Assessing Australia’s Cyber-Attack Attribution Issues
Note: This article was originally published by Divergent Options, a national security website based in the United States that provides unbiased analysis on national security issues. You can find the original article here. I have kept the original DO formatting.
Author and / or Article Point of View: The author believes that without more proactive and novel thinking by decision makers, strategic competition in the grey-zone is likely to continue to outpace meaningful policy responses.
Summary: Recent years have proven that China can prevail over Australia in the threshold below war, particularly through cyber-attacks that go without attribution. Without building trust between agencies, implementing the right training and education, and properly conceptualizing cyber warfare to bolster political will, Canberra will not strengthen attribution capabilities and achieve greater strategic agility in the cyber domain.
Text: Making an official attribution of a cyber-attack is one of the key techno-political challenges faced by governments today. Using China-Australia tensions as a case study, one can analyse how capability gaps, technical expertise, and political will all play a role in shaping attribution and assess how one state prevails over another in the grey-zone of conflict below the threshold of war. Thus far Australia has favoured freeriding upon its more powerful allies’ attribution capability vis-à-vis China, rather than making attributions of its own[1]. Unless Canberra greatly expands its cyber security and attribution capabilities, it will not accrue more agency, independence and, ultimately, strategic agility in this domain.
Over the past three years Australia has been the victim of numerous large-scale cyber campaigns carried out by China, targeting critical infrastructure, political parties, and service providers. While Australian Prime Minister Scott Morrison did state that a “sophisticated state-based actor” perpetrated these attacks, his government has thus far never made a public attribution to China[2]. Senior Australian officials have confirmed to media that they believe China is behind the attacks, raising questions around the lack of attribution[3].
Australia’s situation is representative of a wider strategic environment rife with frequent and sophisticated information operations, with China being a leading perpetrator of offensive cyber-attacks. Chinese hybrid warfare is undoubtedly inspired by Soviet political warfare dating back to the early 1920s, but is perhaps grounded more in the concept of ‘unrestricted warfare’ posited by Liang and Xiangsui in 1999[4]. This concept manifested in the ‘Three Warfares’ doctrine of the early 2000s, with offensive cyber operations being used as a key strategic tool since the PLA formed its Informatization Department in 2011[5]. Though described as ‘kinder weapons’, their ability to ‘strike at the enemy’s nerve center directly’ has indeed produced kinetic effects in recent years when used to sabotage critical infrastructure[6]. Whilst it is widely accepted that China is responsible for large-scale cyber operations, proving this can be a monumental task by virtue of cyber forensics being technically intensive and time-consuming.
In 2014, Thomas Rid and Ben Buchanan captured the nuance of cyber attribution excellently when they stated that ‘attribution is an art: no purely technical routine, simple or complex, can formalise, calculate, quantify, or fully automate attribution’[7]. While the art statement is true, technical routines exist to build attribution capability upon, and this is the crux of China’s prevailing over Australia in recent years. Canberra’s ‘freeriding’ on capabilities outside of the government and lack of streamlined inter-agency processes and accountability have severely limited its effectiveness in the cyber domain[8]. Attempts to remedy this have been made over the past two decades, with a number of agencies agreeing to communicate more and share responsibility for bringing an attribution forward, but they have been hamstrung by endemic underinvestment. Consequently, Australia’s response to a greatly increased threat profile in the cyber domain ‘has been slow and fragmented’, thus ‘Australia’s play-book is not blank but it looks very different from those of pace-setter countries’[9].
Improving the speed and integrity of an attribution begins with ensuring that cyber security practitioners are not over-specialised in training and education. Though it may seem counterintuitive, evidence suggests that the most effective practitioners utilise general-purpose software tools more than others[10]. This means that organisational investment into specialised cyber security tools will not translate directly into improved capability without also establishing a training and work environment that pursues pragmatism over convoluted hyper-specialisation.
Attribution is less likely when there are low levels of trust between the government and civilian organisations involved in cyber security, as this does not foster an operational environment conducive to the maturing of inter-agency responses. Trust is particularly important in Australia’s case in the relationship between more centralised intelligence agencies like the national Computer Emergency Response Team (CERT) based out of the Australian Cyber Security Centre and the civilian-run AusCERT. In 2017, Frank Smith and Graham Ingram addressed trust poignantly in stating that ‘the CERT community appears to have lacked the authority and funding needed to institutionalise trust – and thus depersonalise or professionalise it – enough to grow at scale’[11]. Trust between organisations, as well as between practitioners and the technology available to them, underpins the development of a robust and timely cyber security capability[12]. Without robust information sharing and clear lanes of responsibility, failure will occur.
Attribution requires political will but competition in the cyber domain remains somewhat nebulous in its strategic conceptualisation, which constrains meaningful responses. If cyber war remains undefined, how do we know if we are in one or not[13]? Conceptualisation of the grey-zone as on the periphery of power competition, instead of at the centre of power competition itself, similarly confuses response thresholds and dampens political will. In 2016, James K. Wither stated that although information operations are non-kinetic, ‘the aim of their use remains Clausewitzian, that is to compel an opponent to bend to China’s will’[14]. Wither develops this point, arguing that within a rivalry dynamic where an ideological battle is also present, revisionist states wage hybrid warfare against the West ‘where, to reverse Clausewitz, peace is essentially a continuation of war by other means’[15]. Adopting this mindset is key to building political will, thus improving attribution external to technical capability.
Finally, it is best to acknowledge Australia’s geopolitical environment may make attribution a less preferable course of action, even if a robust case is made. Foreign Minister Payne has stated that Australia ‘publicly attributes cyber incidents’ only ‘when it is in our interest to do so’[16]. Until attribution is tied to concrete consequences for the perpetrator, Canberra’s strategic calculus is likely to weigh potential Chinese economic and diplomatic retaliation as heavier than any potential benefits of making an official attribution. Nevertheless, it creates more options if Canberra possesses rapid and robust attribution capabilities, combined with political will to use them, to compete more effectively under the threshold of war.
Endnotes:
[1] Chiacu, D., & Holland, S. (2021, July 19). U.S. and allies accuse China of global hacking spree. Retrieved from https://www.reuters.com/technology/us-allies-accuse-china-global-cyber-hacking-campaign-2021-07-19/
[2] Packham, C. (2020, June 18). Australia sees China as main suspect in state-based cyberattacks, sources say. Retrieved from https://www.reuters.com/article/us-australia-cyber-idUSKBN23P3T5
[3] Greene, A. (2021, March 17). China suspected of cyber attack on WA Parliament during state election. Retrieved from https://www.abc.net.au/news/2021-03-17/wa-parliament-targeted-cyber-attack/13253926
[4] Liang, Q., & Xiangsui, W. (1999). Unrestricted warfare. Beijing, CN: PLA Literature and Arts Publishing House Arts. https://www.c4i.org/unrestricted.pdf
[5] Raska, M. (2015). Hybrid Warfare with Chinese Characteristics. (RSIS Commentaries, No. 262). RSIS Commentaries. Singapore: Nanyang Technological University. https://hdl.handle.net/10356/82086 p.1.
[6] Liang, Q., & Xiangsui, W. (1999). Unrestricted warfare. Beijing, CN: PLA Literature and Arts Publishing House Arts. https://www.c4i.org/unrestricted.pdf p.27.
[7] Rid, T., & Buchanan, B. (2014). Attributing Cyber Attacks. Journal of Strategic Studies, 38(1-2), 4-37. doi:10.1080/01402390.2014.977382 p.27.
[8] Smith, F., & Ingram, G. (2017). Organising cyber security in Australia and beyond. Australian Journal of International Affairs, 71(6), 642-660. doi:10.1080/10357718.2017.1320972 p.10.
[9] Joiner, K. F. (2017). How Australia can catch up to U.S. cyber resilience by understanding that cyber survivability test and evaluation drives defense investment. Information Security Journal: A Global Perspective, 26(2), 74-84. doi:10.1080/19393555.2017.1293198 p.1.
[10] Mcclain, J., Silva, A., Emmanuel, G., Anderson, B., Nauer, K., Abbott, R., & Forsythe, C. (2015). Human Performance Factors in Cyber Security Forensic Analysis. Procedia Manufacturing, 3, 5301-5307. doi:10.1016/j.promfg.2015.07.621 p.5306.
[11] Smith, F., & Ingram, G. (2017). Organising cyber security in Australia and beyond. Australian Journal of International Affairs, 71(6), 642-660. doi:10.1080/10357718.2017.1320972 p.14.
[12] Robinson, M., Jones, K., & Janicke, H. (2015). Cyber warfare: Issues and challenges. Computers & Security, 49, 70-94. doi:10.1016/j.cose.2014.11.007 p.48.
[13] Ibid, p.12.
[14] Wither, J. K. (2016). Making Sense of Hybrid Warfare. Connections: The Quarterly Journal, 15(2), 73-87. doi:10.11610/connections.15.2.06 p.78.
[15] Ibid, p.79.
[16] Payne, M. (2018, December 21). Attribution of Chinese cyber-enabled commercial intellectual property theft. Retrieved from https://www.foreignminister.gov.au/minister/marise-payne/media-release/attribution-chinese-cyber-enabled-commercial-intellectual-property-theft