“The term ‘cyber attack’ is well-entrenched within the information security community, where it is used to broadly describe malicious activity against a computer network or system. The broad adoption of the term has seen it often used in a sensationalist way — similar to ‘cyber war’, ‘cyber terrorism’ and ‘cyber weapons’ — with the term ‘attack’ generating an emotive response and a disproportionate sense of threat.”
Ah the irony! Fine words from the Australian Cyber Security Centre in its 2016 threat report, except that it represents the sector of government that has been relentlessly hyping cybersecurity threats for years, finally discovering that if you incessantly claim Australia is under attack from online actors, people start believing it and repeating it.
But ACSC might need to have a word with David Kalisch of the Australian Bureau of Statistics, which claimed that census night on August 9 was disrupted by an “attack”, or the Australian Prudential Regulatory Authority, which used the word over and over in its recent “Cyber Security Survey”, or the Department of Communications, or CERT, which once used the word 29 times in five pages. Or one of the journalists the minister’s office dropped this very report to ahead of its release, who used “attack” repeatedly in her short piece.
Trying to calm people down on “cyber attacks” wasn’t the only area where ACSC was downplaying threats. It appeared to go to some lengths to put some proportion into cybersecurity issues. On state actors, it offered “a range of states now have the capability to conduct cyber attacks against Australian government and industry networks. However, in the absence of a shift in intent — which could occur relatively quickly — a cyber attack against Australian government or private networks by another state is unlikely within the next five years.” And on targeting by terror groups, “it is unlikely terrorists will be able to compromise a secure network and generate a significant disruptive or destructive effect for at least the next two to three years”.
Inevitably, such efforts weren’t of interest to ministers or the media. “The government claims terrorists could be capable of launching a cyber attack on Australia ‘to destructive effect’ within three years,” insisted a Fairfax journalist. “Terrorists could be able to break into secure Australian government networks to wreak significant disruption or destruction within three years,” warned Cameron Stewart in The Australian (Stewart at least heeded the warning about using “attack”). To be fair, though, both journalists were accurately reflecting the claims of Dan Tehan, the new “Minister Assisting the Prime Minister on Cyber Security” (today giving PWC some publicity by playing their Game of Threats software in Parliament House), who misrepresented the report. “The ACSC estimates that within three years, terrorists will have the ability to compromise a secure network with destructive effect,” Tehan was reported as saying.
Yeah, no, minister.
It is, admittedly, refreshing that a government agency is looking to downplay cyber hysteria, even if the relevant minister is desperate to pump it up. Perhaps the ACSC was keen to differentiate this year’s report from last year’s, even if it basically says the same thing. The ACSC also, commendably, really has it in for Adobe Flash, devoting a section to the growing exploitation of Flash’s many vulnerabilities. But in other areas, the ACSC is engaged in the same game we always see from the intelligence and security agencies: blaming others for what they themselves do.
Take the threat of cyber espionage, for example, about which the ACSC warns “more and more foreign states have acquired or are in the process of acquiring cyber espionage capabilities”. And “cyber espionage impedes Australia’s competitive advantage in exclusive and profitable areas of research and development — including intellectual property generated within our universities, public and private research firms and government sectors — and provides this advantage to foreign competitors”.
The Australian Signals Directorate, which like CERT is part of the ACSC, presumably knows this perfectly well since it has listened in to Indonesian trade negotiators talking to their US lawyers about their negotiations with the US, and then handed the information on to the Americans, thus impeding Indonesia’s competitive advantage. And their colleagues in the NSA would know this very well, given they spied on Brazilian oil firm Petrobras.
Or there’s the threat to Australian government agencies. “Australian government networks are regularly targeted by the full breadth of cyber adversaries. While foreign states represent the greatest level of threat, cybercriminals pose a threat to government-held information and provision of services…” Again, ASD would know all about that given its attempts to listen in to the communications of the Indonesian President, his family and inner circle. And their friends in the NSA would know even better about it, given they tapped the communications systems of the leaders of most of the allies of the United States outside the Five Eyes.
Or there’s data retention, which worries the ACSC. “Australian networks that hold bulk personally identifiable information (PII) have been, and will continue to be, targeted by cyber adversaries. Organisations should carefully consider how much PII they really need to collect, how they protect it, who they share it with, and the expectations of individuals who are entrusting their PII.” Maybe ACSC should have had a word with its members ASIO and AFP, which pushed hard for data retention legislation despite being unable to offer any evidence that it would help fight terrorism or serious crime, creating a vast trove of personal data that will, inevitably, be stolen.
The theme of the ACSC report, it appears, is that when it comes to cyber “attacks”, do as we say, not as we do.