Another day sees yet another announcement of a major cyber breach at a government agency, this time unfortunately on Australian soil at the Bureau of Meteorology (BoM).
While specific information about the attack has not been revealed, it bears all the hallmarks of Chinese cyber methods and harks back to the events of 2011 when Chinese intelligence agents maintained access to Parliamentary networks for up to a year. Australians should expect ongoing attacks and the continued exploitation of our sensitive networks and data until we establish clear and meaningful costs to deter the perpetrators.
China has long been accused of cyber attacks similar to that on the BoM by governments around the globe, and yet the attacks continue. But why would we expect that they might stop? Cyber espionage is a low cost, high return effort. China has yet to suffer any meaningful consequences for its global cyber adventurism while bolstering its intelligence apparatus and supporting military and economic growth with stolen data.
It is only recently that even the US has been successful in spurring any tangible response from the Chinese, albeit limited and largely dissatisfying. Regardless, the actions of the US, and more importantly the strategic and diplomatic thinking behind them, offer some useful lessons to inform Australian responses to China's ongoing, unacceptable cyber behaviour.
The primary driver behind China's overall security strategy, including its cyber strategy, is the longevity of the Chinese Communist Party (CCP), as my colleague Amy Chang made clear in a CNAS report last year. Australia therefore needs to find specific ways it could impose costs against the CCP for Chinese cyber adventurism. Such costs will need to be carefully calibrated so as not to unduly escalate tensions or negatively impact important Australian interests with China in trade and regional stability.
But Australia does possess some useful leverage.
In the first instance, the Australian Government should be particularly forthright in sharing detailed information (as much as security allows) to clearly attribute these attacks, both those that succeed and those we manage to repel. Hopefully, this is already occurring behind closed doors, but Australia should also consider making such attribution data painfully clear to all, or at least threaten to. As we have seen though, naming and shaming is often insufficient.
Based on strong attribution, Australia could take a further step, following the precedent set by the US, and indict Chinese Government representatives. The indictment of five PLA officers by the Department of Justice clearly upset the Chinese and resulted in the suspension of ongoing bilateral cyber discussions. But, a year later, the CCP has pledged not to engage in commercial cyber espionage and claims to have arrested the perpetrators of the Office of Personnel Management hack. The sincerity of some of those claims is certainly questionable, but it shows that the Chinese Government has changed its response behaviours and that counts as progress.
In addition to these initial efforts, Australia will need to develop and communicate stronger deterrent actions that escalate according to the severity of the cyber attack. For example, it could establish links between China's cyber behaviour and Australia's willingness to increase our military-to-military partnership or approve port leasing arrangements. Such links could be established all the way up to the potential reconsideration of aspects of our trade relationship, although, if not well considered, that would be a particularly significant and potentially self-damaging step.
Regardless of the specific costs Australia might seek to impose, the Australian Government needs to start considering an asymmetric deterrent strategy now (responding symmetrically to cyber attacks is rarely prudent, particularly against a nation state in possession of both a 'great firewall' and 'great cannon'). The planning exercise alone would be valuable, forcing a whole of government consideration of the true costs of cyber attacks and what steps we are truly willing to take to stop them. Openly discussing the types of costs we could impose for certain cyber attacks would in itself be a useful deterrent activity, with responses from China and others offering valuable insight into their strategic calculus. Most importantly, we need to develop a generation of government officials comfortable with using the tools of policy, strategy and diplomacy to ensure our cyber interests are an important element of our national interests.
Effective responses and cost imposition strategies to deter Chinese hacking, or that of any other nation, can only occur if we maintain a strong foundation of technical competence in both our cyber defences and attribution methods. Australia possesses capability in both of these areas on a whole of government basis and continues to invest in maturing technical capabilities. But no cyber defence is perfect and, even with strong technical measures in place, sophisticated adversaries will continue to gain access to our networks and data. Therefore, what we and many other nations require, and do not yet possess, is the ability to combine technical, strategic and diplomatic measures to effectively deter such actions in the first place. Until we do, keep watching the news for the next major cyber attack.