The rise of digilantism: we don't need another hero

Tesserent Australia Pty Ltd

By Roger Spence, Client Director, Tesserent
Friday, 17 February, 2023



Against the backdrop of the Australian Government’s ramping up of ‘hacking back’, largely in response to the Medibank data breach, the private sector is reminded that — unless you’re working for the Department of Defence — such activity is illegal (not to mention unethical, as defined by virtually all cybersecurity industry codes of conduct).

While it may be tempting to become a ‘cyber Batman’ and seek out criminals and bring them to justice, that is not the role of private organisations or companies.

With cybercrime continuing to rise — the Australian Cyber Security Centre’s most recent annual report says a cyber attack is reported against an Australian business every seven minutes — there’s growing concern that is turning into a call to action by some parties. With growing frustration in the community, including personal vendettas arising from the swathe of compromised data being leveraged by scammers, security teams in 2023 may be tempted into digilantism, a form of hacking back, despite advice to the contrary.

Strength in numbers

The Australian Minister for Cyber Security, Hon Clare O’Neil, has been explicit in her public goals for Australia to be the safest cyber nation on earth. To achieve this in 2023, industry and government will need to focus on innovative ways to address the shortfall in highly skilled cyber professionals.

One way to do this is to create an official reserve force, much like the Army Reserve, that is trained in digital law enforcement and can be mobilised if a major attack or threat is identified. This ‘cyber militia’ would be acting in the national interest and within the law.

As tension heightens to protect Australian critical infrastructure and with the hefty cost of fines for businesses that fail to protect personal data, the Australian Government could call on the Cyber Reserve, which would be manned by skilled volunteers, in times of need. This would give the Australian Government another lever to pull should a major attack take place. Instead of a rogue cyber Batman, we would have a state-sanctioned Justice League.

This move would complement other legislative measures the federal government has instituted. The recently enacted Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 increased the penalties for companies to encourage them to take better care of personal data. And the Security Legislation Amendment (Critical Infrastructure) Bill 2021 added new obligations to the critical infrastructure sector. The creation of a cyber militia boosts Australia’s sovereign capability to minimise the damage from an attack and will help with attribution so criminals can be stopped and, hopefully, brought to justice.

A dual agenda

However, the establishment of a Cyber Reserve is not without challenges. There is a global skills shortage and this is being felt in Australia where many companies are unable to compete on salary. But the establishment of a Cyber Reserve could be a way to attract more talent to Australia and to encourage more people to transition into a career in cybersecurity.

This may involve a genuine national discussion about focused skilled migration programs for cyber practitioners, greater emphasis on formalised personnel transfers within Five Eyes, QUAD and AUKUS nation states, and funding initiatives such as an extension to the current ADF Cyber Gap Program, which is set to end in 2023.

The recent attacks on Medibank, Optus and others have put the spotlight on the importance of protecting personal data. The reality is that large attacks like this have been highly likely for some time; major data breaches against Australian companies are not new. Canva, Eastern Health, Services NSW and many others have suffered the loss of hundreds of thousands, and in at least one case, millions of user accounts.

We can no longer fight this new wave of attacks using the same tools and methods we’ve employed for the last decade. The time has come for Australia to embrace a new approach to fighting back against the rising tide of cybercrime.


All content Copyright © 2024 Westwick-Farrow Pty Ltd