Why the Current Cyber Attacks in Australia highlight the Global Information Sharing Crisis in Cybersecurity
On June 19, 2020, the Australian Prime Minister, Scott Morrison, came out with an announcement. He said that Australia is under a massive cyberattack from an undisclosed state actor. This announcement sparked many debates. Let us unpack what was actually said: (i) recently, Australia experienced a series of organised attacks; (ii) the attacks were orchestrated by "a sophisticated state-based actor"; (iii) the attacks targeted Australian organisations.
The reactions to this news were diverse. Some people raised concerns about the level of transparency and argued that the state actor in question should be named. Others speculated that there is no point in disclosing the adversary, as there is a high likelihood that it was either China, Russia, or North Korea. A third group insisted that each organisation and individual needs to take the warning constructively, concentrate on the problem at hand and implement extra cyber security measures instead of trying to second-guess the attribution. A fourth group argued that it was impossible to effectively protect cyber assets without knowing where the threat is coming from. I also heard the view that "these are Australian internal problems, not of interest to the global community", which I suspect represents the fifth point of view. I am sure there are many others. I know that within the frame of this post I am not going to resolve the differences between these groups. Yet, several things are clear.
It is clear that we are now in a state of crisis. But this crisis is not a cybersecurity crisis and it is not "just an Australian crisis". It is a global crisis. And this crisis stems from the information sharing disconnect between governments, businesses, law, law enforcement agencies, and citizens. And it will not go away until we develop appropriate avenues to share information about cybersecurity and cyber threats effectively.
Why Attribution Argument Is Secondary to Information Sharing Argument
Was it the right thing for the Prime Minister of Australia to warn the community of the threat, and if so, should he have gone an extra mile to disclose the attribution? There is no easy answer to this question. There are several reasons for this:
1. Attribution in cybersecurity is very difficult: People who work in cybersecurity understand very well what it takes to attribute a cyberattack to a particular adversary. They also understand what it takes to collect proof which will be acceptable in a court of law. Yes, we do have entry points, VPNs, and other forensic evidence, which we are sometimes able to gather while the attack is in progress, and we can sometimes scrape together additional evidence from the Dark Web. So, in the best-case scenario we have the digital footprint. Yet, it is not like we are dealing with fingerprints. Even when we talk about individuals, it is challenging to collect evidence that someone is engaging in hacking or cybercriminal activity. Also, in this case, you at least have an opportunity to potentially get to their computer and find some traces there. However, when we are talking about state actors, it is next to impossible to gather "undeniable" proof.
2. Attribution does not help: Even if you have proof of a state actor's wrongdoing, there are very limited options when it comes to doing something about it. We know that in physical spaces state-actor attribution is not always helpful. You might remember a recent case, when two tourists went to see Salisbury cathedral in the UK and what consequences this visit had. In that situation, there was physical evidence, video footage, etc. Yet, even then the best thing the Prime Minister of the UK (at the time it was Theresa May) could do was to publicly lay out allegations against the country that was believed to be behind the attack. And what happened as a result? The state in question simply denied any wrongdoing. If this can happen in the physical space, you can only imagine how easy it is to deny anything that happens in cyberspace. At the moment, we have no way to enforce international cybersecurity: we simply do not have institutions that would be able to deal with this. In this situation, game-theoretically, it is probably the dominant strategy to make some sort of public announcement, but this announcement is not directed at internal organisations or individuals. Rather, it is directed at the adversarial state in question as well as the international community.
3. Information may hurt: As an academic, I am a great supporter of open source, transparency, and full disclosure. I am also a firm believer that information is instrumental in enabling us to solve problems. Yet, as someone who does research in cybersecurity, I always ask whether what I put out there as a piece of research can actually be used by adversaries. This is a very sensitive issue and a very difficult balancing act. Sometimes what may seem a completely benign piece of code may, in the wrong hands, become a very dangerous tool. Think of the Farooq Alvi brothers, who wrote the Brain virus to stop piracy, yet, in the end, they equipped many generations of cybercriminals with a very dangerous tool. Attribution information might also be very damaging when shared in ways that are not well thought through. For example, in attribution we can often get to money mules in the cybercriminal ecosystems, but not to masterminds. Essentially, disclosing information about the known part of the ecosystem may completely jeopardise tracing the crime all the way to the organisers and masterminds. So, not all information about cybersecurity can and should be in the public domain. But what should be and who determines this? That's the big question.
4. It is about information sharing: With all these debates about whether the cyber adversary of Australia should be named or should remain anonymous, we are missing the point. The problem is that we do not have any systems or processes that would enable us to effectively share information and protect ourselves from constantly emerging threats. Information sharing is one of the most important problems preventing state-business-citizen ecosystems from collaborating on building secure and safe cyber spaces, thereby offering significant advantages to adversaries who, unlike us, excel in information and intelligence exchange. This concerns relationships between governments and businesses, governments and citizens, between businesses, within organisational structures, as well as communication between businesses and customers.
Obviously, there are many ways in which different tools and methodologies can contribute to solving the problem. To concentrate on behavioural science, it can contribute to the improvement of information sharing by understanding information flows through the prism of behavioural theories; modelling risk associated with information sharing; and developing algorithmic solutions for information sharing rooted in behavioural science models. Yet, for the purposes of this short review, the most obvious application of behavioural science we can mention relates to ways in which behavioural segmentation can contribute to solving the information sharing problem.
Behavioural segmentation is a simple approach used to group individuals or organisations into “types” according to a menu of common behavioural characteristics, and then to use these “types” to (i) predict; (ii) understand; and (iii) influence a wide range of behavioural outcomes. Behavioural segmentation can contribute to optimising information sharing behaviour in the government-to-business, business-to-business, within-business, and business-to-individual layers.
The current Australian cyberattacks case highlights issues around information sharing at multiple levels. What chance of succeeding against adversaries do we have, if we cannot even design appropriate ways of communication? It would seem that if we do not use the current situation as an excuse to improve things for the future, it will be (yet another) missed opportunity. This missed opportunity will have global consequences.