lijian Zhao, who claimed ASPI was behind any accusation that China was the source of cyberattacks against Australia. This year, the Chinese government, including Zhao, has increasingly turned to disinformation and fringe media outlets to push propaganda and conspiracy theories, including when attacking journalists, NGOs and research institutes.

Australians are savvy enough to recognise outright propaganda and disinformation when they see it, but few in the media provided this context when reporting Zhao’s accusations related to ASPI. Such public attacks and smears on civil society organisations that report and conduct research on China consistently fail to engage with or rebut the work and research of these groups. But such attacks on civil society will continue to escalate and we will need to get wiser to them.

Tom: From a business sector point of view, understanding whodunnit after the fact is a waste of time. Better to spend the effort fixing security. But understanding the motivations of those who might want to compromise you beforehand is useful in prioritising security effort. From a government point of view, understanding who is conducting particular cyber activity is key. We can’t respond at all if we don’t know who to respond to.

I’m not sure that officially naming China would be productive—a coalition of countries including Australia called out China for widespread hacking of IT service providers (Operation Cloudhopper), but that doesn’t seem to have deterred further operations.

On the other hand, our default strategy of avoiding formally naming China has failed, so it might be worth trying a different approach. Ironically, as our relationship with China deteriorates we’ll have less to lose, so it might make a formal attribution more likely.

There is, however, tremendous value in reasonable voices explaining the reality of the situation. Most cybersecurity practitioners can’t speak about these issues for diplomatic or commercial reasons, so we’ve been in the ridiculous situation where the Australian government knows we’re being hacked, the Chinese government knows we’re being hacked, and it’s only Australian companies and people who are kept in the dark.

To take advantage of the economic opportunities of China, all Australians need to understand the risks so that we avoid being robbed blind. We might have reached some happy place where there’s no formal attribution, but there’s also no doubt about who is responsible.

Should the Australian government do more? What would be the next step?

Danielle: The government needs to be consistent here and it needs a strategy (and the 2020 cybersecurity strategy is due out soon). Australia’s public cyber attribution has been patchy. It has also been poorly communicated, with information hosted on different government websites and often disappearing as the ministers who were involved in these announcements move on to other portfolios. This could be easily streamlined and rectified.

The prime minister’s press conference should spark the beginning of an ongoing conversation that the government has with the Australian public on the breadth and depth of malicious cyber behaviour that has long occurred in Australia, but too rarely been talked about by our parliamentarians and senior officials. If the government has knowledge about the threats we face, including how certain actors—state and non-state—are targeting critical infrastructure, industry and civil society, they have a duty of care to provide the public with information about what these threats look like, and where they are coming from.

Heads of government departments have a vital role to play here. A lesson to be learned from the government’s August 2018 decision to ban ‘high-risk vendors’ from the 5G network should be this: if you put out a media release on a big policy decision, but fail to follow up and publicly explain the decision, don’t be surprised to find the decision rehashed and reanalysed over and over as the media tries to make sense of what just happened. By saying so little at the time, the government only had itself to blame for keeping the spotlight on a sensitive policy issue for the rest of 2018 and most of 2019.

Here, the government should learn from that and change tack: talk to the public now and explain what’s happening. Senior officials like the director-general of the Australian Signals Directorate and the head of the Australian Cyber Security Centre (also under ASD) are expertly placed to flesh out the government’s 19 June announcement. This also provides them with the opportunity to add further context about the changing nature of the global landscape in which malicious actors are operating. It would add enormous value to hear more from them.

Tom: This event resets expectations around the 2020 cybersecurity strategy and I expect it will be a lot more robust than the 2016 version. Why spend $50 billion-plus on the future submarines if we can’t protect the intellectual property that will underpin the economy we need to afford those subs?