The Secretary of the Department of Home Affairs, Mike Pezzullo, has spoken out against hacked organisations that refuse assistance from the Australian Signals Directorate (ASD), likening it to refusing to cooperate with an air crash investigation.
One such example was discussed in evidence to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on Friday.
“It was a nationally-known case involving a nationally-known company that [ASD director-general Rachel Noble] and I are declining to name at this point,” he said.
According to Noble, the ASD first learned of the attack from media reports.
“We try to reach out to the company to clarify if the media reports are true, and they don’t want to talk to us. So then we keep pushing,” Noble said.
“Sometimes we have to use our own very senior level contacts, sometimes through people in this building [Parliament] who might know members of boards or chairs of boards, to try and establish trust and build a willingness to cooperate.”
When a hacked company cooperates, ASD can typically map their networks and identify the criminality involved on the first day.
When the Victorian health system suffered a ransomware attack in 2019, for example, the malware was quickly identified, and the network was back up and running in four days.
“What we left them with was also tools, training, and capability to identify, to protect themselves from a similar attack, but more quickly identify it happening again,” Noble said.
However, the unnamed company lawyered up, and it took a week for the ASD to get even basic network information.
“Five days later we’re still getting a very sort of sluggish engagement of trying to get them to help provide data to us and deploy some of our tools so we can work out what’s happening on their networks. That goes for 13 days,” Noble said.
“This incident had a national impact on our country. On day 14, we’re able to only provide them with generic protection advice, and their network is still down. Three months later, they get reinfected, and we start again.”
Noble says this is why the ASD needs the powers which would be granted by legislation currently being reviewed, the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
“This legislation actually just gives us the authority, through Home Affairs, more leverage to expect these critical infrastructure providers to actually have better cybersecurity standards in the first place,” she said.
“The best part of this legislation, from my point of view, is if they look after themselves, it doesn’t become work for my people. And if their defences are much higher, they’re keeping the low level crims out, and then we might be able to focus on the much more sophisticated highly organised criminal syndicates or state actors.”
Unregulated libertarian cyberplanes endanger the commons
Pezzullo says Parliament has a duty to “think about the regulation of cyberspace in the way that you would think about the regulation of other commons”.
“Every time one of our planes go down, of course we collaborate with the investigators, and we work out where all the bodies were, and the wreckage of the parts, and we help with the safety investigation,” he said.
Not only do we learn lessons from crashes, he said, but we also regulate the movement of aircraft through our skies.
“The development of the internet’s been organic. It’s been driven by a somewhat unusual combination of libertarian impulses on the one hand, and profit-driven motivations on the other hand,” Pezzullo said.
“Every time you connect, you are flying unsafely through airspace. We would not tolerate our airspace being ungoverned and unregulated by the state.”
Noble spruiked the advantages of cooperating with the ASD.
“Our people in ASD are in hand-to-hand combat with criminals and state-based sectors every single day. We have the benefit of top secret intelligence provided to us from around the world, not just our own intelligence that we can gather, [and] 75 years of investment in technical capability to analyse and unpack it with an incredible posture and ability to understand, through our cyber defence capabilities, what’s happening on Australia’s internet.”
Why would businesses refuse assistance? Apart from potential philosophical objections, Noble offered a range of theories.
First, there’s what she called “ICT professional hubris”. Organisations want to believe they’ve got the technical skills and don’t need help.
“We understand that people feel that way. That’s usually before they’ve actually fully appreciated what they’re dealing with,” Noble said.
Second, the scenario Noble believes brings the lawyers into the room is when the organisation doesn’t have an incident response plan. They don’t know how they’ll manage public communication, relations with their suppliers and customers, potential brand damage, and other commercial interests.
Third, there are questions of liability, ranging from matters of directors’ duties and whether they’ve been negligent, to acting on ASD advice which then has an adverse effect on the company.
As PJCIS chair Senator James Paterson noted, some submitters to the inquiry have said the protection from liability offered in the Bill may not be sufficient.
Pezzullo said this review of critical infrastructure law shouldn’t be seen as a standalone action. There’s work being done as part of the 2020 Cyber Security Strategy “that goes precisely to the question of corporations law, directors duties, [and] better practice regulation in this field”.
“In fairness to the executive management teams that are grappling with this, things like insurance products, the actuarial costing and pricing of the risk, the depth of the reinsurance pool, the case law, is not particularly well formed,” Pezzullo said.
“We really are in the early days of flight. It’s just that the adversaries learned how to fly and they got better planes at the moment than most firms.”
Disrupting the Cyber Pirates of the Caribbean
On the broader question of dealing with malicious actors online, Pezzullo said governments needed to go on the offensive.
Police and intelligence agencies, sometimes with the assistance of military cyber forces, are striking at these actors in the “havens”, but some are beyond reach.
“Regrettably states — some states — either turn a blind eye to their activities, or actively enable and sponsor them. Regrettably, state protection emboldens these malicious actors,” he said.
One model to tackle this challenge might be the global counterterrorism model that was put in place after 9/11 to deal with al Qaida, but Pezzullo proposed something quite different.
“Another model that I would suggest to this committee that is worth reflecting on, as you consider this bill and consider your report, is the campaign that was mounted in the 17th, 18th, and then in the beginning of the 19th century, to clear the world’s oceans of pirates, including the pirates of the Caribbean, who were defeated by Her Majesty’s warships of the Royal Navy, in concert with bringing law to a lawless ocean,” he said.
“This is a problem with which we can deal, just as Britain overcame piracy. But we need the tools to do so, including the requisite legal authorities.”