Australia should "name and shame" countries behind state-sponsored hacking to build up international pressure against the practice, a cyber-security expert has said in the wake of the major breach of a defence subcontractor.
And the Turnbull government may soon start doing exactly that, Australia's cyber affairs ambassador Toby Feakin has told Fairfax Media, citing greater political awareness and technical clarity over how cyber attacks originated.
Fergus Hanson, the head of the Australian Strategic Policy Institute's international cyber policy centre, said that Australia has been "a bit gun shy" in calling out state-sponsored hacking.
He was speaking after revelations that 30 gigabytes of unclassified but commercially-sensitive data were stolen by hackers who accessed the systems of a Department of Defence subcontractor with lacklustre security protocols. The data covered information about the $14 billion Joint Strike Fighter program, Australia's next fleet of spy planes and several of its naval warships.
The Australian Signals Directorate - the nation's defence cyber spy agency - has codenamed the hacker 'Alf' after the Home and Away character, and refers to the hacker's time in the system as "Alf's Mystery Happy Fun Time".
"Australia has been a bit gun shy to call out many countries ??? We need to think about naming and shaming because you can't really build up pressure internationally against commercial cyber espionage otherwise," Mr Hanson said on Thursday.
He pointed out China has signed bilateral agreements with a number of countries including Australia after the US started calling it out for commercial cyber espionage.
While the government has not fingered any group or country for the attack, an official from the ASD on Wednesday flagged the possibility that it was carried out by state-sponsored hackers and that a tool popular with Chinese hackers was used to execute the breach.
Mr Feakin told Fairfax Media last week - before revelations about the defence contractor breach - that the government was thinking carefully about becoming more proactive.
"At the moment we're in an environment where there's a lot of activity that isn't called out," he said on the sidelines of an event in Canberra. "I can see a point where this landscape changes quite dramatically from where it is now.
"You've got to be vey careful once you actually call a country out that you can back up what you're saying with evidence. We think about that very carefully as a government, as to if and how we would do that."
'Government can't be blamed'
Defence Industry Minister Christopher Pyne would not confirm that a state actor was responsible for the attack, although he said it was a possibility.
Mitchell Clarke, the manager at the secretive ASD who revealed the breach at a cyber security conference, said the attack showed the "maturing state of nation state espionage".
Mr Pyne said it was a "stretch" to blame the government for the lax security standards of subcontractors, who work for Defence's "prime" contractors such as Boeing, Lockheed Martin and Raytheon.
"I don't think you can try and sheet blame for a small enterprise having lax cyber security back to the federal government," Mr Pyne told the ABC on Thursday.
But Andrew Davies, a senior analyst also from ASPI, said that "ultimately the Commonwealth has to be responsible for the setting of standards and accreditation".
The firm in question, whose identity was unknown, had about 50 employees and such sloppy security protocols that it used generic passwords such as "admin" and "guest".
Major defence companies - the so called "primes" that win major contracts from governments then subcontract smaller firms - referred Fairfax Media's inquiries to the Defence Department.
Defence had not responded to Fairfax Media enquiries by deadline.
Labor leader Bill Shorten took the government to task over the breach on Thursday, saying ministers "should be "demanding answers, not making excuses".
"The whole chain of information needs to be tightened up," he said. "This shouldn't happen."
