‘Hacking the hackers’: reflections on state-implemented disruption as a ‘new model’ for cyber policing

Received 11 May 2023, Accepted 02 Nov 2023, Published online: 15 Nov 2023

ABSTRACT

Following the most significant data breaches in Australia’s history, targeting Optus and Medibank, in November 2022 Australia’s Minister for Home Affairs and Cybersecurity Clare O’Neil announced ‘a new model of policing’ involving a collaboration between the Australian Federal Police and Australian Signals Directorate. This collaboration would result in a new taskforce focused on ‘hacking the hackers’ or disrupting criminal groups responsible for high-profile cyber-attacks against Australian entities. Since this announcement, significant discussion has ensued regarding the meaning of state-implemented ‘disruption’ and questions have been raised about the potential mandate and operations of the newly announced taskforce. This paper explores the concept of disruption as it applies to cyber-criminal groups. It then turns to considerations for policy and practice regarding the pursuit of disruption. The paper aims to advance existing understanding of disruption and encourage further research and policy debate into the policing of cybercrime as the Australian government commences work on the 2023–2030 Australian Cyber Security Strategy.

This article is part of the following collections:
The Future of the Criminal Law

Introduction

On the 12th of November 2022, Australia’s Minister for Home Affairs and Cyber Security Clare O’Neil announced ‘a new model of policing that will be undertaken on a permanent basis by the Australian Government in a new partnership between the Australian Federal Police and the Australian Signals Directorate’ (Department of Home Affairs (DHA), 2022). The Minister made explicit that this new ‘Joint Standing Taskforce is not simply responding to crime’; ‘they will be hunting these [cyber] gangs wherever they are around the world and disrupting their activities. … We are going to hack the hackers’ (DHA, 2022). This announcement followed the two largest data breaches in Australia’s history, targeting Medibank and Optus, which together impacted more than 40% of the country’s population (ABC News, 2022). A third breach, affecting Latitude Financial, occurred in March 2023 and was later discovered to involve 14 million records containing personal data (ABC News, 2023). This most recent breach has further escalated public and political discussions around what the Australian government is doing to enhance cybersecurity and deter cybercrime.

Minister O’Neil’s announcement followed a statement made by Australian Federal Police (AFP) Commissioner Reece Kershaw that the AFP had identified the perpetrators behind the Medibank breach as being based in Russia (AFP, 2022). Minister O’Neil has suggested that we need to widen our understanding of ‘justice’ in addressing the limits of traditional criminal justice interventions when cyber offenders are based in foreign jurisdictions with different attitudes toward cybercrime. More specifically, the Australian government has signalled its intent to move from a more traditional position focused on arrest and prosecution to a more offensive one involving the use of Australia’s cyber capabilities to directly ‘disrupt’ criminal groups based in foreign countries. Implicit in Minister O’Neil’s announcement calling for a ‘new model of policing’ is a recognition of the many challenges associated with preventing ransomware and cybercrime more generally.

One of the biggest of such challenges is that many of the offenders are located in foreign states that give them permission (tacit or otherwise) to offend without repercussion (Martin & Whelan, 2023). The apparent failure of the Russian state, and to some extent other states (e.g., Iran, North Korea), to take meaningful action against cyber-criminal groups located within their jurisdictions raises important questions regarding the limits of traditional law enforcement models that depend upon policing agencies acting against domestically located criminals (Collier et al., 2022; Holt & Bossler, 2016). Put simply, following a traditional criminal justice approach, Australian law enforcement agencies have no capacity to directly threaten any criminal group in a sovereign state without the support of local police. In the absence of mutual policing assistance, the best outcome that a traditional policing approach can offer is that an offender is identified, charged in absentia and subject to an Interpol ‘red notice’ that would see them taken into custody should they make the mistake of leaving their safe haven. For this reason, many governments are developing new tools and methodologies to strike back at cyber criminals outside of their own jurisdictions. We argue that these novel approaches will be increasingly important in deterring cybercrime and limiting the harms caused by foreign-based offenders who are, in effect, ‘unpunishable’ through the traditional criminal justice system.

This paper explores what the concept of state-implemented disruption means in the context of cybercrime and its potential implications for policy and practice. To be clear, by asserting that ‘we will hack the hackers’, Minister O’Neil is referring to offensive operations targeting criminal (rather than state) entities that are conducted by Australian law enforcement and intelligence agencies. This is not to be confused with longstanding debates around ‘hacking back’ that refer to ethical and legal considerations associated with offensive cyber operations or other forms of ‘active cyber defence’ undertaken by private actors that have fallen victim to cyber attacks (see, e.g., Caldwell & Curran, 2020; Denning, 2014; Holzer & Lerums, 2016). These types of retaliatory, offensive cyber operations as employed by private entities fall outside the scope of this paper. Further, while we assert that state-implemented disruption is a legitimate and necessary approach, depending on how disruption is defined and pursued we contend there are multiple potential risks to this approach that will require effective management. In this paper, we explore five such considerations by reflecting on the wider literature: risk of failure; risk of displacement; risk of counter-productive adaptation; risk of mission creep; and risk of escalation. These categories are not mutually exclusive, and our discussion of these risks is by no means exhaustive. Rather, our aim is to advance existing understanding of disruption and encourage further research and debate regarding its application to cybercrime as the Australian government commences work on the 2023–2030 Australian Cyber Security Strategy.

Approaching the police role in cybercrime: the pivot to disruption

The literature on the policing of cybercrime, while growing, is still very much in its infancy. Situated in a broader context of cybercrime governance (e.g., Dupont, 2017; Dupont & Whelan, 2021), research has called attention to issues such as the reporting of cybercrime (e.g., Cross, 2019, 2020), police understanding of cybercrime (e.g., Dodge & Burruss, 2019; Harkin & Whelan, 2019; Whelan & Harkin, 2021; Wilson et al., 2022), and the limited resources devoted to cybercrime (e.g., Bossler et al., 2020; Harkin et al., 2018; Harkin & Whelan, 2022). Others have emphasised the challenge of sovereignty and the necessity for public-private partnerships (e.g., Faubert et al., 2021) as well as the need for a global cybercrime treaty to promote more effective cooperation between states (e.g., Holt & Bossler, 2016; Schjolberg & Ghernaouti-Helie, 2011). This has occurred alongside cybercrime becoming a ‘volume crime’ in Australia and most other countries. Most of these volume crimes fall under the ‘cyber-enabled’ category of cybercrimes – whereby networked technologies are used to enhance the commission of crimes that also occur by other means (e.g., frauds and scams) – rather than ‘cyber-dependent’ crimes such as ransomware (Connolly et al., 2020; Wall, 2021). Nonetheless, across this nascent area of research, one major question persists: What is the capacity of – and expectations placed upon – police to prevent cybercrime?

While there are dedicated government entities such as the Australian Cyber Security Centre (ACSC) with an education and outreach component, preventing victimisation of cybercrime has largely become a matter for individuals and private organisations to take steps to improve their own cybersecurity posture. Unlike most other forms of crime, it is questionable whether there are the same expectations placed on police organisations regarding the prevention of cybercrime. Police have been more focused on investigating a very small proportion of overall cyber offending and prosecuting individual offenders and networks where they have been able to. This is a role that is understandably frustrated not only by difficulties with attribution (i.e., identifying offenders), but also because offenders are often located in jurisdictions with varying protocols for international collaboration. This brings us to an all too familiar scenario where, even when potential offenders are identified, cooperation from local law enforcement may not be forthcoming. It is this scenario that underscores what we describe loosely as the pivot to disruption. Researchers have only begun to seriously focus on these ‘non-traditional’ police interventions against cybercrime, which appear to be modelled on disruption strategies used against organised crime and terrorism (e.g., Collier et al., 2022).

Disruption is not a new concept in policing. However, while disruption has been used to analyse and understand law enforcement responses to organised crime for some time (e.g., Innes & Sheptycki, 2004; Kirby & Snow, 2016), there have been few attempts to define the concept. In one definition, Kirby and Penna (2010, p. 205) described disruption as a ‘flexible, transitory, and dynamic tactic, which can be used more generally to make the environment hostile for the organised crime group’. This approach, they continue, ‘focuses on disrupting the offender’s networks, lifestyles and routines’ (2010, p. 205). Similarly, Innes and Sheptycki (2004) noted that disruption involves the use of police strategies and tactics ‘to disrupt criminality in such a way as to prevent crime from occurring or to reduce its gravity if it does occur’ (Innes & Sheptycki, 2004, p. 2). Importantly, both these and other definitions of disruption emphasise its focus on current and future criminality – that is, crimes that are either occurring now or are soon to occur, rather than offences that have already occurred. Implicit, therefore, in these definitions are complementary notions of disruption both as a means of deterrence through its potential to impose costs on offenders, as well as a form of incapacitation by degrading or eliminating entirely the capability of criminal actors to continue in the commission of a crime.

In relation to organised crime (see Bright & Whelan, 2021), disruption has taken many forms, including legislative tools (e.g., anti-consorting laws for outlaw motorcycle gangs), surveillance and intelligence options (e.g., covert efforts to create uncertainty amongst criminal groups), active engagement (e.g., compelling witness testimony through enhanced legal provisions), and seizures (e.g., drug seizures, unexplained wealth, and asset confiscation provisions). In addition, disruption has gained momentum in relation to other crime types, most notably terrorism (e.g., through measures such as control orders that now also apply in certain jurisdictions in relation to organised crime). Some have argued that disruption in some of these contexts is less concerned with crime prevention or deterrence but rather may be interpreted as an expression of state power and extra-judicial punishment (Sentas, 2016). If this is indeed the case, in addition to fulfilling its other functions disruption may be perceived as fulfilling a retributive function for groups who, for one reason or another, are resistant to punishment via traditional prosecution-focused law enforcement.

It is important to note that unlike traditional metrics of policing (particularly arrests and prosecutions) disruption is less understood and able to be quantified. This is likely to be amplified in the context of cybercrime where widely celebrated outcomes (e.g., seizures) would typically not be possible and many parallels in the cyber domain (e.g., ‘takedowns’ of infrastructure) may be short-lived in terms of having actual meaningful impacts on cyber offenders’ networks and routines (see, e.g., Décary-Hétu & Giommoni, 2017). In the case of cybercrime, outside of select examples, there is very limited understanding of what disruption means. Those examples would include the Federal Bureau of Investigation (FBI) operation that resulted in the majority of the ransom paid to the Colonial Pipeline attackers being recovered (Chainalysis, 2022; FBI, 2021) and the recently announced infiltration and takedown of Hive’s online infrastructure (FBI, 2023). The operation against Hive – a well-known ransomware group albeit with a relatively short criminal career – included penetrating the group’s computer networks, obtaining decryption keys and offering them to ransomware victims worldwide, and ultimately seizing control of Hive’s servers and websites used to communicate internally as well as to attack and extort victims (FBI, 2023).

We imagine that it is precisely operations such as the FBI’s activities against Hive that the Australian government had in mind when announcing the new hacking back taskforce. It remains to be seen, however, the extent to which initiatives like this have lasting impacts against such groups or whether they will simply adapt to new infrastructure and continue their operations relatively unscathed. Some cybersecurity researchers (e.g., Bátrla & Harašta, 2022) and professionals (e.g., DiMaggio, 2023) have argued for the need to go further. For example, in a recent report on LockBit, currently the most prolific ransomware group globally, DiMaggio (2023, p. 57) argued that law enforcement needs to stop treating ‘ransomware criminals’ as ‘traditional criminals’ on the basis that most are ‘protected and out of reach of law enforcement unless they leave Russia’. Instead, DiMaggio argued for the adoption of offensive approaches, including launching distributed denial of service attacks against groups as well as ‘information warfare’ operations intended to create distrust and uncertainty which, in turn, will ‘frustrate criminals and affect the RaaS provider negatively’ (2023). Disruption, as such, can encompass many different things in the context of cybercrime, with each having different considerations for policy and practice.

Pursuing disruption: considerations for policy and practice

The remainder of this paper explores considerations for policy and practice as they relate to disrupting cybercrime. We do this by reflecting on relevant observations from the broader literature on disruption and cybercrime. We focus on five key considerations: risk of failure; risk of displacement; risk of counter-productive adaptation; risk of mission creep; and risk of escalation. As noted earlier, these risks are not mutually exclusive and our discussion of them is by no means exhaustive. Our hope is to advance understanding of disruption as a concept as well as to stimulate further debate into state responses to cybercrime.

Risk of failure

Regardless of how disruption is defined, one of the most consequential risks facing the new AFP-ASD taskforce is that of failure, which could occur at either tactical or strategic levels depending on how disruption is defined. At the tactical level, failure is likely to result if the taskforce is unsuccessful in identifying appropriate targets; if the interventions that are developed and deployed are insufficiently robust; or if cyber-criminal groups that are targeted are able to recover quickly such that cyber-attacks resume without significant disruption. Assessing the probability of tactical failure is complicated by a range of factors. Cyber disruptions are relatively novel and evidence regarding their effectiveness is mixed; on the one hand, US authorities in particular have a growing record of success in executing offensive operations against cyber-criminal groups, and cybersecurity researchers suggest that new disruptive interventions are technically capable of disrupting broader components of the cybercrime ecosystem (e.g., Bátrla & Harašta, 2022). On the other, research into previous cyber interventions (for example, those targeting cryptomarkets) indicates that their mid-to-long-term impact is minimal at best (Décary-Hétu & Giommoni, 2017; Van Buskirk et al., 2017), while more recent research concerning the targeting of online criminal infrastructures has highlighted similar concerns (Collier et al., 2022). Long-standing challenges such as accurate attribution also persist (Rid & Buchanan, 2015). However, even in the event that effective disruptive tactics are developed and deployed – by which we mean that the capacity for targeted groups to cause harm is significantly degraded – there is no guarantee that this will result in success at the strategic level.

There are at least three risks that could result in the strategic failure of Australia’s cyber-disruption operations. First, strategic failure could result from a lack of appropriate resourcing. Despite major new investments in Australian Signals Directorate offensive cyber capabilities under the REDSPICE program (ASD, 2021), it remains to be seen whether sufficient numbers of appropriately trained personnel can be recruited and retained, particularly in the near future. The specialist skills that are required to conduct offensive cyber operations are in short supply across the global economy, with industry analysts suggesting a shortfall of approximately 3000 cybersecurity specialists in Australia alone (AustCyber, 2022). Competition with the private sector for these professionals is fierce and, while there are many reasons other than salary why individuals choose particular career paths, public entities largely lack the capacity to match the attractive remuneration that is available for highly skilled information technology workers. As former AFP Commissioner Andrew Colvin observed in 2019,

[Recruiting] is a constant challenge for us in this space. The technical skills required for a cybercrime investigator firstly are: there’s not a lot of them, the skill is perishable and it’s highly sought after. So no sooner do you have someone on the hook that they might end up going to another industry or private industry. (Colvin, cited in Hendry, 2019)

Overcoming retention problems in the context of an industry-wide skills shortage goes beyond simply boosting budgets and instead requires long-term planning and investment in the development of domestic cyber expertise.

Second, strategic failure could result from ineffective management of public expectations. As with existing approaches to disruption, government authorities are accustomed to communicating policing success in terms of arrests, seizures, and stable if not declining crime rates. None of these options appear to be immediately available with cyber disruption. It is unclear whether an inability of government to produce familiar ‘results’ may be appreciated by the general public even in a context of sustained tactical success. Further compounding this problem is the necessity to keep many of the tools and methods involved with offensive cyber operations secret (DHA, 2022). These issues highlight an important tension at the heart of disruptive policing. Traditional justice, as the old axiom goes, relies on not just being done, but being seen to be done (Meyerson, 2015). The absence of visible punishment and, if operations are conducted covertly, even visible policing activity that is associated with cyber disruption means that the general public may not feel comforted by the operations of the taskforce even in the event that they produce objectively beneficial results.

Third, there is, unfortunately, little to suggest that even the most sophisticated, well-resourced, and competently executed disruption-based strategy is capable of stemming the wave of cybercrime that is currently swelling. Having sufficient resources to target all of those who commit crimes against Australian targets, or even a large enough proportion to produce a significant deterrent effect, may well be beyond the capacity of the Australian state. Indeed, no country has yet demonstrated an ability to disrupt cyber-criminals such that the growth in the most economically and socially damaging cybercrimes, particularly online frauds and ransomware, has been reversed. We must therefore at least contemplate the uncomfortable scenario that, despite the best efforts of the new taskforce, adequately disrupting cybercrime might prove elusive. This, once more, underscores the importance of clearly defining disruption as well as criteria for how success can be measured.

Risk of displacement

Amongst the various unintended contingencies associated with disruption, it is the displacement of cyber-attacks towards other, non-Australian targets that appears the most likely to occur. Disruption is intended to impose costs on cyber-criminal groups targeting Australia without addressing the root causes of their offending. Assuming that the taskforce is successful in meeting this objective, and in the absence of measures that do address the root causes of cyber-attacks, there is little reason to suggest that cyber-criminal groups will cease offending altogether. A much more likely outcome is that many will continue launching cyber-attacks and instead simply target others that do not benefit from the same level of deterrence (Boes & Leukfeldt, 2017). While situational crime prevention research demonstrates that not all crime is displaced (e.g., Cornish & Clarke, 2017; Johnson et al., 2014), very little is known about displacement in the context of cybercrime (e.g., Collier et al., 2022). However, studies of cryptomarkets have demonstrated the potential for displacement amongst online offenders who are unbound by geographical limitations. In 2014, law enforcement agencies from more than 17 countries executed Operation Onymous which simultaneously took down more than a dozen of the largest and most successful cryptomarkets. Despite producing a significant short-term reduction in the number of online drug sales, the cryptomarket ecosystem was quick to adapt with users promptly migrating to successor sites. Within two months, online drug sales facilitated by cryptomarkets had exceeded levels that preceded the intervention (Décary-Hétu & Giommoni, 2017; Van Buskirk et al., 2017).

The displacement of cyber-attacks towards foreign targets may not be an entirely unwelcome outcome. Australian organisations will be better protected, which is the stated purpose of the taskforce. It is also possible that in being forced to pursue less lucrative foreign targets that the profitability of engaging in cyber-attacks will be reduced, thereby reducing their overall incidence. However, when we extend our gaze further afield, we can envisage how such a dynamic could compromise the national interest, particularly when considering how Australia is viewed by more vulnerable third-party countries (TPCs) that may be adversely affected by cyber-attacks. If, for example, attacks against Australia were reduced at the expense of less protected targets, such as those in friendly states in the Pacific, Australia’s image as a ‘good neighbour’ in the region could be compromised. Affording TPCs additional protection—for example, by offering cyber-assistance or the creation of a cybersecurity ‘umbrella’, whereby Australia also implements disruption against cyber-criminals on the behalf of other select states—could demonstrate our bona fides as a responsible and supportive regional partner. Naturally, such issues extend beyond the purview not only of law enforcement but also intelligence agencies, and their management would require consultation with, and careful consideration by government and other experts in international relations.

Risk of counter-productive adaptation

An alternative to outright failure and geographical displacement is that disruptions may prove effective initially but that they prompt adaptations on the part of cyber-criminal groups such that they become more dangerous or harder to counter. This could occur, for example, if targeted threat actors fragment into smaller, less easily identifiable but still effective groups in order to frustrate attempts at disruption. Alternatively, cyber-criminal groups could shift towards increased targeting of small-to-medium-sized enterprises that not only do not have sufficient resources to invest in cyber defences but also are not subject to mandatory reporting laws, thereby frustrating attempts at intelligence gathering and attribution. Such an outcome could result in Australian entities facing an increased number of capable threat actors rather than a smaller cohort of more centralised groups.

There are a number of historical parallels that demonstrate the plausibility of unintended, counterproductive adaptations resulting from government interventions, particularly those involving collaboration between law enforcement and military agencies. Perhaps most relevant is the long-standing effort on behalf of many Western states, including Australia and under the global leadership of the US, in using militarised law enforcement to disrupt the illicit drugs trade. Despite continually expanding budgets over the course of several decades, enhanced powers of surveillance and other infringements on civil liberties, and the widespread integration of military equipment and tactics into civilian law enforcement agencies, the scale of the illicit drugs trade – and more importantly, the harms that result from it – are more substantial now than they have ever been (Coyne & Hall, 2017). We make this observation not because we seek to debate the merits of governmental responses to the illicit drugs trade; rather, we only point out that despite significant investments in disruption, the global illicit drugs market has not only adapted in response but has also continued to grow. Any evaluation of disruption must therefore monitor and measure the effects of geographical displacement and other possible adaptations.

Risk of mission creep

Mission creep refers to the potential for organisations, operations and/or technologies to stray from their original purpose into areas not originally intended (Monahan & Palmer, 2009). This phenomenon has been observed in police forces both domestically and internationally. For example, in the US, paramilitary special weapons and tactics (SWAT) teams were originally established to respond to critical, high-risk situations in which traditional policing methods and equipment were deemed unsuitable (Kiker III, 2015). These were, by definition, unusual circumstances, a fact which is reflected in their relatively infrequent deployment at the time of their introduction. For example, in the early 1980s SWAT teams were deployed nationally across the US approximately 3000 times per year (Balko, 2013). However, in recent years this figure has risen more than ten-fold (Roziere & Walby, 2019). Although some attribute the growth in the number of SWAT-related units and the broadening of their role to the increasing professionalisation of these units and policing more broadly (den Heyer, 2014), for others it is a result of the increasing militarisation of policing and mission creep (Roziere & Walby, 2019). Regardless of one’s position on this debate, SWAT teams are now ubiquitous across the US and instead of their use being confined to those rare circumstances that might necessitate the deployment of paramilitary police, they are instead increasingly being used for purposes other than those originally intended.

Whatever the reasons, the example above illustrates the potential for tools, methods, and capabilities that are developed in one context to be reinterpreted over time. Despite the paucity of detail surrounding the technical tools, legal powers and other resources that are available to the disruption taskforce, it can be inferred from public statements (e.g., Noble, 2020) that they are not only formidable but that they must also remain, to a large extent, covert and hidden from public scrutiny. This combination of extraordinary power and secrecy in the context of novel collaboration between civilian and military organisations makes the spectre of mission creep potentially all the more concerning. While the context of disrupting foreign cyber-criminal groups is quite different to domestic policing, parallel examples would suggest the importance of ensuring sufficient controls are in place to monitor for potential mission creep over time.

Risk of escalation/retaliation

The final risk we wish to highlight concerns that of escalation and/or retaliation. This risk can be separated into two distinct categories, the first concerning potential escalatory cyber-attacks involving cyber-criminal groups, and the second concerning a similar, but more serious escalatory dynamic between nation states. Considering cyber-criminal groups first, it has recently been argued that in pursuing a disruption-based strategy, authorities risk putting ‘a big red cross on Australia’s back’ (Alazab, 2022). Here the risk seems relatively amorphous, that cyber-criminals will be somehow provoked by Australia conducting offensive cyber operations such that ‘they might be encouraged to retaliate’ (Alazab, 2022). In our view, this risk seems the less plausible of the two. While some cyber-criminals may have some political objectives (e.g., Munk, 2022), the majority appear to be clearly financially motivated and opportunistic actors (e.g., DiMaggio, 2023). If this is indeed the case, retaliatory attacks undertaken by cyber-criminal groups make little sense.

A more plausible and concerning scenario also mooted by Alazab (2022) and others (e.g., Skopik & Pahi, 2020) is that a cyber-criminal group may leave false traces indicating that an otherwise innocent party was responsible for an attack. If false attribution is not detected this could subsequently lead to the disruption taskforce undertaking offensive operations against an innocent party. Such an outcome seems more likely to result in escalation, not to mention potential harm inflicted against an innocent party. Critically, if retaliation against Australia was undertaken by a nation state, then the risk of an escalatory spiral of tit-for-tat cyber-attacks emerges as a distinct possibility. These very concerns were raised recently in Canada, following the public release of its National Security and Intelligence Review which questioned the legality of the Communications Security Establishment’s (the Canadian equivalent of ASD) use of offensive cyber operations and the potential for escalation (CBC News, 2023). This leads us to the most damaging, indeed potentially catastrophic, risk of all: that of escalatory cyber-attacks leading to outright conflict between nation states. While this scenario seems remote at this stage, it highlights the need not only for rigorous processes that help ensure accurate attribution, but also for methodically developed strategies and doctrines that help ensure that offensive cyber operations are limited, proportional, and calibrated in such a way that they do not result in dangerous unintended consequences. Disruption strategies and tactics must also be framed within the context of international laws and norms, such as the current international treaty on countering cybercrime under negotiation by United Nations member states.

Conclusion

In this paper, we have sought to unpack the concept of ‘disruption’ in the context of cybercrime and discussed the various potential risks that accompany offensive attempts to disrupt ransomware criminal groups. Our intention is not to be exhaustive – no doubt further risks will emerge as the work of the disruption taskforce progresses – but rather to prompt debate within the criminology and broader academic communities, as well as amongst policy makers, law enforcement, intelligence, and defence agencies, and the general public. As Scott (2022) observed, ‘Australia’s offensive cyber capability is now growing faster than its public discussion about why these tools are needed and how they should be used’. Given the opportunities and potential dangers that these necessarily powerful new capabilities present, such discussion is critical to ensuring the effective operation of the disruption taskforce and to properly safeguarding Australian interests.

While it is beyond the scope of this paper to offer detailed solutions as to how these risks should be managed, we argue that a clear definition of disruption, together with criteria for how it will be pursued and measured, should be an essential foundation of the new Cyber Security Strategy. We further argue that appropriate external oversight and multilateral engagement with allies, regional partners and even states that harbour cyber-criminals will all be necessary. Underpinning these approaches, we believe that Australia needs to develop a clear cyber doctrine that outlines how offensive cyber operations should be used and who, exactly, they should be used against. Such a doctrine should, in our view, not be limited to policymakers and relevant institutions. Input should also be sought from experts across a range of academic disciplines, including criminology, security studies, computer science, law and international relations. As the Australian Government is currently revising its Cyber Security Strategy, this is an ideal opportunity for criminologists to contribute to this increasingly important policy domain.

Acknowledgements

The authors would like to thank Benoît Dupont and the anonymous reviewers for their valuable feedback on an earlier version of this paper. The usual disclaimers apply.

Disclosure statement

No potential conflict of interest was reported by the author(s).

References

  • ABC News. (2022). Medibank cyber attack: What personal data has been accessed and what can you do? ABC News, 7 November 2022. https://www.abc.net.au/news/2022-11-07/medibank-cyber-attack-what-personal-data-has-been-accessed/101623540 [last accessed 8 May 2023]
  • ABC News. (2023). Latitude Financial will not pay ransom to cyber hackers as millions of customer records compromised. ABC News, 11 April 2023. https://www.abc.net.au/news/2023-04-11/latitude-financial-will-not-pay-ransom-to-cyber-hackers/102207430 [last accessed 8 May 2023]
  • Alazab, M. (2022). A new cyber taskforce will supposedly ‘hack the hackers’ behind the Medibank breach. It could put a target on Australia’s back. The Conversation. https://theconversation.com/a-new-cyber-taskforce-will-supposedly-hack-the-hackers-behind-the-medibank-breach-it-could-put-a-target-on-australias-back-194532 [last accessed 8 May 2023]
  • AustCyber. (2022). Australia’s cyber security sector competitiveness plan 2022. https://www.austcyber.com/resources/sector-competitiveness-plan [last accessed 8 May 2023]
  • Australian Federal Police. (2022). Statement by AFP Commissioner Reece Kershaw on Medibank Private data breach. Australian Federal Police. https://www.afp.gov.au/news-media/media-releases/statement-afp-commissioner-reece-kershaw-medibank-private-data-breach [last accessed 8 May 2023]
  • Australian Signals Directorate. (2021). REDSPICE: A blueprint for growing ASD’s capabilities. Australian Signals Directorate.
  • Balko, R. (2013). Rise of the warrior cop: The militarization of America’s police forces. New York: Public Affairs.
  • Bátrla, M., & Harašta, J. (2022). ‘Releasing the hounds?’ Disruption of the ransomware ecosystem through offensive cyber operations. In 2022 14th International Conference on Cyber Conflict: Keep Moving! (CyCon) (Vol. 700, pp. 93–115). IEEE.
  • Boes, S., & Leukfeldt, R. (2017). Fighting cybercrime: A joint effort. In R. M. Clark & S. Hakim (Eds.), Cyber-physical security: Protecting critical infrastructure at the state and local level (pp. 185–203). Springer.
  • Bossler, A., Holt, T. J., Cross, C., & Burruss, G. W. (2020). Policing fraud in England and Wales: Examining constables’ and sergeants’ online fraud preparedness. Security Journal, 33(2), 311–328. https://doi.org/10.1057/s41284-019-00187-5
  • Bright, D., & Whelan, C. (2021). Organised crime and law enforcement: A network perspective. Routledge.
  • Caldwell, A., & Curran, K. (2020). A critique of active defense or ‘hack back’. International Journal for Information Security Research, 10(1), 957–961. https://doi.org/10.20533/ijisr.2042.4639.2020.0109
  • CBC News. (2023). Intelligence watchdog questions cyber agency’s approach to international law, CSE insists it was above board. CBC News, 28 April 2023. https://www.cbc.ca/news/politics/cse-cyber-legal-obligations-1.6826521 [last accessed 8 May 2023]
  • Chainalysis. (2022). Crypto crime report 2022. https://go.chainalysis.com/2022-Crypto-Crime-Report.html [last accessed 8 May 2023]
  • Collier, B., Thomas, D. R., Clayton, R., Hutchings, A., & Chua, Y. T. (2022). Influence, infrastructure, and recentering cybercrime policing: Evaluating emerging approaches to online law enforcement through a market for cybercrime services. Policing and Society, 32(1), 103–124. https://doi.org/10.1080/10439463.2021.1883608
  • Connolly, L., Wall, D. S., Lang, M., & Oddson, B. (2020). An empirical study of ransomware attacks on organizations: An assessment of severity and salient factors affecting vulnerability. Journal of Cybersecurity, 6(1), tyaa023.
  • Cornish, D. B., & Clarke, R. V. (2017). Understanding crime displacement: An application of rational choice theory. In M. Natarajan (Ed.), Crime opportunity theories (pp. 197–211). Routledge.
  • Coyne, C., & Hall, A. (2017). Four decades and counting: The continued failure of the War on Drugs. Policy Analysis 811. Cato Institute, Washington, D.C.
  • Cross, C. (2019). Reflections on the reporting of fraud in Australia. Policing: An International Journal, 43(1), 49–61. https://doi.org/10.1108/PIJPSM-08-2019-0134
  • Cross, C. (2020). ‘Oh we can’t actually do anything about that’: The problematic nature of jurisdiction for online fraud victims. Criminology & Criminal Justice, 20(3), 358–375. https://doi.org/10.1177/1748895819835910
  • Décary-Hétu, D., & Giommoni, L. (2017). Do police crackdowns disrupt drug cryptomarkets? A longitudinal analysis of the effects of Operation Onymous. Crime, Law and Social Change, 67(1), 55–75. https://doi.org/10.1007/s10611-016-9644-4
  • Den Heyer, G. (2014). Mayberry revisited: a review of the influence of police paramilitary units on policing. Policing and Society, 24(3), 346–361.
  • Denning, D. (2014). Framework and principles for active cyber defense. Computers & Security, 40, 108–113. https://doi.org/10.1016/j.cose.2013.11.004
  • Department of Home Affairs (DHA). (2022). Media conference Melbourne. Department of Home Affairs, Australian Federal Government, Canberra. https://minister.homeaffairs.gov.au/ClareONeil/Pages/media-conference-melbourne-12112022.aspx [last accessed 23 Feb 2023]
  • DiMaggio, J. (2023). Ransomware diaries: Unlocking LockBit. Analyst 1. https://analyst1.com/ransomware-diaries-volume-1/ [last accessed 23 Feb 2023]
  • Dodge, C., & Burruss, G. (2019). Policing cybercrime: responding to the growing problem and considering future solutions. In R. Leukfeldt & T. J. Holt (Eds.), The human factor of cybercrime (pp. 339–358). Oxfordshire: Routledge.
  • Dupont, B. (2017). Bots, cops, and corporations: On the limits of enforcement and the promise of polycentric regulation as a way to control large-scale cybercrime. Crime, Law and Social Change, 67(1), 97–116. https://doi.org/10.1007/s10611-016-9649-z
  • Dupont, B., & Whelan, C. (2021). Enhancing relationships between criminology and cybersecurity. Journal of Criminology, 54(1), 76–92. https://doi.org/10.1177/00048658211003925
  • Faubert, C., Décary-Hétu, D., Malm, A., Ratcliffe, J., & Dupont, B. (2021). Law enforcement and disruption of offline and online activities: A review of contemporary challenges. In M. Kranenbarg & R. Leukfeldt (Eds.), Cybercrime in context: The human factor in victimization, offending, and policing (pp. 351–370). Springer.
  • Federal Bureau of Investigation (FBI). (2021). FBI Statement on JBS cyberattack. FBI National Press Office. https://www.fbi.gov/news/press-releases/press-releases/fbi-statement-on-jbs-cyberattack [last accessed 8 May 2023]
  • Federal Bureau of Investigation (FBI). (2023). U.S. Department of Justice disrupts Hive ransomware variant. https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant [last accessed 8 May 2023]
  • Harkin, D., & Whelan, C. (2019). Exploring the implications of ‘low visibility’ specialist cyber-crime units. Australian & New Zealand Journal of Criminology, 52(4), 578–594. https://doi.org/10.1177/0004865819853321
  • Harkin, D., & Whelan, C. (2022). Perceptions of police training needs in cyber-crime. International Journal of Police Science and Management, 24(1), 66–76.
  • Harkin, D., Whelan, C., & Chang, L. (2018). The challenges facing specialist cyber-crime units: An empirical analysis. Police Practice and Research, 19(6), 519–536. https://doi.org/10.1080/15614263.2018.1507889
  • Hendry, J. (2019). AFP copping cyber skills shortage hard warns chief. IT News. https://www.itnews.com.au/news/afp-copping-cyber-skills-shortage-hard-warns-chief-519687 [last accessed 22 September 2023]
  • Holt, T., & Bossler, A. (2016). Cybercrime in progress: Theory and prevention of technology-enabled offenses. Routledge.
  • Holzer, C. T., & Lerums, J. E. (2016). The ethics of hacking back. In 2016 IEEE Symposium on Technologies for Homeland Security (HST) (pp. 1–6). IEEE.
  • Innes, M., & Sheptycki, J. W. (2004). From detection to disruption. International Criminal Justice Review, 14(1), 1–24. https://doi.org/10.1177/105756770401400101
  • Johnson, S., Guerette, R., & Bowers, K. (2014). Crime displacement: What we know, what we don’t know, and what it means for crime reduction. Journal of Experimental Criminology, 10(4), 549–571. https://doi.org/10.1007/s11292-014-9209-4
  • Kiker III, C. R. (2015). From Mayberry to Ferguson: The militarization of American policing equipment, culture, and mission. Washington & Lee Law Review Online, 71, 282.
  • Kirby, S., & Penna, S. (2010). Policing mobile criminality: Towards a situational crime prevention approach to organised crime. In K. Bullock, R. V. Clarke, & N. Tilley (Eds.), Situational prevention of organised crime (pp. 193–212). Willan Publishing.
  • Kirby, S., & Snow, N. (2016). Praxis and the disruption of organised crime groups. Trends in Organized Crime, 19(2), 111–124. https://doi.org/10.1007/s12117-016-9269-0
  • Martin, J., & Whelan, C. (2023). Ransomware through the lens of state crime: Conceptualizing ransomware groups as cyber proxies, pirates, and privateers. State Crime Journal, 12(1), 4–28. https://doi.org/10.13169/statecrime.12.1.0004
  • Meyerson, D. (2015). Why should justice be seen to be done? Criminal Justice Ethics, 34(1), 64–86. https://doi.org/10.1080/0731129X.2015.1019780
  • Monahan, T., & Palmer, N. A. (2009). The emerging politics of DHS fusion centers. Security Dialogue, 40(6), 617–636.
  • Munk, T. (2022). The rise of politically motivated cyber attacks: Actors, attacks and cybersecurity. Routledge.
  • Noble, N. (2020). Director-General ASD speech to the National Security College. Australian Signals Directorate. https://www.asd.gov.au/publications/director-general-asd-speech-national-security-college [last accessed 8 May 2023]
  • Roziere, B., & Walby, K. (2019). Special weapons and tactics teams in Canadian policing: legal, institutional, and economic dimensions. Policing and Society, 30(6), 704–719.
  • Rid, T., & Buchanan, B. (2015). Attributing cyber attacks. Journal of Strategic Studies, 38(1-2), 4–37. https://doi.org/10.1080/01402390.2014.977382
  • Schjolberg, S., & Ghernaouti-Helie, S. (2011). A global treaty on cybersecurity and cybercrime. Cybercrime Law, 97. https://www.cybercrimelaw.net/documents/A_Global_Treaty_on_Cybersecurity_and_Cybercrime,_Second_edition_2011.pdf
  • Scott, B. (2022). Australian cyber: What’s “Redspice” for? The Interpreter. https://www.lowyinstitute.org/the-interpreter/australian-cyber-what-s-redspice [last accessed 8 May 2023]
  • Sentas, V. (2016). Policing the diaspora: Kurdish Londoners, MI5 and the proscription of terrorist organizations in the United Kingdom. British Journal of Criminology, 56(5), 898–918.
  • Skopik, F., & Pahi, T. (2020). Under false flag: Using technical artifacts for cyber attack attribution. Cybersecurity, 3(1), 1–20. https://doi.org/10.1186/s42400-020-00048-4
  • Van Buskirk, J., Bruno, R., Dobbins, T., Breen, C., Burns, L., Naicker, S., & Roxburgh, A. (2017). The recovery of online drug markets following law enforcement and other disruptions. Drug and Alcohol Dependence, 173, 159–162.
  • Wall, D. S. (2021). Cybercrime as a transnational organized criminal activity. In F. Allum & S. Gilmour (Eds.), Routledge handbook of transnational organized crime (pp. 318–336). Routledge.
  • Whelan, C., & Harkin, D. (2021). Civilianising specialist units: Reflections on the policing of cyber-crime. Criminology & Criminal Justice, 21(4), 529–546. https://doi.org/10.1177/1748895819874866
  • Wilson, M., Cross, C., Holt, T. J., & Powell, A. (2022). Police preparedness to respond to cybercrime in Australia: An analysis of individual and organizational capabilities. Journal of Criminology, 55(4), 468–494. https://doi.org/10.1177/26338076221123080