Image courtesy of TheDigitalArtist/Pixabay.
On April 7, the Australian Minister of Defense acknowledged – for the first time ever – that the Australian Signals Directorate (ASD) used its offensive cyber capabilities to disrupt foreign cybercriminal infrastructure responsible for malicious cyber activities exploiting the COVID-19 pandemic.1 While details on the operation are sparse, what we do know is that ASD “stopped the criminals from accessing their own systems and prevented them from accessing information they stole.”2 What we do not know is the how, the where, the when, and what exactly triggered ASD into action.
Given the absence of these details, many cybersecurity researchers were initially skeptical about whether the Minister of Defence actually understood what she was saying. The skepticism was further reinforced by the almost non-existing media coverage of the statement and the non-reaction from other governments.
In hindsight, the Minister’s statement included all the right language to bring the message clearly across. It also perfectly aligned with Australia’s interpretation of the due diligence principle under international law and the ASD’s mission “to prevent and disrupt, by electronic or similar means, cybercrime is undertaken by people or organizations outside Australia,” as outlined in the Intelligence Service Act.3 But the ASD’s conduct was far from business as usual.
There are essentially two lines of thought on leveraging offensive cyber operations against cybercriminals amidst a pandemic.
The first line of thought puts cybercriminal conduct in the national defense box. Meaning, threats to the national health care system have to be eliminated rapidly and forcefully – ideally before criminals have their tooling in place to execute their malicious campaign. This thinking essentially applies the concept of persistent engagement/defending forward – as practiced by US Cyber Command since 2018 as a means to create friction within nation state actors and terrorist groups alike – to the cybercriminal sphere.4 Curiously though, US Cyber Command has not expanded its mission profile to include cybercrime yet – at least officially. A letter sent on April 20 by a bipartisan group of US Senators to Cyber Command and the Department of Homeland Security might change this calculus, as it urges both agencies to “evaluate further necessary action to defend forward in order to detect and deter attempts to intrude, exploit, and interfere with the healthcare, public health, and research sectors.”5
The second line of thought encompasses two boxes. The signal intelligence box is supporting national defense, and the law enforcement box fights cybercriminal conduct. While there are significant overlaps between both boxes – including intelligence agencies sitting on criminal infrastructure to collected information – they are kept separate for a reason.
Imagine for a moment you were the Head of the Dutch National High-Tech Crime Unit. For weeks you have been closely cooperating with your US and European counterparts on taking down a notorious cybercriminal group. You only need a few more weeks to accumulate enough evidence to legally kickstart a coordinated campaign that would lead to the simultaneous arrest of 30+ suspects across the globe. Then, out of nowhere, the infrastructure that you have been surveilling gets taken out. Files are encrypted, data is deleted, passwords do not work anymore, and suspects start to vanish. Two days later, the Chinese Ministry of Foreign Affairs announces to the world that the Ministry of State Security took out cybercriminal infrastructure across Europe and North American that persistently targeted Chinese citizens amidst the severe economic downturn in the aftermath of COVID-19. The Ministry further explains that European and US law enforcement agencies were contacted, but that “they were too slow to take decisive action.” Given this unresponsiveness, Beijing took matters into their own hands.
The crux of the matter is this: if the intelligence box interferes with the law enforcement box, the lines between domestic and foreign start to blur, notions of sovereignty start to evaporate, and offensive cyber capabilities – rather than arresting criminals – become a valid solution to every cybercriminal problem emanating from abroad. For better or for worse, the second line of thought does not want such a scenario to occur. You can call it the ‘multilateral way’ – as it emphasizes law enforcement cooperation and deconfliction, diplomatic solutions, and apprehension toward persistent engagement/defending forward and the use of offensive cyber capabilities.
So, what are the positions of governments around the world on the ASD’s unprecedented conduct? I asked 25 Ministries of Foreign Affairs and a few responded.6 The replies had three themes in common. First, governments were aware of the ASD’s conduct. Second, they expressed concern over cybercriminals using the COVID-19 crisis for malicious purposes. And third, they viewed the ASD’s action as Australia’s sovereign decision in line with their own interpretation of international law applicable to cyberspace. Curiously, the Estonian MFA was the only one that highlighted that “more attention should be paid to international cooperation to fight cybercrime” and specifically pointed out the ongoing discussions on the 2nd Additional Protocol of the Budapest Convention on Cybercrime.7
In sum, if the multilateral way exists and is supposed to survive in the post-COVID-19 world, then governments need to be vocal about their own efforts, their own red lines, and how many boxes they feel comfortable living with. Meaning, out of the 27 EU member states, only a handful maintain offensive cyber capabilities, and so far, all of them have shied away from even having the appearance of a political discussion on using offensive capabilities against cybercriminal infrastructure abroad. Yet those same governments are endorsing the ASD’s conduct as a legitimate mean under international law – something they refuse for themselves and would vocally oppose if China or Russia were to conduct them. Since 2018, EU member states have been struggling to find an answer to persistent engagement as exercised by US Cyber Command. Staying silent this time around may prove fatal to the ‘multilateral way’ in the long run.
3 https://www.dfat.gov.au/sites/default/files/application-of-international-law-to-cyberspace.pdf, p. 2; https://www.legislation.gov.au/Details/C2020C00029, Section 7 (c)
6 The inquiry was sent to 25 MFAs. At the time of writing, only the German MFA, International Cyber Policy Coordination Staff, Danish MFA, Cyber Coordinator, EEAS, Cyber Policy Sector, Estonian MFA, Ambassador at Large for Cyber Diplomacy, have responded with an answer. The US State Department’s Office of the Coordinator for Cyber Issues directed me to the DoD. And both the Swiss EDA and Dutch MFA are still working on an answer. None of the other MFAs responded despite follow-up.
The inquiry was also sent to the four other Five Eyes intelligence agencies – which all declined to comment. As well as 3 law enforcement agencies (FBI, UK NCA, German BKA). The FBI did not reply, and both the NCA and BKA have a policy in place not to comment on foreign government activities.
7 Email response received on April 20, 2020
Stefan Soesanto is a Senior Researcher in the Cyber Defense Team at the Center for Security Studies (CSS) at ETH Zurich.
For more information on issues and events that shape our world, please visit the CSS website.