SPECIAL REPORT

April 2012 — Issue 46

ANZUS 2.0 Cybersecurity and –US relations

Papers by Andrew Davies, James Lewis, Jessica Herrera-Flanigan and James Mulvenon. Lydia Khalil, Visiting Fellow in ASPI’s National Security Program prepared the introduction and conclusion. Introduction conflict and maintenance of national security would also be within the cyber domain and At the 15 September 2011 AUSMIN talks in San that the ANZUS treaty could be invoked in Francisco, Australian and US officials took that context. advantage of the 60th anniversary of the signing of the ANZUS Treaty to announce the Yet the joint statement raised more questions alliance would now extend into cyberspace. It than it answered. What exactly are ‘mutual was the first time, outside of NATO, that two threats and challenges’ in cyberspace? What allies had formalised their joint cooperation type of cyberattack would qualify as one in cyberspace. that would ‘threaten the territorial integrity, political independence or security’ of either The then Foreign Minister Kevin Rudd, nation? Do Australia and the US view these Defence Minister Stephen Smith and their threats differently? What type of collaborative US counterparts, Secretary of State Hillary military response would be appropriate, given Clinton and Secretary of Defense Leon the difficulties of attribution in the cyber Panetta, issued a joint statement outlining domain? How do the respective governments this transformation of the alliance: define a cyberattack? What are the Mindful of our longstanding defense international cyber-norms that both countries relationship and the 1951 Security Treaty will promote? between Australia, , and In an effort to explore some of these issues, the of America (ANZUS ASPI convened a conference of Australian Treaty), our Governments share the view and American experts on 9 December 2011 that, in the event of a cyber attack that in Washington DC. We brought together a threatens the territorial integrity, political panel of experts from the defence, academic independence or security of either of our and scientific fields to discuss what this nations, Australia and the United States means for the future of conflict and defence would consult together and determine in cyberspace and how allies perceive and appropriate options to address the threat. respond to mutual threats.

This is a critically important evolution of the In this Special Report we’ve compiled papers ANZUS alliance. As more and more of our from Dr Andrew Davies, Director of ASPI’s lives are carried out on computer networks, Operations and Capability Program; Dr James it makes sense that the potential for future Lewis, Director and Senior Fellow, Technology 2 Special Report

and Public Policy Program at the Center for to Lewis’s assertion that many nations Strategic and International Studies; Jessica have adapted cybercapabilities into their Herrera-Flanigan, a former federal prosecutor military and intelligence portfolios and that and congressional adviser now working for cyberactions must be reviewed within the the Monument Policy Group; and Dr James framework of an ‘escalation matrix’. Mulvenon, a specialist on the Chinese military But there’s also agreement that very few and cyberwarfare who is the Vice-President of states are currently capable of creating Defense Group Inc. physical damage or serious disruption Two papers in the report deal with the through cyberattack. Many of those nations Australian and US perceptions of the are deterred from launching frivolous cyberthreat, written by Andrew Davies and cyberattacks and are unlikely to use James Lewis. Two others deal with legal and cyberattack techniques outside of a ‘regular’ military responses. Jessica Herrera-Flanigan armed conflict. writes of the legal and normative issues both In responding to cyberthreats, it’s equally countries must pay attention to and promote important to acknowledge the legal and in cyberspace. James Mulvenon articulates normative issues permeating cyberspace. how Australia and the US can respond Differences in domestic legal systems as allies. can hinder cooperative responses, and an In assessing the US and Australian perceptions agreement on international norms needs of the cyberthreat, it’s useful to highlight to be negotiated so that both countries can some of the similarities and differences. promote common interests effectively within Both countries see threats emanating from the international system. a wide variety of actors, from nation-states It’s equally important to note, as to hackers, and in many forms, from Herrera‑Flanigan points to in her paper, that cyberespionage to potential attacks on critical the effort of the US and its allies to define infrastructure. Both countries struggle with cybersecurity and norms in cyberspace how to define such threats and order their stands in contrast to the efforts of China and severity, but cyberwarfare or cyberattack in Russia to put forward their own competing pursuit of or within the confines of traditional paradigm. As she states, ‘underlying any war is seen as the highest order threat, more global effort to put together legal norms so than cyberespionage and cybercrime. This for cybersecurity is an inherent conflict is despite the fact that the latter two types between promoting internet liberty and of activity are currently the largest breaches assuring internet sovereignty.’ Although the in cybersecurity. Lewis makes the point that US seeks to promote an internet freedom cyberespionage, particularly by China, is the agenda, capacity building and security in most immediate current threat facing the US. economic transactions, Russia and China However, it’s unlikely that even high order define cybersecurity as the control of content, cyberespionage would be enough to trigger communication and interaction in cyberspace the ANZUS alliance. so that they don’t undermine domestic Davies’s conclusion, that ‘it’s hard to come up governance and political stability. with credible scenarios that put cyberattacks This makes it even more critical for those into the same league as threats to territory countries with shared values and perceptions or national security as it’s traditionally of cybersecurity threats to develop common been understood’, stands in some contrast strategies and policies for addressing those ANZUS 2.0: cybersecurity and Australia–US relations 3

threats. That’s why, as Mulvenon points Although the communiqué stopped short out, ‘we should first align and normalise of formally tying cybersecurity to ANZUS, cybercooperation among ourselves before Australian Defence Minister Stephen Smith pursuing the more difficult challenge of did so when he said that a substantial cyberdialogue with adversary states.’ cyberattack on Australia or the US could cause the ANZUS Treaty to be triggered.2 It is hoped that this compilation will contribute to what will be a continuing These statements extend the notion of attack dialogue between allies as they navigate the into cyberspace, but the practical implications difficulties and opportunities of operating aren’t clear. The aim of this paper is to in cyberspace. examine the issues that will come up when governments try to establish realistic policy settings to operationalise the joint statement.

An Australian perspective on ANZUS ANZUS and cyberthreats The ANZUS Treaty was formulated in 1951 Andrew Davies with the aim of securing the Pacific region, at a time when the events of World War II were Last year produced one of the more intriguing uppermost in strategic thinking. Australia was announcements to have come from an especially concerned about the possibility of a Australia–US ministerial meeting. Along with resurgent Japan and was seeking reassurance the usual restatements of the importance of that the US would again come to its ANZUS, the security treaty between Australia, assistance should that occur.3 In that context, New Zealand and the US, and the enduring the treaty is understood as a device intended alignment of both countries’ interests, there to deal with state-on-state conflict. was—for the first time—a joint statement on cyberspace. For the purpose of scrutinising the joint statement on cybersecurity, the most Some of it was entirely uncontroversial—that important clauses of the ANZUS Treaty are Australia and the US seek a ‘secure, resilient Articles III, IV and V:4 and trusted cyber space that ensures reliable access for all nations’ isn’t exactly a surprise. Article III: The Parties will consult But the statement continued with an together whenever in the opinion of any agreement on cybersecurity that linked it of them the territorial integrity, political explicitly (if not formally) to the ANZUS Treaty: independence or security of any of the Parties is threatened in the Pacific. Mindful of our longstanding defense relationship and the 1951 Security Treaty Article IV: Each Party recognizes that an between Australia, New Zealand, and armed attack in the Pacific Area on any the United States of America (ANZUS of the Parties would be dangerous to its Treaty), our Governments share the view own peace and safety and declares that that, in the event of a cyber attack that it would act to meet the common danger threatens the territorial integrity, political in accordance with its constitutional independence or security of either of our processes … nations, Australia and the United States Article V: For the purpose of Article IV, would consult together and determine an armed attack on any of the Parties is appropriate options to address the threat.1 deemed to include an armed attack on 4 Special Report

the metropolitan territory of any of the Both the potential targets and the possible Parties, or on the island territories under perpetrators of cyberattacks constitute its jurisdiction in the Pacific or on its broad spectrums. Figure 1 shows the possible armed forces, public vessels or aircraft in range of targets of illicit cyberactivity, the Pacific. arranged in increasing order of centrality to the nation-state. At the left there are end The treaty clearly distinguishes between users and service providers in the community threats to security and armed attack. The and general business sectors. At the other onus on the signatories is to consult when extreme there are systems that form part of faced with a threat and to ‘act to meet the the state’s national security apparatus. common danger’ in the event of an attack. Interestingly, the language used to draft the As well, cyberattacks can vary enormously in joint statement echoes Article III (threats impact. At the lower end (in terms of national to security) rather than Articles IV and V security) there’s nuisance or criminal activity (armed attack). The possible reasons for that against individuals or businesses, perpetrated distinction are explored below. by other individuals or criminals. At the higher end, there are state-backed activities against Who, where, what? government systems. Even within those categories there are important distinctions One difficulty in applying the ANZUS to be made. For example, in the formulation to the cyberworld is that there’s form of efforts to obtain sensitive or classified a much finer continuum of activities that information falls into a different category could be construed as an attack in cyberspace from attacks on military systems designed to than there is in the realm of armed conflict. degrade or disable them. The first task is to decide what constitutes an attack. Even that isn’t straightforward. Defence Minister Smith explained that the ‘Cyberattack’ is a compact phrase, but it thinking behind the recent announcement actually contains a multitude of possibilities. was very much focused on the latter: In fact, one of the problems with the broad …we’re talking here at a level which is topic of cybersecurity is that there isn’t a much higher than for example people shared understanding of the various terms using the internet, using cyberspace to that are used. steal commercial or state secrets. We’re Lumping everything under the single talking about a significant attack upon the heading of ‘cybersecurity’ makes the domain communications fabric of a nation … In simultaneously seem more homogeneous particular, to thwart the communications than it actually is and intractably large. system of the military—the national Ideas that are in practice quite disparate security apparatus, the national security are conflated and, as a result, policy arrangements of a country. prescriptions are too general to be useful. That’s a helpful clarification, but some In this environment, it’s not surprising questions remain—for example, does this that the joint statement is a little vague. formulation apply when the perpetrators are But when cyberattacks are elevated to the non-state actors? Or would a state-sponsored level of ANZUS, it’s especially important to attack on civilian infrastructure—electricity understand precisely what’s meant. supplies or air traffic control, for example— fall outside the new ANZUS rubric? ANZUS 2.0: cybersecurity and Australia–US relations 5

Figure 1: The potential targets of cyberattack

Whole of Critical civilian Instruments of Community Business government infrastructure infrastructure state power

Sovereignty

It’s also not entirely clear how the severity of the ANZUS Alliance … just as we did for an attack would be measured. For example, example in the triggering of the ANZUS would a half-hour outage of a national air Alliance after September 11 … defence system caused by an external actor There are practical difficulties here. In the constitute a ‘significant attack’, or would it case of state-on-state activity, in which need to be accompanied by other hostile military or government systems are used activity? In practice, it would depend on the to launch a cyberattack on the systems of details of the attack and the broader context another military or government, it’s fairly in which they arise—loss of life, or threats to straightforward—a response, either ‘in lives, would likely be an important factor. kind’ or by some other means, could be appropriate. But if the attack comes from a Non-state cyber actors non-state source or is vectored through the The post-9/11 ‘global ’ provided systems of an actor not directly involved, a precedent for non-state actors becoming probably involving civilian communications the subject of a response under the ANZUS infrastructure, the appropriate response isn’t framework when Prime Minister Howard so clear-cut. As with conventional armed invoked the treaty immediately after the force, both the potential for collateral damage attacks in New York and Washington. That and the rules of armed conflict would need to invocation recognised the application of be considered carefully. ANZUS beyond the Pacific region in the case The public discussion of the Pentagon’s of an armed attack on the metropolitan first cyberstrategy began in May 2011. That territory of either party. Cyberattacks are document includes the statement that perhaps less clear cut. For example, American ‘certain aggressive acts in cyberspace’ coming military networks can have nodes anywhere from another country might justify the US forces are deployed, and the attacks invocation of the right to self-defence under can be routed through terrestrial, undersea the UN Charter—a view that would allow a or space‑based communications systems. traditional military response if the US judged It’s possible that for ANZUS purposes the it to be ‘equivalent’ to a traditional military consideration would be the location of attack. Of course, that’s entirely consistent the most dramatic effects of the attack— with the inclusion of cyberattacks within although even that could be widely dispersed. the ANZUS framework, but it’s not very clear The 9/11 precedent was evoked by the Defence how ‘equivalence’ is defined. A cyberattack Minister at the time of the announcement of would probably have to cause death or the new arrangements: destruction to be used as justification for a ‘kinetic’ response with high explosives or … a substantial cyber attack can open other weapons. up the prospect of invoking or triggering 6 Special Report

And there’s a question about what constitutes might prove to be primarily a 21st century ‘war’ when one of the parties is not a extension of electronic warfare. state. Because the threshold for entry into Electronic warfare is a technical discipline cyberactivity is much lower than for other used to attack electronic systems to disrupt ‘traditional’ military capabilities, civilians with the ability of an adversary to accurately nationalist or other motives, either alone or gather information, target its weapon collectively, could participate in cyberattacks systems or communicate. It isn’t an end in against national security systems. Adversary itself and is typically used as an adjunct to states could take advantage of the ‘greyness’ operations that deliver kinetic effects. By of cyberspace and could establish ‘cyber reducing the effectiveness of an adversary’s Hezbollahs’—groups that are state sponsored systems, it allows military and civilian targets but which operate outside of traditional to be attacked with greater effectiveness and military or government structures. Figure 2 lower risk. shows the spectrum of potential players in cyberspace, arranged by degrees of There’s already some evidence that organisation or state control. yesterday’s electronic warfare is morphing into today’s cyberwarfare. There are striking Cyberspace and war similarities between the operational approaches of the Soviet forces that States use cyberspace for a variety of intervened in Czechoslovakia’s ‘Prague purposes, including communications, spring’ uprising in 1968 and those used in the conducting espionage or as a command 2008 Russian intervention in South Ossetia, and control channel for their military forces. Georgia. A US Defense Intelligence Agency In that sense, it’s like the electromagnetic study into the former noted ‘the Soviet spectrum—a medium that’s used to enable Army’s extensive use of electronic warfare other activities. In that respect, cyberwarfare

Figure 2: The potential originators of illicit cyberactivity

State military or intelligence tion State-sponsored

ganisa activists

Politically

ee of or motivated groups

Degr Criminals

Individuals

Degree of state control ANZUS 2.0: cybersecurity and Australia–US relations 7

and jamming during the invasion’,5 which doing that—defacing a defence department was used to degrade the Czechs’ capability to or other government website, for example. coordinate their response or to communicate Used as an enabler, however, a cyberattack what was happening to the wider population. could cause the temporary degradation of The 2008 conflict in South Ossetia has other capabilities that rely on the target been described as being ‘among the first computers, temporarily reducing the cases in which an international political situational knowledge and effectiveness and military conflict was accompanied, of a military force and rendering it more or even preceded, by a coordinated cyber vulnerable to attack. Of course, taking down offensive’.6 The Russians used cyberattacks a computer network for an extended period to disrupt Georgian command and control is possible if the underlying infrastructure networks (as well as the general civil is itself subject to physical attack—the internet infrastructure) while bringing their cyberequivalent of physically attacking a radar conventional forces to bear. And—reinforcing system rather than temporarily disabling it by the point made in the previous section— electronic warfare means.7 Russian civilians were simultaneously But in these instances, where a cyberattack active against Georgian government and on military infrastructure is part of a wider media systems. action, whether or not the ANZUS Treaty In both instances, the efforts to interrupt applies to the cyberattack is largely moot. The communications and disrupt sensors other component(s) of the attack would cause were coordinated with a physical invasion. ANZUS to be invoked in any case, either under Synchronising operations on the ground Article III (threat to security) or Articles IV with electronic warfare or cyberoperations and V (armed attack). is important because dominance in either domain is likely to be temporary. In Politics by other means fact, that may be truer of cyberwar than However, no military action is an end in electronic warfare. Even a successful attack itself—as Clausewitz observed, it’s just a tool on a computer system is likely to have its to secure a political goal. The most dramatic effectiveness measured in hours. If the example of a cyberattack against a sovereign underlying infrastructure is intact, machines state (which wasn’t accompanied by physical can be rebooted or communications rerouted. activity) was the assault on Estonian systems Redundancies abound in military systems, and in 2007, which is believed to have been a workarounds would almost certainly return a Russian state-sanctioned attack. At the time, level of functionality sooner rather than later. Russia was engaged in a series of disputes A concerted attack on core military and with Estonia over trade and security issues government command and control systems and the status of a large enclave of Russian would necessarily demonstrate the attacker’s speakers in Estonia—hence the cyberassault methods and access points, which are both fits Clausewitz’s definition. Over the course perishable commodities in a rapidly moving of several weeks, Estonian systems were field. The attacker would only give up the seriously disrupted. Eventually, ways to blunt ‘crown jewels’ if there were larger stakes than the effectiveness of the attacks were found just making a point in cyberspace. There are and the ‘e-siege’ was lifted, but the disruption symbolic and much less revealing ways of to Estonian society and the country’s economy was significant. 8 Special Report

This was an extension into cyberspace of uranium, throwing them into a state that coercion that stops short of armed attack. caused widespread mechanical failure. In the physical world, methods such as The development of Stuxnet was almost blockades, embargoes and sanctions—or the certainly a state-sponsored activity and threat of any of those—can be used in an probably had years of sophisticated software attempt to secure a political goal. Threats to engineering effort behind it, but the program a nation’s economic wellbeing can be used code is now available on the internet, and as leverage without threatening territorial modifications of the basic idea are starting sovereignty. Given the importance of to appear. Since similar controllers are used in computer systems to commerce and finance many other industrial applications, including today, it’s a natural evolution for cyberattacks the control of civilian infrastructure, the to be used in this way.8 possibility of a Stuxnet-type attack on other However, it’s not so easy to do in practice. targets in the future seems plausible. Timescales work against cyberattack used During the media discussion of the shift this way. Blockades, sanctions and embargoes in American thinking on cyberwarfare, an need to have a cumulative effect, and take unnamed US official was reported to have time to grind down the will of the targeted said rather colourfully, ‘if you shut down party. But, for all of the reasons discussed in our power grid, maybe we will put a missile the previous section, cyberdominance would down one of your smokestacks.’ In fact, that tend to be ephemeral. Even Estonia, a country example shows how hard it will be to make a of just 1.4 million people, managed to thwart case for a military response that doesn’t seem Russian efforts in the space of a few weeks. disproportionate. There’s no doubt that when Interfering with the operation of the financial the power grid goes down in a major city, markets in a major economy that’s better it’s a significant disruption and hazard—the resourced than Estonia could cause significant city grinds to a gridlocked halt, airports stop disruption, and could leave ‘ripples’ of lost operating, accidents occur and people can be confidence for some time afterwards. But injured or even killed—but it doesn’t take a system redundancy and the measures in cyberattack to do that. For example, a 40°C place to back up data, and the identification day is quite capable of bringing down the and mitigation of the techniques used, would power grid in Washington DC, as has been probably reduce the ability of cyberattack to proved in at least the last three summers. extract significant political concessions. The New York City and large areas of California 9/11 attacks—about as dramatic an impact have also experienced well-publicised partial as possible—shut down the New York Stock or complete blackouts due to failures of the Exchange for only four trading days. system to cope with loads.

However, civilian infrastructure is generally The bit made flesh pretty resilient. Most cities have contingency One other possibility is that a cyberattack plans in place to handle power outages, could be used to trigger an event in the and vital services typically have backup physical world. Again, there’s a precedent power supplies. Other utilities, such as for this. The Stuxnet computer worm that water suppliers (another target sometimes was used to attack Iranian nuclear facilities cited in warnings about the dangers of targeted the software that controlled cyberattack), have override systems that the banks of centrifuges used to separate would render any online attack temporary. ANZUS 2.0: cybersecurity and Australia–US relations 9

For all of those reasons, it’s hard to see why At the bottom line, it’s hard to come up with such an attack would hold much appeal for a credible scenarios that put cyberattacks would-be attacker unless it were part of some into the same league as threats to territory wider operation. or national security as it’s traditionally been understood—which is the underpinning of The Czechoslovakia and South Ossetia the ANZUS Treaty. experiences again suggest what might be done. Bringing power grids down or causing Of course, it might be that the aim of the some other major disruption to civil or military recent announcement wasn’t to produce a infrastructure at the same time as other practical operational doctrine, but instead operations would make the job of military, to send a message about what’s regarded as domestic security and civil response agencies acceptable behaviour in cyberspace. In the much harder, and it might amplify the case of the previous NATO agreement, the psychological effect on the general populace. intended recipient was probably Russia, with the message being that hostile cyberactivity, In the case of the US or Australia, a such as that against Estonia, will be regarded plausible scenario is an attack on domestic as an act of aggression. In the Georgian case infrastructure that’s coincident with a there was no ambiguity—cyberattacks were terrorist attack (or military operations accompanied by physical acts of war. elsewhere), with the aim of complicating the government’s response. But in either In fact, those two instances provide a likely case, the response of the ANZUS allies would explanation of the echoing of Article III in the necessarily be to the attack in its entirety, ANZUS announcement rather than Article IV not just the cyberattack. And the type of or V. The Estonia attacks were a threat to response would be tailored to the overall security and thus look more like an Article III situation—a missile down a smokestack incident, whereas Georgia clearly comes might be a response to an attack that involves under Articles IV and V. a cyber component, rather than to an isolated In the ANZUS case, the intended recipient of cyber incident. any intended message is presumably China, and the message is that cyberattacks, while Conclusion perhaps falling short of the seriousness of The practical significance of the AUSMIN armed attack, are unacceptable and may joint statement on cyberattacks isn’t entirely attract a serious response. clear. The threshold that Australian officials have described for invoking the ANZUS Notes Treaty is so high that, for a variety of reasons, 1 Joint Statement on Cyberspace, it’s hard to see the eventuality arising as a Australian Minister for Foreign Affairs, stand‑alone incident. 15 September 2011, available from It’s sometimes argued that the ubiquity of http://www.foreignminister.gov.au/ cybersystems makes the new threat spectrum releases/2011/kr_mr_110916a.html. uniquely dangerous. That view is hard to 2 Minister for Defence, interview on SKY sustain—the electromagnetic spectrum has News, 15 September 2011, available been central to communications and military from http://www.minister.defence.gov. systems for at least half a century, but there’s au/2011/09/15/minister-for-defence- no joint statement on electromagnetic interview-with-david-speers-on-sky-news- security that elevates it to the level of a treaty. pm-agenda/. 10 Special Report

3 While a second war against Japan seems US perceptions of cyberthreats unlikely with the benefit of hindsight, there’s little doubt that the post-WWI James Lewis experience of a resurgent Germany An accurate assessment of threats in drove much of the allied planning for cyberspace is essential for effective policy. the post-WWII period. See, for example, It’s important to distinguish between the Ernest R May, ‘Lessons’ of the past: the use use of force through cyberspace and ongoing and misuse of history in American foreign malicious activities. Early assessments policy, Oxford University Press, 1973. focused too much on the potential for harm 4 The full text of the treaty is available at and the ‘homeland security’ aspect of the http://www.austlii.edu.au/au/other/dfat/ cybersecurity problem, to the detriment treaties/1952/2.html. of policymaking.

5 US Defense Intelligence Agency, Soviet We’re now in a position (using available electronic countermeasures during invasion public data) to identify the current threats in of Czechoslovakia, DIA Intelligence cyberspace and predict what future threats Supplement UP-275-68. will look like, although there are major areas of ambiguity—the role of proxies, the effect 6 Cooperative Cyber Defence Centre of of the illicit acquisition of technology and Excellence, Cyber attacks against Georgia, the strategic implications of cyberespionage. Tallin, Estonia. We need to make an important initial 7 In electronic warfare, these approaches distinction among the various kinds of are called ‘suppression of enemy air malicious cyberactivity: defence’ (SEAD) and ‘destruction of • There’s the potential use of cyberattack enemy air defence’ (DEAD). While there for military purposes, but at the moment is no equivalent nomenclature in the only a few nations have that capability public discussion of cyberwarfare, the and they’re unlikely to use it outside of acronym‑rich environment within the armed conflict. Non-state actors at this Pentagon is sure to rectify that situation. time don’t have the most advanced and 8 International law may have some catching damaging cybercapabilities. up to do here. For example, a blockade is • There are threats to public safety (in the viewed as an act of war not because of its sense that private citizens and companies economic and social impact, but because are at risk of financial harm), but that risk, of the physical presence of warships or like traditional criminal activity, doesn’t other instruments of state power. There is aggregate into a threat to state survival no direct analogue in cybercoercion. and independence. By itself it isn’t a threat to national security.

• There’s long-term risk from espionage conducted against computer networks through ongoing technical collection programs that damage national economies and economic competitiveness. This may pose a long-term threat to national security, but ANZUS 2.0: cybersecurity and Australia–US relations 11

in the near term neither national survival new ways to coerce or damage them. Those nor the independence of the state is capabilities are, in some degree, also available at risk. to private actors, and the lack of norms and law enforcement cooperation means that There’s a question of aggregation—whether for a few countries, hacking into a business at some point the level of crime and competitors’ networks has become a normal espionage in cyberspace or the cumulative business practice that’s tolerated if not effect becomes a threat to national security. encouraged by the government. The questions of aggregation and cumulative effect are areas of ambiguity. Clearly, if the One way to test the centrality of the threat amount of cybercrime reaches a point at from nation-states is to ask what would which legitimate online activity is greatly happen to cybersecurity if states ceased curtailed (and we’re not at that point), that’s engaging in malicious actions. Were that to a risk to nations. The cumulative effect of happen, most of the risk of coercion or attack cyberespionage is harder to assess, as many and much of the damage from espionage other factors will shape the risk to national and crime would be eliminated. In addition, security—the growth and innovative if states no longer tolerated the activities of capabilities of the victim country, the ability private hackers and cybercriminals and were of the acquirer to use the technology, the willing to investigate and prosecute them, global rate of technological change (if a there would be a significant reduction in design is 10 years out of date by the time it’s crime. It’s the current monopoly of states over introduced, the effect may be minimal). advanced cybercapabilities and their use of private actors as proxy forces that create most In looking at these categories of threat— of the national security threat in cyberspace. attack, crime and espionage—we can say that it’s the ability of foreign national state The reach of the black markets opponents to exploit networks at will that poses an immediate national security That will eventually change as private actors risk. That they choose now only to steal not affiliated with states acquire advanced information doesn’t mean that they lack the cyberattack capabilities. This is inevitable. capability to do more, to undertake actions Cybercriminals make extensive use of virtual that create immediate disruption and pose black markets, which offer a range of attack immediate risks to the state. and penetration capabilities, including information on vulnerabilities, personal The principal source of threats to national information for use in phishing attacks, security is other nation-states. There’s some an ability to rent botnets1, and malicious blurring of threats from crime and threats code for penetrating networks. The most to national security because of the role advanced capabilities aren’t yet available in that private actors, such as cybercriminals these markets because either they must be and hackers, play as proxy forces. Malicious supplemented with intelligence information actions in cyberspace provide nation-states from other sources (such as human agents with a new capacity to degrade opponents. or other kinds of technical collection) or they The means for doing this involve gaining require advanced engineering knowledge informational advantage—a traditional to understand the dependencies of critical function of espionage—that provides deeper infrastructures and software. The general insight into opponents’ intentions and trend, however, is that these disruptive capabilities, access to their technology, and 12 Special Report

technologies become ‘commoditised’ and their military and intelligence portfolios. available for purchase. What we don’t know The usual comparison is with aeroplanes—a is whether these black markets would shrivel rickety toy in 1913 and a crucial tool of war if states were to reduce their support for five years later. While perhaps only five malicious cyberattack capabilities or whether or six countries currently have high-end they could continue to grow. cybercapabilities, more than 30 countries are developing military doctrine for cyberwarfare Non-state actors, whether they are jihadis or that includes examining how to incorporate politically motivated groups like Anonymous, cyberattack into offensive operations. An don’t yet have such capabilities. If al-Qaeda even larger number of nations engage in or some other jihadist group had cyberattack cyberespionage, both because the cost of capabilities, why would they wait to use entry is relatively low and because they can them? We’ve never seen a terrorist use of build on existing capabilities for monitoring cyberattack (as opposed to terrorist use of the domestic communications (a practice that internet). Similarly, the activities of groups like almost every nation in the world engages in, Anonymous, while annoying, pose little risk. subject to different national laws). A ‘denial of service’ attack is threatening only when it’s linked to some larger coercive threat, The use of cyberspace for military or attack as was the case in Estonia. We don’t know purposes by (an expanding number of) the rate of improvement in non-state actor opponent forces or, eventually, by non-state capabilities, but for the moment the threat actors would involve three sets of actions. from them is limited. First, as we’ve seen in Estonia and Georgia, malicious cyberactivity provides a new tool The identification of states as the primary of political coercion, to threaten and put source of malicious activity in cyberspace pressure on an opposing state. This can focuses the task of defence. Instead of an involve denial of service attacks, website amorphous, anonymous threat, we now have defacements or the spread of harmful a known set of opponents whose motives information. It’s likely that Russian doctrine are already known or can be understood for cyberwarfare puts a heavy emphasis (even if their capabilities remain somewhat on coercive political actions in the event of opaque). A nation developing its cyberdefence conflict. However, using international law as a strategy can begin by asking who are its guide, these should not be considered attacks, likely opponents and which countries engage as they don’t involve the use of force. in malicious actions (such as espionage) against it, and then look for evidence that The struggle for informational this malicious activity has been translated advantage into cyberspace. Those countries that pose a military threat probably also pose Many militaries are exploring a threat in cyberspace. Those that engage cybercapabilities that would degrade an in conventional espionage are likely also opponent’s ‘informational advantage’. In the to be engaged in cyberspying. Once we’ve 1980s, the US began to develop concepts and translated the cyberthreat into the traditional doctrine that emphasised using intangible, realm of national security, both risks and informational and decisional tools to gain solutions become easier to identify. military advantage. The early lesson was that networked forces would outperform The surprising element is how quickly so non-networked forces. The 1991 was many nations have adapted cyberaction into ANZUS 2.0: cybersecurity and Australia–US relations 13

an early demonstration of the informational Escalation and retaliation advantages of combining combatants, There’s an implicit escalatory ladder from sensors and weapons using space and political coercion to physical destruction, and network assets. Perhaps the greatest benefit the use of cyberattacks by opponent militaries comes from the reduction of uncertainty will probably depend on political–military for military commanders, allowing them to judgements about the need for and benefits make decisions faster and more effectively: of escalation. Escalation is also determined by networks reduce the fog of war. Therefore, the nature and location of the target, ranging informational advantage has become a from deployed military forces in the combat logical target for opponents, who will seek to zone to civilian targets in the opponent’s disrupt networks, damage or destroy data and homeland. We can think of an escalatory create crippling uncertainty among opponent matrix of techniques and targets that allows commanders. Chinese military doctrine an opponent to shape doctrine and strategy probably combines electronic warfare, attacks for cyberattack. on space assets and cyberattack as a means to degrade informational advantage (and For the US, this means that the primary other nations, while not as advanced or as source of risk in cyberspace comes from capable, are likely to have similar doctrine). Russia and China, both of which possess first-class capabilities equal to those of the Finally, there’s a demonstrated capacity to do US and its allies. There’s a risk of military physical damage using software commands conflict with both countries (as episodes transmitted over networks. Public knowledge in Georgia and the China Sea illustrate), of this capability grew after the 2007 Aurora and both will use cyberattack should such tests at Idaho National Labs demonstrated conflict occur. In some ways, Russia and that a sequence of commands aimed at China have similar motives for engaging in control systems could lead machines to malicious cyberactivity. Both seek to degrade self-destruct. Stuxnet, a complex cyberattack US capabilities—they’d describe this as against an Iranian nuclear facility, was another opposing US hegemony. Both seek to expand public example of this destructive capability. their ability to use what’s become a critical There’s been some public discussion by US military capability. Both engage in espionage officials of how potential US opponents to determine the intentions, capabilities have conducted cyberreconnaissance and plans of the US and its allies. Both use against critical US infrastructure in order cyberespionage to look for political threats to be able to launch destructive attacks to the regime (such as Tibetan activists). if necessary. The strategic implications of Both nations use proxy or irregular forces. that reconnaissance are not much different The principal difference, to date, is that the from those of a satellite passing overhead Russian emphasis has been on financial crime, for nuclear targeting purposes, although reflecting the close ties between the Russian space flight over national territories is lawful state and organised crime, while the Chinese while cyberreconnaissance involves unlawful emphasis has been on the illicit acquisition of intrusion into opponent networks. As with technology to increase China’s economic and satellite imagery, updating the target set is military strength. essential, and the update frequency required for maintaining an attack capability is Russia and China have invested heavily probably greater for cybertechniques. in systems to monitor domestic communications. There are no legal 14 Special Report

impediments in either nation to the near‑chaotic pattern of individual actions. interception of traffic from and between But that there are many malicious Chinese citizens. While the primary purpose of these actors in cyberspace, not all of whom are extensive surveillance systems is regime coordinated, shouldn’t obscure the central preservation, it does raise the question role of the state in preparing for cyberwar, of the extent to which private actors can directing economic espionage, supporting engage in illicit activities in cyberspace for proxies, and tolerating malicious behaviour long periods without the knowledge of aimed at foreign targets. these governments. There’s a degree of paranoia common among authoritarian states with communist Proxies and protesters backgrounds. Both Russia and China share a This suggests a degree of state complicity fear of the open access to information and in, or at least tolerance of, malicious the freedom of expression provided by the cyberactivities carried out by private internet. Their conundrum is that open access individuals resident in the two nations’ is essential for business and research, and territories, but it’s easy to overstate the it’s difficult to segregate the benefits from degree of control. While the Federal Security the political risk such openness poses for Service’s control over Russian hackers and undemocratic regimes. Reacting to the use of cybercriminals is probably greater than the social networks in Tunisia and Egypt, Russian Chinese Government’s control over its hacking President Dmitry Medvedev reportedly community, in neither case is that control said, ‘Let’s face the truth. They have been complete. The monitoring systems of both preparing such a scenario for us, and now nations are primarily focused on detecting they will try even harder to implement it.’ political threats, meaning that criminal The belief that Western nations are wielding activity can evade interdiction to some an ‘information weapon’ to destabilise degree. Both use criminals as proxy forces, other nations undergirds much Russian and but that doesn’t mean that criminal activities Chinese thinking about cybersecurity—to are all centrally directed. The unspoken the point where they assert that it’s more arrangement may well be that in exchange accurate to speak of ‘information security’ for a tolerance of malicious activities directed and ‘information space’ than ‘cybersecurity’ against foreign targets the hacker community and ‘cyberspace’. is willing to accept direction from government This emphasis on information operations agencies, may receive support in some is probably an indicator of how Russia (and instances, and may be required to share some perhaps China) may apply cybertechniques of the proceeds of its malicious activities. to warfare. Much of the discussion revolves The situation in China is less clear. There are around cyberweapons as an alternative to long-running national collection programs, kinetic weapons or as a means of disrupting usually using proxies. There are individual opponent data and information systems. It’s efforts by individual agencies that mightn’t also likely that Russia will use cybertechniques be centrally coordinated. There are actions for both traditional political ends, seeking to by Chinese citizens and companies that are influence opponent and third-party opinion in independent of any central control. The the event of conflict, and as a tool of coercion situation resembles traffic in Beijing—a to undermine opponent morale. semblance of order superimposed on a ANZUS 2.0: cybersecurity and Australia–US relations 15

Financial disruption Cyberespionage provides new opportunities for political manipulation. The most salient Warfare and attack aren’t the most example was the release of damaging emails immediate threat, however. Nor is cybercrime in advance of climate change negotiations. (if we define it as extracting money from the The emails were used to discredit the unwitting) the most pressing risk. Some worry scientific case for climate change. The that China or Russia will use cybertechniques first instance occurred before the 2009 to destabilise the Western financial system, Copenhagen conference (involving heads but that’s unlikely. The Chinese are too heavily of state). Embarrassingly, a second incident invested in Western financial institutions to involving the same scientists occurred in disrupt them as anything other than an in 2011 before the Durban conference. A more extremis, suicidal action, and the Russians public but less successful attempt at political benefit too greatly from financial crime to manipulation occurred with the release of disrupt a fruitful source of revenue. There’s confidential US diplomatic cables in 2010. a possibility of an espionage exploit or crime inadvertently triggering some kind of highly The theft of confidential business information damaging event in financial networks, but provides immediate benefit. that wouldn’t be intentional. The real and mining company Rio Tinto was the subject of immediate threat comes from cyberespionage more than 200 attempts to hack its networks aimed at the illicit acquisition of technology at the time it was renegotiating contracts and the acquisition of confidential political with Chinese companies. and business information. The deep insight The greatest threat, because it has the into Western governments and economies potential to change economic and military provided by cyberespionage and the power, comes from the illicit acquisition of acceleration of technological developments technology. Opponent weapons systems will provide a tangible advantage—just as improve at a faster rate and opponent the ULTRA program gave the Allies a tangible commercial firms can offer new products military advantage in World War II. without the cost of investing in research and The current dilemma goes well beyond development. There can be a delay of some conventional military espionage. Legislative years in implementing stolen technology, and bodies in the US, UK, Australia and Japan espionage programs work best when they have had significant penetrations and data are part of a larger strategic investment and outflow. Financial agencies in Canada and industrial strategy, but Western nations have France, along with international financial probably lost more since the exploits of the institutions, have been the target of attacks. KGB’s Directorate T and Line X, which focused Significantly, the penetration of French on stealing technology to close the gap agencies occurred during the preparations between East and West in the 1970s. for a crucial G-20 meeting that France was chairing, and much of the preparatory Reassessing cybersecurity information was exfiltrated. In effect, a This reassessment of potential threats is nation-state opponent was able to acquire important, as it helps focus and drive a information that could significantly improve transition to a new approach to cybersecurity. its economic strategies and its negotiating The old approach, encapsulated in Presidential positions. Reading your opponent’s Decision Directive 63 of 1998 and the 2003 playbook at will poses serious risks to their National Strategy to Secure Cyberspace, national interests. 16 Special Report

emphasised voluntary action by individual purposes. There’s a deep ideological dispute, networks, loosely coordinated through a at least in the US, between cybersecurity mixture of information sharing processes. advocates and internet pioneers, who argue The 2003 national strategy, with its that cyberspace should be unconstrained (to emphasis in market solutions, was widely promote innovation and preserve rights)—a and correctly perceived as inadequate from self-governing community led by civil society the moment of its release. PDD-63 was a with little need for government intervention. watershed document that laid out many Finally, cybersecurity is a new problem for of the ideas—information sharing, public– international security and requires new private partnerships, critical infrastructure diplomatic strategies for defence and trade. In protection—that still shape discussion of key areas—security, trade, law enforcement— cybersecurity, but it and the ideas it put the US has made progress, but these issues forward are badly outdated and inadequate complicate and slow the work of building for the threats nations now face. better defences.

Correctly identifying the threat in cyberspace This slow pace is itself a source of risk. The as espionage (both economic and political) future of threats in cyberspace will involve the calls for different policies and priorities. ‘proliferation’ of attack capabilities. Currently, Creating a computer emergency response only a few states possess advanced attack team, sharing information for a technical capabilities able to create physical damage or ‘point defence’ and focusing on critical serious disruption. Those nations are deterred infrastructure are not an adequate strategy from launching frivolous cyberattacks and are for national defence. The most important very unlikely to use cyberattack techniques change for policy in the US is the recognition outside of armed conflict. However, when that cybersecurity is a national security less deterrable states and non-state actors problem. Espionage, transnational crime and acquire attack capabilities, they won’t be as potential military attack are governmental constrained. Risk will expand considerably issues that are best dealt with by diplomatic, if nations don’t make greater progress in intelligence, law enforcement and military building international understanding to agencies, particularly if states are the control cyber-risks and in building defensive leading threat. capabilities at a national level. The likelihood of a damaging attack is now close to zero, but This new approach to cybersecurity faces the situation isn’t static and could change a number of serious issues that hamper rapidly without a new, comprehensive (to varying degrees) the ability of Western approach to cybersecurity. democracies to create adequate defences. There’s an ongoing debate over the role Note of government. Businesses fear additional regulation and privacy advocates fear 1 A botnet is a group of compromised government intrusion. Creating robust computers which are remotely controlled public–private partnerships is difficult. over the internet by an unauthorised user. Defining the correct role of military forces in deterring cyberattack or defending civilian infrastructure raises constitutional challenges, as democracies don’t use their military forces for routine internal security ANZUS 2.0: cybersecurity and Australia–US relations 17

Cybersecurity: legal and both in economic forums (the Council of normative issues Europe and the Organisation for Economic Co‑operation and Development) and in Jessica R Herrera-Flanigan military security organisations (such as NATO). The report also discussed openness and What is cybersecurity? The question’s one innovation in internet governance; building that policymakers, companies, governments capacity, security and prosperity on the and individuals continue to ponder. Even international level; and international freedom. the use of the terms ‘cybersecurity’ and ‘cyberattack’ raises questions about whether Contrasting with the US approach is one the underlying issue is an economic or advocated by Russia and China, which defines defence issue. Interestingly, in the early years cybersecurity in terms of controlling content, of global cybersecurity efforts, the struggle communications and social networking was one of commerce/economics versus tools in a manner that does not undermine law enforcement efforts on cybercrime. nations’ cultural, political, economic and Only in recent years has the debate shifted social stability.3 In September 2011, those two to economic security versus national nations, joined by Tajikistan and Uzbekistan, security. Even within the latter category, in proposed to the an the US there’s a question about whether International Code of Conduct for Information cybersecurity should be treated as a matter of Security that required nations to pledge: homeland security and resiliency or as one of To cooperate in combating criminal and national defence and military capability. terrorist activities that use information The quest to define cybersecurity mirrors and communications technologies, the struggle for global dominance. On including networks, and in curbing the one side, the US and its allies have agreed dissemination of information that incites that cybersecurity is about creating, as terrorism, secessionism or extremism US Secretary of State has or undermines other countries’ political, stated, an ‘interoperable, secure and economic and social stability, as well as reliable information and communications their spiritual and cultural environment …4 infrastructure that supports international Thus, underlying any global effort to put trade and commerce, strengthens together legal norms for cybersecurity is an international security, and fosters free inherent conflict between promoting internet expression and innovation’.1 Under such an liberty and assuring internet sovereignty. approach, protecting systems against damage The difficulty of resolving this conflict is and compromise and assuring reliability is significant. In many ways, it would be similar coupled with promoting intellectual property to putting an American football team against protections, human rights and privacy. an Australian football team and telling them This approach was largely laid out in the to play football. Without new rules and, by International Strategy to Secure Cyberspace default, the creation of a new hybrid game, released by the White House in May 2011.2 there would be no consensus on how to In that report, the Obama administration move forward. Reaching a consensus on discussed the need to promote cyberspace cybersecurity will be one of the most difficult cooperation, focusing particularly on the global policy issues facing nations collectively norms of behaviour for states and the need in the coming years. for bilateral and multilateral agreement, 18 Special Report

Even if nations were able to move past the the borders of states should be attributed top layer of liberty versus sovereignty in the to those states as a norm. Any attribution cybersecurity debate, they face even more would raise third-party sovereignty issues. In significant legal and policy challenges. There addition, increasing terrorist activity against are five areas where there are interdependent the US and its allies over the past 20 years yet independent factors that must be has changed the nature of war. In place of addressed: national defence norms; criminal military-to-military engagements, there laws; standards and technical solutions; have been increasing attacks on civilian trade; and privacy. Layered over those five targets. If those attacks were to be carried are intellectual property protections and out in cyberspace, intelligence-gathering and economic espionage, which straddle criminal assessing the origins of an attacker would and trade efforts, and are incorporated here be complicated by the lack of traceability, in discussion about those two efforts. remoteness, and the attackers’ ability to hide behind others. Cyberwarfare and the national Interestingly, Russia has proposed for a defence number of years a global ‘cyberarms control’ In the defence realm, in addition to the approach, similar to actions that nations discussions at NATO and the United Nations have taken in the chemical, biological and about how nation-states should address nuclear areas. The proposal would commit cybersecurity, a number of bilateral efforts signatories to abstaining from developing have attempted to address how allies will offensive cybercapabilities or from engaging respond to cyberthreats, although the in cyberespionage. Unfortunately, verification terminology used to describe cooperative that a nation is meeting its obligations is efforts is vague and can be interpreted in almost impossible, and most nations, at multiple ways.5 this point in the cyberdebate, would not agree to place themselves at a strategic For example, the 2011 US–Australia AUSMIN disadvantage. The US has generally opposed Joint Statement on Cyberspace mirrors the Russian proposals, although last year Article III of the ANZUS Treaty6 and appears the Obama administration indicated that to treat cyberattacks in the same fashion it was considering engaging with nations as a bombing or assault. The challenge, such as Russia on cyber-issues in order however, is in determining when self-defence to try to establish some baseline rules is triggered in cyberspace. Unlike a bombing for engagement.7 or assault, cyberattacks cross borders and nations, making it difficult to assess Cybercrime and procedural laws whether a nation‑state or rogue actor is behind an attack. Quite simply, there’s no When governments first began discussions international consensus on the application on cybersecurity, much of the debate focused of the laws of armed conflict to cyberspace on cybercrime and the procedural laws that and cyberwarfare. This is due in part to both allowed for the enforcement of criminal the definitional and cultural challenges of laws. The most significant work in this area formulating a uniform global solution to came out of the ’s 2001 cyberthreats. Convention on Cybercrime.8 The convention addressed both substantive and procedural Another part of the challenge is in laws. Substantively, it focused on the ‘CIA’ determining whether attacks from within of cybercrime—the confidentiality, integrity ANZUS 2.0: cybersecurity and Australia–US relations 19

and availability of computer systems. It also is focused on developing a global supply chain addressed child pornography and copyright integrity program and framework in order to infringement, as defined by the World provide buyers of IT products with a choice of Trade Organization. accredited technology partners and vendors.

The convention didn’t address issues In 2002, the OECD created its Guidelines such as hate speech, which was a point of for the security of information systems and contention between a number of nations networks: towards a culture of security, and the US. The US couldn’t sign on to the which consisted of nine principles that convention if hate speech were included were designed to lead to the adoption because of its constitutional protections of best practices for public awareness, of free speech. Other nations, such as education, information sharing and training Germany, felt that the issue should be in the cyber‑arena.11 More than 30 nations included as it was an important tool in participated in the development of the their fight against xenophobia. To address guidelines. It’s important to note that the all the concerns, an additional protocol to nations that have implemented the guidelines the Convention on Cybercrime was added have largely been nations that follow the in 2006, requiring participating nations to ‘liberty’ approach to cybersecurity. They criminalise the cyberdissemination of racist viewed the guidelines as assisting their and xenophobic materials.9 efforts to promote economic growth, trade and development. Procedurally, the convention addressed laws relating to the collection of evidence As nations move forward with the and to powers and procedures for criminal development of standards, policymakers investigations. Among the areas addressed must acknowledge the potential impact were the preservation of stored data, ‘unilateral standards’ can have on global disclosures of traffic data, search and seizure cybersecurity efforts. For example, if the processes, and transborder access to stored US insists on developing its own domestic data without mutual assistance. standards, then other nations such as Russia, Brazil and China may pursue their own Australia introduced its cybercrime legislation standards. The result? A technical in in the summer of 2011, which, if passed, would which nations develop networks that are not allow the nation to ascend to the Council of interoperable or technologically compatible. Europe’s Convention on Cybercrime. During Those networks would be based on rules, debate, significant concern was raised protocols and practices that fit each nation’s about the privacy protections afforded to values and ethics, leaving us all the further citizens. The US ratified the convention in from finding consensus on a global response 2006. In total, 17 nations are signatories to cybersecurity. of the convention but haven’t ratified and 29 nations have ratified. Trade

Standards and best practices Trade’s role in cybersecurity is only now becoming more of a force, especially as A number of ideas on international standards China’s economic dominance grows and have been proposed by code organisations. increased concerns about intellectual property The two most significant efforts have protections emerge. We can expect the World happened within the Open Group Trusted Trade Organization and the World Intellectual Technology Forum and the OECD.10 The forum 20 Special Report

Property Organization to take more of a lead, Privacy especially on the intellectual property front. Privacy is an issue that has developed into its What remains to be seen, however, is how own complicated area, attracting significant recent activity in the US to defeat legislative attention in many nations, especially those efforts to enforce intellectual property rights advocating for a cybersecurity liberty through the Stop Online Piracy Act (SOPA) and approach. As such, it won’t be discussed in Protect IP Act (PIPA) will affect those efforts. great detail in this paper. One thing that’s Grassroots campaigns were successful in worth noting, however, is that ‘data breach getting SOPA/PIPA pulled from consideration. and notification’ laws have proliferated Following that effort, a global movement in the US but have done so as a privacy was started to defeat the Anti-Counterfeiting and not a cybersecurity issue. In the US Trade Agreement (ACTA), a multinational Congress, the staffers who work on privacy treaty that establishes international standards are largely not the same staffers trying to for intellectual property rights. Protest against address cybersecurity. As privacy becomes ACTA occurred on 11 February 2012, causing more complex through social media, mobile a number of European nations to speak out communications and cloud computing, the against ACTA or to quietly set aside their interconnect between it and cybersecurity implementation of the statute. will only strengthen and possibly complicate Within the trade space, another legal even further any effort to develop a global area to watch is how nations may turn to cybersecurity regime. protectionism to further cybersecurity efforts, especially in today’s global economy where Conclusion technology products flow from nation to In sum, cybersecurity is and will continue nation. Call it the ‘Huawei problem’, but to be a struggle to find global legal and several US policymakers have made it clear normative solutions for a global problem on a that they want stronger protections from global network. It’s often said that ‘a network imports that come from foreign companies is only as strong as its weakest link.’ As more with ties to nations of concern. Huawei is a nations and applications go online, the need Chinese telecommunications company with for a layered approach that combines liberty connections to the Chinese People’s Liberation and sovereignty interests will only grow. As Army that was selling technology to Sprint for that approach is developed, it will have to be use in the US telecommunications network, technology-neutral. It will also have to define before security concerns resulted in a reversal roles according to defence, law enforcement, of the contract. The Australian Government standards, trade and privacy but recognise blocked Huawei from work on the National that there’s overlap and that traditional Broadband Network in March 2012 for the division lines won’t necessarily work. same reason. How to balance trade and commerce requirements with the commercial emergence of foreign companies with ties Notes to foreign governments, especially those 1 http://www.state.gov/secretary/ governments known for their cyberespionage rm/2011/05/163523.htm. and intellectual property theft, is a question that we can expect much debate and 2 www.whitehouse.gov%2Fsites%2Fdefau discussion about in the coming years. lt%2Ffiles%2Frss_viewer 2FInternational_ Strategy_Cyberspace_Factsheet.pdf. ANZUS 2.0: cybersecurity and Australia–US relations 21

3 See MSNBC.com, Chasm widens in Responding to cyberattacks East–West ‘Cyber Cold War’, http:// as allies: implications for the www.msnbc.msn.com/id/46254559/ ANZUS alliance ns/technology_and_science-security/t/ chasm-widens-east-west-cyber-cold- James Mulvenon war/#.T1P0T3kx6So. Since 1952, the ANZUS Treaty has been a 4 http://blog.internetgovernance.org/pdf/ foundation for the military and national UN-infosec-code.pdf. security relationships between the US and Australia. While the alliance has no integrated 5 http://www.minister.defence.gov. defence structure or dedicated forces, the two au/files/2011/09/110915-Cyber-Joint. countries have ‘fought side-by-side in every pdf; http://www.state.gov/r/pa/prs/ major conflict since the First World War’1 and ps/2011/09/172490.htm. continue to maintain extensive ministerial 6 http://australianpolitics.com/foreign/ consultations, joint exercises and intelligence /anzus-treaty.shtml. sharing.2 For most of this history, the parties to the ANZUS Treaty were concerned solely 7 See ‘US backs talks on cyber warfare’, Wall with kinetic military conflict, but the rise of Street Journal, 4 June 2010, http://online. cyberconflict necessitates an expansion of the wsj.com/article/SB1000142405274870334 scope of the alliance. 0904575284964215965730.html.

8 http://conventions.coe.int/treaty/en/ Why do we need cybercooperation? treaties/html/185.htm. Strategic cooperation in cyberspace between 9 http://conventions.coe.int/treaty/en/ like-minded state actors such as the US and treaties/html/189.htm. Australia is now absolutely critical to the national security of both countries. The main 10 http://www.opengroup.org/ottf/. drivers are twofold: our collective reliance 11 http://www.oecd.org/document/42/0,37 on cyberspace for an increasing percentage 46,en_2649_34255_15582250_1_1_1_1,00. of global trade and commerce, and the html. corresponding rise of serious threats to what is universally acknowledged to be flawed technical architecture. Even as the world becomes more dependent on cyberspace in every facet of life, the threat environment has become more dire, exacerbated by a desire to prioritise connectivity over security.

The spectrum of cyberthreats ranges widely from lower level threats like defacements to intermediate threats like botnets and malware, and beyond to a new threshold of cyberattacks established by the Stuxnet worm.3 Not only is the spectrum wide, but the potential actors and adversaries are proliferating at the speed of the 22 Special Report

network. States and non-state actors, against Georgian Government and media including state-sponsored organisations websites, again presumably by Russian-backed or proxies, have varying levels of capability actors. Taken together, these various classes and intent, but still comprise a significant of cyberthreat present a significant threat to level of threat in cyberspace. Increasing the viability of cyberspace as a usable domain dependence on cyberspace across all for states, groups or individuals, necessitating dimensions of (political, a systematic examination of the dynamics of economic, military, diplomatic, social) only cyberconflict. increases our vulnerability and the potential In short, the advanced persistent threat negative consequences of not adequately problem is global, so the solutions can’t understanding the threats. be isolated within an individual country. While Stuxnet is considered the new Instead, countries with similar values and pinnacle of cyberthreats, cyberespionage, institutional structures must band together not cyberattack or cyberwar, is currently the in a ‘coalition of the willing’ to develop most pressing risk for the US and its allies common strategies, policies, laws, standards in cyberspace. Strategic espionage against and technical approaches. Given the long political, military and intelligence targets can history of the relationship between change the outcome of interstate conflicts and Washington, it’s natural to see the and even alter the balance of power, while ANZUS Treaty as the foundation of strategic economic espionage can result in substantial cooperation between Australia and the US. economic losses and can endanger future competitive advantage.4 Within the espionage What cooperation strategies should realm, ‘advanced persistent threat’ poses we pursue? the most significant, sustained challenge to Before discussing specific strategies, it’s actors in cyberspace. important to note a number of structural Another important class of threats against conditions and constraints that shape states includes activities designed to deny the cooperation environment. First, the access to cyber-resources, such as the governments of both countries are keenly distributed denial of service (DDoS) attacks aware that key resources for the effort, against Estonia in 2007, which took down including time, bureaucratic energy and even the websites of many Estonian organisations, travel dollars, are finite and must be optimised including the parliament, banks and media for the greatest potential gain. Second, we following increased tensions with Russia. must recognise that the major ‘problem’ The Estonian disruption also included countries operating in cyberspace—China, defacements and other lower level methods, Russia and Iran—are also the most difficult although the DDoS attacks caused the most to talk to, and the cyber issue is inextricably significant, sustained damage. While some intertwined with a wide array of other points Russian hackers have taken responsibility for of strategic tension and conflict with the the attacks, no official connection with the three countries. Russian Government has been uncovered. Given these factors, we should first align The Estonian experience was repeated during and normalise cybercooperation among the 2008 cyberdisruptions before and during ourselves before pursuing the more the brief war between Georgia and Russia, difficult challenge of cyberdialogue with including defacement and DDoS attacks adversary states. To this end, we can build ANZUS 2.0: cybersecurity and Australia–US relations 23

upon over a decade of successful bilateral the conduct of large scale, politically and multilateral exchanges, led in the US motivated conflict based on the use of by the State Department, to synchronise offensive and defensive capabilities to cyber‑related laws and regulations and disrupt digital systems, networks, and establish formal points of contact at the infrastructures, including the use of working levels. The intent of these exchanges cyber‑based weapons or tools by non- has been to improve information sharing, state/transnational actors in conjunction joint investigations and our common defence. with other forces for political ends.5 Strategically, we seek to create a cyber cordon Cyberconflict includes activities conducted sanitaire among Western, developed nations, by both state and non-state actors against a while more starkly delineating the boundaries variety of targets. It encompasses a number of the cyberthreat ‘sanctuary’. Operating of activities that pose threats to individuals, as a common bloc also unquestionably organisations and nation-states, as well strengthens our bilateral and multilateral as traditional military and intelligence negotiations with adversary states, operations. An alternative definition preventing them from playing us off against notes that cyberconflict is ‘broader than one another. cyberwarfare, including all conflicts and Why does this cooperation work? The coercion between nations and groups for answer lies in our similar political, legal strategic purposes utilising cyberspace where and economic systems, as well as our long software, computers, and networks are both history of fighting together as an alliance. the means and the targets.’6 At its most basic Our political systems share the same core level, cyberconflict encompasses activities values, including representative democracy, conducted by many kinds of actors in order to freedom of the press and governmental achieve a strategic gain. transparency. Our legal systems enshrine Given the huge stakes and potential damage protections of privacy and civil liberties. And to networked economies like those of the US our economic systems are anchored in the and Australia, it’s natural to begin with an encouragement of genuine private enterprise examination of the notion of cyberdeterrence. as opposed to the state capitalist systems While the US wisely retains the intention of our main cyberadversaries. While the and capability to initiate cyberconflict at symmetries between Western systems aren’t a time and place of its own choosing, it always exact, the similarities far outnumber naturally seeks to deter other adversaries the differences. from the same goal, particularly given While these commonalities facilitate the asymmetric dependence of the US cooperation in peacetime, cooperation under on cyberspace for economic, political and conditions of cyberconflict is very different. technological power. While it’s well known We’re very early in the development of that US government, military, and corporate strategic and military understandings of networks have been the target of sustained the nature of cyberconflict. In many ways, it computer network exploitation activities feels like 1946, when the US had detonated over the past 10 years, the country hasn’t atomic weapons but there had been very little yet been the target of the type of large-scale strategic thinking about their employment. computer network attack envisioned by Richard Clarke and others in their writings. But what is cyberconflict? One definition How can we explain this apparent gap? Why describes it as: 24 Special Report

have adversaries not taken advantage of been gluing security onto the side of the clear vulnerabilities to launch cyberattacks network ever since. Without fundamental against the US? Is it because they haven’t re-architecting of the network, which is developed sufficient capabilities to do so? unlikely in the short-term, is deterrence That’s hard to believe, given the sophistication by denial even possible? In the short term, of the intrusions and methods. Has there not Rattray argues that these defensive dilemmas yet been the right combination of strategic put a greater onus on risk management than circumstance and perceived payoff, such impenetrable protection: as the China– contingency involving Diffuse vulnerabilities and limited US military intervention, to justify using resources also require defensive efforts known capabilities? Or, despite its strategic predicated on managing the risks confusion, does the US currently benefit of attacks rather than establishing from a form of tacit cyberdeterrence from comprehensive defenses capable of computer network attack, and if so, what is assured protection.9 the basis for this tacit deterrence? But Owens et al. write that ‘the gap between When unpacking cyberdeterrence, the canon the attacker’s capability to attack many typologises deterrence into two categories: vulnerable targets and the defender’s inability deterrence through denial and deterrence to defend all of them is growing rather than through punishment. diminishing.’10 In addition, cyberoffensive Cyberdeterrence through denial is also capabilities are dramatically cheaper than primarily based on computer network effective cyberdefensive capabilities. As is defence. One piece of good news is that the often pointed out, the cyberwarrior, armed ‘attribution problem’, which occupies centre perhaps with a minimal kit (computer, stage in the discussion of the dilemmas posed internet connection and publicly available by cyberdeterrence by punishment, is not tools) only needs to find one way in, but the as significant an issue in cyberdeterrence by cyberdefender, protecting perhaps a huge denial, because it isn’t critical to know who network of thousands of heterogeneous might attack, only whether you’re vulnerable nodes with dozens of access points, needs to attack. Also, two primary methods for to bar every possible avenue of approach. protecting retaliatory forces are mobility and Thus, cyberdeterrence by denial is also concealment.7 Cyberforces, by virtue of their cost-prohibitive. For both of these reasons, form factor (a laptop is easier to conceal than it appears that cyberdeterrence by denial a ballistic missile submarine), are already more may be less credible than deterrence mobile and more concealed than nuclear by punishment. forces ever were. Finally, the inability to In the cyber-realm, deterrence by punishment disarm an adversary’s cyberattack capability theoretically offers better chances of success, has three benefits: reduced incentives for especially against adversaries that have pre-emption; more focused and proportional well-developed cyberinfrastructure. As Owens retaliation; and reduced demand for et al. argue: immediate retaliation (‘use it or lose it’).8 Deterrence by punishment is more likely But the cyber offence–defence balance is a to be an effective strategy against nations huge problem for cyberdeterrence by denial. that are highly dependent on information Fundamental security was not built into the technology, because such nations have a architecture of cyberspace, and we have ANZUS 2.0: cybersecurity and Australia–US relations 25

much larger number of potential targets a system that’s extremely hard to defend that can be attacked. Nevertheless, and confers dominance on the offence. The even nations with a less technologically defender can mitigate the asymmetry by sophisticated national infrastructure are reducing the degree of interconnectivity, probably vulnerable to cyberattack in or even disconnecting networks, but that’s selected niches.11 very costly, given the growing reliance of the US and advanced nations on those Moreover, the will to retaliate is arguably networks for a wide range of economic less of a factor in cyberattack than in nuclear activity and military operations. Second, the strategy, given its plausible deniability, design of the architecture often provides potentially covert nature, and less physically the attacker with anonymity and plausible destructive effects.12 deniability, aided by the lack of effective Yet cyberdeterrence through punishment is governance of the network focused on also highly problematic. The main challenges mitigating malicious activity. Third, the for cyberdeterrence through punishment are: relatively low cost of technology and operations significantly lowers the barriers • the so-called ‘attribution problem’, which to entry for the attacker, enabling a wide makes it difficult to identify the attacker range of actors to acquire capabilities. in the first place Fourth, cyberoperations running at the rapid • a series of credibility problems, including ‘speed of the network’ deny defenders and automaticity of response, unavailability the political leadership sufficient time for of retaliatory targets, demonstration assessment and decision-making. Automation of effect, uncertainty of cybereffects, may mitigate this problem, but the risks are repeatability of effect, survivability both high and unknown. Fifth, the pace of of retaliatory capability, thresholds, technological change and the breadth of signalling, command and control, and network connectivity are outpacing both extended deterrence. defensive approaches at the enterprise or engineering level and the policy and legal None of these challenges can be solved constructs promulgated to guide their through policy measures alone, such as stated operations. Moreover, these conditions are declaratory policies. All of these challenges only getting worse with the proliferation of create strategic instability in cyberconflict social media and mobile communications, and undermine the utility of deterrence and the migration to cloud computing. An through punishment. internet underground capable of exploiting This leads us to the stark conclusion that these trends is alive and well, with pirates and the current cyberspace domain is inherently mercenaries thriving in a swampy ecosystem unstable. The strategic cyber-environment that makes hiding and attacking too easy. is marked by an inability to establish Last, while the issues are acknowledged, credible deterrence and effectively little progress is being made in improving prevent the emergence of adversaries and security and resilience as a key aspect of conflicts in cyberspace detrimental to US internet governance. interests. The sources of this instability are Given this state of strategic instability in manyfold. First, the technical architecture cyberspace, it’s more important than ever undergirding cyberspace is highly permissive for allies such as the ANZUS Treaty countries of cyberintrusions and attacks, resulting in 26 Special Report

to bolster their collective cyberdeterrent in sovereign nations and therefore bound by coordinating information sharing13 and by their laws. In other words, there’s no technical cybercapabilities across all three ‘commons’ in cyberspace similar to air, sea realms of computer network operations and space, and there’s no part of the global (defence, exploitation and attack). This architecture that is ‘sovereignty-less’. The is a natural extension of the language in implications of this realisation are profound, Article II of the treaty calling for all parties to and explain why countries like China are ‘separately and jointly by means of continuous keen on moving internet governance from and effective self-help and mutual aid [to] non‑governmental organisations like ICANN maintain and develop their individual and (the Internet Corporation for Assigned Names collective capacity to resist armed attack.’ and Numbers) and the Internet Governance A higher and more complicated goal would Forum to state-based organisations be to link the nations’ cyberdeterrence and like the United Nations International declaratory policies such that cyberattacks Telecommunications Union. The battlelines would be covered under Article V’s language have been clearly drawn (compare the White that ‘an armed attack on any of the Parties House’s recently published International is deemed to include an armed attack’ on Strategy for Cyberspace with China and all. If deterrence fails, however, it’s equally Russia’s proposed International Code of important for the ANZUS Treaty partners Conduct in cyberspace), and Western nations to coordinate their kinetic and non-kinetic need to develop policy responses that are responses to a foreign cyberattack through properly aligned and mutually reinforcing. information sharing about defensive Among the future cooperation challenges signatures and the synchronisation of exploit are the ‘long game’ issues in cyberspace, and attack operations. especially shaping the global information technology standards regimes. For many Current and future cooperation years, organisations such as the Internet challenges Engineering Task Force and IEEE were One current arena for cooperation and conflict dominated by knowledgeable technical between states involves what might be personnel with little interference from called the ‘re-sovereigntisation’ of cyberspace. governments, which had adopted a laissez During the early years of the internet, when faire approach to standards development. cyberspace was not the technological China’s unwillingness to pay royalties for foundation for global commerce, states had existing standards and protocols such as the luxury of permitting the architecture to CDMA led Beijing to fund an aggressive, grow organically and not being concerned state-driven industrial policy to develop with its strategic value. Now that the parallel, indigenous standards for nearly situation has clearly changed, all states have all of the existing protocols. While most of come to an important realisation: every the Chinese standards have been rejected node of the network, every switch, router by the International Organization for and computer, is either located within the Standardization and other governance sovereign boundaries of a nation-state and bodies as technically inferior to the existing therefore governed by its laws, or travels on standards, China, exploiting its status as submarine cables or satellite connections ‘the world’s IT workshop’, has been able to that are owned by companies incorporated force multinational companies assembling ANZUS 2.0: cybersecurity and Australia–US relations 27

equipment in-country to integrate the 4 Joseph Nye, The future of power, p. 145. rejected standards into their products, thus For a specific example of cyberespionage, distorting the standards regime. see Brian Grow and Mark Hosenball, ‘Special report: in cyberspy vs. cyberspy, Western countries were late in recognising China has the edge’, Reuters, 14 April 2011, this strategy and its implications, and have available from http://www.reuters. been playing ‘catch-up’ ever since. Because com/article/2011/04/14/us-china-usa- the standards debates today will define the cyberespionage-idUSTRE73D24220110414. nature of the technical architecture and the corresponding cybersecurity challenges 5 James Mulvenon, ‘Toward a cyberconflict of 5, 10 and even 20 years from now, it’s studies research agenda’, IEEE Security and important that the US and Australia develop a Privacy, 3(4) (July–August 2005), 52–55. common approach on the standards issue and 6 Jason Healey, ‘Advanced intelligence coordinate their efforts. support to cyber conflict’, Delta risk fundamentals for cyber warfare Notes (course presentation), Needham, MA, 1 ‘Australia–United States Ministerial 28–30 September 2010). Consultations (AUSMIN) 2011 Joint 7 Thomas Schelling, The strategy of conflict, Communiqué’, media note, Office Harvard University Press, Cambridge, MA: of the Spokesperson, San Francisco, (1960, 1963), 1980, 243. California, 15 September 2011, available from http://www.state.gov/r/pa/prs/ 8 Martin Libicki, Cyberdeterrence and ps/2011/09/172517.htm. cyberwar, RAND Corporation, 2009, 61–62.

2 Intelligence sharing between Australia 9 Gregory Rattray, Strategic warfare in and the US was referenced in the 2005 cyberspace, MIT Press, 2001, 474. AUSMIN joint communiqué, available from 10 WA Owens, KW Dam and HS Lin (eds), http://www.dfat.gov.au/geo/us/ausmin/ Technology, policy, law and ethics regarding ausmin05_joint_communique.html. US acquisition of cyberattack capabilities, 3 William J Broad and David E Danger, National Academies Press, 2009, 44. ‘Worm was perfect for sabotaging 11 Owens et al., Cyberattack capabilities, 41. centrifuges,’ New York Times, 18 November 2010, available from http:// 12 Libicki, Cyberdeterrence and cyberwar, www.nytimes.com/2010/11/19/world/ 69–71. middleeast/19stuxnet.html. For more 13 Intelligence cooperation between information on Stuxnet, see Ralph Langner, Australia and the US was highlighted in ‘Cracking Stuxnet, a 21st-century cyber the press release from the 2005 AUSMIN weapon’, TED, March 2011, available talks, held in Adelaide in November 2005. from http://www.ted.com/talks/ ralph_langner_cracking_stuxnet_a_21st_ century_cyberweapon.html?awesm=on. ted.com_Langner&utm_content=awesm- publisher&utm_medium=on.ted.com- static&utm_source=langner.com. 28 Special Report

Conclusion if a significant attack were perpetrated by a non-state actor. All of our contributors point to the wide variety of actors in cyberspace and the In that instance, there are many lessons breadth of threats they pose, but there’s to be learned from our joint effort against little doubt that, for the time being anyway, global terrorism. Just as an individual act of states remain the most capable and powerful terrorism can potentially spark a national actors in cyberspace. This is why treaties such security crisis, as it did after the September 11 as ANZUS are so important in dealing with attacks, so too can an act of cyberterrorism or national security cyberthreats. a state-sponsored or quasi-sanctioned action. Greater American–Australian cooperation From what little has been publicly articulated in cyberspace, aside from a joint military by Minister for Defence Stephen Smith, the response in the event of a cyberattack within type of cyberattack that would trigger the the context of a wider war between nation ANZUS Treaty would be one that could be a states, is critically important to managing precursor to cyberwarfare or, more likely, a this dynamic. cyberattack that’s either in combination with or would trigger physical, kinetic attacks. There are still differences within the This sets a very high threshold for the type of international community about what type of attack that would invoke the provisions of the cyberaction constitutes a cybersecurity threat ANZUS Treaty. on the part of individuals and small groups. Ultimately, as our contributors note, it’s a In a situation like that, there would most case of information and internet freedom likely be preceding hostilities and the actors versus cybersecurity. involved would be apparent. Response would be relatively straightforward. In societies where there are less openly contested politics and restrictions on But even though only a very high order information access, cybersecurity means not cyberattack would trigger a joint military accessing and promoting certain types of response, the ANZUS alliance is also the basis information that would threaten the state. for continued and strengthened cooperation Authoritarian governments are seeking to and coordination on a multitude of levels frame and define cybersecurity in a way concerning cyberthreats. that allows them to limit and monitor This is also important because, while states online activity. The Shanghai Cooperation remain the most capable actors in cyberspace, Organization approved an agreement put there’s no doubt that access to information forward by Russia and China that defined via the internet and the growth of computer online aggression and ‘information war’ as networks have greatly empowered individual any effort to undermine another country’s actors, which poses a different challenge ‘political, economic and social systems’. They to the state. An individual or group with want to frame the cybersecurity debate to relatively few resources can bring down a include limitations on internet freedom—the critical computer network. Individuals or ability to use the internet freely, anonymously groups can use information technology and and without monitoring. social networking to organise, promote and However, cybersecurity is obviously framed carry out actions or positions contrary to differently in open democratic societies that national security. Future cooperation through promote freedom of information like Australia the ANZUS alliance structures would have to and the US. The previous position should be clarify whether the treaty could be invoked unacceptable for countries that believe in ANZUS 2.0: cybersecurity and Australia–US relations 29

universal human rights and the right to civil can’t be labelled as an ‘attack’ per se, it’s disobedience. Greater cooperation among critically important to assess whether or not close allies like Australia and the US can help an intrusion has exploited a vulnerability clarify this debate and promote cyber-norms that could also be used to disrupt or that protect internet freedom while also destroy networks. promoting cybersecurity. Additionally, as Dr Lewis points out in his Collaboration through the ANZUS alliance paper, it’s also a question of aggregation. should also help the US and Australia shape, Ongoing and unchecked cyberespionage distinguish and define various cybersecurity carries national security risks. The sheer concerns. A cyberattack should be clearly amount of data that is now carried and stored defined and distinct from an act of on computer networks is unprecedented. cyberespionage. Too often, an intrusion into a For relatively little effort, cyberspies can now computer network for the purpose of stealing access vast quantities of information that information is labelled as a cyberattack when they never could before. it should be more accurately described as Clearly, the ANZUS alliance is an important an act of cyberespionage. To label an act and relevant mechanism in meeting and of espionage as an attack and therefore a addressing national security challenges for potential precursor for an armed response is a both Australia and the US. Cybersecurity major departure from accepted international and the ability to shape and dominate practices. Breaking into a facility that stores the cyberdomain are future shapers of classified information or information that’s geopolitical power. The more that Australia important to national security, whether it’s and the US can act in concert as like-minded a building or a computer network, is not allies, the better they’ll be able to ensure their an attack. It’s espionage, an accepted and security and economic and political wellbeing. expected practice among states, including Australia and the US. Equally important is the need of shaping and defining the terms of debate in the It’s important to note that the ANZUS alliance, cyber‑realm (internet freedom versus and in fact no other country or statement, has cybersecurity) and defining what action explicitly stated that this should be the case, meets the threshold of a cyberattack. It’s an but the absence of clarity in language leaves ongoing conversation and effort, but one that room for confusion. There’s no shared concept Australia and the US can lead. of what constitutes a cyberattack, and using the cooperation afforded by the ANZUS Acronyms and abbreviations alliance to shape and promote a definition is an important opportunity. ACTA Anti-Counterfeiting Trade Agreement DDoS distributed denial of service However, there’s an important blurring between espionage and attack in cyberspace IEEE Institute of Electrical and Electronics Engineers that doesn’t exist in the physical space. The same intrusion method that’s used to NATO North Atlantic Treaty Organisation extract information from a network can also OECD Organisation for Economic Co‑operation be exploited to conduct an attack to disrupt and Development that network. This is a critically important PIPA Protect IP Act (US) distinction that policymakers must be aware SOPA Stop Online Piracy Act (US) of and account for. While every cyberintrusion UN United Nations 30 Special Report

About the Authors Important disclaimer Dr Andrew Davies is the Director of the This publication is designed to provide Operations and Capability Program at ASPI. accurate and authoritative information He has written on the impact of Asian in relation to the subject matter covered. military modernisation programs, nuclear It is provided with the understanding that proliferation, defence acquisition projects and the publisher is not engaged in rendering any form of professional or other advice major Australian capability decisions. or services. No person should rely on the contents of this publication without James Andrew Lewis is a senior fellow and first obtaining advice from a qualified Program Director at CSIS where he writes on professional person. technology, security and the international economy. He was the Rapporteur for the About Special Reports 2010 United Nations Group of Governmental Generally written by ASPI experts, Experts on Information Security. He has Special Reports are intended to deepen understanding on critical questions authored many publications since joining facing key strategic decision-makers CSIS. One series of reports explores the and, where appropriate, provide policy relationship between technology, innovation, recommendations. In some instances, and national power. material of a more technical nature may appear in this series, where it adds to Jessica R Herrera-Flanigan is a partner at the understanding of the issue at hand. Special Reports reflect the personal the Monument Policy Group, a strategic views of the author(s), and do not in any consulting and government affairs firm, way express or reflect the views of the where she focuses on the issues affecting our Australian Government or represent the nation’s security, technology, commerce, and formal position of ASPI on any particular issue. entertainment markets. Previously, she served ASPI as the Staff Director and General Counsel of Tel +61 2 6270 5100 the House Committee on Homeland Security. Fax + 61 2 6273 9566 She also has served as Senior Counsel at the Email [email protected] Computer Crime & Intellectual Property Web www.aspi.org.au Section, Criminal Division, US Department of © The Australian Strategic Policy Institute Limited 2012 Justice, where she led the Section’s cybercrime investigation team. This publication is subject to copyright. Except as permitted under the Copyright Dr James Mulvenon is Vice-President of Act 1968, no part of it may in any form or by any means (electronic, mechanical, Defense Group, Inc.’s Intelligence Division microcopying, photocopying, recording and Director of DGI’s Center for Intelligence or otherwise) be reproduced, stored in a Research and Analysis. A specialist on the retrieval system or transmitted without Chinese military and cyber warfare, Dr. prior written permission. Enquiries should be addressed to the publishers. Mulvenon’s research focuses on Chinese Notwithstanding the above, Educational C4ISR (command, control, communications, Institutions (including Schools, computers, intelligence, and reconnaissance), Independent Colleges, Universities, and defense research/development/acquisition TAFEs) are granted permission to make organizations and policy, strategic weapons copies of copyrighted works strictly for educational purposes without explicit programs (computer network operations permission from ASPI and free of charge. and nuclear warfare), cryptography, and the military and civilian implications of the information revolution in China. BECOME A MEMBER

JOIN NOW TO RECEIVE PRINTED PUBLICATIONS AND MORE

Join Australia’s liveliest minds writing today on defence and strategic issues. ASPI produces Strategy, Strategic Insights, Special Reports, and specialist publications including The Cost of Defence and The Australian Defence Almanac.

ASPI’s work is at the cutting edge of new thinking on defence and security.

Thoughtful, ground-breaking and often controversial, ASPI leads the public debate on these issues. Become a valued part of the ASPI team today!

Join now and we will post your choice of 3 free publications from our recent publications list.

Future subjects include: • Professional military and national security • Comparative assessment of regional militaries • Response to violent extremism • Vietnam • ADF future strike capability • Transnational and organised crime TELL A FRIEND ABOUT ASPI Join Australia’s liveliest minds writing today on defence and strategic issues. Each year the Australian Strategic Policy Institute (ASPI) will produce up to six issues of Strategy, six shorter Strategic Insights and a number of Special Reports on issues of critical importance to Australia and the Asia–Pacific. Thoughtful, ground-breaking and often controversial, ASPI leads the public debate on defence and security issues. JOIN ASPI

Name Position Company/Organisation  Government  Non-Government Address City State Postcode Country Telephone Email

SELECT 3 FREE PUBLICATIONS  Two steps forward, one step back: Indonesia’s arduous path of reform  Beyond bin Laden: Future trends in terrorism  Our near abroad: Australia and Pacific islands regionalism  Forks in the river: Australia’s strategic options in a transformational Asia  Changing pace: ASPI’s strategic assessment 2011  Regionalism and community: Australia’s options in the Asia–Pacific  : Patterns of security cooperation

INDIVIDUAL  1 year $199  2 years $378  3 years $537 STUDENT*  1 year $99  2 years $188  3 years $263 CORPORATE (Oct 06+)  1 year $649  2 years $1233  3 years $1752 * (STUDENT ID )

To join 1) Subscribe online www.aspi.org.au 2) Mail to Level 2, Arts House, 40 Macquarie St, Barton ACT 2600, or 3) Phone (02) 6270 5100 or fax (02) 6273 9566

 Cheque  Money Order  Visa  MasterCard  AMEX  Diners Payable to Australian Strategic Policy Institute ABN 77 097 369 045

Name on card Card no. Expiry Date / Total Amount $ Signature

This will be a TAX INVOICE for GST purposes when fully completed and payment is made. Please note specialist publications are not included.