New laws that would allow the Australian government to step in and mount cyber counter-attacks on behalf of Australian companies can’t come soon enough, security experts say.
Last week, The Australian Financial Review reported that the Morrison government was drafting laws that would permit cyber-intelligence agencies such as the Australian Signals Directorate to intervene on behalf of critical infrastructure providers should they come under cyber attack from overseas.
The government can’t currently act on behalf of Australian companies to prevent a cyber “Pearl Harbour” scenario, even though the companies themselves are also prohibited from mounting the cyber counter-offensives that experts say should form a crucial part of Australia’s cyber defence systems.
Tim Wellsmore, director of government security programs at cybersecurity company FireEye, said that every year the government delays making a concerted effort to protect critical infrastructure providers is “another tens of billions of dollars leaving the Australian economy” – so great is the level of attack Australia is under.
“Something has to be done,” Mr Wellsmore said. “Whatever is being done now isn’t working.”
Laws to allow intelligence agencies to hack back against overseas threats on behalf of Australian companies “should have come in yesterday”, said Mr Wellsmore, who spent 23 years with government cyber security agencies before switching to the private sector.
Government agencies wouldn’t have adequate resources to address all of the cyber security threats facing the Australian economy. The government would need to work closely with the private sector to first scope out the size of the cyber threat, Mr Wellsmore said, then prioritise what should be done about it.
“Offensive measures are certainly the remit of government, but the size and scope of the problem can’t be managed by government alone,” he said.
Professor Matt Warren, deputy director of the Deakin University Centre for Cyber Security Research and Innovation, said that only government agencies should be allowed to mount cyber counter-offensives. Often, he argued, only such agencies were capable of the “cyber attribution” that has to take place before counter measures can be launched.
Cyber attacks were often launched via unwitting third parties, so it was important to use the Australian and overseas intelligence communities to get to the real source of an attack before launching a counter attack.
“It should be in the realm of government. It acts as a deterrent for state-sponsored hackers, so they know they can’t just attack systems in Australia and think there won’t be any consequences,” he said.
“The Australian government has a duty of care to protect all of Australia, including our citizens, including our corporations,” Professor Warren said. Laws permitting the government to hack back against overseas threats would be in line with what the US government is already doing, he said.
Nick Abrahams, global head of technology and innovation at the law firm Norton Rose Fulbright, said it was important that the government stepped up and helped industry against cyber offensives.
“A lot of the malware that’s coming through now is incredibly sophisticated and it’s clearly being targeted by state actors,” he said.
“If the government has checks and balances in place, if it can’t act without having due process, cyber warfare should be on an equal footing to traditional warfare, and so government has a role to play.”
Even so, there were plenty of legal issues that would need to be addressed before the government stepped in to defend Australian companies.
“At what level do we move from it being an individual organisation’s obligation to defend itself, to the government stepping in and regarding it as a matter that’s akin to military defence?” Mr Abrahams asked.
John Davidson is an award-winning columnist, reviewer, and senior writer based in Sydney and in the Digital Life Laboratories, from where he writes about personal technology.