Yet more warnings of cyber security threats, appropriate, but the follow through is the usual. Rhetoric over application

April 23, 2021

The Australian, in “Business on frontline in cyberspace ‘war’”, and the BBC, with “GCHQ chief warns of tech ‘moment of reckoning’”, both report on senior governmental figures in Australia and the United Kingdom warning of the impact of threats to security through the internet.

Andrew Hastie, Assistant Defence Minister, in another series of “canary in the coal mine” grabs, highlights the danger of cyber attacks to infrastructure, governments and business. There is talk of a new international cyber and critical technology engagement strategy, of meetings of the government’s cyber security industry advisory committee and of the need to counter threat actors. He is right that major cyber attacks aimed at government institutions and major infrastructure are a threat to Australia’s digital sovereignty. And of course the article talks up the funding of the international cyber and critical technology strategy, which involves spending of $375 million. All very worthy.

But these statements are nothing much new. The threat from hackers has been a problem that has existed for over a decade. Longer. It has evolved over time, as technology has developed and opportunities to monetise the use of malware have grown at an exponential rate. The greater activities of state players have made a difficult situation worse.

Where Hastie and other government members are wrong is in having a top down approach to ensuring that businesses and governmental agencies are properly prepared to deal with cyber attacks. Strategies are fine. But they have no real impact on the day to day operations of businesses, many of which have contact with government. There is little incentive for businesses to do all that is required to minimise cyber attacks. Some see it as being in their best interests and do so without any prompting. Some are in industries where cyber attacks are frequent and the effects are potentially catastrophic, so it is normal to maintain appropriate protections, for example with banks and in the mining sector. But most businesses spend too little time and money on cyber security, including training and developing processes and protocols. Which is where the real problem lies. Over 80% of data breaches are caused by human error. That bespeaks inadequate training and a poor culture. There is no incentive for businesses to mend their ways. The Privacy Act is a flawed piece of legislation and the regulator is at best timid and quite ineffective. The chances of a business being penalised for not properly complying with the Privacy Act are small. Even if a complaint is made about an organisation interfering with someone’s personal information, the Information Commissioner’s investigations are slow, highly bureaucratic and take around 2 years to resolve. And the awards against malefactors are risibly low. Until the Government reforms the law, arms the regulator with powers and resources to take action against those who fail to maintain adequate data security, and appoints staff to the Information Commissioner’s office who are more assertive and effective, all the talk of dangers is just that, talk. The problem will still remain.

Meanwhile, back in Old Blighty, the head of GCHQ, Jeremy Fleming, raises similar concerns about the security challenges when adopting technology in “GCHQ chief warns of tech ‘moment of reckoning’”. His comment that technology take-up must be matched by proper security is sensible but hardly new. That is what privacy advocates have been saying since the internet became ubiquitous and a necessary part of commerce and government activity. It is just that governments have until relatively recently not appreciated the public policy necessity of having proper security.

The Australian article provides:

Assistant Defence Minister Andrew Hastie says businesses face having their entire systems crippled by cyber criminals and has called for a shift in thinking to protect the nation’s digital sovereignty, as the Australian and US governments push back against state-sponsored hackers. The step-up will be supported by a new international cyber and critical technology engagement strategy, which puts Australia at the forefront of efforts by Western nations to resist attempts by countries, including China, to undermine democracies.

Amid a wave of cyber attacks targeting Australian companies, critical infrastructure operators and governments, Mr Hastie told The Australian that “increasingly we’re going to see war, or coercive activities, carried out in cyberspace”.

The government’s cyber security industry advisory committee, chaired by Telstra chief executive Andy Penn, met on Tuesday to discuss the ongoing cyber-crime threat to businesses.

The Biden administration last week warned of new Microsoft Exchange server vulnerabilities, linked to China, and imposed sanctions against Russia over the devastating SolarWinds cyber attack, which compromised US government agencies and companies. Mr Hastie, who is urging Australian businesses and individuals to patch their Microsoft Exchange systems after initial security updates were ineffective, said he strongly backed the increased international focus on cyber attacks.

“This is a critical recognition that cyber is the new battlefield and we must continue to co-operate to counter threat actors,” he said. “We’ve always talked about sovereignty in territorial terms, but we need to start thinking and talking about what it means for Australia to retain and protect its digital sovereignty.

“Cyber is low cost, it’s hard to attribute when someone conducts a cyber attack, and you can do it anytime, anywhere.”

Foreign Minister Marise Payne on Wednesday said the international cyber and critical technology strategy would support responsible conduct in cyberspace in the Indo-Pacific region and protect the nation against technologies that can “significantly enhance or pose risks to Australia’s national interests”.

The critical technologies include artificial intelligence, 5G, the Internet of Things, quantum computing and synthetic biology.

Under the strategy, the Morrison government will inject $37.5m into strengthening the cyber capabilities of South Pacific and Southeast Asian countries and co-sponsor a proposal to establish a UN program for responsible state behaviour online.

“We can’t have individual states trying to dominate international standard-setting bodies in pursuit of their own economic and ideological interests,” Senator Payne said.

The US Office of the Director of National Intelligence this month warned of the growing cyber risks posed by China, Russia, Iran and North Korea. It said China presented a “prolific and effective cyber-espionage threat”, possessing substantial cyber-attack capabilities and a growing influence threat.

The threat assessment warned China “can launch cyber attacks that, at a minimum, can cause localised, temporary disruptions to critical infrastructure within the US”.

It also said cyber threats “from nation states and their surrogates will remain acute”, with hostile countries using cyber operations to “steal information, influence populations, and damage industry, including physical and digital critical infrastructure”.

Home Affairs Minister Karen Andrews, who this month took part in talks with counterparts from the US, Canada, New Zealand and Britain about cyber and ransomware attacks, said the government was working to combat threats through its legislation to “enhance security and resilience of critical infrastructure assets … from cyber crime”.

“Cyber criminals continue to pose risks to Australians and Australian businesses, and I’m committed to ensuring our response is commensurate to the gravity of this threat,” she said.

The Australian Cyber Security Centre last week updated its security advice to “critical” after new vulnerabilities were discovered in Microsoft Exchange 2013, 2016 and 2019, which could be “exploited by attackers to gain persistent access”.

Microsoft’s Threat Intelligence Centre last month attributed the attacks on its software to HAFNIUM, a “group assessed to be state-sponsored and operating out of China”.

The BBC article provides:

The West is faced with a “moment of reckoning” when it comes to technology and security, the head of intelligence agency GCHQ has told the BBC.

Jeremy Fleming said there was a risk that key technologies on which we rely will no longer be shaped by the West.

“We have to keep evolving our approach if we’re going to keep up,” he said of the growing challenge from China.

So-called smart cities, which will collect large amounts of data, are just one example, he added.

“The risk is that the technology is implemented in a way in which we can’t assure its security,” he warned.

The UK is a “big beast” when it comes to technology but “we can’t take that for granted”, the GCHQ director warned, saying this was a moment when we had to decide if we were going to continue to evolve and compete with our adversaries.

Mr Fleming was speaking ahead of giving this year’s Vincent Briscoe Annual Security Lecture at Imperial College, and in the wake of the Integrated Review, which placed science and technology at the centre of future security and defence policy.

Lessons from 5G

The challenge from China is uppermost in the minds of intelligence chiefs across Western countries, particularly when it comes to technology.

“The risk, as I see it today, is that we lose control of the standards that shape our technology environment,” he told the BBC.

“The things that make sure that our liberal Western democratic views are baked into our technology.”

Mr Fleming said there were lessons to be learnt from the debate over the role of Chinese company Huawei in building a new 5G telecoms system. It was initially given a role in the UK, before being excluded following US sanctions.

But there were concerns that there were few other companies actually able to supply the latest technology.

“The conversation about 5G was really lost a decade ago, when Western nations decided that they weren’t going to invest in the underpinning infrastructures… and the result was we just didn’t have the choices,” he said.

The imperative was to make sure in the future the UK took the kind of long-range decisions needed to ensure it has choice – so there would not be the same concerns over dependency, he said.

Smart city fears

That need to look forward prompted a focus on smart cities.

These involve a vast number of sensors and cameras built into a city’s infrastructure – controlling everything from traffic to utilities such as water and power.

But it also means vast amounts of data will be collected about people’s movement and activity.

Done in the right way, the GCHQ chief argues this presents a “fantastic opportunity” to increase efficiency and improve services.

But he warned it also carries risks around privacy and anonymity.

“If we don’t control the technology, if we don’t understand the security required to implement those effectively, then we’ll end up with an environment or technology ecosystem where the data is not only used to navigate, but it could be used to track us”.

China is a leading supplier of smart city technology, with councils in the UK already purchasing cameras from its companies.

Mr Fleming said it was vital to ensure all the technologies were not from one place and to understand how data was being processed.

There were only a relatively small number of areas where the UK would need to completely control a technology, he said, and more broadly working with allies would be essential to shape international standards and to defend itself in cyberspace.

At home, the UK has to invest in skills and innovation.

The UK should not be “fatalistic”, he said, and had a “very strong track record” of meeting technology challenges.
