So, more of the same corporate media reporting of cybersecurity from Four Corners last night. Journalists misunderstanding “hacking”? Check. Wildly overstating the incidence and impact of “hacking”? Check. Treating consultants from the cybersecurity industry and national security apologists as independent experts? Check. Terms like “cyber war” being thrown around? Check. China being blamed? Check.
In short, a cybersecurity executive’s dream.
The only solid material to emerge from the report was what anyone who works in IT already knew: some companies and government departments fail to do the basics of IT security, from using decent passwords (or at least change them from the factory default), keeping up-to-date with software patches, and not having confidential material on publicly-available servers. This is less “cyberwar” than the equivalent of leaving your front door unlocked so opportunist thieves rob you instead of going somewhere a little easier.
Much was made of the purported “theft” (actually, copying) of plans for ASIO’s headquarters from a building contractor by, seemingly, Chinese hackers.
Espionage for commercial, political or military purposes of course never happened before the internet; in the analog world, no country ever spied on another; no companies devoted resources to stealing ideas or technology from other companies. Only since we could go online have spies been busy trying to steal each other’s secrets.
But who actually copied the plans?
According to former US security officials, the National Security Agency — which hoovers up 2 petabytes of information from around the world every hour — disguises its data theft as … hackers from China, in case it’s detected. You see, on the internet, no one knows you’re an NSA employee.
Obsessed like the corporate media is about Chinese hacking, Four Corners’ Andrew Fowler didn’t understand enough about cybersecurity to question the narrative being fed to us by governments and companies.
Another question: why is the ASIO building plan so secret? When the Howard government first considered the construction of what would eventually become a grossly over-budget and long-delayed monstrosity, Phillip Ruddock as attorney-general moved the project out of the normal Public Works Committee process, ensuring no public oversight of the inflated project (the $460 million budget has become a $630 million cost). The only oversight has come via Senate Estimates, where getting information from ASIO on the building has been like pulling teeth.
As it turns out, poor IT security on a contractor’s laptop has meant the American, or the Chinese, or some joyriding hacker doing the equivalent of trying doors to see what was unlocked, knew more about the project than the taxpayers paying for it.
All that on a night when the really interesting cybersecurity revelation came when Prime Minister and Cabinet’s attended Senate Estimates. Officials from the Cyber Policy and Homeland Security Division — the area charged with oversight of cybersecurity issues — were asked by Greens Senator Scott Ludlam if they’d heard of Tor, the routing system that enables users to communicate online anonymously, which is probably the single most widely-used anonymisation mechanism used in the world. No, never heard of it, officials replied.
So the officials advising the Prime Minister on cybersecurity aren’t even aware of one of the most commonly used mechanisms for avoiding government internet surveillance.
Perhaps that’s a good thing.