Some inside the security community feel that the ham-fisted execution of search warrants against Australia’s two biggest media organisations will now irrevocably politicise debate around how offensive cyber powers and surveillance are controlled.
Within the bureaucracy, the tussle to establish contemporary cyber powers has also rekindled long-standing inter-agency tensions that the establishment of the powerful Department of Home Affairs was meant to neutralise.
A key friction point is whether agencies within Home Affairs should be allowed and resourced to run their own cyber offence, an expansion many in defence circles view as risky because of the potential for escalation.
One argument against the expansion of powers is that the offensive cyber weapons arsenal and bag of tricks used operationally by ASD is dangerous by nature and must be kept highly restricted to prevent proliferation.
Conversely, as Dutton expressed, there is a growing frustration that available tools are not being put to their full use and a capability and response gap has emerged.
At a doctrinal level, noted cyber strategists have for some years been arguing for a de-escalation of offensive cyber operations and their limitation to surveillance and intelligence operations as opposed to firefights bent on neutering infrastructure.
This has included questioning the benefits of the Stuxnet cyber attack on Iran because it telegraphed an implicit green light for other nations to engage in such conduct.
While Australia’s banks have long-supported cyber agencies including the Australian Cyber Security Centre and AFP’s earlier High Tech Crime Centre, they have preferred to send their own staff into security agencies rather than having police residing in banks.
At the same time, despite massive spend on cyber and counter fraud security, banks pass through the bulk of their online credit card fraud losses back through to merchants, a liability shift that has had retailers ropeable for years.
The question many in banks will be privately asking is whether new offensive cyber measures that can potentially neutralise fraud will come with a regulatory shift to make institutions responsible for losses.
Online credit card fraud not sits at just under $500 million a year across banks and is still growing strongly, concurrent with the shift to online payments.
Whether banks are prepared to live without an arsenal for hire at their disposal in exchange for some ongoing legacy financial comfort is a question that will now be being asked in Australia’s institutions.
The Australian Banking Association has been contacted for comment. Got a news tip for our journalists? Share it with us anonymously here.