‘Release the Hounds’: Why Offensive Cyber Operations against Ransomware Purveyors Are Legitimate Exercises of State Power
By Ravi Nayyar
Author’s Note:
This essay (except for one modified endnote and the title) was submitted in June 2021 as the final assessment for Advanced Criminal Law in the final semester of my LLB. I am immensely grateful to Dr Arlie Loughnan, Professor of Criminal Law and Criminal Law Theory at the University of Sydney Law School, for helping me develop this essay. Dr Loughnan’s counsel on weaving the ransomware and offensive cyber threads into a background of criminal law theory — specifically, the literature on the criminal law as a security project of the state — was crucial.
Given that this is a criminal law-centred essay, please forgive me if you consider it to be light on detail on the international law position regarding the fifth domain. This was a deliberate decision on my part because the essay was an assessment for a criminal law subject. Also, there are several scholars who are far more qualified to discuss the international law question than I, and to whose analysis I defer.
The opening three words of the title of this essay comprise a catchphrase which denotes the launching of offensive cyber operations, a catchphrase especially popularised by Mr Patrick Gray, host of the Risky Business podcast, by which the title of this essay is inspired.
Introduction
In signalling ‘what is publicly wrongful’[1] and seeking to make society ‘more secure from a range of different bad things that might happen to us’, the criminal law arguably is a ‘security project’ of the state.[2] A tool to promote citizens’ ‘being without threat’,[3] the criminal law can also work to prevent psychological harm to citizens ‘from anxiety or apprehension’ regarding security threats.[4] Its focus on harm prevention means that the criminal law can satisfy demands for security in the wake of even a single threat or event such as the attacks of 11 September 2001.[5] It can prioritise mitigation of the risk of harm over responding to harm after the fact, seemingly resting on ‘the pre-crime logic of security’.[6]
The state’s embrace of its ‘general responsibility for the prevention of harm’[7] is reflected by powers given to state agencies to prevent crime. The Australian Signals Directorate (‘ASD’) — Australia’s signals intelligence and offensive cyber operations agency — [8] is authorised ‘to prevent and disrupt, by electronic or similar means, cybercrime undertaken by people or organisations outside Australia’.[9] Cybercrime is defined broadly as ‘crimes that use or target computer networks’.[10] Ransomware attacks are a significant category of cybercrime.[11] They target computers with ransomware, a type of malware which ‘encrypts the [target’s] files, making them inaccessible until a specified ransom is paid’.[12] The serious threat from ransomware attacks is evident in how, globally, ‘by 2021, a ransomware attack on businesses occurs every 11 seconds’.[13] This is not merely a technical threat, but an arguably systemic one.[14]
I will explore the role of the criminal law as a security project via a case study on the conduct of offensive cyber operations (‘Operations’) by ASD against persons overseas who are likely to launch ransomware attacks against Australian victims. I define Operations as the targeting of (a) computer(s) ‘to project power in and through foreign cyberspace through actions taken in support of [military]… or national objectives’.[15] ASD’s capability to conduct Operations was first disclosed in 2016.[16]
I will thus answer the following question:
Are the Operations legitimate exercises of state power?
I will answer this question in the affirmative in light of the following elements of the criminal law as a security project: the state’s focus on harm prevention;[17] and the blurred line between external and internal security.[18] In making this argument, I will explore the threat to Australians from ransomware, including the cross-border nature of that threat.
Harm Prevention
Arguments
Operations are legitimate exercises of state power because of the threat to Australians posed by ransomware. Operations represent an example of the state properly using the criminal law as a security project in order to prevent harm to its citizens from criminal acts.[19]
The conceptual intersection of the threat to Australians from ransomware and that from terrorism can mean that the manner in which terrorism motivated the state to ‘think and act pre-emptively’ in protecting national security[20] can be echoed by the ransomware threat.
How this terrorism-ransomware overlap can drive a necessarily security-oriented approach by the state in seeking to prevent ransomware attacks is reflected by how Australian agencies tend to refer to terrorism and ransomware in a similar fashion. The Australian Federal Police considers terrorism to remain ‘a major security challenge for Australia’.[21] Similarly, the Commonwealth Department of Home Affairs’ Cyber Security Industry Advisory Committee defined ransomware as ‘one of Australia’s fastest escalating threats’.[22] The Australian Cyber Security Centre (‘ACSC’) reported that, between July 2019 and June 2020, ‘ransomware has become one of the most significant cyber threats facing the operation of private sector organisations’ and attacks ‘can cripple organisations that rely on computer systems to function’.[23] Given that agencies seeking to preserve Australians’ security arguably accord ransomware and terrorism similar significance, Operations can represent a legitimate exercise of state power in that the Commonwealth can use them to prevent future harm by targeting likely ransomware attackers prior to their launching an attack against Australians, similar to how the Commonwealth pre-emptively targets likely terrorists.[24] The broad authority given to ASD to prevent cybercrime which originates from overseas[25] is a necessary means of achieving that harm prevention goal.
Conventional ‘kinetic’[26] terrorism and ransomware attacks can also cause similar consequences, strengthening the case for the Commonwealth launching Operations pre-emptively. Ransomware attacks can be launched with the intention of causing mass casualty attacks, similar to conventional terrorism, by damaging critical infrastructure systems.[27] For instance, they can disable hospital systems and compromise patient care,[28] even forcing postponement of surgeries (a consequence of the NotPetya attack).[29] Conventional terrorism and ransomware attacks can have similar psychological impacts: three large studies found that ‘cyber terrorism’ (which can include ransomware attacks) ‘aggravates stress and anxiety, [and] intensifies feelings of vulnerability’, echoing the impact of conventional terrorism.[30] Such emotions were arguably evident in how Americans were panic-buying fuel in the wake of the disabling of a pipeline carrying 45% of the fuel supply of the United States East Coast following a ransomware attack on the pipeline’s operator.[31] As a harm prevention tool of the criminal law, Operations are thus legitimate in seeking to promote Australians’ physical and mental wellbeing by thwarting ransomware attacks against Australian targets.[32]
Additionally, the threat from ransomware to Australians’ security, and thus the legitimacy of Operations as a harm prevention tool, is demonstrated by the systemic risk to Australia’s national security which is posed by ransomware attacks.[33]
Ransomware attacks impair the interconnected computer networks that the Australian economy and society rely on to function.[34] The crippling of government services in Atlanta, Baltimore and over six hundred other American towns, cities and counties from 2018 to 2020 by ransomware attacks[35] can serve as warnings for Australia of the systemic risk encouraged by ransomware. The paralysis of the Ukrainian economy by the NotPetya attack demonstrates the capacity of ransomware to wreak havoc on the economic and technical systems that citizens rely on.[36]
The Commonwealth’s extolling of its role in preserving the security of its people as a justification for giving cybercrime prevention powers to ASD[37] arguably comes into sharp relief. That justification is reinforced by the ACSC considering ransomware to be ‘one of the most significant threats given the potential impact on the operations of businesses and governments’.[38] In reinforcing the role of the criminal law as a security promotion tool, Operations would seek to prevent such wide-ranging harm to Australians from ransomware attacks. ASD’s conducting Operations against overseas persons likely to execute such attacks can thus represent a legitimate exercise of state power.
Counter-Arguments
There are, however, two factors that can undermine the state’s justification of Operations as a harm prevention tool of the criminal law and as legitimate exercises of state power.
Firstly, Operations are potentially unsustainable. Similar to how ‘there can never… be “enough” security measures’ for the criminal law to implement under the auspices of a security project,[39] Operations can represent ‘an elaborate game of whack-a-mole’ against those likely to launch ransomware attacks.[40] This is likely the case because a state trying to defend its territory’s computer networks can suffer from an asymmetry in speed and initiative against attackers in cyberspace.[41] The speed at which attackers can compromise victim computers was demonstrated by the WannaCry ransomware attack, which affected 200,000 organisations in 150 countries within 24 hours after its launch.[42] This can suggest how the very ‘architecture of cyberspace favors attackers, preventing states from enacting effective defenses’.[43] Aucsmith draws parallels between the threat from malicious cyber actors and that from insurgents, highlighting attackers’ ability ‘to choose the time, place, and method of attack’ and to execute attacks at a lower financial cost relative to that which is incurred by defenders (like the state, businesses and citizens) in securing their computer networks and infrastructure.[44] The state’s operating in a domain, which can favour ransomware attackers, reflects how using the criminal law as a security project can be rendered futile by the ‘difficulty of identifying whether or not the end [of security] has been achieved’.[45] As a result, the legitimacy of Operations as exercises of state power, though seeking to uphold the criminal law as a harm prevention tool, is weakened.
Secondly, using the ransomware threat to justify Operations can overlook the role played by robust risk mitigation strategies to secure vulnerable computers from the threat of ransomware in the first place.[46] In focusing on the need to conduct Operations, the state can ignore the importance of taking defensive measures and ‘hardening’ the cyber resilience — the ‘ability to prepare for, respond to and recover from a cyber attack’ — [47] of computer networks as harm prevention tools.[48]
Australia’s seeking to justify the conduct of offensive cyber operations by reference to the ransomware threat can echo how governments generally can use security-oriented policies to ‘obfuscate larger sources of anxiety’ and not implement alternative solutions to a security problem such as, in this case, greater investment in cyber resilience for vulnerable computer networks.[49] These measures can include helping network operators comply with recognised international cyber resilience standards and using antivirus software.[50] The importance of prioritising cyber resilience was writ large in how operators of computers compromised by the WannaCry ransomware could have prevented said compromise by installing software updates that rectified the specific vulnerabilities in their computers that WannaCry ultimately targeted.[51]
States themselves stress cyber resilience as a tool to prevent harm from a ransomware attack. The ACSC highlights that implementation of ASD’s ‘Essential Eight’ cyber resilience controls can ‘substantially reduce the risk of compromise, and help to prevent the most common tactics, techniques and procedures (TTPs) used by malicious cyber adversaries’.[52] The Director of GCHQ — ASD’s UK counterpart — [53] stressed cyber resilience as ‘an increasingly strategic issue’ requiring ‘a whole nation approach’.[54] If Australian computer networks are properly defended, it can be considered that Operations are not a wholly necessary, let alone legitimate, exercise of state power under the auspices of the criminal law as a security project.
Rebuttal
The counter-arguments seeking to undermine the legitimacy of Operations as a harm prevention tool are, however, rebutted for the reasons below.
Merely describing Operations as unsustainable and unnecessary because of the aforementioned asymmetries suffered by states lacks nuance, given that those asymmetries represent the inherent realities of cyberspace.[55] Using terms like ‘whack-a-mole’[56] or referring to how cyberspace naturally favours attackers[57] unfairly conflates such challenges with reasons for states not to seek to prevent harm from ransomware by using the criminal law as a security project. That ransomware attackers are favoured by cyberspace[58] can instead reinforce the need for states to proactively tackle the ransomware threat by nullifying ransomware attackers’ capabilities to harm citizens, and thus strengthen the legitimacy of Operations as exercises of state power.
The need for ASD to launch Operations against suspected ransomware attackers can echo that for policing agencies to seize illicit markets located on the Dark Web. While agencies have made several seizures and dozens of arrests worldwide,[59] market vendors and operators can ‘[start] over after closures or seizures’.[60] Agencies remain, however, committed to tackling the criminal threat posed by such markets.[61] Experts support this commitment when they recommend how agencies can more effectively target the markets.[62] Similarly, the fact that the likely purveyors of ransomware benefit from how ‘Moore’s Law works for criminals too’[63] should not necessarily mean that states should abandon efforts to tackle the ransomware threat. Rather, it should further embolden states in their efforts to conduct Operations, especially since the threat could be larger than previously thought in light of the under-reporting of ransomware attacks.[64]
States are helped in said efforts by being able to exploit the same qualities of cyberspace that are leveraged by malicious actors to launch Operations against those actors. This was evident in how ASD disabled the Islamic State’s (‘ISIS’) online propaganda capacity in cooperation with United States and United Kingdom counterparts.[65] ASD also disabled infrastructure used by overseas criminals and blocked their access to stolen data in April 2020.[66] These represent operational precedents for ASD’s ability to conduct Operations, itself likely to strengthen with over $31 million in new funding announced in 2020 to strengthen ASD’s counter-cybercrime capacity.[67]
Besides, strengthening cyber resilience of vulnerable computers and conducting Operations against suspected ransomware attackers are together part of the counter-ransomware toolkit.[68] The co-existence of Operations with efforts to drive greater cyber resilience is implied by ASD’s being tasked with preventing cybercrime and advising Australians on cyber resilience.[69] This rebuts the notion that Australia focuses on Operations at the complete expense of improving cyber resilience of Australian computer networks.
The co-existence of strengthening cyber resilience and conducting Operations echoes how states champion a multi-stakeholder toolkit for tackling the ransomware threat and collaborate with ‘a larger panoply of individual, communal and private agents’ under a harm prevention approach more generally.[70] Public-private partnerships are vital because the private sector operates networks vulnerable to ransomware and provides cyber resilience services.[71] Such partnerships drive securer computer networks, including through better intelligence-sharing, development of stronger security standards and coordination of responses to cyber attacks.[72] Australia’s cyber security strategy is underpinned by the parallel roles of government, industry and civil society.[73] This focus on partnerships led the Commonwealth to announce that ASD would strengthen collaboration with telecommunications providers to prevent cybercrime.[74]
The legitimacy of the role played by Operations — in pre-emptively disabling the capability of likely ransomware attackers to compromise Australian networks — within the mentioned multi-stakeholder toolkit is accentuated by how defensive measures alone cannot prevent the ransomware threat.[75] Given the purpose of Operations, ASD would be upholding the state’s ‘first and defining priority’ in citizen protection.[76] Operations are critical not least since they counter the growing threat from ransomware attackers to human security through the latter’s targeting of healthcare facilities.[77] Hence, Operations are legitimate exercises of state power because, as part of a broad counter-ransomware toolkit, they represent proper use of the criminal law as a harm prevention tool.
Blurred Line between External and Internal Security
Arguments
The Operations are legitimate because, being transnational, they represent an appropriate use of the criminal law in dealing with the blurred line between external and internal security threats.[78] This blurring is encouraged by the ransomware threat,[79] given the ‘borderless’ nature of cyberspace through which foreign ransomware attackers penetrate Australian networks.[80] This is exacerbated by the rich interconnectivity of computer networks across territorial borders, which makes computers even more vulnerable to compromise.[81] The adverse consequences of such interconnectivity were evident in how the NotPetya ransomware attack spread from its original Ukrainian targets to multiple continents, including computers that controlled global shipping infrastructure and vaccine production in North America.[82]
Such circumstances can provide the trigger for Australia to reinforce its sovereignty against flows of data, that ‘criss-cross and undermine [its] territorial borders’,[83] through Operations launched by ASD against likely ransomware attackers. The Commonwealth can use the criminal law as a security project against offshore actors undermining its capacity to provide security within its borders and thus push back against the transnational security threats that those actors encourage.[84] In considering that the deployment of security strategies against such cross-border threats is necessary, Australia may believe that ‘the border is everywhere’.[85] That would especially be the case in relation to threats originating through cyberspace, given how these overseas-borne threats ‘increasingly impinge on national security’[86] and exploit a domain which is shared by citizens, governments, businesses and criminals.[87]
In light of the state’s larger responsibility for tackling external threats, the erosion of the distinction between external and internal threats can increase the overall responsibility of the state for providing security.[88] Such circumstances have arguably driven increasing involvement of intelligence agencies in domestic law enforcement since the end of the Cold War.[89] This can help justify the deployment of an intelligence agency in ASD[90] to promote Australians’ security against a category of cybercrime which represents a cross-border threat to Australian computer networks.[91] It can thus be legitimate for: the ISA to enact ASD’s counter-cybercrime role as an exception to the prohibition on Australian intelligence agencies conducting domestic law enforcement work;[92] and the Commonwealth to refer to ASD as ‘a national asset with a national focus’.[93] The Commonwealth can use these factors to justify the legitimacy of Operations as exercises of state power and a tool of the criminal law as a security project in dealing with a transnational security threat.
Counter-Arguments
The legitimacy of Operations as exercises of state power against a transnational security threat is arguably undermined by two factors.
Firstly, the Operations are problematic because they could make Australia breach international law. Australia (through ASD) may be in violation of another state’s sovereignty by targeting computers in the latter’s territory.[94] The issue is exacerbated by a UN Group of Governmental Experts (‘GGE’) highlighting the applicability of ‘international law, and in particular the Charter of the United Nations’ to cyberspace — a matter which Australia agrees with — [95] and how states’ compliance with international law ‘is an essential framework for their actions’ in cyberspace.[96] The ‘essential’ role of compliance with international law in promoting peace in cyberspace[97] is seen in how the state, in whose territory ASD’s targets are located, can misread ASD’s conduct of Operations as (preparatory to) acts of aggression by Australia against their territory and take serious countermeasures against Australian computer networks in retaliation.[98] The Operations’ potentially encouraging threats to Australia’s national security and placing Australia in breach of international law severely undermines their legitimacy as exercises of state power.
Secondly, the legitimacy of the Operations can be negatively affected if they are incorrectly targeted. Incorrect targeting can result from ASD’s being unable to verify that they are launching an offensive cyber operation against computers and networks that belong to a person who is actually likely to launch a ransomware attack, as opposed to targeting an innocent third party. This can result from the difficulty in attributing activity in cyberspace to a specific cyber actor,[99] encouraging the same knowledge gaps that are considered to plague states’ conduct on the world stage more generally.[100] The problem is reinforced by how malicious cyber actors can share tactics and tools, as well as impersonate each other to confuse investigators.[101] For example, Russian intelligence officers allegedly designed their malware to resemble that of North Korean hackers when the former targeted the 2018 Winter Olympics in order to thwart attempts to attribute the attack to the Russian government.[102] States can also sponsor cyber attacks and thwart attempts to attribute the attacks to them by encouraging or directing non-state actors — including cybercriminals, patriotic nationals or private companies — to conduct the actual attacks.[103] China is an example of such states because the Chinese Ministry of State Security uses freelancers from Chinese universities and technology companies to attack dissidents and ethnic minorities via cyberspace.[104]
Misattribution of malicious cyber activity, and subsequent incorrect targeting of Operations, by ASD can have serious consequences (at least diplomatically) for Australia. Operations can be misinterpreted, for example, by the state housing the computers incorrectly targeted by ASD as acts of war by Australia and seriously impair Australia’s relations with other countries.[105] In launching poorly targeted Operations, Australia can thus echo the state which is criticised by the security literature for failing to recognise its knowledge gaps as it attempts to provide security.[106] These factors can undermine the legitimacy of Operations as exercises of state power.
Rebuttal
The aforementioned issues raised by Operations do not, however, wholly counter the latter’s legitimacy as a security-promoting tool of the criminal law to counter the transnational threat from ransomware.[107]
The international law position on states’ conduct in cyberspace is not precisely settled,[108] reducing the legal risk to Australia from ASD’s execution of Operations. A 2021 report by a United Nations Open Ended Working Group does not detail precisely how states’ international law obligations apply to cyberspace, rather stressing that those obligations exist.[109] The legal uncertainty can be reinforced by how states agreed that more work was required to understand how international law precisely governs their activity in cyberspace.[110] This creates what Crootof termed ‘substantive normative confusion’,[111] making it unclear whether Operations are actually unlawful exercises of state power.
For instance, it is not settled whether an Operation by ASD would breach the sovereignty of the state where a targeted computer is located if the Operation meets the following criteria: ASD is only targeting the computer of a suspected cybercriminal; the Operation neither ‘interferes with [n]or usurps the inherently governmental functions of’ that state, such as healthcare delivery; and the Operation does not cause physical destruction.[112] Such precise targeting is possible if the attacking agency (here, ASD) has granular intelligence on the targeted computer.[113] The Operation against the online propaganda capability of ISIS demonstrates the benefit of gathering and leveraging precise intelligence on targets.[114] Given the quality of their reconnaissance of ISIS’s networks, operators from the attacking agencies could distinguish between material belonging to ISIS and that to civilians, even if both were stored on the same servers.[115] That intelligence underpinned the precautions that the operators took to ensure that they minimised collateral damage.[116] Hence, provided Operations meet the above criteria and are surgical, they are legitimate exercises of state power that seek to enforce the criminal law as a security project to guard against transnational threats to Australians.
ASD also has internal compliance frameworks and oversight by the Commonwealth Parliament, Commonwealth Government, and Inspector-General of Intelligence and Security, that help ensure that its activity does not make Australia breach international law.[117] These compliance and oversight mechanisms are key because Australia has signalled its intention to conduct Operations in a manner compliant with international law.[118] In promoting Australia’s compliance, these mechanisms strengthen the legitimacy of Operations as a security-promoting tool of the criminal law.
Besides, attribution of cyber activity to specific actors is long-established and made easier by greater capacity to collect and analyse intelligence in cyberspace.[119] Australia’s capacity to do so arguably underpins its ‘capability to attribute malicious cyber activity in a timely manner to several levels of granularity’.[120] ASD can strengthen that capability by leveraging that of partners in the Five Eyes (‘FVEY’) intelligence-sharing alliance, especially the National Security Agency and GCHQ.[121] Working with FVEY counterparts is crucial because of the greater ‘attributive credibility’ of the latter two agencies.[122] ASD can also collaborate with its domestic counterparts to gather intelligence on targets, evident in how it sourced intelligence from a partner agency to better identify, and thus successfully disrupt, the business model of organised cybercrime syndicates via targeted Operations, as announced in December 2020.[123] The intelligence picture available to ASD can be strengthened by collaboration with the private sector, given that the latter encounters threats in cyberspace in (almost) real time.[124] ASD can rely on private vendors of ‘extremely sophisticated cyber intelligence services’, whose offerings rival the capabilities of intelligence agencies, to aid its attribution and targeting efforts in preparation for Operations.[125] Hence, by driving robust attribution of past malicious activity to, and correct identification of, potential ransomware attackers, these factors can help ensure that Operations are correctly targeted and function as legitimate exercises of state power.
Conclusion
This essay adopted the perspective of the criminal law as a security project in examining whether offensive cyber operations conducted by the Australian Signals Directorate against persons located overseas, who are likely to launch ransomware attacks against Australian computer networks, are legitimate exercises of state power. The essay concluded that such Operations are legitimate for two reasons. Firstly, Operations are an appropriate harm prevention tool, as part of a multi-stakeholder policy toolkit, which mitigates the systemic risk from ransomware.[126] Secondly, in light of the blurred divide between external and internal security threats, Operations are a legitimate mechanism to counter the cross-border threat from ransomware.[127] This is because concerns about Australia’s compliance with international law and accuracy of Operations’ targeting can be mitigated by: the meeting of specific criteria that reduce the risk of Operations putting Australia in breach of international law; ASD’s internal and external oversight frameworks; and ASD’s robust capabilities for gathering and analysing intelligence.
[1] Victor Tadros, ‘Distinguishing General Theory, Doctrine and Evidence in Criminal Responsibility: A Response to Lacey’ (2007) 1 Criminal Law and Philosophy 259, 262–3.
[2] Victor Tadros, ‘Crimes and Security’ (2008) 71(6) Modern Law Review 940, 941; Lindsay Farmer, ‘Response 2: Criminal Law as a Security Project’ (2014) 14(4) Criminology and Criminal Justice 399, 399.
[3] Lucia Zedner, ‘The Concept of Security: An Agenda for Comparative Analysis’ (2003) 23(1) Legal Studies 153, 155.
[4] Ibid.
[5] Ibid 153–4.
[6] Lucia Zedner, ‘Pre-Crime and Post-Criminology?’ (2007) 11(2) Theoretical Criminology 261, 264.
[7] Andrew Ashworth and Lucia Zedner, ‘Prevention and Criminalization: Justifications and Limits’ (2012) 15(4) New Criminal Law Review 542, 544.
[8] ‘About ASD’, Australian Signals Directorate (Web Page, 10 October 2013) [1] <https://www.asd.gov.au/about>.
[9] Intelligence Services Act 2001 (Cth) s 7(1)(c) (‘ISA’); Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill Act (Cth) sch 1 item 9.
[10] Scott Eltringham et al, United States Government, Prosecuting Computer Crimes (Office of Legal Education, Executive Office for United States Attorneys, 2nd ed, 2010) v.
[11] See, eg, European Union Agency for Law Enforcement Cooperation, Serious and Organised Crime Threat Assessment: A Corrupting Influence: The Infiltration and Undermining of Europe’s Economy and Society by Organised Crime (Report, 12 April 2021) 41 (‘Serious and Organised Crime Threat Assessment’).
[12] Lawrence J. Trautman and Peter C. Ormerod, ‘WannaCry, Ransomware, and the Emerging Threat to Corporations’ (2019) 86(Winter) Tennessee Law Review 503, 507, quoting Internet Crime Complaints Center, United States Government, ‘Ransomware Victims Urged to Report Infections to Federal Law Enforcement’ (Alert No I-091516-PSA, 15 September 2016) [1].
[13] Global Initiative against Transnational Organised Crime, The Global Illicit Economy: Trajectories of Transnational Organized Crime (Report, March 2021) 85 (‘The Global Illicit Economy’).
[14] Institute for Security and Technology, Combating Ransomware: A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force (Report, 30 April 2021) 8–10 (‘Key Recommendations from the Ransomware Task Force’).
[15] Department of Defense, United States Government, Cyberspace Operations (Joint Publication No 3–12, 8 June 2018) ix.
[16] Paul Karp, ‘Malcolm Turnbull Reveals Cyber-Attacks Breached Government Agencies’, The Guardian (online, 21 April 2016) [1]-[7] <https://www.theguardian.com/technology/2016/apr/21/malcolm-turnbull-reveals-cyber-attacks-breached-agencies>.
[17] Zedner (n 6) 264.
[18] Zedner (n 3) 153, 164; Ian Loader and Neil Walker, Civilizing Security (Cambridge University Press, 2007) 23.
[19] Lucia Zedner, ‘Terrorizing Criminal Law’ (2014) 8 Criminal Law and Philosophy 99, 103–4, citing Jeremy Waldron, Torture, Terror and Trade-Offs: Philosophy for the White House (Oxford University Press, 2010) 117.
[20] Zedner (n 6) 264.
[21] ‘Fighting Terrorism’, Australian Federal Police (Web Page, 1 June 2016) [2] <https://www.afp.gov.au/what-we-do/crime-types/fighting-terrorism>.
[22] Cyber Security Industry Advisory Committee, Commonwealth, Locked Out: Tackling Australia’s Ransomware Threat (Report, March 2021) 3 (‘Locked Out’).
[23] Australian Cyber Security Centre, Commonwealth, ACSC Annual Cyber Threat Report: July 2019 to June 2020 (3 September 2020) 12 (‘ACSC Annual Cyber Threat Report’).
[24] Zedner (n 6) 264.
[25] ISA s 7(1)(c).
[26] Michael L. Gross, Daphna Canetti and Dana R. Vashdi, ‘Cyber Terrorism: Its Effects on Psychological Well-Being, Public Confidence, and Political Attitudes’ in Herbert Lin and Amy Zegart (eds), Bytes, Bombs, and Spies: The Strategic Dimensions of Offensive Cyber Operations (Brookings Institution Press, 2018) 235, 236.
[27] Roland L. Trope, ‘Threading Needles in the Dark: Will Deals Survive when Cyberattacks Collapse the Grid’ 41 Northern Kentucky Law Review 339, 339, 352; Trautman and Ormerod (n 12) 517, quoting Rod Rosenstein, ‘Deputy Attorney General Rosenstein Delivers Remarks at the 2017 North American International Cyber Summit’ (Speech, North American International Cyber Summit, 30 October 2017) [21]; Thomas Payne, ‘Teaching Old Law New Tricks: Applying and Adapting State Responsibility to Cyber Operations’ (2016) 20 Lewis and Clark Law Review 683, 684–5.
[28] Gross, Canetti and Vashdi (n 26) 239, citing ‘North Korea “Directly Responsible” for WannaCry Attack on NHS’, The Independent (News Article, 19 December 2017) <https://www.independent.co.uk/news/world/asia/north-korea-wannacry-attack-nhs-us-homeland-security-tom-bossert-cyberattack-hacking-a8118036.html>.
[29] Associated Press, ‘Heritage Valley Health, Drugmaker Merck Hit by Global Ransomware Cyberattack’, Pittsburgh Post-Gazette (online, 28 June 2017) [1]-[2] <https://www.post-gazette.com/business/tech-news/2017/06/27/Heritage-Valley-Health-Merck-targets-cyberattack-pennsylvania-ransomware/stories/201706270148>.
[30] Gross, Canetti and Vashdi (n 26) 237, 241–2.
[31] Christopher Bing and Stephanie Kelly, ‘Cyber Attack Shuts Down U.S. Fuel Pipeline “Jugular,” Biden Briefed’, Reuters (News Article, 9 May 2021) [1], [3] <https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/>; Mary-Ann Russon, ‘US Passes Emergency Waiver over Fuel Pipeline Cyber-Attack’, BBC News (News Article, 10 May 2021) [2] <https://www.bbc.com/news/business-57050690>; Vanessa Romo, ‘Panic Drives Gas Shortages after Colonial Pipeline Ransomware Attack’, NPR (News Article, 11 May 2021) [1]-[2] <https://www.npr.org/2021/05/11/996044288/panic-drives-gas-shortages-after-colonial-pipeline-ransomware-attack?utm_source=twitter.com&utm_campaign=npr&utm_medium=social&utm_term=nprnews>.
[32] Zedner (n 6) 273–4; Loader and Walker (n 18) 152–3, 157.
[33] Locked Out (n 22) 3–4.
[34] Ben Buchanan, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics (Harvard University Press, 2020) 2–3; OECD, Seven Lessons Learned about Digital Security during the COVID-19 Crisis (Paper, 4 November 2020) 3.
[35] Eileen Decker, ‘Full Count?: Crime Rate Swings, Cybercrime Misses and Why We Don’t Really Know the Score’ (2020) 10 Journal of National Security Law and Policy 583, 583–4, citing Lily Hay Newman, ‘Atlanta Spent $2.6M to Recover from a $52,000 Ransomware Scare: Whether to Pay Ransomware Is a Complicated — And Costly — Calculation’, WIRED (News Article, 23 April 2018) <https://www.wired.com/story/atlanta-spent-26m-recover-from-ransomware-scare/>; Nicole Perlroth, This Is How They Tell Me the World Ends (Bloomsbury Publishing, 2021) 363.
[36] Perlroth (n 35) 339; Andy Greenberg, ‘The Untold Story of NotPetya, the Most Devastating Cyberattack in History: Crippled Ports. Paralyzed Corporations. Frozen Government Agencies. How a Single Piece of Code Crashed the World’, WIRED (News Article, 22 August 2018) [11] <https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/>.
[37] Commonwealth, Parliamentary Debates, House of Representatives, 15 February 2018, 1611 (Michael McCormack).
[38] Locked Out (n 22) 3–4; ACSC Annual Cyber Threat Report (n 23) 4–5.
[39] Loader and Walker (n 18) 11.
[40] Rebecca Crootof, ‘International Cybertorts: Expanding State Accountability in Cyberspace’ (2018) 103(3) Cornell Law Review 565, 580.
[41] Ibid; David Aucsmith, ‘Disintermediation, Counterinsurgency, and Cyber Defense’ in Herbert Lin and Amy Zegart (eds), Bytes, Bombs, and Spies: The Strategic Dimensions of Offensive Cyber Operations (Brookings Institution Press, 2018) 343, 350.
[42] Perlroth (n 35) 334.
[43] Crootof (n 40) 573.
[44] Aucsmith (n 41) 350.
[45] Zedner (n 3) 157.
[46] See, eg, Melanie Maynes, ‘One Simple Action You Can Take to Prevent 99.9 Percent of Attacks on Your Accounts’, Microsoft Security (Blog Post, 20 August 2019) <https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/>; The CyberPeace Institute, Playing with Lives: Cyberattacks on Healthcare Are Attacks on People (Report, 2021) 95 (‘Playing with Lives’).
[47] Australian Securities and Investments Commission, Report 429: Cyber Resilience: Health Check (March 2015) 4–5.
[48] Clive Walker and Ummi Hani Binti Masood, ‘Domestic Law Responses to Transnational Cyberattacks and Other Online Harms: Internet Dreams Turned on Internet Nightmares and Back Again’ (2020) 10(1) Notre Dame Journal of International and Comparative Law 56, 76.
[49] Zedner (n 3) 163; Malcolm Harkins and Anthony M. Freed, ‘The Ransomware Assault on the Healthcare Sector’ (2018) 6(Winter) Journal of Law and Cyber Warfare 148, 163.
[50] Walker and Masood (n 48) 76, citing Susan W. Brenner and Leo L. Clarke, ‘Distributed Security: Preventing Cybercrime’ (2005) 23(4) Journal of Computer and Information Law 659, 692.
[51] Perlroth (n 35) 331, 335, 337.
[52] ACSC Annual Cyber Threat Report (n 23) 4.
[53] ‘Overview’, GCHQ (Web Page, 21 March 2019) <https://www.gchq.gov.uk/section/mission/overview>; ‘About ASD’, Australian Signals Directorate (Web Page, 10 October 2013) [1] <https://www.asd.gov.au/about>.
[54] Dan Sabbagh, ‘GCHQ Chief: West Faces “Moment of Reckoning” over Cybersecurity’, The Guardian (online, 23 April 2021) [5] <https://www.theguardian.com/uk-news/2021/apr/23/gchq-chief-west-faces-moment-of-reckoning-over-cybersecurity>; Jeremy Fleming, United Kingdom Government, ‘Director’s 2021 Vincent Briscoe Lecture’ (Speech, Imperial College London, 5 April 2021) [85].
[55] Crootof (n 40) 580; Aucsmith (n 41) 350.
[56] Crootof (n 40) 580.
[57] Ibid 573.
[58] ACSC Annual Cyber Threat Report (n 23) 12–13.
[59] Roderic Broadhurst et al, Australian Institute of Criminology, Impact of Darknet Market Seizures on Opioid Availability (AIC Research Report No 18, 2021) 9–11; Brian Barrett, ‘179 Arrested in Massive Global Dark Web Takedown’, WIRED (News Article, 22 September 2020) <https://www.wired.com/story/operation-disruptor-179-arrested-global-dark-web-takedown/>; ‘German Police Make Arrests as They Shut down Large Darknet Site Housing Child Abuse Material’, ABC News (News Article, 4 May 2021) <https://www.abc.net.au/news/2021-05-04/germany-police-arrest-three-over-child-abuse-materials-site/100113600>.
[60] Broadhurst et al, Australian Institute of Criminology (n 59) 45.
[61] See, eg, European Union Agency for Law Enforcement Cooperation, Internet Organised Crime Threat Assessment 2020 (Report, 5 October 2020) 60–1 (‘Internet Organised Crime Threat Assessment 2020’).
[62] Broadhurst et al, Australian Institute of Criminology (n 59) 45.
[63] Marc Goodman, Future Crimes: Inside the Digital Underground and the Battle for Our Connected World (Doubleday, 2015) 188; Internet Organised Crime Threat Assessment 2020 (n 61) 25, 27.
[64] Internet Organised Crime Threat Assessment 2020 (n 61) 28; ACSC Annual Cyber Threat Report (n 23) 10.
[65] Stephanie Borys, ‘Australian Cyber Soldiers Hacked Islamic State and Crippled Its Propaganda Unit — Here’s What We Know’, ABC News (News Article, 18 December 2019) [1]-[5] <https://www.abc.net.au/news/2019-12-18/inside-the-secret-hack-on-islamic-state-propaganda-network/11809426>; Stephanie Borys, ‘Licence to Hack: Using a Keyboard to Fight Islamic State’, ABC News (News Article, 18 December 2019) [8] <https://www.abc.net.au/news/2019-12-18/inside-the-islamic-state-hack-that-crippled-the-terror-group/11792958?nw=0>; Jeremy Fleming, United Kingdom Government, ‘Director’s Speech at Cyber UK 2018’ (Speech, Cyber UK 2018, 12 April 2018) [66]-[73].
[66] Linda Reynolds, Commonwealth, ‘On the Offensive against COVID-19 Cyber Criminals’ (Media Release, Department of Defence (Cth), 7 April 2020) [5].
[67] Prime Minister, Minister for Home Affairs and Minister for Defence, Commonwealth, ‘Nation’s Largest Ever Investment in Cyber Security’ (Media Release, 30 June 2020) [8].
[68] Key Recommendations from the Ransomware Task Force (n 14) 19.
[69] ISA ss 7(1)(c)-(ca), (e), (2); Rachel Noble, ‘Director-General ASD Speech to the National Security College’ (Speech, Australian National University National Security College, 1 September 2020) [30].
[70] Zedner (n 6) 263.
[71] IBM Cloud Education, ‘The Fundamentals of Networking’, IBM Cloud Learn Hub (Blog Post, 17 March 2021) [7] <https://www.ibm.com/cloud/learn/networking-a-complete-guide>; Aucsmith (n 41) 353; Irv Lachow and Taylor Grossman, ‘Cyberwar Inc.: Examining the Role of Companies in Offensive Cyber Operations’ in Herbert Lin and Amy Zegart (eds), Bytes, Bombs, and Spies: The Strategic Dimensions of Offensive Cyber Operations (Brookings Institution Press, 2018) 379, 379.
[72] Jennifer Maddocks, ‘Outsourcing of Governmental Functions Contemporary Conflict: Rethinking the Issue’ (2019) 59(Spring) Virginia Journal of International Law 47, 55; Playing with Lives (n 46) 21–4, 78–82, 93–99; Key Recommendations from the Ransomware Task Force (n 14) 24.
[73] Commonwealth, Australia’s Cyber Security Strategy 2020 (Report, 6 August 2020) 8, 18.
[74] Prime Minister, Minister for Home Affairs, Minister for Defence, Commonwealth (n 67) [9]-[10].
[75] Key Recommendations from the Ransomware Task Force (n 14) 25; Eric Blinderman and Myra Din, ‘Hidden by Sovereign Shadows: Improving the Domestic Framework for Deterring State-Sponsored Cybercrime’ (2017) 50(4) Vanderbilt Journal of Transnational Law 889, 917; Derek E. Bambauer, ‘Information Hacking’ (2020) 20 Utah Law Review 987, 999–1001.
[76] Loader and Walker (n 18) 10.
[77] The Global Illicit Economy (n 13) 17, 19; Perlroth (n 35) 389–90; Deborah R. Farringer, ‘Send Us the Bitcoin or Patients Will Die: Addressing the Risks of Ransomware Attacks on Hospitals’ (2017) 40(Spring) Seattle University Law Review 937, 957; Playing with Lives (n 46) 15–16, 29, 52–3; OECD, Digital Security Risk Management for Economic and Social Prosperity: OECD Recommendation and Companion Document (Recommendation and Companion Document, 2015) 24 (‘OECD Recommendation’).
[78] Zedner (n 3) 153, 164.
[79] Walker and Masood (n 48) 71; Locked Out (n 22) 2.
[80] Ibid.
[81] OECD Recommendation (n 77) 24; Buchanan (n 34) 2–3; Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers (Doubleday, 2019) xi-xiii; Michael N. Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge University Press, 2017) 12; Perlroth (n 35) 341.
[82] Greenberg (n 81) xi.
[83] Loader and Walker (n 18) 18, 64.
[84] Ibid 19.
[85] Zedner (n 3) 165, quoting Malcolm M. Feeley and Jonathan Simon, ‘Actuarial Justice: The Emerging New Criminal Law’ in David Nelken (ed) The Futures of Criminology (Sage, 1994) 181.
[86] Lucas Kello, ‘Private Sector Cyber Weapons: An Adequate Response to the Sovereignty Gap?’ in Herbert Lin and Amy Zegart (eds), Bytes, Bombs, and Spies: The Strategic Dimensions of Offensive Cyber Operations (Brookings Institution Press, 2018) 357, 358.
[87] Ciaran Martin, ‘Cyber-Weapons Are Called Viruses for a Reason: Statecraft and Security in the Digital Age’ (Speech, King’s College London, November 2020) 3; Buchanan (n 34) 313–15, 319.
[88] Zedner (n 3) 164.
[89] Loader and Walker (n 18) 21.
[90] ‘About ASD’, Australian Signals Directorate (Web Page, 10 October 2013) [1] <https://www.asd.gov.au/about>.
[91] Walker and Masood (n 48) 71; Locked Out (n 22) 2; Serious and Organised Crime Threat Assessment (n 11) 41; Perlroth (n 35) 341.
[92] ISA ss 7(1)(c), 11(2)(f).
[93] Commonwealth, Parliamentary Debates, House of Representatives, 15 February 2018, 1610–11 (Michael McCormack).
[94] Schmitt (n 81) 11–12; Kello (n 86) 372; Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UN GAOR, 70th sess, Provisional Agenda Item 93, UN Doc A/70/174 (22 July 2015) 12 (‘Report of the Group of Governmental Experts’).
[95] ‘International Security and Cyberspace’, Australia’s International Cyber Engagement Strategy (Web Page, 4 October 2017) [11], [13] <https://www.dfat.gov.au/publications/international-relations/international-cyber-engagement-strategy/aices/chapters/part_4_international_security_and_cyberspace.html>.
[96] Report of the Group of Governmental Experts, UN Doc A/70/174 (n 94) 12.
[97] Ibid.
[98] Herbert Lin and Amy Zegart, ‘Introduction’ in Herbert Lin and Amy Zegart (eds), Bytes, Bombs, and Spies: The Strategic Dimensions of Offensive Cyber Operations (Brookings Institution Press, 2018) 1, 6, 11.
[99] Gross, Canetti and Vashdi (n 26) 248, citing Thomas Rid and Ben Buchanan, ‘Attributing Cyber Attacks’ (2015) 38(1–2) Journal of Strategic Studies 4, 7; Kello (n 86) 372.
[100] Loader and Walker (n 18) 117.
[101] Walker and Masood (n 48) 63; Gross, Canetti and Vashdi (n 26) 237.
[102] Department of Justice, United States Government, United States of America v Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin (Indictment, 15 October 2020) 39.
[103] Lachow and Grossman (n 71) 393–4; Perlroth (n 35) 200, 351, 365; Crootof (n 40) 644; Payne (n 27) 712.
[104] Perlroth (n 35) 200.
[105] Blinderman and Din (n 75) 892; Crootof (n 40) 644; Gary D Brown, State Cyberspace Operations: Proposing a Cyber Response Framework (Occasional Paper, Royal United Services Institute, September 2020) 4.
[106] Loader and Walker (n 18) 117.
[107] Walker and Masood (n 48) 71; Locked Out (n 22) 2; See, eg, Serious and Organised Crime Threat Assessment (n 11) 41.
[108] Blinderman and Din (n 75) 891; Schmitt (n 81) 20.
[109] See, eg, Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security, Final Substantive Report, UN Doc A/AC.290/2021/CRP.2 (10 March 2021) 2.
[110] Ibid 6.
[111] Crootof (n 40) 644.
[112] Schmitt (n 81) 20–2; Marko Milanovic and Michael N. Schmitt, ‘Cyber Attacks and Cyber (Mis)information Operations during a Pandemic’ (2020) 11 Journal of National Security Law and Policy 247, 255.
[113] Steven M. Bellovin, Susan Landau and Herbert Lin, ‘Limiting the Undesired Impact of Cyber Weapons: Technical Requirements and Policy Implications’ in Herbert Lin and Amy Zegart (eds), Bytes, Bombs, and Spies: The Strategic Dimensions of Offensive Cyber Operations (Brookings Institution Press, 2018) 265, 274, 276, 284.
[114] Dina Temple-Raston, ‘How the U.S. Hacked ISIS’, NPR (News Article, 26 September 2019) [25]-[27] <https://www.npr.org/2019/09/26/763545811/how-the-u-s-hacked-isis>.
[115] Ibid.
[116] Ibid.
[117] See, eg, Karp (n 16) [5]; ‘Accountability’, Australian Signals Directorate (Web Page, 19 July 2019) <https://www.asd.gov.au/accountability>.
[118] ‘International Security and Cyberspace’, Australia’s International Cyber Engagement Strategy (Web Page, 4 October 2017) [47], [49] <https://www.dfat.gov.au/publications/international-relations/international-cyber-engagement-strategy/aices/chapters/part_4_international_security_and_cyberspace.html>.
[119] Rid and Buchanan (n 99) 31; Bellovin, Landau and Lin (n 113) 274; Lin and Zegart (n 98) 8, 13.
[120] ‘International Security and Cyberspace’, Australia’s International Cyber Engagement Strategy (Web Page, 4 October 2017) [50] <https://www.dfat.gov.au/publications/international-relations/international-cyber-engagement-strategy/aices/chapters/part_4_international_security_and_cyberspace.html>.
[121] Buchanan (n 34) 18–19, 23, 30–9.
[122] Rid and Buchanan (n 99) 31.
[123] Linda Reynolds and Peter Dutton, Commonwealth, ‘Australia Continues to Combat Foreign Cybercriminals’ (Media Release, Department of Defence (Cth), 2 December 2020) [5]-[7].
[124] See, eg, Amitai Etzioni, ‘The Private Sector: A Reluctant Partner in Cybersecurity’ (2014) 15(Special Issue) Georgetown Journal of International Affairs 69, 75–6; Commonwealth, Parliamentary Debates, House of Representatives, 10 December 2020, 11263–4 (Peter Dutton); @snlyngaas (Sean Lyngaas) (Twitter, 7 May 2021, 4:03am AEST) <https://twitter.com/snlyngaas/status/1390366688831496193?s=20>.
[125] Lachow and Grossman (n 71) 383; @RidT (Thomas Rid) (Twitter, 8 May 2021, 2:28am AEST) <https://twitter.com/RidT/status/1390704988490448909?s=20>.
[126] Locked Out (n 22) 3–4.
[127] Ibid 2; Walker and Masood (n 48) 71.