Nation-state cyberattacks go on despite treaties. Is public blame an answer?

As nation-state actors target “off-limits” healthcare organisations, Australia’s cyber ambassador wants international peers and companies together to “squeeze their operating space” by bolstering defences and naming the attackers.


Finger-pointing may seem only tangentially relevant when a CISO is working to ramp up and execute an effective cybersecurity response—but with many nation-states still less than committed to evolving international norms, Australia’s chief cybersecurity negotiator has said that attribution has become more important than ever in protecting common national interests.

Despite progress years ago that had pushed towards a United Nations consensus that international law applies equally online—including the formalisation of 11 norms of “responsible state behaviour in cyberspace”—Tobias Feakin, Australia’s ambassador for Cyber Affairs and Critical Technology, warned that some countries had been less dedicated to upholding those norms than others.

“The problem we have is that many countries—and some countries in particular that we’ve been dealing with—whilst signing these agreements and agreeing to them, have not been willing to agree to the letter of what they’ve signed up to,” Feakin told the recent AISA CyberCon 2021 conference in Canberra.

“So, we’ve been going through processes of trying to ensure that we’re squeezing their operating space, publicly attributing and trying to deter our adversaries from feeling such freedom to operate.”

The Australian government’s careful approach to attacker attribution

At a national level, however, publicly blaming another country’s government requires both evidence and political tact—which have been present in varying measures over the past year as large Australian businesses and government agencies stumbled from one cybercriminal attack to another.

Despite Prime Minister Scott Morrison’s refusal to name the “sophisticated state-based actor” he said was attacking government and industry, the cybersecurity industry wasted no time filling in the blanks—and has done so each time another high-profile breach is reported.

The recent attacks on Nine Network, for example, were variously blamed on China, Russia, and North Korea by security practitioners even as the government’s Australian Cyber Security Centre (ACSC) remained tight-lipped. “At the moment, our entire focus is on trying to identify what the point of entry was, closing that down, ensuring the actor is out, and then getting the systems up and running again,” ACSC head Abigail Bradshaw told ABC Radio National in the wake of the Nine attack.

Noting that it was still “early days” and reiterating the importance of “very careful forensic analysis” to understand the particular tactics, techniques, and procedures used in the attack, Bradshaw said, “what we have seen is a large conflation of cyberattacks as if they’re all homogenous—and they’re not.”

She added, “Analysis on who did what is a much lower priority. My experience is that there are different actors which will use those particular methods.”

Going too far? Nation-state cyberattacks target the healthcare sector

Even as government sources remain circumspect about naming names, Feakin said, the growing online boldness of many nation-states during the last year of the pandemic had seen many cybercriminals “capitalise on this environment and mask their activity through a COVID-19 fog”.

“Some state-based actors are actively now targeting health-sector organisations around the world to try and understand a various array of needs” such as intellectual property around vaccine development.

“Health infrastructure, as far as we’re concerned as a government, should be out of bounds,” Feakin said, “and it’s certainly something that we’ve raised through various multilateral channels, including the UN.”

Yet healthcare organisations, CrowdStrike’s recent 2021 Global Threat Report noted, took the brunt of a surge in global cybercriminal activity last year that brought 19 new cybercrime groups onto the company’s radar—increasing the total number to 149—and saw 18 ‘Big Game’ strains of ransomware infect 104 healthcare organisations worldwide last year alone.

China-linked cybercriminal groups are focusing on compromising national supply chains in academia, healthcare, technology, manufacturing, and aerospace, CrowdStrike concluded, while North Korean firms are “motivated to enhance cyber operations in 2021” to counter food shortages due to COVID-19’s disruption.

Yet while blaming a nation-state may be a reflexive action, it’s important to remember there are other attackers: a recent wave of attacks on French hospitals, for example, was blamed on organised crime groups rather than nation-state actors.

Time for governments and industry together to ‘draw the line’ on cyberattackers

Ultimately, regardless of which organisations are responsible, “organisations must take decisive action to control access and protect data in order to outmanoeuvre adversaries,” said CrowdStrike senior vice president of intelligence Adam Meyers, even as the firm noted that “adversary groups, and methods for defending against their [tactics, techniques, and procedures], will be a primary focus in 2021”.

Yet even as company CISOs focus on keeping the lights on amidst an avalanche of cybercriminal attacks, Feakin said higher-level efforts were uniting like-minded international governments and engaging private-sector organisations as partners in efforts to draw a line. “To see that states and others are looking to exploit that environment is something that we think is pretty apparent and needs to be challenged,” he said.

Yet despite growing consensus that action needs to be taken, he said, “often I get stuck in conversations with countries where they say, ‘We weren’t in the room when these things were signed, so we’re not quite sure that they apply to us’.”

Greater co-operation across government and industry, with its many multinational ties, would help address these ambiguities, Feakin said. UN negotiations are “something that probably seems quite distant from the everyday work that [security professionals] do,” Feakin said, “but some of the most recent attack patterns equally affect the private sector as much as they do the government—and that means we need to be working in partnership to respond to these kinds of incidents.”

Industry groups should engage with work by cybersecurity standards bodies, for example, as well as working with the Australian government on regional development projects that will help drive broader consensus. “If we can think about values from the start in the way that technology is developed,” he said, “it will play directly into what kind of technology environment we end up with. There has been progress, but we need to make more.”

Copyright © 2021 IDG Communications, Inc.
