Tag Archive for: cyber security

Cyber wrap

Tony Abbott’s Telecommunications Sector Security Reforms continue to cause angst with major telco and tech firms. The proposed amendments to legislation including the Telecommunications Act and Telecommunications (Interception and Access) Act would force telcos to supply security agencies with details of proposed supplier arrangements and purchases, and give government the authority to veto purchases deemed to pose a threat to national security. Three major telco industry groups have developed a joint submission to the Attorney‑General criticising the reforms as unnecessary and disproportionate.

Meanwhile, more Australian companies are seeking insurance to mitigate the risks of a cyber incident, although brokers have warned that insurance cannot replace proper risk management practices. This advice is backed up by former GCHQ Director Sir David Omand and NSA chief Admiral Mike Rogers, who warned London city financial firms that even the most cyber secure companies must assume their cyber defences will be breached at some point.

Paul Coyer from Forbes has written a great piece discussing the dynamics of the US–China cyber relationship. Coyer points out that China’s behaviour in cyberspace and international cyber security discussions is driven by a deep sense of vulnerability in the face of America’s enormous technological advantage—a feeling that has grown as the full extent of the relationship between major US hardware and software firms and the NSA was revealed by Edward Snowden. China’s National Security Law and Cyber Security Law, discussed last week, are clearly informed by this insecurity, emphasising the principle of sovereignty in the information space and its links to national security.

The Hacking Team breach has highlighted existing concerns about the transfer of cyber surveillance technology across borders. Mari Batashevski has published a long piece on the role that Hacking Team and similar firms, often Israeli, play in installing and operating cyber surveillance systems in states like Uzbekistan and Kazakhstan. Back in May the US Commerce Department released draft regulations that require permits to export encrypted software and cyber surveillance technologies, based on principles agreed by Wassenaar Arrangement members (including Australia) in December 2013. Some US tech firms have criticised the proposed regulations as flawed.

This week brings news of another data spill from a very sensitive target. AshleyMadison, the infamous website for those seeking ‘something on the side’, fell victim to a group called the Impact Team. The hackers apparently took action because Avid Life Media—AshleyMadison’s parent company—was advertising a ‘full delete’ feature for customer profiles but failing to actually delete all the data. Whether the Impact Team were truly upset by AshleyMadison’s supposed shonkiness, or just wanted to take down a target that prominently touted its security and privacy protection credentials, is yet to be determined. Regardless, count it as another data spill that could prove awkward for many of its victims.

And finally our friends at CSIS have published a report on the development of cyber security regulations for the US financial industry.

Cyber wrap

This week kicks off with news that the UN GGE on Cybersecurity has produced a consensus document after their most recent meetings at the UN HQ in New York. In what’s a nice win for cyber stability, the document is said to include support for 11 norms or ‘rules of the road’. One previously proposed norm that was not included in the agreement was that nation states shouldn’t attack foreign private industry for domestic financial gain, with the decision made that such a norm would be better introduced via more economically-orientated forums. The decision on the applicability of international law to cyberspace, reached in the 2013 UNGGE report, was also re-affirmed. According to the State Department’s Michele Markoff, the nations agreed that the UN Charter ‘applies in its entirety, affirming the applicability of the inherent right to self-defence…, and noting the applicability of the law of armed conflict’s fundamental principles of humanity, necessity, proportionality, and distinction.’

The New York Times has produced a nice summary of what you need to know about China’s new cybersecurity law. The new document is significant as it lays out who holds the cyber power within the Chinese government. Unsurprisingly the document shows that Lu Wei and the Cyberspace Administration have a controlling power over cyber policy with responsibility for ‘planning and coordinating network security efforts and related supervision and management efforts.’ Many of the provisions in the document aren’t new, but collect various existing rules and legislation in a single national-level document.

The French government has reportedly joined the ranks of countries known to have tapped the SEA-ME-WE-3 submarine cable. The cable, which carries internet and telecommunications traffic from Europe to Australia, has been a target of Western signals intelligence agencies, with GCHQ said to be leading efforts amongst the Five-Eyes nations.

Over the ditch the NZ government has introduced the Harmful Digital Communications Act, which criminalises certain types of cyber bullying. This covers ‘truthful as well as false information and intimate visual recordings’ that are shared without permission and that cause harm. Penalties include fines of $50,000 for individuals and $200,000 for businesses with potential jail time depending on the severity of the crime.

Arun Mohan Sukumar has a good article on the dynamics of international cyber policy and internet governance within the BRICS countries. He argues that while the countries in the BRICS grouping have varied approaches to internet governance, they have a unique role to play in ‘calling out deficiencies in the present system’.

The Japanese Ministry of Internal Affairs and Communications has created an advisory council to draft a new cyber security policy for local governments, in response to a growing number of attacks targeting sub-national government institutions. The multistakeholder body has already held its first meeting, which was attended by the Minister for Internal Affairs and Communications, Sanae Takaichi.

Last week the Japanese government continued its already extensive regional capacity building efforts by sending a group of officials to Vietnam. The delegation, composed of officials from NISC and the Japan International Cooperation Agency (JICA) will assess cybersecurity practices and identify problems in the Southeast Asian country’s cyber set-up with an eye to further efforts down the line.

Caching Asia–Pacific cyber perspectives

Greetings from Kuala Lumpur! The ICPC team is in Malaysia seeking Asia–Pacific perspectives on the Global Conference on Cyber Space (GCCS) to be held in The Hague later this year. The GCCS is the fourth iteration of the International Cyberspace Conference process that began in London in 2011, with subsequent sessions in Budapest (2012) and Seoul (2013). This multistakeholder process aims to build a focused dialogue on principles for governing behaviour in cyberspace and set out a future agenda.

Despite representing 47.5 percent of global netizens and growing fast, the Asia–Pacific has long been underrepresented in international cyber discussions. As the world gathers in the Netherlands in April, it’s vital that the region’s distinct and diverse voices are represented.

GCCS 2015 will be built around several key objectives including the support of practical cooperation in cyberspace; promotion of capacity-building and expertise-exchange in cyberspace; and the discussion of norms for responsible behaviour in cyberspace. The key themes at the Hague conference will be cybersecurity, cybercrime, international peace and security, freedom and privacy, capacity-building, and social and economic growth. Those areas will help to shape the cyber ecosystem for years to come.

Cyber wrap

There’s been a wave of regional cyber policy activity in recent weeks. We’ll start in Singapore where the government launched a central agency to consolidate and centralise cybersecurity capabilities. The national Cyber Security Agency will begin operating on 1 April and is headed by David Koh, deputy secretary of technology at the Ministry of Defence. The agency falls under the Minister for Communications and Information, Yaacob Ibrahim, who’s been given the ministry in charge of cyber security. For those interested in a breakdown of staff and responsibilities, Irene Tham at The Straits Times provides a good overview. Meanwhile, Prashanth Parameswaran over at The Diplomat looks at the threat picture, industry collaboration, and building a more resilient regional cyber security regime in time for the ASEAN Community 2015.

China’s ‘cybersecurity review regime’ is generating significant anxiety in the US business community, particularly the high-tech and banking sectors. Paul Mozur in The New York Times explains how ‘the [Chinese] government has adopted new regulations requiring companies that sell computer equipment to banks to turn over secret source code and submit to invasive audits’. It’s not the first time China has promoted these types of policies. But Adam Segal at the Council on Foreign Relations argues that this time is different. First, the policy comes from the top—from the Central Leading Group for Cyberspace Affairs no less, which is chaired by President Xi Jinping, and includes Premier Li Keqiang and ideological linchpin Liu Yunshan. In addition, companies have been told they cannot opt out.

Cyber wrap

The use of social media by extremist groups continues to trouble policymakers and police forces across the globe. The sophisticated use of online platforms by groups such as ISIS has spurred governments in Europe to call on US tech companies to pre-emptively filter terrorist-related material. ‘Online jihad 3.0’ has drawn serious government concern about freedom of speech, as well as liability, and more creative solutions might be prudent. For instance, social media users in Japan have taken to mocking ISIS’ attempt to hijack Japanese hashtags following the kidnapping of two Japanese citizens.

Although its links to ISIS remain dubious, the self-proclaimed Cyber Caliphate has made Malaysia Airlines its latest high-profile victim by hacking the company’s website. While such attacks can be brushed off as a cosmetic inconvenience, the hacks can have serious consequences for a company’s bottom line and reputation, as well as for consumer confidence. More serious cases have included hacks of CENTCOM, the Tennessee Valley Authority, and the White House. And although directed at third or fourth party platforms, those attacks fed a fear of cyber vulnerability in the military and energy infrastructure. It’s critical that supply-chain and third-party cyber security is considered when assessing cyber risk, and such high-profile attacks highlight the tricky cost–benefit balance of trusting one’s public face to external platforms.

Down to business: Australia–China cyber relations

The Australia–China relationship has seen impressive positive momentum over the last year. In April 2014, Prime Minister Tony Abbott led a well-received trade mission to Beijing, and President Xi Jinping reciprocated with a visit to Canberra following November’s G20 summit in Brisbane. Addressing a joint sitting of Parliament, President Xi spoke of elevating the relationship into a ‘comprehensive strategic partnership’ and announced the conclusion of negotiations for the China–Australia Free Trade Agreement (ChAFTA). But the momentum doesn’t necessarily extend to cyber matters, where media headlines suggest only conflict. There’s no doubt that both China and Australia have serious disagreements over commercial cyber espionage, the Snowden revelations, and internet governance among other issues. But cyber isn’t an all-or-nothing issue. There’s room for constructive dialogue between China and Australia, as exemplified by the fact that the two countries have already held their first bilateral cyber dialogue.

Any discussion of China–Australia cyber cooperation needs to be realistic. We won’t agree on everything, but it’d be prudent to take a step back from the rhetoric of cyber war and cyber conflict. Australia isn’t the United States and it wouldn’t be sensible for it to pursue measures similar to the Department of Justice’s indictments of PLA officers or the US-China Commission’s recommendation to explore the use of sanctions in response to commercial cyber espionage. Instead Australia should engage with a focus on commonalities and with the aim of establishing practical, concrete avenues for engagement.

Cyber wrap

It’s been a busy week in cyber for ASPI with two publications calling for enhanced cyber cooperation under the auspices of the US–Australia alliance.

In the first, Preserving the Knowledge Edge, Stephan Frühling, James Goldrick and Rory Medcalf argue for a strengthening of the C4ISR relationship:

US–Australian C4ISR cooperation will be essential to the success of the US rebalance, but also to Australia’s own immediate security in a strategic environment in which more and more countries operate high-technology platforms that once used to be the preserve of Australia and its allies.

The priority is to make force structure adjustments that support a greater Australian contribution—with cyber capabilities a clear option.

Cyber review: deeds, not words

My ASPI International Cyber Policy Centre (ICPC) colleagues have been quick off the mark in response to the Prime Minister’s recent announcement of the review into Australian Cyber Security. They warn against a ‘cautious audit of existing structures’ and recommend the development of an ‘outward-facing cyber strategy…that addresses how we as a country want to act in a non-traditional strategic environment beyond our own making’.

While there’s little in the way of detail beyond the initial media release as to how the review will be conducted, or its terms of reference, two areas of concern stand out. First, the term ‘practical’ used in the media release—‘the review team will look for practical ways to improve Australia’s security’—may overly restrict the review team’s work. And second, the team might unnecessarily narrow their focus to e-commerce alone.

Australia: the coming cyber review and beyond

Make no little [cyber] plans. They have no magic to stir men’s blood and probably will not themselves be realized.

This morning at the much-anticipated opening of the Australian Cyber Security Centre (ACSC), Prime Minister Tony Abbott announced a review into Australian cybersecurity. The review is intended to assess Australia’s current cybersecurity arrangements relating to the security of government information and communications in addition to the security of businesses and individuals.

The fact that the Prime Minister is giving the issue such direct attention is certainly encouraging. When coupled with the ramp-up to the ACSC launch and the Australian Cybercrime Online Reporting Network (ACORN) roll-out yesterday it shows that there’s significant momentum on cyber issues in Canberra.

Also promising is that the review will look at how to expand interaction with the private sector and draw on the expertise of an independent external panel. Top-level support and stakeholder engagement are the hallmarks of a solid policy process, which has been disjointed in the five-year gap since the last Australian Cyber Security Strategy.

Australia and great power cyber strategy after APEC

Last week’s APEC forum was a game played with a smile. To recall advice Churchill gave to his officers, ‘if you can’t smile, grin. If you can’t grin, keep out of the way until you can.’ So, despite lingering mistrust—and expectations of a ‘shirtfront’—world leaders smiled together.

One of the big omissions at APEC was progress on US–China cyber relations. That came as a surprise, as both US national security advisor Susan Rice and deputy Ben Rhodes had signalled prior to the Obama-Xi meeting that cybersecurity would be a major talking point. Any meaningful discussion was largely overshadowed by the climate change agreement (positive as it was). The most Obama stressed about cybersecurity was the ‘importance of protecting intellectual property as well as trade secrets, especially against cyber-threats.’ There may have been a breakthrough in their half-day discussion, but it’s unlikely.

Also explaining the lack of progress is that, in the weeks leading up to the meeting, the US began to pressure China on its cyberespionage activity, causing China to back away from the table. The FBI released a private warning to the tech industry about a group of Chinese government hackers running a campaign to steal data. That coincided with the release of a report by cybersecurity researchers, who allege that a state-led group, dubbed ‘Axiom’, is operating in areas of ‘strategic economic interest’. Furthermore, the US Postal Service and the federal weather service—the National Oceanic and Atmospheric Administration—both confirmed that Chinese hackers had breached their networks.