The ABC’s veteran long-form journalism vehicle Four Corners has had a cracking run of late, but it came to something of a halt in its recent report on cybersecurity. It’s not that Linton Besser’s report wasn’t any good; it was quality journalism, and as Stilgherrian noted in Crikey, in a rather poor market for quality Australian mainstream journalism on tech security issues, it was worth a look.
Indeed, it compared well to a lot of other cybersecurity reporting, which tends to be video versions of those “hacker” stock photos in which a man, inexplicably wearing a balaclava, sits hunched over a laptop (or, better yet, has removed his face entirely).
Rather, the episode, “Cyberwar”, shared the problem that plagued much of the reporting about the Australian Bureau of Statistics’ census debacle: that Australia is portrayed as an innocent victim of the evil plots of malicious online actors — most notoriously, Chinese hackers, who’ve now supplanted Russian organised crime as the great internet villain in the cybersecurity narrative.
There was at least one clue about this in Four Corners, however: the presence of General Michael Hayden, former head of the Central Intelligence Agency. Michael Hayden is responsible for at least 144 verified civilian deaths in CIA drone strikes, who presided over a regime of torture at the CIA about which he misled both to Congress and the public, and who lied publicly about the CIA’s extraordinary rendition program.
But for the purposes of Four Corners, he was something else: the former head of the National Security Agency during 9/11 and afterwards (and thus partly responsible for one of the greatest intelligence failures in US history), who, in the aftermath, commenced mass surveillance of American citizens and dramatically ramped up the NSA’s program — in co-operation with the UK, Australia, Canada and New Zealand — of global mass surveillance. Hayden’s actions regarding Americans were illegal, but he has never been prosecuted.
For all that, he is certainly an expert on cybersecurity, making a good living these days as a security consultant and technology company director — and advocating views that are utterly at odds with his own actions as head of the NSA, but are more convenient for the tech companies he now works with. Hayden was keen to push the standard narrative about cybersecurity, that Chinese hackers are a key threat, telling Besser:
“Where I’m really concerned and where I think Australians should be really concerned is the Chinese not attacking the Australian government or the American government; our governments should be able to defend themselves. Again, not shame on China, shame on us if they steal our secrets. It’s a really unfair fight though if a nation state like China attacks private enterprise in Australia again not for legitimate state espionage purposes, but for industrial and commercial advantage.”
That statement helps us to understand where this narrative goes wrong and why Four Corners missed the crucial context. Hayden is distinguishing between traditional espionage, which is “what adult nation states do to one another” and commercial espionage, which is somehow morally different. But is it an “unfair fight” if a nation state attacks private enterprise for industrial and commercial advantage?
Let’s ask the NSA itself: Hayden’s former agency systematically hacked — along with its British counterpart GCHQ — non-American software companies to obtain data and undermine online security, as well as breaking into the systems of major US online service providers like Google and forcing those companies to collaborate in their activities (later found to be illegal by a US court).
But the NSA’s attacks on private companies weren’t limited to the tech sector: it spied on Brazilian energy company Petrobras and collected information on French companies and economic activities (the French aerospace and defence sector is one of the most potent commercial rivals to the US military industrial complex); indeed, it is clear its brief definitely included industrial espionage against allied governments (including leaders of allied governments), private companies and individuals. Even Australia has played a role in the NSA’s industrial espionage, spying on Indonesian trade negotiators and relaying legally privileged information to the NSA for use by American “customers”.
Hayden’s spurious claim that we have the moral high ground against China on industrial espionage, however, is part of a longstanding denial by the NSA that its global surveillance is primarily about promoting US commercial interests rather than fighting terrorism. The Australian government peddles a similar lie, and even raided and harassed a former ASIS officer who revealed that Australia had bugged the East Timorese cabinet in order to obtain a commercial advantage for our companies in negotiations over the Timor Sea. In fact, we are exactly like the Chinese in using mass surveillance and targeted hacking for “industrial and commercial advantage”.
But surely that doesn’t undermine the ordinary narrative — we might be as bad as the Chinese, but they’re surely still a huge threat to us? Well, yes — no one ever suggested that wasn’t the case, and in any event, cybersecurity is important whether you’re concerned about state actors, or organised crime, or joyriding hackers. But who is the greater threat to us? Is it clear that the greater cyber threat comes from without, rather than the Five Eyes governments?
There are several ways in which mass surveillance by our own governments demonstrably harms us.
As Hayden so eloquently explained, undermining encryption by insisting on backdoors into every security product creates a “universal weakness” that “on balance that actually harms American safety and security.” Undermining encryption standards, as the NSA did on Hayden’s watch, does exactly the same thing, and in fact we now have an example of how the NSA’s tampering with encryption might have led to the hacking of US government systems, while the US standards body actually warned people not to rely on its own encryption standards in the wake of the initial Snowden revelations because they’d been undermined. Security agencies might like undermining encryption, but the real winners are hackers, criminals and foreign spies.
Poor storage of collected surveillance data
The only genuinely effective means of preventing the theft of personal data is not to keep it in the first place — time and again, both large companies and government agencies that hold large collections of personal data have been breached and information stolen (or sold by insiders) — or sometimes simply put data online by mistake. And once personal data is released, there’s no getting it back.
Abuse of collected data
We know that NSA staff used its vast surveillance systems to stalk women and spy on current and former partners, as well as listen to intimate phone calls purely for titillation. Such abuse — inevitable when large amounts of personal data are stored — happens at a lower level in Australia as well. An Australian Federal Police officer used police data to stalk a former partner, an apparently not infrequent occurrence at the state police level, including the sharing of information with other unauthorised, even criminal, parties.
The capacity of security agencies to obtain data via targeted or mass surveillance has been acknowledged by the UK government as having a chilling effect on the effective operation of the media. Security agencies obtaining journalists’ data to identify sources “could have a chilling effect on sources’ willingness to provide important information and undermine the press’ vital ‘public watchdog’ role and ability to provide accurate and reliable reporting”. Exactly this scenario is playing out in Australia currently as the AFP, at the behest of NBN Co, try to find out who embarrassed the Prime Minister by revealing what a debacle the NBN had become by raiding politicians and their staff and trying to obtain emails to journalists, on the pretext secret information has been shared. The current government’s mass surveillance laws now make it child’s play to obtain information to reveal journalists’ sources; the accessing of journalists’ metadata appears to be common in the US, despite the protections of the First Amendment.
Each of these are real ways in which Australians’ security and the wellbeing of our civil society are compromised by mass and targeted surveillance by our own security agencies. How much does the threat of Chinese industrial espionage stack up to these actual impacts? It’s time to reframe the way we view cybersecurity and understand that the threat lies as much within as from outside — perhaps more so.