The US–Australia Cyber Dialogue: Fighting Cybercrime in the Asia–Pacific
November 4, 2016
Liam Nevill and Zoe Hawkins
This post originally appeared on The Stratigist, a blog by the Australian Strategic Policy Institute.
Across the globe, financial losses due to cybercrime continue to mount. Estimates of the cost of cybercrime to the Asia–Pacific vary, but suggested figures of about US$81 billionimply that it’s a bigger problem than any one country can address on its own. For the participants at the recent Australia–US Cyber Security Dialogue, discussing growing cybercrime threats and current cooperation between governments, law enforcement and the private sector, highlighted some of the hurdles that must be overcome to elevate the fight against cybercrime.
The cross-jurisdictional nature of cyberspace means multi-layered cooperation between both countries’ government and law-enforcement agencies is required for cybercrime prevention and prosecution. At the government-to-government level, information sharing between the US and Australia is growing, with Australia being the first country to enter into a sharing framework with the Department of Homeland Security. That’s a promising step for bilateral cooperation on cybercrime, and should encourage other countries to contribute as well.
However, the quality of the public–private partnership to fight cybercrime isn’t as high as it needs to be in either Australia or the US. In both countries, the government approach to the private sector is seen as paternalistic, which has served to offend industry and discourage their full participation. Improving this perception through a more respectful approach, in pursuit of sincere partnership, will be a key requirement of improving cooperation on cybercrime.
Another key stumbling block is the nature and quality of information sharing between the public and private sector in both countries. There’s far more intelligence about the cybersecurity threat landscape available than is currently being shared by private and public sectors in both countries. Issues of classification can stifle governments’ ability to divulge data, while private sector entities may withhold information from the government and other companies as they are worried about losing commercial advantage, damage to their reputation or legal issues. As a result, some companies prefer to passively benefit from other’s information sharing before showing their own hand. In reality, information sharing is only of value when the right information is shared consistently, building both good will and trust between the parties, and reinforcing the value of the agreement. More forthcoming attitudes from all stakeholders will be necessary to address the growing cybercrime challenge.
To this end, governments in Australia and the US must take seriously the task of communicating the business case for information sharing to the private sector. Sharing relevant intelligence with trusted partners can serve to raise both the difficulty of cybercrime operations and rate of perpetrator apprehension across the board, likely lowering the net cost to a company. Sectoral information sharing and analysis centres and programs where members must submit a minimum number of malware samples every dayto retain their membership have been suggested as mechanisms by which to defeat this race to the bottom. Likewise, governments in Australia and the US must work to overcome unnecessary bureaucratic red tape and make useful threat trend information available to the private sector where appropriate.
Ultimately, this problem can’t be viewed purely in simplistic bilateral terms. Cyberspace is a dynamic and complex ecosystem of connections, and so too our response must be. Effectively addressing cybercrime requires trusting relationships between both countries’ governments and private sectors in order to create a multipolar collaborative network between all four parties, rather than just a selection of two dimensional connections. Doing so will allow for greater threat information sharing across multiple divides, and is an important goal to work towards.
Beyond information sharing, building capacity in the Asia–Pacific is a significant area for both Australia and the US when it comes to bilateral government-to-government and public–private cooperation. Cybercriminals are able to act with impunity within certain countries that don’t have the resources, capability or legal framework to address cybercrime. Coordinated efforts to shut down those safe havens will increase the cost of business for cybercrime groups and decrease the rate of harm.
The private sector is well-positioned to tackle that task, with many companies possessing the necessary investigative capabilities to help regional countries raise the difficulty of criminal operations. That’s more than an altruistic endeavour, as the private sector is likely to benefit from the opening up of new markets for cybersecurity products and online services that come with raising of a country’s cyber maturity. So, fortunately, the business case for this method of fighting cybercrime is a lot easier to make, but coordinated partnership is still a key ingredient for success.
There’s much that the US and Australia can do together to reduce the volume and seriousness of cybercrime. More robust threat information sharing and the active removal of cybercrime safe havens should be focus areas of partnership between the government and private sectors of both nations. Further maturing US–Australia cooperation on cybercrime in the Asia–Pacific will provide increased security and economic prosperity for both countries.
Liam Nevill and Zoe Hawkins are analysts in ASPI’s International Cyber Policy Centre.