Cyber attack could well be worse than coronavirus
The nightmare scenario is becoming technically more imaginable every day. Are we prepared?
Cyber security is going to be a big feature of your life.
Imagine disruption worse than COVID. Imagine vital equipment not working in hospitals. Even simple stuff, like locating needed blood supplies.
Imagine a power outage lasting weeks. You think lockdown is tough; contemplate life without electricity, without heating or cooling, or a refrigerator, for four weeks. Or more. What would happen if a city’s water supply system kept turning itself off? And what if all this occurs simultaneously? And if, when the tech wizards patch things up, they just kept breaking down, over and over?
Science fiction? It sounds like science fiction. Yet everything we’ve seen with COVID — the streets of Melbourne’s CBD looking as though a neutron bomb destroyed all human life, hundreds dead, more hundreds hospitalised, Victoria in savage lockdown trying to stamp the virus on its head once more — would have sounded like science fiction a few months ago.
The cyber nightmare is becoming technically more imaginable every day because of the relentless investment in cyber warfare undertaken by powerful nations.
The Morrison government this week released its 2020 Cyber Security Strategy. It’s a sober document, mildly worded. It provides increased resource levels and procedural changes. It also attempts to alert the Australian public, plus corporate leaders, operators of critical infrastructure and government systems managers, to the giant task ahead.
This flows from the growing threat.
In its bland way, the report alludes to something like the nightmare scenario. It says: “The loss of an essential service like electricity, water or transport could have devastating impacts far beyond the targeted business.
“Some nation-states or state-sponsored actors are so sophisticated that an attack may be beyond the capability of a single network owner to handle alone, irrespective of its size, expertise and best efforts.” Since 2018, “the threat environment is worsening”.
Cyber intrusions already cost the economy $29bn a year. But it is the national security dimension that is most pressing. The strategy cites a study suggesting a cyber attack causing a four-week disruption of digital infrastructures would cost the economy $30bn and more than 160,000 jobs.
The Weekend Australian spoke to a range of experts and practitioners. Most thought a sustained cyber attack on our critical infrastructure would be difficult to carry off and something Australia could probably repair within days. None, however, ruled out a worst-case scenario.
Home Affairs Minister Peter Dutton told me: “There’s no guarantee. It depends on the level of tradecraft that was used and the sophistication of the attack. You can be under attack without even being aware of it.”
When a catastrophic disaster occurs, such as the COVID pandemic — with now nearly 19 million infections worldwide, nearly 750,000 “official” deaths, as contagious as ever and no less deadly, and vastly more deadly than the flu or similar diseases, and which is presenting as a second wave in developed nations that thought they had seen it off — it is a disaster that was foreseen but not anticipated.
Very few countries, it turned out, had pandemic plans that were effective. Very few had invested even in adequate supplies of protective equipment. From year to year the crisis didn’t come, so the drift was to inertia, inactivity, complacency. When the virus arrived, there was an enormous temptation to play it down — just a seasonal disease, not too deadly, don’t overreact. Every delay, every denial, made the problem worse.
The Morrison government is determined this won’t happen with cyber security. It is pledging more than $1.6bn across 10 years to enhance capabilities and help business. In reality, total spending combating cyber threats, across government and the private sector, will be a vast multiple of that.
Cyber threats cover a spectrum of players. There are criminals like pedophiles who use the dark web, where it is extremely difficult for law enforcement agencies to work out people’s real identities, to traffic in pictures of underage children or sometimes to traffic in children themselves.
I was present in London at a private discussion of the dark web where practitioners said there was much fantasising and unreality on the dark web as well as real crime. Once they saw what they thought were assassination fantasies. But when they checked out the victims’ identities, they found they had indeed been killed. Criminals had such confidence in the dark web’s anonymity that they arranged professional hits, and dickered over the price.
Beyond that type of criminal, terrorists also use the dark web and heavily end-to-end encrypted services to organise. Sometimes they engage in crude denial-of-use cyber attacks.
More sophisticated are cyber criminals who scam money, steal identities or disable a company with ransomware so the company has to pay money to get its critical data back or resume its normal business activities.
Above all these, in national security terms the most important threat comes from hostile, or at least unfriendly, states. Their theft of data and threat to critical infrastructure is serious and growing.
The government defines critical infrastructure as: energy, water, communications, space, data and the cloud, defence industry, transport, health, banking and finance, food and grocery, higher education research and innovation.
To some extent, businesses, especially those that run critical infrastructure, should supply their own cyber security. But an analogy with the physical world illustrates the problem. A civilian port is expected to provide pretty robust physical security against burglary of its offices, theft of cargo, sabotage of visiting ships and so on. It cannot, however, be expected to provide its own protection against the air force of a hostile nation dropping bombs on it.
The cyber strategy describes the problem: “Nation-states and state-sponsored actors seek to compromise networks to obtain economic, policy, legal, defence and security information for their advantage. (They) may also seek to achieve disruptive or destructive effects against their targets during peacetime or in a conflict setting. These actors tend to be sophisticated, well-resourced and patient adversaries whose actions could impact Australia’s national security and economic prosperity.”
In any serious military clash, you could guarantee an accompanying cyber attack.
The nations most often named for cyber intrusions are China, Russia, North Korea and Iran, although many other countries are active and every country that can afford it has at least some defensive capacities.
In June Scott Morrison took the extraordinary step of telling Australians that they and their institutions were under a wave of constant, huge cyber intrusion from a foreign power. No one with the faintest knowledge of this area was under any doubt that he was talking about China.
This provides a real problem for Australia. Beijing devotes thousands upon thousands of talented, well-trained computer geeks to its cyber efforts. It does this on a scale that no other country can match or even tries to match. The US is technically ahead of China in this area, but Beijing’s technical expertise is extremely formidable.
The Prime Minister presumably had two audiences for his June remarks: the Australian people, so they would know what was going on; and the Beijing government, so that it would know Australia would not be intimidated, would resist cyber bullying and if necessary would call Beijing out publicly.
At the same time, the Morrison government tries to be low key in its language and keep as good a working relationship with Beijing as it can, consistent with our values and our core national interests. In the first six months of this year, China took $70bn, 40 per cent, of our merchandise exports. That’s self-evidently important.
Beijing has targeted Australian institutions for a long time. However, Beijing’s cyber efforts against Australia took a massive step up from 2018, after the Turnbull government became the first in the world to ban Huawei and ZTE from participating in Australia’s 5G network. Beijing was furious, although it never seems to occur to it that there is a bit of a double standard given the ruthless control it exerts over every part of the internet within China.
5G technology will transform life. It makes computers much faster and more powerful. It also embodies the internet of things, which means in time that everything is connected to the net and ultimately run digitally. This will enhance life for ordinary people. But in its complexity, and its absolute reliance on digital connectivity, it also creates huge vulnerabilities.
In his memoirs, Turnbull explains the key consideration in the decision: “An adversary with a permanent beachhead in an economy’s most important enabling platform technology would have the ability to make all or parts of the network — or devices and institutions within it — unavailable or unresponsive.” That’s a very polite and indirect rendering of the nightmare scenario sketched out at the beginning of this piece.
Of course Chinese companies say they would never do any such thing. But Turnbull also points to China’s 2017 National Intelligence Law, which requires all Chinese companies and individuals to “support, co-operate and collaborate” with Chinese intelligence and security agencies.
Australia cannot solve all these problems by itself and has worked closely with like-minded nations, especially the US National Security Agency. Commentators criticise Donald Trump for seeking to divide the world into two technological camps. But it is Beijing and its relentlessly aggressive actions that has made this a likely outcome.
Take TikTok. It has 100 million users in the US, mainly teenagers posting dance videos, lip-synch parodies and the like. However, like other such apps, it vacuums up a huge amount of personal data and it runs ads. Beijing could add that data to all the other data it gets from cyber activities against the US (and with Australian users against us). It could also, any time it likes, decide to run ads that change the perception of reality among TikTok users.
The proposed US solution, that Microsoft buy the US, Canada, New Zealand and Australian arms of TikTok, is a good solution. It fairly compensates the owners of TikTok for the business they have built up. But it also puts this business under US regulatory control.
The whole question of regulating social media companies is fraught, complex and entirely unresolved. But it is a clear threat to national security to have such companies operating in our jurisdictions while owned and managed by companies of a state that routinely engages in cyber hostility.
Cyber security will become much bigger over time. The threat environment worsens. We can predict its consequences. Can we anticipate them?
Greg Sheridan’s latest book is the bestselling God is Good for You. He has completed a series of podcasts on his five favourite books that are available at ipa.org.au or Apple Podcasts, Spotify and most podcast platforms.
Read related topics:Coronavirus
Join the conversation
Israel flags new approach in its war on terror
Time will tell if the attacks in Lebanon are a one-off tactic or a deliberate escalation.
Read more
Welcomes to country are a mark of mutual respect
Just like toasts at birthday parties or speeches at weddings, welcomes to country are sometimes over-cooked or strike the wrong chord. But conducted properly at the right events, this practice enriches all of us and furthers reconciliation.
Read more