Australia should name parliament cyber attackers
Until now, Australia has only made official cyber attributions as part of the coalition of Five Eyes nations, sometimes with other countries joining in. Blaming Russia for the NotPetya incident was one such coordinated diplomatic action, for example.
Australia’s official position on the parliament cyber attack is that is was “sophisticated” — they always are — which means it must have been a nation-state actor.
Prime minister Scott Morrison has done the right thing by hosing down speculation before all the evidence is in. But with such a blatant attack on the institutions of government, has the time come for Australia to go it alone in naming perpetrators?
Is it perhaps even time for an official response that goes beyond a few harsh words, and imposes some visible costs?
These questions were explored by David E Sanger in Sydney on Monday. He’s the author of The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age, and he’s the New York Times journalist who revealed that Stuxnet was part of the US-Israeli combined operation “Operation Olympic Games”.
“I don’t see the argument against it,” Sanger told Fergus Hunter, head of the Australian Strategic Policy Institute (ASPI) International Cyber Policy Centre (ICPC), in a public conversation.
“I mean, you’re already the one country that has banned Huawei outright. Nothing you’re going to do beyond that is going to anger the Chinese more than banning their national champion. So I’m not quite sure what the downside is. You know, you’re not high on their Christmas card list at this point in any case,” he said.
“There are some countries, and some people like Vladimir Putin, who are unembarrassable. So you can name them, and it doesn’t mean they’re going to stop. But there are others who are highly embarrassable, because they’re going to be afraid that it’s going to be hard to get investment in their own country if they’re known as a serial violator.”
For mine, I don’t doubt that China can express its anger more intensely than through a cyber attack. Only the other day, by sheer coincidence I’m sure, Chinese customs officials at the key northern port of Dalian stopped Australian coal imports, and the value of the Australian Dollar immediately dropped.
Nevertheless, Sanger thinks that if Australia can demonstrate the attack had come from China, or from Iran, or wherever, we should name names despite the potential repercussions that may unfurl.
“I think it’s in their [Australia’s] strong interest to publish that data, publish the indicators, get as close as they can to indicating who it is who launched it, if they’ve got that data, because they want to show the Chinese Ministry of State Security that this is not a free ball, and that there will be consequences,” Sanger said.
“Australia is really good at this. I mean, its signals intelligence [SIGINT] operation is known as one of the best in the world. So would it be nice if you bring in GCHQ or the NSA or somebody else to do an independent look, and come and announce their conclusion?”
Sanger pointed to a similar international effort by South Korea after that country’s corvette ROKS Cheonan was sunk in 2010. Experts were pulled in from the US, UK, Canada, Australia, and Sweden, and they determined that the Cheonan was sunk by a North Korean torpedo. North Korea has of course denied these claims.
“But you’re going to have to be willing to show your work,” Sanger said.
“And that’s the part where people in the intelligence agencies are going to say, ‘Well wait a minute, then the Chinese are going to discover that we’re watching them.’ And my answer to that is, if the Chinese haven’t figured that out by now, they wouldn’t be able to attack you in the first place.”
Sanger acknowledged that he’s “not sure the Australian government is seeking advice from New York Times reporters,” and I’m not sure they’re interested in the opinions of ZDNet columnists either.
“Australia’s responses to malicious cyber activity could comprise law enforcement or diplomatic, economic, or military measures as appropriate for the circumstances,” said then foreign minister Julie Bishop in October 2017.
“This could include, but is not restricted to, offensive cyber capabilities that disrupt, deny, or degrade the computers or computer networks of adversaries.”
It would be totally inappropriate to point the finger at another nation without proof, of course. But at some point, it will be time for Australia to walk the walk.
ACSC chief Alastair MacGibbon says there is an increased responsibility on system owners to truly protect their systems.
DMARC email authentication can significantly reduce the risk of phishing attacks, but only 5.5 percent of Australia’s main government domains have deployed it. That’s set to change.
Relax, developers, the Assistance and Access Act is ‘highly unlikely’ to force employees to deceive their bosses by creating secret backdoors. Nor does it breach Europe’s GDPR digital privacy laws.
HPE and IBM are reportedly among the managed service providers targeted by China’s APT10 group. Meanwhile, the Australian Cyber Security Centre hasn’t ruled out government agencies being among the end targets.
Criminals used compromised web hosting servers to mine cryptocurrency, and insert advertising and SEO tools into customer websites.
After just two hours of debate, Australia’s encryption law amendments are now stalled in the Senate until April. Only one key amendment was passed, but both government and opposition can claim a win.