Australia’s fight against crime has just been militarised. The Australian Signals Directorate (ASD) has been directed to use its offensive cyber capabilities to “disrupt, degrade, deny, and deter” organised offshore cyber criminals, just as they’d do against foreign military targets or terrorist organisations.
“The recent WannaCry and Petya ransomware attacks have affected governments, businesses, and individuals around the world,” Prime Minister Malcolm Turnbull said on Friday. “Our response to criminal cyber threats should not just be defensive. We must take the fight to the criminals.”
Well Petya certainly caused disruption. Nearly a week later, FedEx’s TNT still can’t deliver freight to Australian businesses, telling ABC News only that they’re “making solid progress” on remediting their systems. In our just-in-time global economy, these supply chains disruptions hit hard.
Apple, for example, reportedly turns over inventory every five days. In 2014 Tim Cook, then chief operating officer and now chief executive officer, said that tech hardware deprecates fast, losing 1 to 2 percent of its value every week. That’s understandable. There’s nothing worse than having to wait a couple days for a new iPhone. You gotta keep that inventory moving.
Critical infrastructure is, by definition, critical to the nation’s economy. Destroying it can represent an existential threat to the nation’s survival, not just that of iPhone owners. But the boundaries between the government and private sectors are very blurry, especially in critical infrastructure operations like ports, telecommunications, power grids, and banking.
Did you know, for example, that when a Royal Australian Navy (RAN) warship visits a foreign port for fuel, food, and a healthy flush of the sewage systems, that’s organised by private-sector logistics companies? Here at home, our army bases are guarded by private security companies. And communications run over private-sector lines.
To defend this infrastructure with shared ownership, it makes sense to share responsibility for its defence.
Now consider Operation Chastise, the famous World War Two “Dam Busters” air raid on water and hydroelectric infrastructure in Germany’s industrialised Ruhr valley by the Royal Air Force. With three dams destroyed or damaged, and two hydroelectric power stations destroyed and several more damaged, that month’s coal production dropped by 400,000 tons. Production did not completely return to normal until four months later.
These days, we’d cyber an attack like that. Same economic disruption, but without killing 600 German workers, around 1000 mostly Soviet forced-labourers, and 600 civilians. And just as with the Dam Busters raid, we wouldn’t care one hoot that the targets were owned by the private sector.
Maybe last week’s Petya attacks were muscle-flexing to demonstrate the power to do an attack like this. Ukraine was the country hardest hit. Ukraine’s security agency, the SBU, has noted similarities to the presumed-Russian attacks on the nation’s power grid in December 2016. They’ve now alleged that the same hacking groups are involved, and that they’re really the Russian intelligence agencies. Russia has denied everything.
Meanwhile, consider what professor Greg Austin of the Australian Defence Force Academy (ADFA) said back in January 2016: Australia was badly lagging in its preparation for such medium intensity cyber-enabled war, and was ill-equipped for the rapid catch-up we needed to make.
I keep hearing that Australia, and by that I mean the ASD, punches above its weight in the cybers. We just lack the weight, and perhaps the effective concentration of the cyberpunch power we do have.
“Australia has also been reluctant to acknowledge the US doctrine of ‘prompt global strike’, a cyber-enabled military strategy,” Austin wrote.
Well, on Friday we also heard that the Australian Defence Force is establishing a new information warfare unit, to be launched within days. As ABC News reports: “It will be tasked with defending Australian military targets from cyber attacks and preparing to launch its own assaults on foreign forces.”
The most interesting aspect of Australia’s new cyber warfare unit for me isn’t the focus on cyber offence. It would be naive to think that the Australian military hasn’t had some sort of cyber offence capability for years, perhaps even back to the 1980s when these ideas started to be talked about.
No, the really interesting aspect is that when you combine these two stories, it appears to represent further blurring of the military-civilian boundary. We already have the RAN searching ships for contraband, and the army providing extra firepower when civilian law enforcement need it, sure. But this feels like something more.
Now when I hear about civilians working directly in military operations, I start thinking about it the other way around.
I think of the military becoming a critical part of commercial operations.
I think of private enterprises themselves being armed with weapons.
I think of the East India Company.
Founded in 1600, the East India Company was granted a monopoly on Britain’s trade with India. But the company’s real focus wasn’t trade, it was building an empire in India.
The company had its own army of 260,000 troops, twice the size of the British army, and a navy that included warships as well as heavily armed merchant ships. Between 1757 and 1858, parts of India were even governed under company rule. You can hear just how much this screwed up India in a recent History Hit podcast.
Here’s an interesting thought experiment.
Portugal has a gross domestic product (GDP) of $200 billion. Its navy has five frigates, seven corvettes, two submarines, and 28 patrol boats. Its air force has squadrons of F-16s and such. And its army numbers 21,000.
Google’s parent company Alphabet, to choose an obvious example, pulls in revenues of around $100 billion, so Google’s cyber armed forces could be … what?
Even if commercial organisations aren’t themselves militarised, the secrecy of tight integration with military operations can provide an opportunity to make lots and lots of money without clear oversight.
So you don’t think that starting down the path of cybering up the private sector could be a problem, even if it doesn’t directly involve Google cruising the cyberseas in their cybergalleons?
Well you just shut your big fat Halliburton.