Australia’s accusation of Chinese espionage sparks concern and confusion
On June 19, Australian Prime Minister Scott Morrison indirectly accused China of a cyber attack. The call-out was an unusual move, and though it is a calculated one, some observers wonder if it was necessary.
A ban on Australian beef imports. Tariffs on Australian barley. Travel and study-abroad advisories designed to undercut the Australian economy. Threats from China’s ambassadors, imprecations from state media, and slander from the foreign ministry.
Now, a cyberattack can be added to the litany of misdeeds that China has committed against Australia in the roughly three months since Canberra enraged Beijing by calling for an independent investigation into the COVID-19 outbreak.
At least, that is what Australia has led many to believe.
On June 19, Australian Prime Minister Scott Morrison held a press conference to announce that a “sophisticated, state-based cyber-actor” was targeting the Australian government, as well as Australian private industry, critical infrastructure, and civil society.
During the press conference, the prime minister refused to name China as the culprit, even as he appeared to invite the allegation. “There aren’t too many too many state-based actors who have those capabilities,” Morrison said.
The ongoing diplomatic squabble between the two nations left observers with few doubts about who Morrison had in mind. But by calling out Chinese cyber aggression only implicitly, the prime minister avoided having to prove any Chinese wrongdoing.
That rhetorical legerdemain is raising questions about why Australia came forward, how it made its statement, and how to litigate disputes in cyberspace — a domain where governments have more power to shape public knowledge than most realize.
Mixed messages
During the press conference, Morrison danced awkwardly between hyping the threat and playing it down to prevent panic.
“This has been done by a state-based actor with very, very significant capabilities,” he said. Then he qualified: “The attacks are a constant issue for Australia to deal with.” Finally: “We know what’s going on. We’re on it.”
The prime minister maintained that his announcement was calculated to communicate the threat to the current and potential victims of the digital intrusion.
To that end, following the press conference, the Australian Signals Directorate (ASD) released an intelligence advisory that detailed the methods the hackers had been using, as well as technical guidelines for how to stop those efforts in the future.
But the prime minister’s stated justifications for holding the press conference were unconvincing. The hackers had not achieved any large-scale data breaches. The malicious activity, the prime minister explained, was “not a surprise,” but it had been increasing “over many months.” And, according to the ASD’s advisory, the hackers exhibited no “intent to disrupt or destroy data.”
And then there was the optics of the press conference, which was bound to draw attention abroad.
“Australia wanted to talk about this publicly, but they don’t want to make it that big of a deal,” said Jason Healey, a Senior Research Scholar at Columbia University and a Senior Fellow for the Cyber Statecraft Initiative at the Atlantic Council, a U.S.-based think tank. “They wanted to do this diplomatically so that China would say, ‘All right, yeah, we get it.’ It was signaling more than anything else.”
Attributing what?
Unlike missile launches or troop deployments, computer hacking is difficult to observe. By necessity, it tends to be covert.
That means that when it comes to cyberspace, evidence of wrongdoing has to be collected and analyzed before an accusation can be made — a process that is known as attribution.
The covert nature of hacking also leaves it to the victim to decide whether to come forward at all and how to muster evidence to make that case.
Morrison’s press conference bore many of the hallmarks of attribution — a public statement with supporting technical documentation in the form of an intelligence advisory released by the Australian Signals Directorate.
There are two important exceptions. It did not name China explicitly. And it is not clear what China did wrong.
“The problem with this kind of a statement is that it implies there is a serious, harmful attack,” said Milton Mueller, a professor at Georgia Tech University and founder of the Internet Governance Project (IGP). “And when you look at the actual details, you discover there are no data breaches, no crippling ransomware, no denial of service.”
As part of his work for the IGP, Mueller has launched a project to explore the possibility of a transnational attribution authority, akin to the role of the IAEA but for assessing cyber attacks.
“Instead, this was just the kind of pinging and constant monitoring that we see with Persistent Engagement,” said Mueller, referring to the United States’ own strategy for military operations in cyberspace.
Pushing back
The decision to call out China — even implicitly — marked a shift for Australia. For years, Canberra has hesitated to speak publicly about Chinese cyber espionage.
In February of last year, for example, the Morrison administration refused to call out China for a hacking campaign that penetrated the Australian parliament. Those accusations were eventually leaked to the press by disgruntled officials within the government.
“To see this curveball of the stuff that they did not talk about and now they’re coming out and deciding they do want to talk about, it was like, huh, what made them say this?” said Jason Healey, the Senior Research Scholar at Columbia. “And with so little content behind it.”
One explanation for Australia’s about-face holds that the Chinese were on the brink of crossing a red line and the Australians wanted to send a signal to back down.
Still, it is hard to dismiss the possibility that opportunism, and politics, played a part in Australia’s announcement.
“If you are trying to make a case for a harder line against China, this is a convenient way to do it,” said Jon Lindsay, an assistant professor at the University of Toronto and co-editor of China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain.
Traditionally, Australia has towed a delicate line between China, by far its largest trading partner, and the West, with whom it has strong military and political ties.
But China’s recent pressure campaign may be tipping the balance. According to the Lowy Institute’s latest polling data, only 23% of Australians trust China to act responsibly in the world. Two years ago, that figure stood 30 percentage points higher.
Another factor may be exhaustion with Chinese cyber espionage itself.
According to Tom Uren, a senior analyst at the Australian Strategic Policy Institute’s International Cyber Policy Centre, Chinese cyber espionage groups have long prized efficiency over secrecy, employing cheap digital intrusion methods, like spear-phishing, instead of the more deliberate methods of Western intelligence organizations.
As a result, Chinese hackers get caught more often.
“Chinese cyber espionage has been tremendously tactically successful in that they’ve got a lot of information, but I think it strategically has had a significant cost,” Uren said. “If they hadn’t stolen a whole lot of material over decades, people wouldn’t have had the same degree of concern as they do now.”
An unregulated domain
Neither of those justifications would satisfy those like Mueller, who would discourage the manipulation of cyber threat intelligence in any form.
But as of now, there are no laws or norms regulating attribution. States can make of it what they want.
Australia’s approach — where a head of state announces a non-attack from an unknown adversary — is peculiar and perhaps ill-advised.
Still, it grabbed headlines. That may have been enough to warn others, to cajole Australians, and to deter the Chinese.
Or to fundraise. Roughly 10 days after the press conference, Australia announced that it would spend $1 billion dollars to boost its cyber defenses.