It was notable that this week’s naming and shaming of the Chinese government over the Microsoft Exchange server hack earlier this year, and criminal hacking in general, did not include sanctions.
Of all the signatories to the statement led by US President Joe Biden, Australia most of all might have had a problem with that.
Bad enough China has been sanctioning us by blocking imports of wine, barley and meat, without Australia also blocking exports of, say, iron ore, which is about the only thing that would hurt the superpower.
But at some point Australia, along with the US, Japan, the UK and Europe, will have to work out what to do about China’s escalating cyber warfare, because issuing stern press releases probably won’t do it.
And whatever is done that might cause the Chinese Communist Party to take notice will probably hurt us as much as it hurts them.
The world is now engaged in a cyber arms race, and the west is playing too nice and getting left behind.
As I understand it, this year’s big development wasn’t so much the Microsoft Exchange hack itself, even though it compromised tens of thousands of computers around the world.
It was that the Chinese Communist Party has apparently worked out how to cheaply boost its capability by letting its army of official espionage hackers do cyber crime in their spare time, specifically ransomware.
That’s where someone who is very good at computers gets into a company’s system, locks it and demands money to unlock it.
Unlike with kidnapping and terrorism, the corporate victims usually cough up because it’s a simple cost-benefit transaction: The price is a fraction of what it would cost the company if the data stayed locked or the system stayed crashed.
Company directors I’ve spoken to about it admit as much.
As a result, many millions, possibly billions, of dollars are being quietly handed over to ransomware cyber criminals in deals that never see the light of day, and a lot of the money is now going to China, to help finance the Communist Party’s cyber war effort.
The biggest publicly known ransomware attack in Australia recently was the one on Nine Entertainment, revealed by the Financial Review in March, and never officially reported to the ASX.
Nine must have refused to pay because the network was brought to its knees and has had to rebuild many of its systems from the ground up.
Whether China or Russia was behind that is not clear, but the consensus is that it was a “state actor”, as they say, not individual hackers. In other words, it was a government.
And there lies the problem with the limp response to what China is up to: If a foreign government had blown up Nine’s studios with an actual bomb, there would be no question about whose responsibility it was to defend the company – the government, and specifically the military.
An international incident would ensue, ambassadors would be withdrawn and diplomatic relations discontinued. We would be on high alert – a war footing.
With cyber crime it’s not as clear, even when the spies know who did it, and not just because no one dies.
A question of responsibility
The cost of a corporate cyber attack can be immense and widespread but who is responsible for defending against it? The company or the government?
Some companies, especially banks, spend plenty on cyber security, but many don’t. For example, for a hospital, the choice between some new equipment to save lives and a software upgrade is easy: Save lives.
So the cyber defence of the realm is patchy to say the least.
The government, meanwhile, is spending nowhere near enough and its cyber security experts presumably aren’t allowed to do ransomware on the side.
Also, the Australian National Audit Office routinely finds that government departments don’t meet the required cyber security standards.
And in time-honoured fashion the government is trying to bury these failures in an avalanche of strategic papers, reports, advisory committees and plain, mind-numbing guff.
Australia’s Cyber Security Strategy 2020, launched by then Home Affairs Minister Peter Dutton, was an absolute guff-fest, promising an investment of $1.67 billion in cyber security over 10 years, with an extra 100 Australian Federal Police officers to specialise in it.
Estimates of China’s current force of hackers (now apparently doing some ransomware on the side) range up to 100,000 but that’s a pure guess; it could be anything. And then there’s Russia’s and Iran’s.
Meanwhile, the defence budget for 2020-21 is $44.6 billion in one year, including $15.8 billion to be spent on hardware acquisition.
Almost $2 billion has been spent over 15 years on digitising the Army, but this project has been put on hold, unfinished.
Naval shipbuilding costs $4 billion a year.
Almost $100 billion is to be invested in a domestic guided weapons manufacturing industry so bombs can be sent several kilometres from the back of a truck.
The next war will be at least partly fought over the internet – in fact, it’s arguably happening already, with wartime espionage and cyber “bombs” going off in corporations and government bodies, planted by China.
The billions spent on fancy military hardware won’t be much use if the computer systems get hacked and they won’t work, while the national electricity grid is switched off from Beijing.
Alan Kohler writes twice a week for The New Daily. He is also editor in chief of Eureka Report and finance presenter on ABC News.