Prime Minister Scott Morrison’s announcement today that Australia was being targeted by a “sophisticated state-based cyber actor” was curiously measured. On the one hand, the “targeting” necessitated a Prime Ministerial statement, guaranteeing widespread media coverage. On the other hand, the PM’s assured the public that “this has been a constant for Australia to deal with”.
That’s probably because Morrison needs to deliver two messages.
First, the Prime Minister wants to communicate to the Australian private sector, to reassure local companies that might be seeing signs of the “targeting” that the government agencies are on top of it, and to encourage those that haven’t to tighten security. Morrison laid the groundwork for the more detailed technical advisory from the Australian Cyber Security Centre.
Countries such as Australia want to deter adversaries without provoking them.
Second, the Prime Minister is unavoidably sending a message to the “state-based actor” behind the intrusions (which is almost certainly China). In essence, Morrison is saying: We know what you’re up to, but we aren’t going to name you (yet).
That reluctance is part of the emerging rules of this new game of cyber competition. Countries around the world are struggling to develop a framework to manage growing state-on-state rivalry in and through cyberspace.
Countries such as Australia want to deter adversaries without provoking them. Public attribution – and the threat of doing so – is seen as one of way of warning and deterring an opponent. But early attribution can also be provocative and leave less room for subsequent escalation. Australian agencies may hope that the PM’s statement will deter the attackers from moving on to extract large volumes of information or engaging in any sabotage.
As the PM put it, “That fact that these threats present is not a surprise in this world in which we now live”. One part of managing that threat – and creating more rules – has to be a more nuanced popular vocabulary. Though the PM’s words were chosen carefully, the alarming and imprecise phrase “cyber attack” was used heavily in the media build up and subsequent coverage of his remarks.