Published daily by the Lowy Institute

When cyber defence involves attack: Issues for Australia

How do Australian businesses and corporations deal with unwanted intruders on their networks? Government needs to offer real remedies.

Photo by Flickr user Richard Patterson.

From hacks targeting our medical services and health providers and theft of personal information and credit cards, it seems we can’t go long without a crack appearing in Australia’s cyber-armour. Some days it feels like the Albanese government’s aim of being a world cybersecurity leader by 2030 is a bit ambitious and lacking the necessary muscle.

How far can companies and non-government organisations go to protect themselves from cyber threats? Groups like the Active Cyber Defence Alliance (a group the authors are affiliated with) and Telstra Purple have been calling for legal clarity around the notion of “active cyber defence”, which refers to the use of countermeasures by businesses and corporations to identify, slow down or hinder hackers in executing cyber attacks and malicious cyber activities.


These groups have long advocated for legal permission to use so-called “deception” tools – fake but convincing-looking computer networks, enticing documents booby-trapped with malware, and tracers to identify malicious cyber actors – to defend themselves. Yet despite growing calls in industry, the government is yet to properly fund or even consider the legality of active cyber defence in this country.

So, what is active cyber defence and is it legal?

Protecting your computer network is a bit like protecting your property from a break-in. In Australia, if someone breaks into your house, the law is murky on how you can respond. True, you can legally use force that is “reasonably necessary” to remove them. But the legal definition of what is reasonable isn’t fixed, so homeowners who go too far in restraining an intruder could face criminal charges. Queensland has recently proposed legislation to address this, which would “broaden the circumstances in which an individual can lawfully respond to a home invasion with such force that may result in grievous bodily harm or even death to the intruder”. Of course, if you don’t want to confront burglars or don’t feel safe doing so, you can always call the police – they are trained and equipped to deal with real-world offenders.

But what about in the online world? How do businesses and corporations deal with unwanted intruders on their networks and computers?

That legal position is even trickier. Technically, electronic data isn’t anyone’s “property”, so it can’t be protected in self-defence, either by you or a company on your behalf. If a company tries to protect your data and identifies a hacker in the process, they might be breaching Australia’s Privacy Act 1988 (an Act written 16 years before Facebook was invented!). And if the company tries to use cyber-tools to stop the hacker, the company might be charged with hacking offences.


There are other risks too. Businesses affected by a cyber-attack can’t always kick the attacker out by introducing more stringent access safeguards, as this would compromise their business. Police may not be able to help, especially if the hacker is in a country that doesn’t prosecute those offenders or even encourages malicious cyber-attacks. And businesses don’t always know who is attacking them online – it could be a teenager in a garage, an organised crime group, or even hackers working for a foreign government. Inadvertently or recklessly retaliating against the last of these could cause a diplomatic incident.

So really, all a company can do in Australia is report the incident to the Australian Cyber Security Centre and then wait for law enforcement and intelligence agencies to get to work. This is not a real remedy for a company whose business and livelihood is at risk. The lack of government cyber-defences leaves the private sector vulnerable and exposed to cyber-attacks which can finish them off financially, as the recent MediSecure example highlights. This company went into administration just weeks after a large-scale ransomware attack in May.

What can be done? The UK has offered active cyber defence as a free service under the banner of the National Cyber Security Centre for six years. The program is entirely transparent, and has already foiled some significant attempts to defraud ordinary Britons.

This is not a new idea. The Morrison government announced in 2020 around $12 million to provide for “active disruption options”. The Australian Strategic Policy Institute even published a report on what internet service providers could be doing better.

While Australia has done some legal work to fix up protections – most notably in the wake of the Optus data breach – it could be doing a lot more. First and foremost, Australia needs to clarify precisely what businesses are allowed to do to “actively” protect their cyber environments and the mountains of data they collect about Australians. That needs a concerted effort by the Attorney-General and the Home Affairs Minister to closely examine the laws inadvertently protecting hackers from retaliation.

The lack of legal clarity around protecting our critical infrastructure fosters unnecessary vulnerability and ambiguity. Cyber-criminals looking to compromise Australian national security are at less legal risk than the private organisations which set out to protect against those attacks. This has to change. It requires a more proactive response from government, including providing legal clarity on the use of countermeasures by the private sector.
