It’s been a big week in cybersecurity. The twin giants of #infosec conferences, Black Hat and DEF CON, has just wrapped up in Las Vegas, and a DefCon Beijing beta event has been announced. The show-stealer was the open challenge, in which five different types of voting booths were left in a room for DEF CON attendees as a challenge. The first booth was hacked after 90 minutes, and the exercise demonstrated a number of poor security procedures, such as the default administrator passwords for the booths being unchanged and available online. They were not able to change votes, however. For a great write-up of the other keynote events and lectures, see here. In equally momentous news, yesterday marked the fourth anniversary of the launch of ASPI’s International Cyber Policy Center. Happy birthday, @ASPI_ICPC!

Russia has taken steps to pass a law that will ban the use of virtual private networks (VPNs) and other anonymisation technologies in the country. It will enter into force on 1 November 2017. Other legislation is set to come in early next year that will force messaging app companies to identify users by phone numbers by 1 January 2018. Edward Snowden, ex-NSA ‘whistleblower’ (and current Moscow resident), has publicly criticised the ban on VPNs, and noted it’s the second of such bans this week, with Apple reportedly removing VPN apps from its App Store in the Chinese market. While the exact cause of the removal was initially unclear, Apple has since released a relatively short statement taking responsibility for the removals, saying that the VPNs were not licensed under Chinese law. More than 60 VPNs have been affected so far.

Singapore’s privacy commission has proposed changes to the country’s personal data protection laws to provide mandatory data breach notification. Data breaches have remained topical elsewhere in the world, as Sweden’s nationwide motor registry data breach crisis has claimed the jobs of two Swedish ministers, Interior Minister Andres Ygeman and Infrastructure Minister Anna Johansson, and has saddled the prime minister with the possibility of facing a vote of no confidence. Data breaches have affected television as well. HBO’s internal databases were breached (again) and 1.5 terabytes of data exfiltrated. It’s not clear whether the data includes yet-unreleased episodes from season 7 of the hit TV show Game of Thrones, but written material from next week’s fourth episode has been released online.

Elon Musk and Mark Zuckerberg have had a public disagreement about whether we should welcome or fear our new artificial intelligence (AI) ‘overlords’. While Zuckerberg has described Musk’s concerns of an AI-led apocalypse as ‘irresponsible’, Musk has fired back that Zuckerberg’s understanding of the subject is ‘limited’. Commentators have suggested that it’s more about a difference of time scales, or a difference of branding, than a difference of opinion. In what might be a point for Musk, Facebook has gone back to the drawing board on one of its AI projects after two chatbots in the projects began communicating in their own language consisting of shorthand English strung together nonsensically, to humans at least.

A New York Times piece has outlined how China is aiming to become a leader in AI technology research and development by 2030, and how its spending billions of dollars to foster innovation. By contrast, the US has yet to create a national strategy for continued innovation in AI. There are programs and projects no doubt, like this week’s announcement that the US Air Force is looking at using AI to monitor Twitter and social media networks, but there’s an increasing risk that the US might find itself on the wrong side of the innovation offset.

Innovation remains high on the agenda for the Australian government. The Digital Transformation Agency and the Australian Public Service Commission are currently looking to find and place 250 cadets and apprentices in Australian government agencies to start off their brilliant careers in IT. On the senior side of the career spectrum, the Department of Defence’s chief information officer, Peter Lawrence, has come to the end of his five-year term after steering the department through a number of major programs and reforms. The Australian Communications and Media Authority will be conducting a review of the NBN and its 21 contractors and subcontractors by compelling all of the companies involved to provide data about why the NBN has been underperforming. And the South Australian government is allegedly introducing laws that would compel child exploitation website operators to provide their passwords so that law enforcement can access personal data held in their computers or personal clouds. The news has ignited some concern, though details remain scarce.

Adobe is killing off its Flash media player by 2020. Most have speculated that the reason for the closure is security, as Flash has been an infamous (and growing) source of many critical vulnerabilities. The move has been long predicted, as the functions that Flash provided have largely been replaced by the more secure and well-developed standards. Several major tech companies, including Microsoft, Facebook, Apple, Google and Mozilla have laid out roadmaps for how they’ll be moving on from Flash, and it looks like the change won’t be a big deal.

It’s been a good week for any ‘mooches’ looking for some free but good anti-virus software. Cybersecurity company ESET is offering a free 12-month subscription to its internet security service in partnership with PC Tech Authority Australia; it’s available here. Similarly, Kaspersky has begun offering a free version of its anti-virus software. In addition to improving the baseline security of users, one of the reasons the company is offering the software for free is that free installs of the software that encounter malware will provide more data points to improve Kaspersky’s threat-intelligence machine-learning systems.

For the final two cyber wraps of 2016, ICPC will review some of the biggest cyber stories to make headlines over the last twelve months so that we can all laugh, cry and reflect on the year that was together.

On the home front, 2016 was a big year. Australia’s Cyber Security Strategy was released in April by Prime Minister Malcolm Turnbull. The Strategy committed a total of $230 million to new initiatives to strengthen Australia’s cyber security, in addition to the $400 million funding already allocated to cyber security efforts in the 2016 Defence White Paper. The Strategy also created a new ministerial position for cyber issues, with two new positions—a Special Adviser to the PM, and a Cyber Ambassador—joining the existing ACSC Coordinator. Work has commenced on new capital city threat sharing centres and academic Centres of Excellence, as have preparations to move the ACSC from within ASIO HQ to new digs that will be more accessible to private sector partners and cyber workers with lower levels of security clearance. While those are all promising signs for the implementation of the Strategy, there’s been some criticism from industry about the pace of implementation. Full steam ahead for 2017.

Australia’s offensive cyber capability, which is being housed in the Australian Signals Directorate HQ, was also announced in the Strategy. While there understandably isn’t much detail available, the PM revealed that Australia’s capabilities have been engaged against Daesh’s cyber efforts in the Middle East. Other Australian highlights for 2016 include the second annual ACSC Threat Report which revealed a state actor was behind the hack of the Australia’s Bureau of Meteorology which took place last year.

2016 also saw a major change in how the internet is managed worldwide, with the transition of the Internet of Assigned Numbers Authority (IANA) from a US Department of Commerce contract to a standalone multi-stakeholder-led institution. The move was the culmination of a policy plan which stretches back to the Clinton administration, which was spurred along by the Snowden disclosures and increasing international concern about the US’s role in internet governance. The transition was delayed several times as the multi-stakeholder community struggled to implement a plan to take on the function, and was nearly further delayed by court action initiated by US Senator Ted Cruz. However, the move was eventually successful on 1 October. While the average Internet user wouldn’t have noticed any difference, the transition is a win for proponents of the multi-stakeholder model of internet governance.

Several other countries released new cyber strategies in 2016, with Britain, Germany,  New Zealand and Singapore providing some interesting policy contrasts to Australia’s effort. Britain’s government is taking a stronger position in protecting its citizens online, Germany is increasingly concerned about privacy, New Zealand is focused on cybercrime and education, and Singapore remains set on maximising digital growth’s full potential.

Cyber security incidents also remained weekly news in 2016. The fallout from the Dyn DDoS incident back in October continues to reverberate as other attempts to exploit security vulnerabilities of IoT infrastructure have followed—including one affecting Germany’s Deutsch Telekom earlier last month. In the US, the revelation that Yahoo! had hidden a 2014 data breach complicated the planned Verizon takeover. Other big breaches this year include the DNC hack (which we’ll cover next week), the US$81 billion dollar compromise of the SWIFT network through Bangladesh’s Central Bank, and Australia’s largest ever data breach—when the Red Cross Blood Service accidentally leaked the personal information of more than 550,000 donors.

We’ll see you next Wednesday for part two of our wrap-up of the year that was!

Following the high profile infiltration of the DNC’s email servers earlier in this year, the FBI’s now working to allay concerns that vote counting machines could be next on the hit-list of would-be saboteurs. FBI Director James Comey was quick to point out that a breach of these systems is pretty tough, pointing out the disjointed and ‘clunky as heck’ nature of the voting systems as the main barrier to malicious actors. ‘A lot of people have found that challenging over the years, but the beauty of that is it’s not exactly a swift part of the internet of things, and so it is hard for an actor to reach our voting process.’

Last week the White House announced that retired Air Force Brigadier General Gregory J. Touhill will become the US’s first federal Chief Information Security Officer (CISO). The creation of the post was foreshadowed by President Obama more than eight months ago via the Cybersecurity National Action Plan (CNAP). Touhill will make the shift from the Department of Homeland Security, where he currently serves as the deputy assistant secretary for cybersecurity and communications. According to the White House, the federal CISO will be responsible for ‘driving cybersecurity policy, planning, and implementation across the Federal Government’. In essence his role will largely be concerned with protecting government networks and the US’s critical infrastructure.

On the home front, Australia’s new Minister Assisting the PM for Cyber Security Dan Tehan has weighed in on the ‘information as a weapon’ discussion kicked off by the DNC hack. Tehan called the incident a ‘wake-up call’ and stressed that Australia must have ‘the proper protections in place’ to prevent similar incidents of what he terms ‘cyber influencing’ occurring here.

Singapore’s Cyber Security Agency (CSA) head David Koh has given a one-on-one interview with GovInsider, outlining the city-state’s approach to managing cyber threats, innovation, public outreach and promoting security by design. Koh, who’s led the CSA since it was formally established in April 2015, is currently overseeing the creation of a ‘competency skills framework’ developed with the private sector. Once complete, the framework should lay out specific career pathways available to IT experts in both technical and management streams. Koh also highlighted the importance of trust and assurance of data privacy to Singapore’s ‘Smart Nation’ vision, arguing that without a foundation of confidence there will be a reluctance amongst the population to share the data that gives the ambitious program its life.

Japan’s Financial Services Agency is set to host the country’s first cyber security exercise exclusively for financial institutions. The drill—scheduled to take place in October—will see 80 financial institutions come together to test their wares against fictitious malicious cyber actors. The exercise came about following the increase online attacks targeting financial institutions in the country. Participants will include local and major regional banks, with the drill seeking to expand and build upon on numerous existing info-sharing and collaborative agreements between several Japanese financial institutions.

Japan’s NEC Corporation has won a contract to roll-out a new 5,300 kilometre submarine cable in South East Asia. The Indonesia Global Gateway Cable System will connect the islands of Sumatra, Batam, Jawa, Bali, Kalimantan and Sulawesi with Singapore. It’ll also link Indonesia with two other major international cables, boosting connectivity, resilience and internet speeds across the country.

At the heart of the new Australian Cyber Security Strategy is a new paradigm for public–private engagement on cyber security. Business has been elevated from ‘partner’ to ‘co-leader’ in the new ‘National Cyber Partnership’ to jointly drive implementation of the Strategy. The Strategy quite rightly appreciates the criticality of engaging the combined skills, expertise and capabilities of the public and private sectors to manage cyber threats and reap the economic rewards of connectivity.

In the 2009 Cyber Security Strategy, the Government claimed leadership of national cyber security, noting that it was best placed to ‘identify the strategic threats and emerging challenges of Australia’s cyber security’. The 2016 Strategy has retreated from this hubristic statement and introduced new language that invites business to co-lead and co-design initiatives such as new voluntary standards, jointly operate new cyber threat sharing centres, and undertake combined cyber incident exercises. It reflects a more sophisticated approach to engaging the owners and operators of the majority of Australia’s cyber infrastructure.

The Government has already taken steps to enable digital growth, digital innovation and expansion of the national cyber security industry through initiatives such as the previously announced Cyber Security Growth Centres. This Strategy links with the National Innovation and Science Agenda by engaging the private and research sectors to design courses that produce work-ready graduates and attract more people to cyber security and related careers.

It’s been unclear to many on the outside looking in exactly who in Government they should be talking to, and when, about cyber security. The Strategy has sought to address this with the creation of two new leadership positions, the Minister Assisting the PM and the Special Advisor to the PM on Cyber Security. These positions will be critical for leading the successful implementation of the Strategy, and their ability and willingness to meaningfully engage with the private sector will be significant factor in its eventual success or failure. The additional funding to the tune of $21.5 million over five years for CERT Australia is also a welcome boost to the important work CERT Australia does in engaging Australian business and critical infrastructure operators.

When the creation of the ACSC was announced in 2013, it was heralded as an opportunity to engage the private sector in government’s cyber security operations, however its location in ASIO’s secure building was less than inspired. The announcement of the transfer of the ACSC to a new facility in Canberra promises to unlock its unmet potential for greater private sector interaction. The new cyber threat sharing centres in capital cities and the online cyber threat sharing portal should also assist in integrating public and private sector information. To be truly successful they will require government to provide meaningful, actionable information in a timely manner, and the private sector to also engage in a constructive exchange of information.

Other initiatives announced in the Strategy will also better enable the private sector to manage cyber threats and embrace opportunities for digital economic growth. Voluntary Cyber Security Governance ‘health checks’ for ASX 100 companies will seek to provide constructive organisational change and make cyber security a board-level issue. While small businesses received less focus than the top-end of town, they’ve received a small boost with promised funding for pen testing. That will not only encourage small businesses to be more resilient to cyber threats, but also help further develop the Australian cyber security industry. This industry offers significant export opportunities for Australia and the Strategy supports its growth in several ways—including the growth of a skilled workforce.

While the initiatives announced in the Strategy promise a new era of public–private partnership on cyber security in Australia, there are some old hurdles that must be overcome. Business has often lost interest in engaging with government, as the cost often appears to outweigh the benefits. Without clear articulation of government’s policy goals it’s hard for business to stay engaged in the often laborious processes that government imposes on itself (PDF). The success of the new Strategy and its promised new partnership with the private sector will rely on government clearly stating its policy intent and purpose, and sustaining engagement with the private sector now that the review process has concluded.  

Embracing the private sector to share in decisions that shape the national approach to cyber security will create better overall outcomes for both sectors, and should also provide for better co-investment in cyber initiatives. The Strategy has opened the door to a new model for the public–private partnership to enhance Australia’s cyber security to reap the economic benefits that lay in wait in cyberspace. It’s now up to cross-sectoral leadership to deliver the goods.

Last week, the US Senate approved the CISA or Cyber Security Information Sharing Act. Among the bill’s main provisions is a proposal to expand liability protections to companies that voluntarily share threat information with the government. The bill managed to evade a series of last minute privacy amendments, passing with strong bipartisan support in a 74–21 vote. Congress will now have to work to reconcile the differences between CISA and a similar, earlier version of the bill, the Protecting Cyber Networks Act, which passed the House in April. Once the two have been merged, the White House is expected to rubber stamp the finished product.

The New York Times has published an interesting piece on the issue of export controls on surveillance technology. Last month two men were fined by the US Department of Commerce for illegally exporting surveillance technology to Syria via an elaborate Middle East distribution network. The US has enacted specific bans on the export of American surveillance technology to both Syria and Iran, where it’s feared they can be deployed to crackdown on dissidents and opposition parties. But moves to introduce a wider licencing arrangement for the export of surveillance technology have been met with stiff resistance by the US tech sector. Other countries including Germany and Switzerland successfully passed mandatory licensing laws on the export of surveillance technology earlier this year, and in September the European Parliament agreed to a non-binding resolution calling for similar tech safeguards.

Japan’s Minister in charge of the Tokyo Olympic and Paralympic Games recently met with the head of the London Olympics organising committee, Sebastian Coe. The get-together aimed to share insights into the types of cyber-attacks tackled during the 2012 games and to communicate lessons learnt with the Tokyo 2020 organising committee. The meet follows the announcement that the Tokyo Metropolitan government will establish its own computer security incident response team (CSIRT) to assist in the protection of critical infrastructure in the lead-up to and during the games.

Chinese hackers behind the breach were motivated by a desire to understand how the US delivers health care, say insiders close to the investigation of the Anthem health insurance hack. The Chinese government has vowed to provide universal access to healthcare by 2020 but there’s widespread frustration domestically as to the quality, availability and cost of care. While Chinese intelligence agencies might have been interested in US government employee information, it’s believed that the theft of intellectual property and trade secrets was the main target for the infiltration. A US government official told the Financial Times, ‘Knowledge is power. How is it set up? What are they insuring? Why is this procedure covered but not that one? All of that is useful information.’

Last week Thai military chiefs publically called for the creation of a whole-of-government body to help ensure ‘cyber readiness’ at the national level. Special adviser to the permanent secretary for the Defence Ministry General Bunjerd Tientongdee warned that Thailand only maintained preparedness within the military and the Information and Communications Technology Ministry. Deputy chief of the Air Forces’ Cyber Warfare Division called for the creation of a ‘one-stop service’ to handle national cybersecurity issues. Earlier in the week Prime Minister General Prayut Chan-o-cha moved to distance Thailand’s military cyber set-up from the controversial ‘single gateway’ proposal after new questions were raised by the public surrounding the militaries involvement in domestic surveillance.