Hot on the heels of the recent Petya ransomware attack, the Federal government has shifted from being coy about Australia’s offensive cyber capability to publicly directing the Australian Signals Directorate to make life hard for cyber criminals.
Dan Tehan, the Minister Assisting the Prime Minister for Cyber Security gave the ASD its marching orders last week as the government looks to scale up it cyber forces.
“Given the growing cost of cybercrime to the Australian economy, the Government has directed the ASD to use its offensive cyber capabilities to disrupt, degrade, deny and deter organised offshore cyber criminals,” said Mr Tehan in a statement.
Mr Tehan said Australia’s offensive cyber muscle had so far been targeted at terrorist organisations.
“The use of this capability, which is currently used to help target, disrupt and defeat terrorist organisations such as Daesh, is subject to stringent legal oversight and consistent with our obligations under international law,” he said.
“The recent WannaCry and Petya ransomware attacks have affected governments, businesses and individuals around the world.
“Our response to criminal cyber threats should not just be defensive. We must take the fight to the criminals,” Mr Tehan said.
The government has been spooling up its cyber warrior army for some time and will require more troops on keyboards as it takes on offshore cyber criminals.
The near-term size of the cyber security force was not stated by Mr Tehan, but there is a clue in the 2016 Defence White Paper which says the Australian Defence Force will need an extra 900 bodies for a variety of technical roles.
The white paper says: “Enhancements in intelligence, space and cyber security will require around 900 ADF positions, including in intelligence collection and analysis, communications, supporting the information requirements of new platforms like the Joint Strike Fighter, surveillance aircraft and navy ships, and to better support Special Forces and cyber security.”
Recruiting much sought after and highly paid cyber experts could be difficult although Neil James, the executive director of the Australia Defence Association said recruitment for cyber would be no different to recruiting highly trained people from professions such as medical and legal.
Part of the answer was to use the defence force reserve system to create a force ready to deploy when threat levels became acute.
“One of the solutions is to aim at reservists who are already doing it (cyber security) in the private market,” said Mr James.
The ADF was becoming more flexible about people coming into the reserve, said Mr James.
“They are thinking about changing the standards for defence reservists. They are not saying that everyone involved in cyber is some overweight nerd, but what they are saying is they will have to think through how they go about recruiting people for the reserves and relaxing or modifying some of the normal physical or at times psychological requirements,” said Mr James.
“There’s been a fair bit of thought gone into this for some time.”
He said the cyber force was likely to be a mix of full time and part time staff with the full timers being a mix of public servants, military personnel and civilian contractors with the part timers being mostly military reservists.
The ASD has been recruiting offensive cyber operators for a while. Last October it posted a job ad on its website calling for applicants who wanted to get involved in the ‘planning, coordination and delivery of cyber operations in support of Australian Government requirements.’
There was even some levity in the ASD cyber warrior recruitment campaign. The Department of Defence web page advertising the positions asked potential cyber warriors if they wanted to ‘go covert with a licence to hack’ and get involved in ‘phishing weekends’ to ‘be a force for good and protect Australia from the dark side.’
The offensive cyber roles advertised last year were reasonably well paid. Successful applicants were to be based in Sydney and earn up to $100K a year with 15.4 percent super on top.
Last year’s cyber warrior recruitment drive came as the ASD’s digital defence workload increased. Between 1 January 2015 and 30 June 2016, the ASD responded to 1095 cyber security incidents considered serious enough to require an operational response.
At the time, Mr Tehan hinted that Australia was already conducting offensive cyber operations when interviewed over the cyber threat report by ABC radio.
Asked if Australia could go on the offensive such as the US has threatened over Russian-related hacking in America, Mr Tehan said the Prime Minister had made it clear for the first time that Australia has a cyber offensive capability.
“Now how we use that capability is something that we don’t publicly broadcast but you can look at what other countries are doing in this area to get a sense of how they approach it,” Mr Tehan told the ABC last year.
With the citizenry, business and government jittery about repeated ransomware attacks, the federal government is no longer playing footsie with its offensive cyber capabilities.
Since the end of 2014, there have been over 114,000 reports of cybercrime registered with the Australian Cybercrime Online Reporting Network (ACORN).
The pace has picked up with 23,700 cybercrime reports reported over the last 6 months.