The agencies dedicated to "protecting our secrets" are insisting on a password security method that even the Daily Mail knows is nonsense, writes John Quiggin.
I recently had to log in to the website of an Australian government agency with which I deal from time to time. To my surprise, I was presented with a message saying that my password had expired and that, under a new security policy, passwords expire every 90 days and must contain a mixture of alphanumeric and special characters (this is called a composition rule).
You don’t need to be a cybersecurity expert to know that this is nonsense. Comics like Xkcd have been mocking special character passwords for years. As is well known, a long but easily memorable string of dictionary words like “
The problems of regularly changing passwords have regularly been discussed in the computer press. Back in April 2016, the US National Institute of Standards and Technology (NIST) came up with new guidelines responding to studies of how people actually use passwords. Among the most important guidelines were “No composition rules” and “No more expiration without reason.” To quote the Sophos security site, “The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.” Anyone who paid attention knew all this years ago. But the coup de grace came with the widely published admission, a week ago, by Bill Burr, the person who invented these rules, that they were wrong and made computers less secure. By this point even the readers of the Daily Mail are in on the joke.
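To make the contrast concrete, here is an added illustration (not part of Quiggin's piece): a checker implementing the composition-plus-90-day-expiry policy the agency imposed beside a NIST SP 800-63B-style policy (length floor, blocklist of common or breached passwords, no composition rule, reset only on evidence of compromise). The blocklist, the candidate passwords and the dates are constructed for the demo.

```python
import re
from datetime import date, timedelta

# Constructed stand-in for a common/breached-password list. A real deployment
# checks against a large breach-derived corpus, compared case-insensitively.
BLOCKLIST = {"password", "password1", "p@ssw0rd1", "welcome1!", "qwerty123!"}


def composition_policy(password: str, last_changed: date, today: date) -> dict:
    """The policy the article describes: four character classes plus 90-day expiry."""
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    meets_rule = len(password) >= 8 and all(re.search(c, password) for c in classes)
    expired = (today - last_changed) > timedelta(days=90)
    return {"accepted": meets_rule, "must_reset": expired}


def nist_style_policy(password: str, compromised: bool = False) -> dict:
    """NIST-style policy: 8-64 characters, not on the blocklist, no composition
    rule, and a reset is forced only when the password is known to be compromised."""
    long_enough = 8 <= len(password) <= 64
    blocked = password.lower() in BLOCKLIST
    return {"accepted": long_enough and not blocked, "must_reset": compromised}


def compare_policies(candidates, last_changed: date, today: date) -> dict:
    """Verdicts from both policies for each candidate password."""
    return {
        pw: {
            "composition": composition_policy(pw, last_changed, today),
            "nist_style": nist_style_policy(pw),
        }
        for pw in candidates
    }


def demo_verdicts() -> dict:
    """Constructed scenario: passwords last changed four months before 'today'."""
    today = date(2017, 8, 15)
    set_on = today - timedelta(days=120)
    # "P@ssw0rd1" satisfies every character-class rule yet sits on the blocklist;
    # the four-word passphrase (constructed, not the article's example) fails the
    # composition rule but is long and not a known-bad value.
    return compare_policies(["P@ssw0rd1", "purple giraffe ladder teacup"], set_on, today)


if __name__ == "__main__":
    for pw, verdict in demo_verdicts().items():
        print(f"{pw!r}: {verdict}")
```

The composition policy accepts the blocklisted value and forces a calendar reset; the NIST-style policy rejects it and accepts the passphrase with no reset pending.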
I could deal with my own password problem easily enough. There are lots of apps on the market that manage passwords and generate them so as to satisfy even the silliest composition rules (I use 1Password). But lots of users don’t have these apps and will adopt insecure practices like writing down the password on a sticky label.
So, in the spirit of “if you see something, say something”, I wrote to the agency in question, advising that its security practices were out of date. I assumed that the policy had been imposed by a technologically illiterate senior manager and that a client complaint might lead to some action.
Imagine my surprise when the agency wrote back to inform me that they had no choice in the matter. The new (in)security policy had been imposed across the entire Australian government by our chief cyberintelligence agency, the Australian Signals Directorate (snappy slogan “Reveal their secrets, protect our own”).
In May 2016, shortly after the NIST repudiated password expiry and composition rules, the ASD came up with a 300-page Information Security Manual, including (on p. 193 for those interested), the requirements for 90-day expiry and a complex composition rule.
Given that ASD is our representative in the “Five Eyes” Anglospheric intelligence agreement, I would have expected it to have access to the best available advice from the US. But apparently, they don’t even read the trade press.
I haven’t read the rest of the manual and wouldn’t be qualified to assess it in any case. But if the agency responsible for our national cybersecurity is mandating policies that are too silly for the Daily Mail, it seems unlikely that we can place much faith in the advice our government is receiving on more significant issues like data retention and the exploitation of security vulnerabilities by intelligence agencies seeking to “reveal their secrets”.
We might all be focused on cybersecurity, hackers and other malign online actors, but one shouldn’t forget the biggest threat to privacy is one’s own government.
Plenty of Swedes are discovering that today after a remarkable security breach during the privatisation of the IT system of the Swedish Transport Agency was revealed. The breach happened in 2015, when the outsourcing process at the agency meant many of the records related to both military vehicles and people with protected identities were openly available to IT workers in eastern Europe. Details on security planning might also have been made available.
“What happened in the transport agency is a disaster. It is extremely serious,” the Swedish Prime Minister said yesterday. The outsourcing company, IBM, was not responsible for the breach. Instead, according to a BBC report, the Director-General of the Transport Agency, Maria Agren, who has since left, decided at the time of the privatisation to ignore Sweden’s National Security, Personal Data and Publicity and Privacy Acts. Agren has since been fined the equivalent of $8000.
The breach demonstrates that agencies ostensibly unrelated to national security can pose a significant threat to it. In 2015, the US Office of Personnel Management (OPM) was hacked by the Chinese government, with personnel data on over 20 million Americans stolen. The OPM did security clearances for the federal government — but didn’t handle clearances for military or intelligence workers. Except, problematically, many workers in both defence and intelligence agencies have often worked, or rotated into and out of, non-defence and intelligence agencies elsewhere in the US government, meaning their details would have been in the vast quantities of data downloaded in Beijing.
The hack of the OPM turned out to have been caused by the fact that its IT systems were antiquated because the US government hadn’t bothered funding it properly for years. In December 2016, the General Services Administration which provides admin, HR and IT services for a number of agencies including OPM, announced it was outsourcing its IT services. The winner of the contract? IBM.
Jul 5, 2017
It's time for a dose of reality on cybersecurity ...
Today we’re splashing the red ink, as it were, for this candid, bona fide, honest and exclusive interview on cybersecurity with Prime Minister Malcolm Turnbull. NB: Quotes, the names of people giving the quotes, and many of the core and peripheral details have been changed — and, indeed, whole paragraphs fabricated — for reasons of cybersecurity and of mainstream media-related peer pressure:
Prime Minister Malcolm Turnbull will urge Donald Trump to demand that American tech companies make everyone in the online world less safe, while not having any impact on terrorism.
Turnbull will join the leaders of Britain and Germany in a display of national security theatre at this week’s G20 summit. “This whole issue is a massive one,” he said exclusively. “We need to dramatically weaken internet security, to make sure that the world’s worst online actors — organised crime, Russia, China, pedophile rings, terrorists — can get access to any encrypted system.”
In this exclusive interview, Turnbull dismissed critics who pointed out every single terrorist in the West was already known to security agencies well before they acted, instead insisting that making sure no one could email, text, do their banking, engage in e-commerce, play an online game or share information without being vulnerable to attack was crucial to stopping terrorism.
“As we’ve seen in the most recent wave of ransomware attacks,” Turnbull told us exclusively, “which originated in software acquired by the National Security Agency, governments are highly effective at developing and giving decryption tools to organised crime to break into commonly used IT systems. We want to extend that to everything on the internet.”
Security agencies backed the Prime Minister’s push to raise cyber. “There used to be a mistaken view that we could have decryption and backdoor access that magically only worked if they were used by Five Eyes agencies and their allies, and that we could keep that secure,” a senior intelligence agency official said. “Fortunately, we now understand that that’s false — what we have to do is make it impossible for anyone to use the internet safely — including ourselves — by getting access to encrypted communications and distributing them to anyone who wants to use them.”
Turnbull noted — exclusively — that terrorist groups had already developed their own encrypted communications systems to prevent counter-terror agencies from gaining access. “But that’s not the point — the point is to pretend to be doing something about terrorism. And making everyone on the internet vulnerable to hacking is a small price to pay for the political benefits of being seen to be tough.”
“Look at both Tony Abbott and myself — portraying ourselves as tough on terror has worked wonders for our electoral popularity.”
The push to ensure no one can use the internet safely would necessitate a series of new laws, the Prime Minister explained in an exclusive interview. “We’ll have to ban IT companies from developing any new encryption software, and ban hardware manufacturers from allowing it on their devices. We’ll also have to prevent access to open-source software so people don’t develop their own encryption, and prevent any encryption research from being conducted in our countries. We think it’s very workable and fits well with our focus on agility, innovation and start-ups in the burgeoning tech sector.”
Turnbull, speaking exclusively, noted that, as a former investment banker, he was particularly looking forward to organised crime and malicious state actors attacking the world’s financial systems using decryption methods. “Encryption is used everywhere online. That’s the beauty of it. And we’re determined to make everyone — every internet user, every business that operates online — less safe.”
Finally, did we mention this was an exclusive?
Jun 30, 2017
Cybersecurity agencies like the Australian Signals Directorate make us less safe with their determination to engage in cyber "offence".
Cybersecurity minister Dan Tehan
When it comes to cybersecurity, it seems, Australians can engage in macho posturing with the best. As the most recent outbreak of ransomware, Petya, circulates around the globe, our government was assembling a new division of cyber warriors. “An unprecedented legal directive,” wrote The Australian’s ever-amusing Simon Benson, would allow the Australian Signals Directorate to “shut down and destroy foreign criminal networks, including those responsible for recent global ransomware attacks”. Those attacks, Benson noted, “shut down a Cadbury’s factory in Tasmania”.
Mess with our chocolates, at your peril, hackers!
In an “exclusive”, at the ABC, we had a similar story. “A new information warfare unit … will be tasked with defending Australian military targets from cyber attacks and preparing to launch its own assaults on foreign forces.”
Meantime, cybersecurity minister Dan Tehan was calling the ransomware attacks a “wake-up call”.
“We are in contact with our Five Eyes partners … It appears to be the same vulnerability as Wannacry,” Tehan said on Wednesday, referring to the previous major ransomware attack in May. Tehan called that attack a “wake-up call”, too. In fact, virtually every cyber attack is called a “wake-up call”, stretching back decades, as NPR noted in the US.
If it was a genuine wake-up call, Tehan would acknowledge that it is our “Five Eyes partners” who are to blame for both Wannacry and Petya, because both use a vulnerability in a Microsoft operating system that the NSA either discovered for itself or purchased, and then kept quiet about, rather than alerting Microsoft about the flaw. The NSA, presumably, thought it too useful for its commercial espionage to bother alerting Redmond that there was a serious problem in its software. Until, that is, someone stole it from the NSA, and the NSA belatedly decided it might be a good idea to contact Microsoft and tell them to patch it.
The problem with this macho posturing stuff on cybersecurity is that it simply repeats exactly that cycle. How will the ASD “destroy foreign criminal networks”, especially those with the gall to go after our lollies? Why, using vulnerabilities discovered by the Five Eyes network or purchased by them, and then hoarded, rather than fixed. Inevitably, those vulnerabilities will be stolen from agencies, just like the NSA’s and CIA’s troves of vulnerabilities have been stolen, or they’ll be discovered by foreign agencies or criminals, and because they haven’t been fixed, exploited by them as well.
The ASD, along with its counterparts at the NSA, and at GCHQ, and in Canada and New Zealand, makes us all less safe with their approach to cybersecurity. That is the wake-up call. But we’re too busy talking rubbish about cyber wars to hear it.
Jun 29, 2017
Ransomware attacks have been on the rise over the last three years and can affect anyone at any time, writes Crikey intern Will Hogan.
A ransomware cyber attack is currently targeting Australian businesses, following attacks on major firms and companies across Europe and the US. The Tasmanian Cadbury chocolate factory’s computer system was struck by the cyber attack, known as “NotPetya”, which “locks down” (i.e. renders useless) a given computer until the owner/user of that computer pays a ransom of bitcoin currency into a given account.
Workers at the Cadbury factory have been unable to continue normal operations as the virus has affected the entire system. Cadbury’s parent company Mondelez described the cyber attack as a “global IT outage”.
Australian staff from the global law firm DLA Piper received a text message from their head office warning them against logging into their computers and advising they should only communicate via mobile phone to avoid further spreading (international offices of DLA Piper had already been exposed to the virus overnight, so the Australian office is expected to be hit next). The malware comes after the “WannaCry” virus spread across 150 countries last month.
What exactly are these viruses? And how damaging can they be?
What is ransomware?
Ransomware is a type of malware that gets into a computer, taking control of the entire system and data until a ransom is paid. Ransomware encrypts the data on the computer with a key that only the attacker knows. A message then pops up on the computer screen demanding payment or the ransomware will remain. Authorities are saying paying the ransom has not actually been proven to eradicate the ransomware and are warning those whose computer systems have been affected to not hand over any money.
Cybersecurity expert and former head of Microsoft’s threat intelligence analysis Sergio Caltagirone told Crikey: “Ransomware is usually delivered via email but users can also be infected by visiting unsavoury websites.”
What do the people behind these ransomware viruses want?
The viruses come all wrapped in a bow along with a polite request/demand for a ransom to be paid in the relatively new cryptocurrency bitcoin. The message on the screen of the corrupted IT systems of the Cadbury factory in Hobart supplied to an ABC news presenter asks the user to follow instructions to “recover all your files safely and easily”:
1. Send $300 worth of Bitcoin to following address: 1Mz7153MuxXTur2Rit78mGSdzaAtNbBWX.
2. Send your Bitcoin wallet ID and personal installation key to e-mail email@example.com.
If you have already purchased your key, please enter it below.
Is there anything that can be done to protect your computer?
Ensuring your computers are patched and regularly backed up is crucial in recovering from the attack. The nature of ransomware is that attacks are random, therefore users should back up data on another device to avoid losing files. Caltagirone stressed “every person and every company should be doing this now — not tomorrow”.
Why are these attacks happening now?
Ransomware attacks have been on the rise over the past three years and can affect anyone at any time. Cyber criminals are increasingly aware of how lucrative ransomware attacks can be, with many users seemingly willing to pay the ransom in the attempt to recover their files. Caltagirone says ransomware is a money-maker and “there is significant incentive for criminals to enter and expand this market”. However, other cybersecurity specialists have suggested the “ransom” part of this ransomware was actually just a stalking horse for malware whose primary function was to damage IT systems, not to extort money.
Are they co-ordinated?
At this stage, it has not been confirmed that the various attacks are linked. Last month’s WannaCry virus was similar in nature with the ransomware virus asking users to pay a sum of bitcoin or else their files would be deleted forever.
Can files be recovered after attacks?
The recovery success of encrypted files is uncertain. Cyber criminals usually provide an encryption key if the ransom is paid; however, there is no incentive for the attackers to hand over the key once payment is made. Authorities and cybersecurity experts are warning users to never pay the ransom amount. Caltagirone said: “By paying the ransom it emboldens others to conduct this activity and there is no guarantee that the criminal will unlock the files.”
Apr 20, 2017
By collecting and using vulnerabilities in widely used software, our own intelligence agencies pose a double threat to business -- while governments preach cybersecurity.
It’s time for another cyber scare.
“Many Australian organisations — 90 per cent of those surveyed — are experiencing some form of attempted or successful cybersecurity compromise, and that some are being targeted up to hundreds of times per day,” the Attorney-General George Brandis and Minister Assisting the PM for Cyber Security Dan Tehan said on Tuesday.
The “Australian Cyber Security Centre” had surveyed just over 100 people in the tech sector, they announced. “The survey demonstrates a high level of ability of organisations to prepare for and recover from cyber threats. However the continually changing threat environment means more needs to be done to prepare, adapt and detect potentially malicious activity.”
Like the poor (and terrorists), the “threat environment” will always be with us.
As Crikey has long pointed out, there’s a rich irony in the Australian government lecturing business about cybersecurity when, as a member of the “Five Eyes”, we’re part of the world’s worst cyber-criminal network, stealing economic and commercial information from not merely enemies but allies and neighbours for the benefit of our companies. But it’s no longer merely ironic; the cowboy antics of our spies are placing businesses at risk.
It’s long been known intelligence agencies are avid purchasers and producers of malware that exploits vulnerabilities in widely used IT systems and commonly used software, in addition to demanding — so far unsuccessfully, it appears — that IT companies give them some form of backdoor access to encrypted systems. The problem with any “backdoor” is that it can be stolen or lost by an agency, opening the relevant encrypted system up to intrusion by whoever gets hold of it — criminals, other intelligence agencies, terrorists, etc.
But that’s also the problem with hoarding vulnerabilities. Before Easter, the hacker group Shadow Brokers — which is possibly Russian-affiliated — dumped a load of National Security Agency malware that had been stolen from the ever-leakier electronic intelligence agency. Many of the tools revealed were for vulnerabilities in Microsoft’s operating systems, which, presumably because the NSA knew they had been stolen, had recently been fixed by the company. This follows a similar release recently by WikiLeaks of a trove of similar CIA malware.
A security agency genuinely concerned with protecting its nation’s companies and citizens from cyber threats would, when learning of a vulnerability, pick up the phone to Redmond, Cupertino or Mountain View and warn them — and not wait until they’ve been stolen from the vaults of the agency to do so. Instead, agencies like the NSA, and their friends here in the Australian Signals Directorate, hoard them for their own use, creating a double threat: not merely are they thereby extending the period in which users are vulnerable to malicious actors who have identified the same vulnerabilities, they are creating their own hacking target. The latest Shadow Brokers release, if only to the extent the WikiLeaks release might not have, confirms that security agencies can’t keep their hacking tools secure. Who knows who else has had access to the troves from the CIA and the NSA, apart from the Russians?
For Brandis and Tehan to parade as advocates for corporate cybersecurity isn’t merely ironic, it’s deeply hypocritical. Their own agencies make Australian businesses, and the rest of us, more vulnerable to hackers.
Oct 14, 2016
Already in trouble for trying to expand his power, Attorney-General George Brandis is now demanding the right to personally vet security researchers.
Beleaguered Attorney-General George Brandis, under fire for attempting to personally control access to the country’s second law officer, has made another grab for power under the guise of amending Australia’s Privacy Act, handing himself the right to personally approve “white hat” hackers testing whether government agencies have sufficiently rigorously anonymised public data.
As Crikey reported two weeks ago, Brandis suddenly announced new laws aimed at deterring re-identifying individuals in de-identified public data — coincidental with the Health Department withdrawing a major database of public health information because it had been insufficiently anonymised. The ease with which census data could be re-identified was also a serious concern relating to the Australian Bureau of Statistics’ decision to turn the census into a lifelong individual data set.
A key problem with Brandis’ proposal was how academic researchers and “white hat” hackers concerned about privacy would be protected when they tested de-identified datasets: if they discovered, as University of Melbourne IT security specialist Vanessa Teague did about the health data, that it has not been sufficiently rigorously de-identified, they could find themselves in breach of the new laws — and even more so if they informed anyone.
The problem has partly been addressed in the bill unveiled this week by excluding people employed by bodies releasing data. And people who discover that information can be re-identified will be required to inform the relevant agency as soon as practicable (IT News‘s Allie Coyne has a good discussion of the bill). However, rather than provide an exemption for academics or good-faith researchers testing to see whether government departments have done their job of properly de-identifying data, Brandis has decided to give himself the power to decide who gets exempted and who does not:
“The Minister may determine that an entity, or an entity included in a class of entities, is an exempt entity for the purposes of one or more of sections 16D, 16E and 16F in relation to one or more purposes specified in the determination, if the Minister is satisfied it is in the public interest to do so.”
In effect, Brandis is establishing a system in which academics or other researchers will have to approach him for personal vetting in advance to check if government departments have done their job properly. Almost inevitably, that information would be passed to the security officials, who could decide to place such people under surveillance. And who would trust the Attorney-General, for example, to exempt someone who expressed an intention to test data released by his own department?
It continues one of the themes of Brandis’ disastrous reign as Attorney-General, his attempt to garner power for himself wherever he can. His attempt to restrict access to the Solicitor-General on his personal authorisation has led to revelations he misled Parliament and has been shopping for legal advice. His response to criticism about the “Special Intelligence Operation” provisions of the government’s expansion of ASIO’s powers aimed at jailing journalists for reporting on intelligence activities was to order the Commonwealth Director of Public Prosecutions to obtain his personal permission to prosecute journalists. The Independent National Security Legislation Monitor called for a complete overhaul of the section to dramatically curtail the threat to journalists but, despite Brandis ostensibly committing to implement that recommendation in February, the section remains unamended.
Brandis’ mass surveillance legislation also gave him extraordinary powers in relation to data retention; the act gave Brandis the personal power to issue “journalist information warrants” for the interception of journalists’ metadata, rather than an independent judicial figure as is normally required for warrants. Brandis also gave himself the power to add agencies to the list of bodies that could access metadata.
It’s a vast amount of self-awarded power for a man who demonstrably understands virtually nothing about the internet.
Oct 13, 2016
Despite an unusual effort to downplay cybersecurity risks, the Australian Cyber Security Centre's latest threat report was the basis for the usual scaremongering.
“The term ‘cyber attack’ is well-entrenched within the information security community, where it is used to broadly describe malicious activity against a computer network or system. The broad adoption of the term has seen it often used in a sensationalist way — similar to ‘cyber war’, ‘cyber terrorism’ and ‘cyber weapons’ — with the term ‘attack’ generating an emotive response and a disproportionate sense of threat.”
Ah the irony! Fine words from the Australian Cyber Security Centre in its 2016 threat report, except that it represents the sector of government that has been relentlessly hyping cybersecurity threats for years, finally discovering that if you incessantly claim Australia is under attack from online actors, people start believing it and repeating it.
But ACSC might need to have a word with David Kalisch of the Australian Bureau of Statistics, which claimed that census night on August 9 was disrupted by an “attack”, or the Australian Prudential Regulatory Authority, which used the word over and over in its recent “Cyber Security Survey”, or the Department of Communications, or CERT, which once used the word 29 times in five pages. Or one of the journalists the minister’s office dropped this very report to ahead of its release, who used “attack” repeatedly in her short piece.
Trying to calm people down on “cyber attacks” wasn’t the only area where ACSC is downplaying threats. It appeared to go to some lengths to put some proportion into cybersecurity issues. On state actors, it offered “a range of states now have the capability to conduct cyber attacks against Australian government and industry networks. However, in the absence of a shift in intent — which could occur relatively quickly — a cyber attack against Australian government or private networks by another state is unlikely within the next five years.” And on targeting by terror groups, “it is unlikely terrorists will be able to compromise a secure network and generate a significant disruptive or destructive effect for at least the next two to three years”.
Inevitably, such efforts weren’t of interest to ministers or the media. “The government claims terrorists could be capable of launching a cyber attack on Australia ‘to destructive effect’ within three years,” insisted a Fairfax journalist. “Terrorists could be able to break into secure Australian government networks to wreak significant disruption or destruction within three years,” warned Cameron Stewart in The Australian (Stewart at least heeded the warning about using “attack”). To be fair, though, both journalists were accurately reflecting the claims of Dan Tehan, the new “Minister Assisting the Prime Minister on Cyber Security” (today giving PWC some publicity by playing their Game of Threats software in Parliament House), who misrepresented the report. “The ACSC estimates that within three years, terrorists will have the ability to compromise a secure network with destructive effect,” Tehan was reported as saying.
Yeah, no, minister.
It is, admittedly, refreshing that a government agency is looking to downplay cyber hysteria, even if the relevant minister is desperate to pump it up. Perhaps the ACSC was keen to differentiate this year’s report from last year’s, even if it basically says the same thing. The ACSC also, commendably, really has it in for Adobe Flash, devoting a section to the growing exploitation of Flash’s many vulnerabilities. But in other areas, the ACSC is engaged in the same game we always see from the intelligence and security agencies: blaming others for what they themselves do.
Take the threat of cyber espionage, for example, about which the ACSC warns “more and more foreign states have acquired or are in the process of acquiring cyber espionage capabilities”. And “cyber espionage impedes Australia’s competitive advantage in exclusive and profitable areas of research and development — including intellectual property generated within our universities, public and private research firms and government sectors — and provides this advantage to foreign competitors”.
The Australian Signals Directorate, which like CERT is part of the ACSC, presumably knows this perfectly well since it has listened in to Indonesian trade negotiators talking to their US lawyers about their negotiations with the US, and then handed the information on to the Americans, thus impeding Indonesia’s competitive advantage. And their colleagues in the NSA would know this very well, given they spied on Brazilian oil firm Petrobras.
Or there’s the threat to Australian government agencies. “Australian government networks are regularly targeted by the full breadth of cyber adversaries. While foreign states represent the greatest level of threat, cybercriminals pose a threat to government-held information and provision of services…” Again, ASD would know all about that given its attempts to listen in to the communications of the Indonesian President, his family and inner circle. And their friends in the NSA would know even better about it, given they tapped the communications systems of the leaders of most of the allies of the United States outside the Five Eyes.
Or there’s data retention, which worries the ACSC. “Australian networks that hold bulk personally identifiable information (PII) have been, and will continue to be, targeted by cyber adversaries. Organisations should carefully consider how much PII they really need to collect, how they protect it, who they share it with, and the expectations of individuals who are entrusting their PII.” Maybe ACSC should have had a word with its members ASIO and AFP, which pushed hard for data retention legislation despite being unable to offer any evidence that it would help fight terrorism or serious crime, creating a vast trove of personal data that will, inevitably, be stolen.
The theme of the ACSC report, it appears, is that when it comes to cyber “attacks”, do as we say, not as we do.
New amendments to the Privacy Act announced yesterday by the Attorney-General George Brandis to protect the security of anonymised data could have the perverse effect of making it harder to uncover flaws in anonymisation and encryption techniques.
Brandis yesterday announced that the government would be amending the Privacy Act to “create a new criminal offence of re-identifying de-identified government data. It will also be an offence to counsel, procure, facilitate, or encourage anyone to do this, and to publish or communicate any re-identified dataset.”
Re-identification is the process of using anonymised data that has been released by public authorities to match it up to individuals within the group — either through exploiting the linkage key used to structure the data or using other data to narrow down the likelihood of a single data point belonging to an identified individual.
While Brandis said the prompt for the change was a Senate health committee report, it appears to have been due to the uncovering of serious flaws in a recently released Medicare and Pharmaceutical Benefits Scheme dataset that allowed re-identification of individuals. The flaws were discovered by the University of Melbourne IT security specialist Vanessa Teague at the Department of Computing and Information Systems.
De-identification has also been controversial given the Australian Bureau of Statistics’ decision to transform the census into an ongoing personalised longitudinal document for every citizen using names, addresses and data linkage keys. As Crikey and others explained, it can be trivially easy to re-identify data that has been de-identified, making the ABS’ new approach very risky from a privacy point of view. Privacy Commissioner Timothy Pilgrim has also warned of the need to ensure notionally de-identified data is treated as carefully as private information.
Brandis’ amendments would outlaw efforts to do that to Commonwealth datasets — such as the census, or health records. So all good? Well, to an extent, yes. A legislative prohibition is backed by public health experts in the US as one way of addressing concerns about the risk of de-anonymisation.
But there’s a very real risk that any prohibition will also prevent people — such as Teague and her colleagues — from identifying flaws in de-identification methods, or communicating those flaws once they discover them. This already happens to some white-hat hackers who subject commercially available software and corporate and government systems to penetration testing.
While some major companies offer rewards for people who spot and pass on security vulnerabilities, some hackers find themselves prosecuted for revealing potentially highly damaging flaws. The definition of “counsel, procure, facilitate, or encourage” would accordingly need to be drafted to exclude legitimate testing and sharing of, for example, flaws in the statistical linkage keys employed by the ABS. As online rights group Digital Rights Watch said this morning:
“The specific wording of ‘counsel, procure, facilitate or encourage’ will need to be framed carefully to exclude innocent acts, such as rigorous penetration testing of encryption software. Likewise, the whole area of research into de-identification research, such as that undertaken by the CSIRO, could be jeopardised through heavy-handed legislation … Criminalising security testing is the wrong way to increase security. The Government should instead focus on ensuring that data is not collected or stored in forms that allow re-identification.”
But the legislation will be drafted by the Attorney-General’s Department, which is openly contemptuous of data security issues, not to mention basic rights. AGD failed to respond to Crikey’s request for clarification on the issue.
This is a complex issue because it is at the intersection of public health ethics and the IT industry mindset that is highly sceptical of any claims to security, and eager to subject them to rigorous testing. As Daniel C. Barth-Jones said in his magisterial look at the area in 2013:
“… if you’re a cryptographer, it is not surprising that you might be more inclined to suspect that everyone’s a spy — it’s just part of your training to do so … it should not be too surprising then that white hat hackers conducting ‘penetration testing’ likely think that other researchers are just fooling themselves if they rely on social and cultural norms, data use contracts and other legal protections, and ‘security by obscurity’ as part of the total package which prevents the occurrence of re-identification attempts.”
In Barth-Jones’ view, the risks of de-identification can be overstated (particularly when re-identification studies target atypical people who are more easily identified than most of the population), and security experts rely too heavily on absolute guarantees rather than cost-benefit analyses of the privacy-health benefit trade-off. Nonetheless, he recommends that “a carefully designed prohibition on re-identification attempts could still allow research involving re-identification of specific individuals to be conducted under the approval of Institutional Review Boards”.
The idea of the people who gave us the data retention debacle “carefully designing” anything, however, remains laughable. The net result could be that it becomes illegal to discover how badly encrypted datasets are, or let anyone know.
Sep 2, 2016
While we focus on the threat of Chinese hackers, we're oblivious to the danger posed to us by our own security agencies with mass surveillance powers.
The ABC’s veteran long-form journalism vehicle Four Corners has had a cracking run of late, but it came to something of a halt in its recent report on cybersecurity. It’s not that Linton Besser’s report wasn’t any good; it was quality journalism, and as Stilgherrian noted in Crikey, in a rather poor market for quality Australian mainstream journalism on tech security issues, it was worth a look.
Indeed, it compared well to a lot of other cybersecurity reporting, which tends to be video versions of those “hacker” stock photos in which a man, inexplicably wearing a balaclava, sits hunched over a laptop (or, better yet, has removed his face entirely).
Rather, the episode, “Cyberwar”, shared the problem that plagued much of the reporting about the Australian Bureau of Statistics’ census debacle: that Australia is portrayed as an innocent victim of the evil plots of malicious online actors — most notoriously, Chinese hackers, who’ve now supplanted Russian organised crime as the great internet villain in the cybersecurity narrative.
There was at least one clue about this in Four Corners, however: the presence of General Michael Hayden, former head of the Central Intelligence Agency. Michael Hayden is responsible for at least 144 verified civilian deaths in CIA drone strikes, presided over a regime of torture at the CIA about which he misled both Congress and the public, and lied publicly about the CIA’s extraordinary rendition program.
But for the purposes of Four Corners, he was something else: the former head of the National Security Agency during 9/11 and afterwards (and thus partly responsible for one of the greatest intelligence failures in US history), who, in the aftermath, commenced mass surveillance of American citizens and dramatically ramped up the NSA’s program — in co-operation with the UK, Australia, Canada and New Zealand — of global mass surveillance. Hayden’s actions regarding Americans were illegal, but he has never been prosecuted.
For all that, he is certainly an expert on cybersecurity, making a good living these days as a security consultant and technology company director — and advocating views that are utterly at odds with his own actions as head of the NSA, but are more convenient for the tech companies he now works with. Hayden was keen to push the standard narrative about cybersecurity, that Chinese hackers are a key threat, telling Besser:
“Where I’m really concerned and where I think Australians should be really concerned is the Chinese not attacking the Australian government or the American government; our governments should be able to defend themselves. Again, not shame on China, shame on us if they steal our secrets. It’s a really unfair fight though if a nation state like China attacks private enterprise in Australia again not for legitimate state espionage purposes, but for industrial and commercial advantage.”
That statement helps us to understand where this narrative goes wrong and why Four Corners missed the crucial context. Hayden is distinguishing between traditional espionage, which is “what adult nation states do to one another” and commercial espionage, which is somehow morally different. But is it an “unfair fight” if a nation state attacks private enterprise for industrial and commercial advantage?
Let’s ask the NSA itself: Hayden’s former agency systematically hacked — along with its British counterpart GCHQ — non-American software companies to obtain data and undermine online security, as well as breaking into the systems of major US online service providers like Google and forcing those companies to collaborate in their activities (later found to be illegal by a US court).
But the NSA’s attacks on private companies weren’t limited to the tech sector: it spied on Brazilian energy company Petrobras and collected information on French companies and economic activities (the French aerospace and defence sector is one of the most potent commercial rivals to the US military industrial complex); indeed, it is clear its brief definitely included industrial espionage against allied governments (including leaders of allied governments), private companies and individuals. Even Australia has played a role in the NSA’s industrial espionage, spying on Indonesian trade negotiators and relaying legally privileged information to the NSA for use by American “customers”.
Hayden’s spurious claim that we have the moral high ground against China on industrial espionage, however, is part of a longstanding denial by the NSA that its global surveillance is primarily about promoting US commercial interests rather than fighting terrorism. The Australian government peddles a similar lie, and even raided and harassed a former ASIS officer who revealed that Australia had bugged the East Timorese cabinet in order to obtain a commercial advantage for our companies in negotiations over the Timor Sea. In fact, we are exactly like the Chinese in using mass surveillance and targeted hacking for “industrial and commercial advantage”.
But surely that doesn’t undermine the ordinary narrative — we might be as bad as the Chinese, but they’re surely still a huge threat to us? Well, yes — no one ever suggested that wasn’t the case, and in any event, cybersecurity is important whether you’re concerned about state actors, or organised crime, or joyriding hackers. But who is the greater threat to us? Is it clear that the greater cyber threat comes from without, rather than the Five Eyes governments?
There are several ways in which mass surveillance by our own governments demonstrably harms us.
As Hayden so eloquently explained, undermining encryption by insisting on backdoors into every security product creates a “universal weakness” that “on balance that actually harms American safety and security.” Undermining encryption standards, as the NSA did on Hayden’s watch, does exactly the same thing, and in fact we now have an example of how the NSA’s tampering with encryption might have led to the hacking of US government systems, while the US standards body actually warned people not to rely on its own encryption standards in the wake of the initial Snowden revelations because they’d been undermined. Security agencies might like undermining encryption, but the real winners are hackers, criminals and foreign spies.
Poor storage of collected surveillance data
The only genuinely effective means of preventing the theft of personal data is not to keep it in the first place. Time and again, both large companies and government agencies that hold large collections of personal data have been breached and had information stolen (or sold by insiders), or have simply put data online by mistake. And once personal data is released, there’s no getting it back.
Abuse of collected data
We know that NSA staff used its vast surveillance systems to stalk women and spy on current and former partners, as well as listen to intimate phone calls purely for titillation. Such abuse — inevitable when large amounts of personal data are stored — happens at a lower level in Australia as well. An Australian Federal Police officer used police data to stalk a former partner, an apparently not infrequent occurrence at the state police level, including the sharing of information with other unauthorised, even criminal, parties.
The capacity of security agencies to obtain data via targeted or mass surveillance has been acknowledged by the UK government as having a chilling effect on the effective operation of the media. Security agencies obtaining journalists’ data to identify sources “could have a chilling effect on sources’ willingness to provide important information and undermine the press’ vital ‘public watchdog’ role and ability to provide accurate and reliable reporting”. Exactly this scenario is playing out in Australia currently: the AFP, at the behest of NBN Co, is trying to find out who embarrassed the Prime Minister by revealing what a debacle the NBN had become, raiding politicians and their staff and trying to obtain emails to journalists on the pretext that secret information has been shared. The current government’s mass surveillance laws now make it child’s play to obtain information that reveals journalists’ sources; accessing journalists’ metadata appears to be common in the US, despite the protections of the First Amendment.
Each of these is a real way in which Australians’ security and the wellbeing of our civil society are compromised by mass and targeted surveillance by our own security agencies. How does the threat of Chinese industrial espionage stack up against these actual impacts? It’s time to reframe the way we view cybersecurity and understand that the threat lies as much within as from outside — perhaps more so.