Prime Minister Malcolm Turnbull’s announcement last year that Australia has the capability to conduct cyberattacks came as no surprise to regular observers of the Australian Defence scene. Recent Defence White Papers mentioned cyber warfare, even if only as something to be defended against, and the ADF added the use of offensive information operations (a polite term for cyberattacks) to its own doctrine in late 2013.
Just how our military and bureaucratic decision makers intend to use cyberattacks in the defence of Australia and its interests is, like many defence and intelligence matters, discussed little outside of the national security community. This lack of public scrutiny increases the likelihood that cyberattack policies will be developed with a short-term mindset.
What are cyberattacks? As a relatively new form of warfare, there is a lack of agreement on the answer to this. To some, a cyberattack is an attempt to enter a network not owned by the ‘trespasser’. For others, it is the act of entering a network to view or collect information. For decades, countering espionage has been the raison d’etre of organisations such as the Australian Signals Directorate (ASD). More sinister perhaps are cyberattacks that enter a network to manipulate the information within. The effects of this can harm an adversary, by way of creating confusion, shaping opinion (foreign and domestic) and disrupting data and services.
The aim of these cyberattacks is to introduce uncertainty in the minds of decision makers and cause them to become hesitant or make mistakes. At the extreme, effects can be physical destruction that could be considered an armed attack or use of force.
To plan and conduct cyberattacks there are several concepts to be aware of.
Concept One: Ensure your cyberattacks will have a meaningful effect. In 2007, following the decision to move a statue commemorating Russia’s role in the Second World War, Estonia experienced several weeks of cyberattacks. These attacks (blamed on Russia) disabled their internet connectivity, including the country’s banking system, and created concern amongst Estonian decision makers.
Similarly, before and during the Russian invasion of Georgia in 2008, the country was the target of cyberattacks, also blamed on Russia. But the effects of these cyberattacks did not extend beyond the symbolic, such as defacing the website of the Georgian President and limiting access to government websites.