CyberSight 360: The politics of cyber security

How can viewing cyber security through a political lens enhance our understanding of the issues at play?

In recent years, cyber security has become one of the top items on the political agenda of many countries, including Australia.

In a show of how seriously Australia’s Labor government is taking the issue, the cabinet position of Minister for Cyber Security was created in June 2022. In July 2023 the Australian government also appointed a National Cyber Security Coordinator who supports the Minister for Cyber Security to lead the coordination of national cyber security policy, responses to major cyber incidents, whole-of-government cyber incident preparedness efforts, and strengthening Commonwealth cyber security capability. Reflecting how politically charged the issue of cyber security has become, Minister for Cyber Security Clare O’Neil posted on X (formerly Twitter) last year: "The previous government left Australia's cyber security in an absolute mess, and the Albanese government is cleaning it up."¹

In the US, President Joe Biden has made cyber security a top priority at all levels of government. The Office of the National Cyber Director (ONCD) was established by Congress in 2021 as a component of the Executive Office of the President at the White House, and principally advises the President on cyber security policy and strategy. The ONCD also spearheaded the development of President Biden's National Cybersecurity Strategy issued on 2 March 2023, and coordinates the strategy’s implementation.

Cyber security is inherently political

Politics is about power and status. We often think of it as a power struggle between competing groups or people to assert their rival interests. But politics is also underpinned by complexity and uncertainty.

The area of cyber security is marked by a complex web of power relationships between multiple competing groups seeking to assert their interests. Against this backdrop, the rapid advancement of technology and tactics and increasing sophistication of threat actors create even more uncertainties in the interplay of power between various actors.

• Consumers feel powerless against organisations who collect their personal information, fearing their data is at risk as they cannot control the organisation's level of cyber security.
• Individuals and organisations feel powerless against faceless threat actors who continue to gain momentum and sophistication and always seem a step ahead.
• Organisations and businesses feel uncertain and worried about the increased regulation and enforcement powers of regulators in relation to privacy and cyber security.
• Governments are constantly trying to keep state-backed actors at bay to protect national security.
• Insureds are constantly worried about whether or not they can obtain affordable cyber insurance, and whether they will have cover for cyberattacks they may suffer.

The list goes on.

The power dynamic is not static

However, the power dynamic is not static, and it is not always negative.

Understanding cyber through a political lens and recognising the competing interests at play can enable us to develop and implement actions that benefit cyber security as a whole.

In recent times we have seen the dynamic of these power relationships evolve and shift, and sometimes for the better.

Victim vs threat actor

For example, there has always been an imbalance of power between the victim consumer or organisation, and the threat actor.

The threat actor operates in the shadows and has access to resources and technology that enable them to perpetrate their attacks easily and at an increasingly larger scale. Threat actors have continually come up with new ways to increase pressure on victims and tip the power balance further in their favour.

In November 2023 the ALPHV/BlackCat ransomware group announced that it had breached financial software firm MeridianLink and exfiltrated data without deploying ransomware. Just one week later, the group also posted to its dark web portal a screenshot of an SEC complaint it had made against MeridianLink. In its complaint to the regulator, the ransomware group claimed that MeridianLink had breached new SEC rules requiring companies that experience a data breach deemed to be material to investors to file a Form 8-K reporting the incident within four business days, unless the United States Attorney General determines that an immediate disclosure would be harmful to public safety or to national security. Although the SEC rules did not come into effect until December 2023, this was the first time a ransomware group filed an SEC complaint against a victim, likely in an attempt to add pressure on the victim organisation to pay the ransom by alerting the SEC to the organisation's failure to abide by the new rules or its regulatory obligations.²

In contrast, victim organisations often have limited resources to defend themselves and may not be able to adequately close off all vulnerability gaps. This often leaves a victim in a reactive position to any potential cyberattack, i.e. containing and recovering from the breach, and complying with their privacy obligations through privacy assessments and any relevant notifications. They are held hostage by the actions of the threat actor because they have no control over how the exfiltrated material may be used to cause further harm to the victim organisation and affected persons.

That said, in 2023 we saw victim organisations taking proactive steps to regain control and slowly tip the power balance in their favour. In recent cases including in Australia and Ireland, victim organisations have proactively sought court injunctions to prevent the dissemination and disclosure of leaked data to third parties. While a court order is difficult to enforce against a faceless threat actor, it does allow the victim organisation some control in warning other potential publishers against frustrating the injunctive orders, and in limiting the dissemination of the leaked data to minimise harm to the victim organisation and affected persons.

Government / law enforcement vs threat actor

We have also recently seen a shift in the power balance between governments and law enforcement authorities on one hand, and threat actors on the other.

The Australian government supplemented its defensive capabilities with offensive capabilities by setting up the Hack the Hackers Taskforce in November 2022. The permanent operation comprises approximately 100 police and defence personnel to “hack the hackers” with an immediate priority to target ransomware groups and disrupt their operations.

The Australian government also recently named and identified the cybercriminal behind the 2022 Medibank data breach — Russian citizen Aleksandr Ermakov — and imposed cyber sanctions on a threat actor for the first time, including a travel ban and asset restrictions.

The recent takedown of the ALPHV/BlackCat ransomware group³ and LockBit ransomware ⁴ through international operations undertaken jointly by law enforcement agencies such as the Federal Bureau of Investigations (FBI), Australian Federal Police (AFP) and agencies in Europe and North America has also demonstrated that threat actors may not always have the upper hand or remain untouchable.

Of course, it is no surprise that both ALPHV and LockBit were able to bounce back from the disruptions, with ALPHV unseizing its website and reportedly saying that it was no longer restricting affiliates using its ransomware software from attacking critical infrastructure including hospitals and nuclear power plants,⁵ and LockBit re-establishing operations and a new dark-web leak site just days after the global law enforcement effort dismantled the group's infrastructure.⁶

Nevertheless, offensive capabilities have gained momentum and will likely be the catalyst for further actions to disrupt the operations of cybercriminals and eventually tip the power balance in favour of governments and law enforcement authorities.

Regulator vs victim

Following a raft of privacy and cyber security reforms in Australia, including penalties for data breaches rising to A$50 million or more as a result of amendments to the Privacy Act and the more active approach to enforcement taken by regulators such as the OAIC, ASIC and ACMA, it would appear that the power imbalance between the various regulators and victim organisations continues to grow.

However, with a heightened cyber and privacy regulatory environment comes greater awareness amongst victim organisations of their obligations and actions needed to ensure compliance and avoid being the subject of regulatory investigations or enforcement proceedings. In other words, the power dynamic can drive change ─ understanding the competing interests at play can enable victim organisations to develop and implement actions to uplift their cyber resilience, keeping the power imbalance with regulators in check and bolstering cyber security as a whole.

Insurer vs insured

Insureds often feel powerless against insurers and suspicious of the availability of cover afforded under cyber insurance policies. The adoption of cyber war exclusion wording in cyber insurance policies in recent years has brought to the fore these tensions in the insurer-insured power relationship.

However, this is one power relationship in which the dominance and resources of the cyber insurer, if understood and utilised by the insured, can bring about cyber security gains.

Cyber insurers are motivated to keep claims and losses low, particularly aggregated risks. The cyber insurance industry is well placed and resourced to help lift cyber security practices amongst clients who choose to purchase cyber insurance. For example, cyber insurers increasingly require minimum controls to be in place as minimum underwriting standards before offering to provide cyber insurance. For clients with good or better-than-average controls, they may have access to better cover and/or a lower deductible and/or lower premium, which will in turn continue to encourage better cyber security practices amongst insureds. Many insurers also offer pre-incident services such as assisting in incident response planning or training to assist in uplifting the cyber security practices of their clients.

This is certainly not a zero-sum game relationship and can be beneficial for both parties.

Cyber security should not be used purely for political gains

To ensure a sustainable long-term cyber security strategy that can effectively tackle cyber threats, we need to be careful and strategic in how we approach the uplift of cyber resilience as a nation and globally.

Cyber security should not be the subject of petty politicking domestically or internationally, nor should it be used purely to achieve political gains. The greater good of uplifting the cyber resilience of the nation has to be the key guiding principle.

Ultimately, the politics of cyber security will constantly change, but if the focus remains on developing and implementing actions that bring about cyber security gains despite the power dynamics at play between various actors with competing interests, the broader vision of a cyber resilient nation with strong cyber defences will, and should, be achievable.

Access CyberSight 360 - A legal perspective on cyber security and cyber insurance for more on the key events, legislative and regulatory changes, trends and lessons from the year in cyber, and what we can expect in the year ahead.

¹ https://twitter.com/ClareONeilMP/status/1661281005179924480

² https://www.cpomagazine.com/cyber-security/ransomware-group-trolls-victim-with-sec-complaint-after-data-breach/; https://www.bankinfosecurity.com/alphv-gang-tattles-to-sec-over-victim-disclosing-breach-a-23611

³ https://www.afp.gov.au/news-centre/media-release/russian-led-hacking-group-disrupted-australian-businesses-regain-access

⁴ https://www.afp.gov.au/news-centre/media-release/international-police-operation-takes-down-worlds-most-harmful-2

⁵ https://www.wired.com/story/alphv-blackcat-ransomware-doj-takedown/; https://www.theverge.com/2023/12/19/24008093/alphv-blackcat-ransomware-gang-site-seized-fbi-doj

⁶ https://www.cybersecuritydive.com/news/lockbit-revives-operations/708507/