It’s time for another cyber scare.
“Many Australian organisations — 90 per cent of those surveyed — are experiencing some form of attempted or successful cybersecurity compromise, and that some are being targeted up to hundreds of times per day,” the Attorney-General George Brandis and Minister Assisting the PM for Cyber Security Dan Tehan said on Tuesday.
The “Australian Cyber Security Centre” had surveyed just over 100 people in the tech sector, they announced. “The survey demonstrates a high level of ability of organisations to prepare for and recover from cyber threats. However the continually changing threat environment means more needs to be done to prepare, adapt and detect potentially malicious activity.”
Like the poor (and terrorists), the “threat environment” will always be with us.
As Crikey has long pointed out, there’s a rich irony in the Australian government lecturing business about cybersecurity when, as a member of the “Five Eyes”, we’re part of the world’s worst cyber-criminal network, stealing economic and commercial information from not merely enemies but allies and neighbours for the benefit of our companies. But it’s no longer merely ironic; the cowboy antics of our spies are placing businesses at risk.
It’s long been known intelligence agencies are avid purchasers and producers of malware that exploits vulnerabilities in widely used IT systems and commonly used software, in addition to demanding — so far unsuccessfully, it appears — that IT companies give them some form of backdoor access to encrypted systems. The problem with any “backdoor” is that it can be stolen or lost by an agency, opening the relevant encrypted system up to intrusion by whoever gets hold of it — criminals, other intelligence agencies, terrorists, etc.
But that’s also the problem with hoarding vulnerabilities. Before Easter, the hacker group Shadow Brokers — which is possibly Russian-affiliated — dumped a load of National Security Agency malware that had been stolen from the ever-leakier electronic intelligence agency. Many of the tools revealed were for vulnerabilities in Microsoft’s operating systems, which, presumably because the NSA knew they had been stolen, had recently been fixed by the company. This follows a similar release recently by WikiLeaks of a trove of similar CIA malware.
A security agency genuinely concerned with protecting its nation’s companies and citizens from cyber threats would, when learning of a vulnerability, pick up the phone to Redmond, Cupertino or Mountain View and warn them — and not wait until they’ve been stolen from the vaults of the agency to do so. Instead, agencies like the NSA, and their friends here in the Australian Signals Directorate, hoard them for their own use, creating a double threat: not merely are they thereby extending the period in which users are vulnerable to malicious actors who have identified the same vulnerabilities, they are creating their own hacking target. The latest Shadow Brokers release, if only to the extent the WikiLeaks release might not have, confirms that security agencies can’t keep their hacking tools secure. Who knows who else has had access to the troves from the CIA and the NSA, apart from the Russians?
For Brandis and Tehan to parade as advocates for corporate cybersecurity isn’t merely ironic, it’s deeply hypocritical. Their own agencies make Australian businesses, and the rest of us, more vulnerable to hackers.