Recently, Dan Tehan, the minister assisting the Prime Minister on cyber security, informed Parliament that the ASD had been instructed to broaden its capabilities from military to prosecuting offensive operations against criminal groups. I see this as an important step forward in the evolution of combatting the modern cyber threat, and it represents leadership we unfortunately do not see enough of from the Government. I hope that this change in policy fosters increased intelligence sharing between ASD and commercial entities to the benefit of Australia's national interest and the sovereignty of Australian cyber space.

There is one task verb absent from the title, and therefore from the newly minted mission of the ASD: Defeat. This is an acknowledgement of the scale of the cyber threat to Australia, and of its dynamic and complex nature. You cannot defeat a complex and dynamic threat because it is adaptive: each action you take elicits a counter action that is the product of its own intelligence and analysis cycle. This is the nature of the cyber adversary; they represent an adaptive threat problem to Australia. The deliberate omission of ‘Defeat’ as an aim of this new organisation is not an admission of futility in pursuing these criminal groups; instead, it is an honest statement of the ongoing commitment required to keep them from causing harm to Australia. The work is continuous because, despite the effort that this organisation will take to Disrupt, Deny, Degrade and Deter, the threat is adaptive and will return. We are in a fight and the government knows this.

At Diamond Cyber Security we share this view, and we understand what it takes to engage with an adaptive threat – this is in our DNA. We focus on disruption as the means of enabling commercial and public enterprise to engage with the cyber adversary, and engagement is no longer a choice. Commercial entities must take the same stance as the government, realising (whether they truly believe this or not) they too are in the same fight. If they do not choose to engage with the cyber adversary, they will continue to be victims. A disruptive strategy allows for the continuous effort required to participate in this conflict. It must have the following attributes:

It must be affordable and efficient. You need the greatest effect for the lowest cost, because it's going to be a continuous or ongoing strategy.

It must create effective defences in depth, and those defences need to adapt. A dynamic threat demands a dynamic defence.

This may come as a shock to those who have not been exposed to and trained for conflict: the realisation that someone seeks to harm you, or your business, is confronting. This needs to be quickly overcome, because it is the new normal. There is simply too much financial incentive for the threat to cease.

There are groups that have been taking an active stance towards the threat, so whilst this is a radical shift for the Australian government, it is not new in the world. Cisco’s research arm Talos have been active in their pursuit of criminal groups and have sought to Disrupt and Degrade the infrastructure used to execute their illegal activity. Their methods are different to what is being proposed by ASD. Once they have identified the infrastructure being used in malware distribution, phishing campaigns etc., they work with law enforcement and hosting companies across the globe to remove it. Whilst it is not the offensive cyber action being proposed by our government, it demonstrates the understanding that not being engaged means being a victim. I was lucky enough to attend a briefing from Talos on their operations to disrupt the distribution of the Angler network, and was very impressed.

My assessment of many companies in Australia is that they are operating with yet another D task verb – Denial. Whilst this does not describe all Australian business, there seems to be a prevailing thought that ‘it won’t happen to us down here’. At best there is an attitude that compliance with a control framework and a once-a-year penetration test will secure their enterprise.

Unfortunately, this is not the case.

As described above, the threat is adaptive; it doesn't operate on a yearly audit or control validation cycle. It observes, orients, decides and acts against your enterprise much quicker than a compliance framework can comprehend.

It seems like a bleak situation, one that will never improve. However, this does not mean no action is taken; quite the inverse, it should spur us (the collective of industry paired with Government) to do more. There may be mixed views on whether it is the responsibility of our Government to disrupt criminal organisations existing outside our borders, but in my opinion, it is the leadership that Australia needs.

To see more on Diamond Cyber Security’s thoughts on these issues and more, read – The Cyber Manifesto.