Politicians don't get it. The militaries are only just beginning to confront it. An all-out cyber assault has the potential to do as much damage as a nuclear strike. Or worse.
Australian Prime Minister Scott Morrison on Friday morning took the unusual step of addressing the nation. Defence Minister Linda Reynolds was standing beside him.
The country was under attack, the Prime Minister announced. But it wasn't by land, air or sea. Instead, it was on the digital front. And this "malicious" and "state-based" assault was being made against multiple fronts.
"This activity is targeting Australian organisations across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure," Morrison said.
He refused to identify the source of the attack: "What I can confirm is there are not a large number of state-based actors that can engage in this type of activity."
But the Prime Minister also declined to speculate on its objectives.
He did reveal, however, that he considered it severe enough to mobilise Australia's "Five Eyes" intelligence alliance with Canada, the United States, New Zealand and the United Kingdom.
"We have some of the best agencies in the world working on this, and that means that they are putting all of their efforts into thwarting these attempts," he said.
Most significantly, the Prime Minister said the attacks were ongoing.
Disturbingly, cybersecurity experts say there is little we can do to defend against them.
Any state-based attacker could be seeking weak spots within Australia's digital networks for future exploitation. It could be retrieving sensitive information. It could be corrupting vital data. It could be planting malicious code "cyber bombs" among critical infrastructure systems.
It could be all these things.
"Those who are engaged in this are not doing this to help us," Morrison said.
ANU National Security College researcher James Mortensen says the Prime Minister's response should be interpreted as a political, economic or security event.
"I'm generally hesitant to view cyber issues as their own domain," he says. "The information, systems and access that is compromised in these attacks have a real-world value."
And Flinders University national security analyst Dr Zac Rogers says the invisible damage could be immense.
"Computer networks have been structurally vulnerable to attack from the beginning," the Jeff Bleich Centre for the US Alliance in Digital Technology research lead says. "The attack surface – the number of different ways malicious code can penetrate networks – is simply too large to defend against".
While detecting and preventing intrusion has been emphasised, little has been done to identify what actually happened.
"These methods have no impact on 'zero days' – malicious code that sits undetected in systems," Rogers says.
Most cybersecurity efforts are focused on defending critical infrastructure such as financial systems, transport networks, electricity grids, essential services utilities and government services.
Attacks on these systems could disrupt – and even kill – on an enormous scale.
But these attacks could also bring down governments and whole societies.
"Manipulation of the information environment, in general, has been a secondary consideration," Rogers says. And that means the facts, figures and opinions used in policy and decision-making could have been compromised.
Assault on trust
"Until attacks and intrusions are 'weaponised' – used to affect direct material and personal harm – cyber will remain by definition a grey zone," Mortensen says.
Cyberattacks are cheap. They're ambiguous. They're deniable.
"They are an easy and low-risk way for states like China, Russia and Iran to dish out pain on a global stage," Mortensen says. "I'd say those states have a vested interest (at least at this stage) in ensuring that their cyber actions remain cheap and ambiguous, at least so that their targets don't see any value in escalating the tension."
But Rogers says their true target may be less visible than power networks or telecommunications systems.
And much more vulnerable.
"While the nominal targets of this attack are unidentified, the deeper target is the institutional trust that enables Australia's open democratic system to function," Rogers says.
"The disrupter has an operational advantage, but its advantage is magnified into a strategic threat only if open trust-based societies and their institutions fail to understand the deeper threat. Democratic resilience is about understanding trust as a strategic resource."
And destroying trust in democratic institutions has been a consistent objective of authoritarian states seeking to sell their own strongman model of governance.
That involves exploiting social media algorithms.
That involves manufacturing serious breaches in privacy.
That involves sustained manipulation of news and information.
Most importantly, even failed attempts at these objectives end up serving their purpose – to undermine trust.
"We need to understand what trust is made of – or at least what conditions it requires to exist," Rogers says.
The threat is a society overwhelmed with paranoia. Which is why state-backed information attacks target the independence of the judiciary and the rule of law, government accountability, and the rigour of scientific processes.
"The threat of an enemy at the gates can pale in comparison to the damage done by the monster under the bed," Rogers says. "The irony of the age of information would be that it could herald the end of influence."
The best means of defence
Australia isn't experiencing an all-out cyber assault.
Instead, it is a series of probing attacks.
The Prime Minister said an increasing accumulation of targeted strikes over "many months" had revealed the presence of a co-ordinated campaign.
"This has been a constant issue for Australia to deal with and so I wouldn't say that there has been any one event or any one instance," he said during the address.
He did not reveal what it was that had prompted him to make the early-morning public announcement.
"There is nothing in the government's announcements that is indicative of a shift in the cyber domain – same vectors, same targets, same' usual suspects'," Mortensen notes. "It might be reasonable to expect that the scale of the attacks and the emphatic nature of Morrison's response is demonstrative of an uptick in the severity or intensity of these attacks."
Which is why, he says, his actions need to be seen in economic or political terms.
But what the Prime Minister did reveal, Rogers says, was the ongoing failure of the "defend the castle" model of cyber defence. Instead, he says, networks must be rebuilt from the ground up to be secure and resilient.
"The paradigm shift is to data-centric security – building defence into the data itself," Rogers says. This includes the use of encryption systems and digital technologies like blockchain.
But the threat isn't just malicious code. It's also about compromised hardware.
"Military-level cyber defenders now talk about 'assured computing on untrustworthy components' – techniques to be certain of system function without certainty about the components," he says.
Grey zone scuffle
The presence of the defence minister at the Prime Minister's address was an apparent attempt to emphasise the national security significance of the situation. Reynolds said the Australian Cyber Security Centre and Department of Home Affairs had issued an advisory outlining how organisations and institutions could "detect and mitigate" the digital assault.
"I remind all Australians that cybersecurity is a shared responsibility of us all," Reynolds said.
But Mortensen doesn't see the words of either the Prime Minister or defence minister as an escalation.
"I don't think Morrison's emphatic response, nor the scale of the attacks are indicative of any shift in the online environment; instead, they are far more indicative of an interstate relationship that is struggling to stay civil," he says.
"Technology gives states like China and Russia the opportunity to express their disappointment with others in a far more visceral way than traditional diplomacy allows, all while minimising any cost or impact they might incur."
And such acts will sit firmly in the "grey zone" of international conflict until physical harm is done.
"Attacks on critical infrastructure, elections, and military systems has generally been informally considered the red line," Rogers says.