News

Go back

The Borderless World of Cyberspace

Published 15 Sep 2024

On Tuesday 10 September, the current interns at AIIA NSW debated the proposition that ‘It is in Australia’s best interest to prioritise “offensive” cyber measures over “defensive” measures in the current threat environment.’

 The affirmative team – Singithi Herath, Matthew McKelvie and Numan Mousa – took as their starting point the severe problems being caused to Australian individuals, institutions and government by cyber attacks. These were affecting community health, government security and financial stability. For this reason, an “offensive”, proactive approach was needed. Lowy Institute polling had demonstrated that the Australian public viewed cyber crime as a major threat. Action needed to be taken before this became a cause of community division and doubt.

Despite growing awareness of the problem, cyber crime continued to be high. The current “defensive” response was inherently reactive and was not sufficient to obstruct and deter the threat. There had been too many instances of bits and bytes disappearing into cyber space while Australian defence authorities were planning their reactions. What was needed was preemptive action. This need not be escalatory; it was not warfare.

A more assertive approach, as well as serving Australian interests, would be welcome to our regional neighbours. An “offensive” approach to cyber security would be coordinated with our allies and compliant with international standards of behaviour. It would not be targeted at other countries, but at criminal actors wherever they are. This offensive response to cyber crime would be proportional, legal and ethical. It would depend on intelligence gathering and agile, proactive responses. It would include increased community awareness and education. Individuals’ rights would not suffer: the target would be illicit networks which are putting at risk everything that the Australian community has achieved.

The negative team – Jacob Sukiennik, Paloma Hawkins and Ethan Pooley – argued that it would not be in Australia’s interests to adopt an “offensive” approach to cyber security: such an approach would not be proactive, but provocative. This could result in increased insecurity by provoking a belligerent, confrontational reaction from potential cyber criminals. The range of defensive possibilities was considerable. What was important was picking the right priorities and adopting a considered, preventive, prophylactic approach to forestalling breaches.

Australia had a crucial role to play in international cyber diplomacy, avoiding an offensive approach which risked resulting in further attacks. There was a parallel with the US/Israeli attacks on Iran’s nuclear facilities in 2013 which had provoked retaliatory attacks by Iran on international financial institutions. Similarly, attempts by Ukraine in 2017 to counteract Russian cyber attacks had provoked Russian responses which had caused worldwide disruption.

A key dilemma with an offensive approach was the problem of attribution: who could be identified as actors? An offensive, aggressive approach risked punching into the dark. A defensive approach, based on cyber hygiene and a readiness to take meaningful action – for example, by fortifying systems and giving leadership in international cooperation to protect critical infrastructures – was the productive path to follow. An offensive, combative, escalatory approach to cyber security would be disproportionate and unrealistic. Resources would be better devoted to defensive action by Australia as a middle power in accordance with prevailing international norms. The Australian people’s preference was for a defensive approach, not attack.

In his adjudication Dr Thom Dixon, AIIA NSW vice president, praised the considerable work each team had put into defining such concepts as national interest and the meanings of “offensive” and “defensive” in the cyber security context. The outcome of the debate had come down to the extent to which each side had tested the other’s propositions in these regards. The affirmative case had made substantial points in favour of their arguments (including deft use of the Optus case, in which they had suggested greater preparedness would have made for a better outcome) and the negative team had not fully contested these claims. Dr Dixon thanked all the participants for their presentations but awarded victory to the affirmative team.

 Questions from the audience tested elements of both cases. In response to a suggestion that “offensive” cyber actors tend to undermine operating within a rules-based international order, the negative team argued that it was possible for Australia to leverage that framework to establish norms in the “wild west of cyberspace”. On the question of cyber regulation in international law, the affirmative team highlighted the promises and limitations of the Convention on Cybercrime (the Budapest Convention), adopted by the Council of Europe in 2001, which now has almost 100 parties and signatories, though these do not include China, Russia or India. It remained to be seen how the Budapest Convention could respond to the complex and evolving threat of cyber insecurity: there were few examples of the Convention being successfully invoked, arguably due to the issue of attribution raised throughout the debate.

 

 

AIIA NSW interns July-December 2024
(from left) Jacob, Matt, Paloma, Singithi, Numan and Ethan