At the end of March, cybersecurity breaches were reported across the Nine Media network and, almost simultaneously, at Parliament House in Canberra. While the disruption in Canberra was neither as severe — staff were unable to access their email — nor as visible as the breach at Nine, the nature of the target makes it noteworthy. The Australian reported that it could even be indicative of a Grey Zone attack.
So what is a Grey Zone attack? How does it work? And what are the implications — should business leaders be concerned?
A paper published last June by the Army Research Centre explained that “Grey Zone simply represents the latest iteration of an alternative label for statecraft. Other sufficiently synonymous labels include political warfare, coercive statecraft, strategic competition and hybrid war(fare).”
The Army’s Futures Statement on Accelerated Warfare, also published last year, warned that “state and non-state actors are using coercive means below the threshold of war to gain advantage and disrupt other actors. These ‘Grey Zone’ actions, combined with information operations and cyber-attacks, are increasing in intensity of competitive actions across diplomatic, information, military and economic elements of national power”.
These methods resemble those seen over the last decade from Russia, conducting Grey Zone activities in Eastern Europe and the Middle East, or from China in the South China Sea and surrounds. The Grey Zone methodology uses every means at a nation’s command, short of war, to achieve national objectives.
These objectives may involve the rollout of Information Operations (IO), which includes network-centric warfare, information warfare, psychological operations, military deception operations, computer network attack and computer network exploitation. Information Operations is used to control and dominate the information environment at all levels of information domains, and to influence or disrupt an audience by denying access to their own information by way of operational security, counterintelligence, computer network defence and information assurance.
A Grey Zone attack represents an indirect strategy, one that depends more on factors such as psychology and planning than on force and overt displays of aggression. It can be launched suddenly, in a series of well-coordinated, synchronised actions and activities, or more covertly, as a slow-burning release of serial attacks which aim to achieve a set of long-term objectives.
In the military context, it is referred to as asymmetric and non-kinetic in nature. This means it doesn’t follow a standard recognisable rule or doctrine of war. It doesn’t appear to have a clearly identifiable side, to the extent that state-based actors use proxies such as cut-outs and criminal organisations to pursue their objectives through a third party. This affords them deniability, cover and concealment, and obfuscation of their true intentions. In essence, it resembles an updated Cold War.
This means that we still need people and functions within our modern nation-state to remain capable, with a competitive role to play in the response to Grey Zone activities.
Recently, Assistant Defence Minister Andrew Hastie warned that Australian businesses are at high risk amid a wave of cyber-attacks. InnovationAus supported Hastie’s call on Australia’s cybersecurity community to unite against growing threats as more people go online — including criminals and state-based actors.
This brings us back to the earlier point about Grey Zone attacks involving state-based actors using criminal organisations as proxies to carry out particular tasks in their mission. Hastie emphasised the need for Australia to have the ability to thwart cyber-attacks, which would require government, industry and academia working together.
The implication for business is the necessity of adopting proper cyber hygiene, including the push to “mainstream” risk-mitigation strategies. Strategies need to be regularly revised and updated in line with changes in the escalating threat, the nature and significance of attacks, and methodologies such as Grey Zone, which need to be clearly understood, for example by way of Cyber Threat Intelligence.
The government is prepared to share insights and capability with industry for the sake of national security. Two organisations that do so are the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC). To learn more about how ASD and ACSC can support and guide your strategy, visit their websites and take advantage of their resource libraries for individuals, business and government audiences.
The scale and visibility of the recent attacks on the Parliament and Nine must motivate leaders to review their current strategies accordingly, and to prepare for current and future attacks. This means employing or engaging a highly skilled cybersecurity workforce, developing or sourcing a Cyber Threat Intelligence capability, and building up resilience and recovery by planning for incident detection, response and recovery.