This was published 5 years ago

Spy game: Inside the fight to beat hackers who know no borders

By David Wroe

It wasn't until 2016 that Australia admitted having an "offensive" cyber capability. It remains one of the most secret weapons in the government's arsenal.

But it happens. From time to time, the top cyber spy agency, the Australian Signals Directorate (ASD), looks closely at a cyber threat emanating from overseas - Russian hackers stealing money from an Australian super fund for instance - and hits back, probably by delivering a virus to the hackers' computers, though methods are highly classified.

Cyber attacks by highly skilled hackers have become almost a routine thing against Australian institutions. Credit: DPA

The law recognises they need this power against overseas cyber criminals because hackers in Russia, or any inaccessible jurisdiction, are beyond the reach of Australian police. The same went for Islamic State cyber warriors operating out of Syria or Iraq.

But under proposals that have been discussed within the senior ranks of the bureaucracy and that remain under consideration by the Morrison government, the ASD would also be authorised to do this within Australia under special circumstances. It's described as "disruption" and the obvious targets would be child exploitation rings, organised crime gangs and terrorists that use online means to do their business.

The ASD would also be allowed to sit within the computer networks of private companies that operate critical infrastructure - such as power grids, water supply networks, telecommunications, ports and banks - and actively defend those networks against potentially catastrophic cyber attacks.

It's ideas like this that were at the heart of the political firestorm over the leaking of top-secret documents to News Corp and the subsequent police raid on the home of journalist Annika Smethurst.

In the fallout of the raids on Smethurst's home and on the ABC over a separate set of reports on Australian soldiers' conduct in Afghanistan, there has been little discussion of what has happened to the original proposal discussed in the leaks.

The Sydney Morning Herald and The Age can reveal the proposals remain a live consideration, if still at the ruminative stages. Options are still being bounced around various branches of the government.

Nothing has gone to cabinet. A government spokesman would say only that the government's position had "not changed since statements were made on this matter last year".

The discussions have been widely cast as a plan to use ASD to spy on Australians, though officials have been adamant this was never remotely part of the proposal.

Rather they wanted to discuss ways that ASD could work more closely with the Department of Home Affairs, which has responsibility for cyber policy, to disrupt online criminals and protect critical networks.

It may not constitute spying but it would still be a substantial change in the kind of authority the ASD currently has and would provoke controversy if the government went ahead.

But it also recognises certain new realities about the kind of threats Australia faces. Cyber attacks by highly skilled hackers have become almost a routine thing against Australian institutions, and all kinds of criminals are increasingly using cyber means to do their work.

The confusion around spying seems to stem from the fact that the collection of overseas communications signals forms a large part of the ASD's job, much like the United States' National Security Agency, which is frequently portrayed in Hollywood and television as a great vacuum cleaner sucking up the world's electronic communications.

That is an intelligence-gathering role - spying.

But it has a distinct and different role, which is cyber protection. That includes defending Australian networks and carrying out offensive cyber operations. It is these functions that are under discussion, not signals collection.

The most pressing issue, insiders say, is the defence of critical infrastructure. It is now a widely held view within the government and among outside experts that power grids, banks, telcos and even hospitals are highly vulnerable targets.

As one close observer put it: "I don't think people have any idea how vulnerable we are and what limited capacity we have to respond."

An attack on critical infrastructure could be used by a foreign adversary to coerce and intimidate Australia. The first shots of a war will almost certainly come in the form of electrons and bytes.

But it's the below-war layer of activity that has people worried. Countries such as Russia and China have come to excel at what is often called "grey zone" military activity, the kind of stuff that is menacing or even damaging but doesn't quite reach the threshold of demanding retaliation.

Russian hackers froze part of Ukraine's power grid two days before Christmas in 2015, leaving more than 200,000 people without electricity. Moscow-backed cyber operators have also reportedly penetrated hundreds of US power grids, apparently to conduct reconnaissance of the networks.

Australia has been attacked in several highly publicised incidents recently: on the Parliament, the major political parties and the Australian National University, twice. The latest theft of 19 years' worth of student and staff data from the ANU has left national security insiders aghast.

In a speech to the Australian Strategic Policy Institute in Canberra on Thursday, Defence Minister Linda Reynolds said: "More and more frequently, malevolent cyber activity is threatening our security and economic wellbeing."

Defence Force chief Angus Campbell said in a speech at the same conference that authoritarian states were better than democracies at "political warfare", including cyber attacks, because they tended to see the world as a never-ending struggle rather than having the clear delineation between war and peace that democracies prefer.

"Western societies are often open, diverse, organic and liberal. They're the way we want them to be. In other words, unfortunately, exposed," Campbell said.

An argument being put in Canberra is that the kind of defences needed to repel sophisticated state-backed hackers from critical infrastructure properly reside with the government, not with the private-sector operators of the power grid or telco.

Just as you wouldn't let a private company own tanks or ballistic missiles, nor would you want it having the suite of capabilities held by ASD.

ASD currently advises companies and institutions such as universities. The question is whether it should be more directly involved.

"To defend a network, you have to be on the network," one security source says. "You don't want to be mapping and planning the defence of a network during a major attack. You want to be lawfully on the network before a 9/11-style attack occurs."

In a speech in November at Perth's Edith Cowan University, the powerful head of the Home Affairs Department, Mike Pezzullo, said: "We cannot, and will not, wait for a catastrophic cyber incident before we act to prevent future attacks."

Home Affairs Department head Mike Pezzullo: "We cannot, and will not, wait for a catastrophic cyber incident before we act to prevent future attacks." Credit: Dominic Lorrimer

The more controversial aspect of the proposal would be the authorising of the ASD to carry out "disruptions" of networks hosted within Australia as well as those overseas.

The argument being made there is that some criminal networks such as child exploitation, drug or terrorist gangs, will be spread over computers and servers hosted both in Australia and offshore. The distinction is no longer entirely clear in an age of cloud computing, encryption, virtual private networks and proxy servers that enable users to hide their location and identity.

This network-level disruption could crash systems hosting child exploitation material, or prevent terrorists from publishing recruitment propaganda.

The flaw in the argument, some critics say, is that, irrespective of technological challenges, crime in Australia must be tackled by law enforcement. Police should gather evidence, make an arrest and brief prosecutors.

A former head of ASD, Ian McKenzie, used this argument when he spoke out against such proposals last year. He said Australian authorities should not be disrupting systems used by people in Australia who hadn't been convicted of anything.

Fergus Hanson, who heads the Australian Strategic Policy Institute's international cyber policy centre, similarly disagreed with using the agency for domestic disruption.

"ASD should be exclusively focused on foreign threats," he says.

But he says the critical network protection idea is worth considering, though any change to the law would require carefully thought-through safeguards. It would need to make certain that having authority to be inside a company's network to defend it against foreign adversaries did not extend to domestic surveillance.

ASD director-general Mike Burgess has made enormous strides in telling the public more about what his traditionally secretive organisation does.

It's understood that much of the discussion between officials has revolved around how to ensure any new powers are strictly circumscribed and with appropriate safeguards, including warrants and oversight by the Inspector-General of Intelligence and Security.

In a speech to the Lowy Institute in March, ASD director-general Mike Burgess - who has made enormous strides in telling the public more about what his traditionally secretive organisation does - described how every offensive cyber operation against foreign targets was "proportionate", "subject to rigorous oversight" and strictly within the law.

If the legal changes being floated were to go ahead, they would need to pay minute attention to these principles - and more.

Original URL: https://www.smh.com.au/link/follow-20170101-p51xqc