Hybrid warfare and nation-state actors

Cyber threats to the Australian economy, civil society, and critical infrastructure are emerging as one of the biggest national security challenges Australia faces. We are only beginning to understand the interdependencies and scope of our critical infrastructure and just how vulnerable those systems are to cyber attacks.

Australian organisations must dramatically reduce the time that malicious actors have to infiltrate their systems to lessen the opportunity for the theft of sensitive information or cyber damage.

Russia’s invasion of Ukraine shows how fusing conventional and non-conventional elements of national power to achieve the desired political effect is now a central and increasingly effective component of modern statecraft and warfare.

One element of hybrid warfare likely to impact us all is malicious activity within the information domain, especially cyber espionage or attack.

Hybrid warfare

The term hybrid warfare describes how countries advance their strategic aims by blending military and non-military means such as deniable acts of coercion and political interference, sabotage, and use of military and paramilitary forces in operations short of open combat and offensive cyber operations.

Besides the conventional elements of war like an army, air force, and navy, the additional components of hybrid warfare can include propaganda, irregular forces, misinformation/disinformation, espionage, as well as diplomatic, economic, and political measures.

Using these measures continuously in peacetime is the reality. Activity in this space is also known as the ‘grey zone’, whereby coercive state-based operations will be deployed against state and non-state entities, carefully limited to fall below the threshold of an obvious and attributable act of war.

One of the key advantages of hybrid warfare is that a nation-state can select some of the more subtle tools in its arsenal to advance its strategic objectives without triggering an open war. These activities are not limited by physical or geographic constraints in the way that military forces are constrained.

There isn’t yet a global consensus if a state-based cyber attack against another nation’s infrastructure is considered an act of war. However, countries are indeed addressing how to respond to such threats. In 2010, for example, Australia and the United States agreed “that a cyber attack on either of them would trigger the mechanisms of the ANZUS Treaty.” i

Australian threat

The geopolitical landscape around Australia in the Indo-Pacific region is changing dramatically. As a result, Australia faces a wave of nation-state-backed hybrid warfare threats against national security and economic interests as powers shift and tensions continue to escalate.

Geopolitical conflicts present the most dangerous threat to the western world, with cyber weapons part of national armouries increasingly prominent in the order of battle. It is much more likely for Australia to experience a cyber attack than a physical attack in the initial stages of a conflict and during military operations.

It is also likely that a rogue and destructive cyber weapon will cause collateral damage to the critical infrastructure of other countries not directly involved in the conflict, or the malicious capability of the weapon will be appropriated and repurposed by other malicious state-based or criminal actors.

A sophisticated, motivated nation-state intent on espionage or hybrid warfare will be much less obvious than something as overt as a ransomware threat, operating as covertly as possible to evade security systems and defenders.

It is likely that many Australian businesses have been breached by a stealthy nation-state operation that they haven’t detected yet.

The Australian government has responded to this geopolitical instability and increasing nation-state threats by hardening public-sector networks against cyber attacks and updating legislation strengthening the security and resilience of critical infrastructure. ii

In addition, a new strategic review focused on the Australian Department of Defence is considering priority investment in defence capabilities, including within the cyber domain and on trusted supply chain resilience initiatives, to cope with the increasing speed of cyber attacks from one nation to another.

It’s now crucial that the same level of response and drive to build resilience is enacted by the full breadth of Australia’s private sector. The critical infrastructure legislation will drive improvements, but organisations and critical infrastructure providers must better prepare and fortify against the contemporary and emerging threat landscape.

Protecting Australia’s critical infrastructure

Ensuring cyber resilience against the threat of nation-state hybrid warfare and cyber attack is a vital and ongoing challenge for governments and businesses around the world. The geopolitical risk facing Australian interests over the coming years means that ignoring these threats is not an option.

The complexity and sophistication of these threats require a layered approach that encapsulates the systems at risk and the risks to those systems. A deliberate resilience program will improve threat detection and response, strengthen public-private cooperation to share threat intelligence and best practices, and develop and implement comprehensive plans.

By taking a proactive approach and partnering with trusted cyber expert organisations like Fortinet and FortiGuard Labs, our threat intelligence and research team, we can work together to mitigate the risks of nation-state hybrid warfare in the cyber domain.

To learn more about Fortinet’s FortiGuard Labs and its threat intelligence capabilities, visit https://www.fortinet.com/fortiguard/labs, or contact the team today.

i Kevin Rudd, Stephen Smith, ‘Cooperation on cyber—a new dimension of the US alliance’, joint statement, 15 September 2011, https://parlinfo.aph.gov.au/parlInfo/search/display/display.w3p;query=Id:%22media/pressrel/1095105%22.

ii https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/slacip-bill-2022#:~:text=Having%20identified%20the%20need%20for,comme