Australia: We've Never Experienced a CyberattackConfused? It Comes Down to a Relatively Narrow Definition of the Term
Australia's latest report on its cybersecurity stance contains intriguing wording that seeks to clarify what it believes constitutes a cyberattack and why the government believes it has never actually experienced one.
To be sure, describing computer security incidents - especially in the context of international law - has been a difficult proposition. Reaching a consensus on defining such terms as cyberwarfare, cyberweapons and cyberterrorism has proven difficult.
"Fortunately, Australia still has not been subjected to malicious cyber activity that could constitute a cyber attack as defined."
Classifying cyber incidents accurately is incredibly important, especially if a country decides to take retributive action against another. The issue of vocabulary is so important that a cybersecurity research center run by NATO in Estonia has published a manual with no fewer than 50 terms with the prefix "cyber" in an attempt to reach agreement.
"There are no common definitions for cyber terms," according to a preface to the guide. "They are understood to mean different things by different nations/organizations, despite prevalence in mainstream media and in national and international organizational statements."
What's a Cyberatttack?
On Oct. 12, the Australian Cyber Security Centre released its second-ever report on threats facing the country. It expends considerable effort in the first few pages to take umbrage at how people describe what I'll now just refer to as cyber incidents.
The ACSC says that in order for the public to have a more mature discussion, "it is important that we get the language right - calling every incident a 'hack' or 'attack' is not helpful for a proportionate understanding of the range of threats and only promotes sensationalism."
Cybersecurity isn't an easy subject to cover, and the closer you follow it, the harder it can be to convey situations, particularly to people with less technical knowledge. Was a person's Twitter account "hacked" if someone else logs in with a victim's login credentials? To a layperson, that description might be fine, but those in the industry know that guessing someone's login credentials or convincing them to divulging the information is more trick than hack.
In 2011, Australia defined a cyberattack "as a deliberate act through cyberspace to manipulate, disrupt, deny, degrade or destroy computers or networks, or the information resident on them, with the effect of seriously compromising national security, stability or economic prosperity." That weighty definition underpins a treaty between the U.S. and Australia.
"Fortunately, Australia still has not been subjected to malicious cyber activity that could constitute a cyberattack as defined," the report reads.
Deeper into the report, the ACSC gives the most detailed information released so far about a cybersecurity incident that occurred last year at the Bureau of Meteorology. It apparently does not constitute a cyberattack.
Suspicious activity was detected on two computers, and an investigation by the Australian Signals Directorate showed a remote access tool had been installed. The report says the particular RAT is "popular with state-sponsored cyber activities."
The attackers had copied an unknown number of documents from bureau. The discovery of password-dumping tools led the ASD to conclude that "all passwords on the bureau's network were already compromised at the time of the investigation." It was speculated, though never confirmed, that China was involved.
The report doesn't get into the intent of Bureau of Meteorology hackers, which according to the second half of the government's definition would likely tip opinions in favor of labeling that incident a cyberattack.
But trying to classify cyber incidents wanders into the same squishy territory faced by U.S. Supreme Court Justice Potter Stewart in 1964. When he was grappling with a free speech case over what constituted obscene material that would not be protected by the Constitution, he offered the famous phrase, "I know it when I see it."
The ACSC also takes issue with the way the news media described the distributed denial-of-service attacks that resulted in the disruption of the Australian government's census on Aug. 9. The census, which the Australian Bureau of Statistics had encouraged people to fill out online that day, had to be taken offline following fears that the DDoS attacks might be a warm-up to a larger data breach. Further investigation showed no data had been leaked (see Australian Census Disrupted by DDoS).
"This incident was initially described in some media reporting as being the result of a 'foreign cyberattack' - a description that led to a heightened sense of threat and risk, increased concerns from the public about the security of their personal information and triggered media speculation about nation state motivations, tradecraft and the possibility of further 'attacks'," the report reads.
Keep in mind that in the immediate aftermath of the census failure, the ABS's chief, David W. Kalisch, described the DDoS attacks in an interview as intended to disrupt the census and originating from overseas.
Journalists often defend stories that may not, in retrospect, have had the right tone as the first rough draft of history. But there were undeniably real concerns over the safety of census data, which were also particularly relevant following a fierce debate over changes the ABS made to how it stores data. It also wasn't far-fetched to speculate that a foreign government might be interested in a chance to collect the personal data of 23 million people submitted online through a web-based form.
Unfortunately, the ACSC doesn't offer suggestions for better terminology relating to cybersecurity. But we'll keep an eye out for the first "cyberattack" in Australia that meets the government's current definition.