Category: cyber security

  • Artificial intelligence technology could provide a solution to the growing challenge of securing access for remote office workers, without creating unreasonable hurdles to them working effectively and productively.

    With the surge in remote working resulting from the global pandemic, organisations are struggling to maintain security of remote access without placing too many impediments in front of staff and ensuring that measures are not circumvented by workers who just want to get on with their jobs.

    CyberArk’s Australia/New Zealand solutions engineering manager Andrew Slavkovic said the company was looking at how to enable a remote workforce to work efficiently and securely by restricting access privileges to only those needed.

    Bridging the Cyber divide: CyberArk’s Andrew Slavkovic and Enex TestLab’s Matt Tett talk to James Riley from InnovationAus

    “That’s a difficult endeavour,” Mr Slavkovic said. “We want to review the ways that we can use something like AI to determine what level of privilege a user will need and then automatically predicting it, so the employee is not in any way hampered in regard to their performance.”

    Further, he suggested AI could be used to help prevent security breaches. “We want to use AI more in our product set to determine, based on our past experience, a sequence of actions that could result in a malicious or suspicious sequence of activities, and automatically take action to prevent that from escalating.”

    He said a technique for increasing remote access security was to provide users with the minimum level of access privileges required for them to fulfil their role and adjust this in real time.

    “We’re talking about providing ‘just-in-time’ privilege as a mechanism and escalating that privilege access as and when required, then stripping it back to the minimum level when it’s no longer needed.

    “This can be a quite powerful tool, because if that individual account is compromised, what an attacker can do is very limited. They’ll have to discover another account or another identity that is more important to be able to move laterally within the network to obtain whatever target they want.”

    Mr Slavkovic said remote access security had also been boosted through the control framework set out in the Federal Government’s Information Security Manual (ISM). “The ISM control framework has a whole section around remote access. So, in theory, an organisation should have confidence that if they follow the framework, they will have a level of assurance that they’re going to be secure.”

    Mr Slavkovic spoke with InnovationAus’ James Riley, with Matt Tett, chairman and managing director of Enex TestLab, as part of the series, Bridging the Cyber Divide.

    Mr Tett said the government was changing its approach to ensuring security in government organisations – through audits and certification – to ensure organisations had sufficient policies and procedures in place to be secure. However, many breaches occurred because these policies and procedures were not adhered to.

    “Unfortunately, a lot of the incidents that we see occur are because people have circumvented the protocols or the procedures which have been put in place.

    “If security gets in the way, people will generally find a way of circumventing it; and it’s no different whether you’re working in an organisation, whether you’re in a home environment, or whether you’re in a government department.”

    Mr Tett said the government had shifted the focus from certifying individual products to certifying organisations. The Australian Signals Directorate has recently revamped its Information Security Registered Assessors Program (IRAP) under which it endorses cyber security professionals to help secure industry and government information systems.

    “Having independent IRAP assessors able to go out to agencies and work with the security teams on implementing procedures and policies and standards is very good,” Mr Tett said. “They’re performing due diligence, or an audit, on an organisation to ensure they have sufficient policies, procedures and practices in place.”

    However, Mr Tett said the policies, regulations and standards needed to be measurable if they were to be effective. “You can have standards, you can have regulation, but you really need to make sure they’re measurable and actually working effectively. That’s a critical thing.

    “You want to measure before and after – measure the benefit of implementing policies and procedures, draw a baseline somewhere, and once you have that baseline, you can measure the maturity of those departments’ and agencies’ security models, rather than just measuring them by the number of incidents that they’ve actually had. It’s better to measure the prevention rather than the cure.”

    The Bridging the Cyber Divide podcast series is produced as a partnership between InnovationAus and CyberArk.

    The post Security credentials and the remote access challenge appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Australia is at a widely analysed strategic crossroads. To accelerate the growth of a secure, resilient and technologically sophisticated economy, we must develop and extend our capability in critical and emerging technologies.

    That means supporting the commercialisation of Australian intellectual property in all areas of emerging technology – from artificial intelligence and automation, to fintech to medtech and biotech to cyber security.

    Cyber security is especially important, because it is a fundamental enabler of trust as well as innovation across emerging technologies and indeed across our entire economy.

    AustCyber CEO Michelle Price and Stone & Chalk chief executive Alex Scandurra

    It is well reported that the number and type of threat actors – both criminal and state-based – has increased markedly over the last 12 months, and not just for the big end of town. Organisations of all sizes and sectors, as well as schools, community groups and homes, are in the cross hairs.

    This increased necessity comes at a time of mandatory business transformation and digitisation. The COVID era laid bare the inefficiencies and friction points in business models across the economy, from education and entertainment to banking and retail.

    A more mature understanding of the transaction costs across destabilised supply chains has also emerged.

    Industry leaders are now searching for partners and trailblazers who can transform their business operations rapidly with emerging technologies, in ways that bring inbuilt security and resilience.

    If Australia remains simply an end customer of offshore vendors for emerging and critical technologies, we will be selling ourselves short, not only strategically but also in the retained benefits of jobs and profit that competitive domestic offerings would bring.

    Expenditure in business transformation and emerging technologies will be expropriated by global vendors selling off-the-shelf solutions to Australian customers who will gain no competitive advantage and will often be forced to arrange their business operations around the requirements of an existing product that the vendor is offering.

    On the other hand, if we use the infrastructure already built and invested in to nurture the commercialisation of home-grown emerging technologies in sophisticated ways, we can better leverage the strength of our advanced research capability to create intellectual property in industries that play to Australia’s strengths and deliver increased self-reliance.

    The new and enduring normal of the pandemic demonstrates the need for us to be sharper in how we achieve this through trusted partnerships and innovation.

    Right now, across the world, the opportunity for Australia is enormous.

    This is why we, as the leaders of two prominent not-for-profits working in critical and emerging technologies, have merged our organisations to show a better way to leverage the best of previous investment in capability to create capacity to accelerate the growth in industries delivering a more innovative, secure economy.

    To capitalise on the transformative moment that we are in, Australia’s emerging technology companies must be secure by design from day one, before a single line of code is written. Corporates and government organisations seeking digital transformation partners lean heavily towards those that can provide serious security credentials.

    A strategic integration of the peak body for the cyber security industries with the leading commercialisation network for all emerging tech will ensure that our emerging technologies are secure and can increase the security of their customers and partners.

    Our cyber security industry has more than quadrupled in direct value since 2017, from $800 million to $3.6 billion today. Most companies in this sector are young – 40 per cent are less than five years old.

    This is an extraordinary growth story that has occurred under the auspices of AustCyber which has operated as an Industry Growth Centre since 2017. AustCyber will continue to operate as an Industry Growth Centre until mid-2022.

    Emerging technology more broadly has a pivotal role to play in Australia’s new economy. Research has shown that every job created in technology creates five more across the economy. Companies less than five years old employ nearly one in two Australians and are net job creators, whereas legacy companies are net job shedders.

    Australia’s entire business ecosystem will need to leverage emerging technology companies that are innovative, focused and secure to thrive in a post-pandemic world.

    As an organisation that exists at the nexus of emerging technology and business, Stone & Chalk is powering the growth of our emerging tech ecosystem and business transformation.

    Full-scale commercialisation support is needed to maintain and extend this growth and tell the next chapter of the story.

    The integration of AustCyber and Stone & Chalk will provide this to our current ecosystems and extend our reach across other emerging technology industries, established and nascent.

    This includes virtual trade missions with potential export markets, bespoke introductions to potential investors with the right portfolio and expertise to provide far more than financial support, access to customers ranging from scaleups and government departments to national and multinational corporates, and a powerful advocacy body advancing the interests of founders at a state and federal level.

    In a world where critical and emerging tech are becoming central to economic growth, resilience and security of national economies, a body like the one we are creating with this merger is no longer optional.

    Our success in the mission of developing and extending Australian industrial capability in critical and emerging technology will underpin the nation’s prosperity and security for decades to come.

    The post Scaling a secure innovative future for the tech sector appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Federal Labor has called on the government to launch a national ransomware strategy to make Australia a less attractive target for cyberattacks.

    Shadow assistant minister for cybersecurity Tim Watts released a discussion paper detailing potential policies, including increased law enforcement, targeted international sanctions, offensive cyber actions and regulating the payment of ransoms.

    The Australian Cyber Security Centre has said that ransomware is the “highest threat” facing Australian businesses and government in the cyber domain, with a total cost of about $1 billion per year. These forms of cyberattacks increased significantly in the last year and have become more sophisticated and more targeted.

    Tim Watts: The Cybersecurity strategy has little to support the development of the local industry

    The federal government must play a leading role in making Australia a less attractive target for these ransomware groups, Mr Watts said.

    “The rapidly growing costs of successful attacks on targeted entities – in downtime, remediation, ransoms and supply chains interruptions – combined with the growing costs to all organisations of defending themselves against these attacks is an unsustainable burden on the nation,” Mr Watts said.

    “Ransomware is a jobs and investment destroyer at a time when the nation can least afford it. We need a new approach. It’s past time the Morrison government developed a comprehensive national ransomware strategy.”

    The increasing sophistication and targeting of ransomware presents an opportunity for the government to shift these groups’ focus away from Australian entities, Mr Watts said.

    “The evolution of ransomware gangs into sophisticated, well-resourced organised crime groups presents both a challenge and an opportunity. The challenge of the emergence of so-called ‘big game hunting’ ransomware gangs that carefully research and select their targets to maximise their returns from attacks has increased the potential costs of these attacks,” he said.

    “But it has also created the potential for new strategies aimed at deterring these attacks. The threat of ransomware isn’t going anywhere soon, and the government cannot just leave it to Australian organisations to confront this challenge alone. It is time the Morrison government actively tackled this threat and developed a national ransomware strategy.”

    The Labor discussion paper proposes policies that could lower the return on investment for ransomware groups going after Australia, and increase the costs to them.

    On the costs side, more effort could be made on law enforcement action against ransomware groups, starting with measuring current performance and pushing for greater international cooperation to arrest and charge individuals.

    The federal government should also “aggressively” participate in joint international law enforcement operations and cooperate in the region to prevent the emergence of new groups.

    “An activist approach to fighting ransomware would see the Australian government building coalitions of nations to pressure recalcitrant governments to stop ignoring and harbouring transnational ransomware groups, and to develop mutual law enforcement assistance agreements with these states,” the discussion paper said.

    When law enforcement is not possible, the government should look at engaging with like-minded countries to impose travel and asset sanctions on the ransomware gangs and enabling countries, the Opposition said.

    To reduce returns for these groups, the government should look at imposing controls on ransomware payments, crack down on rogue bitcoin exchanges and improve the cybersecurity of public and private organisations, the paper said.

    The Opposition said the government should actively engage with the US Treasury which has already proposed some regulatory actions around ransomware payments made through bitcoin exchanges.

    “If Australian organisations can develop a reputation for being less likely to pay ransoms than targets in other jurisdictions, the return on investment for targeting Australian organisations will fall and so too will targeted ransomware attacks against Australian organisations,” they said.

    More work needs to be done to lift the overall cyber resilience of public and private companies to combat these attacks, the paper said.

    And such a strategy needs to be communicated publicly, with Labor calling on Home Affairs minister Peter Dutton to make a ministerial statement in Parliament about it and for the government to appoint a dedicated member of the executive responsible for cybersecurity.

    “This is an important signal to adversaries indicating that the Australian government takes cybersecurity seriously,” the Labor discussion paper said.

    “Unfortunately, despite the growing threat of ransomware to the nation, Peter Dutton has never used the word ‘ransomware’ in the Parliament.”

    Mr Watts released another discussion paper last year, calling for a rethink of cybersecurity policy in Australia with a focus on national resilience and community-based efforts.

    The federal government unveiled the $1.7 billion 2020 Cyber Security Strategy in August, with initiatives including new laws to protect critical infrastructure, additional powers for authorities to combat crime on the dark web, and some efforts to improve the cyber resilience of small business.

    The post Labor calls for national ransomware strategy appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Tech incubator Stone and Chalk has acquired the Commonwealth-led cybersecurity Industry Growth Centre known as AustCyber in a boost for both organisations.

    Under arrangements unveiled on Monday, AustCyber becomes a wholly-owned subsidiary of Stone and Chalk, although the CEOs of both organisations say that while the legal structure says ‘acquisition’, the not-for-profit operational reality of the integration makes it a merger.

    AustCyber’s Michelle Price and Stone and Chalk’s Alex Scandurra say the combined resources and individual strengths of each organisation will deliver a scale and sophistication for industry growth programs not previously seen in Australia.

    Scaling-up not-for-profits: The private sector-inspired Stone and Chalk acquires public sector-inspired AustCyber

    Both organisations would operate under their existing brands and run effectively separate accounting to meet obligations under government funding agreements. But the staff and day-to-day operations across multiple sites and cities will effectively be integrated.

    Under the new structure, AustCyber becomes a wholly-owned subsidiary of Stone and Chalk. The organisations will maintain separate boards, although each will become “cross-fertilised”, with one board member from each organisation joining the other.

    AustCyber will continue to operate as an Industry Growth Centre under the new ownership arrangements until the end of June 2022 and would continue to receive federal funding under that program. Ms Price said the organisation is committed to meeting all of its obligations under its current funding arrangement.

    The AustCyber-Stone and Chalk tie-up has significant implications for the future of the Industry Growth Centres program. Other growth centres include the Advanced Manufacturing Growth Centre; Food Innovation Australia Limited (FIAL); METS Ignited for the mining engineering, technology and services sector; MTPConnect for the medical technology and pharmaceutical sector; and National Energy Resources Australia (NERA), for the oil, gas and energy sectors.

    The Industry Growth Centres initiative was unveiled by former industry minister Ian Macfarlane in 2014 as part of the Abbott government. The Australian Cyber Security Growth Network (later AustCyber) was added later as a key recommendation of the original 2016 Australian Government Cybersecurity Strategy.

    It was always intended that the growth centres become commercially viable, self-sustaining organisations. Funding for the current growth centres comes to a finish at the end of June 2022.

    It is understood that none of the growth centres have to this point found commercial models that put them on a sustainable revenue trajectory that would allow them to continue to operate independently of government funding beyond that deadline.

    AustCyber is a first mover in getting out in front of that looming funding deadline at the end of the next financial year and will look to secure its future within Stone and Chalk.

    Whether the other growth centres move to restructure operations ahead of the deadline, choose to run down the clock on the funding timetable, or shutter their organisations remains to be seen.

    “It makes a lot of sense operationally,” AustCyber chief executive Michelle Price told InnovationAus. “Day to day it’s about growing the scale as well as the sophistication of the programs that the two organisations previously did separately.”

    “There were already a lot of synergies that we were already focusing on,” Ms Price said, with AustCyber and Stone and Chalk having signed a partnership agreement during 2020.

    “AustCyber was focused specifically on cybersecurity, but we were constantly being pulled across into other industries as well – not just because cybersecurity was needed elsewhere, but because of our expertise.”

    “The same was happening with Stone and Chalk,” she said. “The issues and the challenges that we were experiencing from a delivery point of view – and not having enough scale to respond to the demand – and seeing where the ecosystems were up to with the level of sophistication that’s needed in growth programs, it just became really obvious to us that we should pursue a merger.”

    The merger means that the combined AustCyber and Stone and Chalk operation will operate in 11 locations across the country, as well as AustCyber’s international presence in Washington D.C. in the United States.

    These locations include Stone and Chalk’s innovation hubs in Sydney, Melbourne and Adelaide, and the AustCyber network nodes in Western Australia, South Australia, Canberra, Tasmania and New South Wales, as well as an expected new node in Victoria.

    “In those locations where Stone and Chalk has not had a presence, there is a renewed focus on how we can combine the AustCyber nodes with the Stone and Chalk approach to an innovation hub.”

    Stone and Chalk chief executive Alex Scandurra said the organisation, which began life with a specific focus on building companies in the FinTech sector, would continue to take the frameworks and approaches it uses successfully in FinTech to build companies across other areas of emerging tech.

    “What we saw as the opportunity in AustCyber was quite a lot of depth around the national security piece, as well as giving us additional strength when talking about cyber as a horizontal [sector] across all emerging technologies in a similar way that we saw FinTech in terms of mobilizing money across a whole series of sectors,” Mr Scandurra said.

    AustCyber’s Ms Price said Minister Karen Andrews’ office had been told of the plan to merge with Stone and Chalk in December, and that the organisation had worked in lockstep with both the minister’s office and the department to reshape its structure.

    A spokesperson for Minister Andrews told InnovationAus: “In October 2020, Minister Andrews asked all Industry Growth Centres to submit a transition plan to the Department of Industry, Science, Energy and Resources, outlining their plan for self-sustainment beyond June 2022.”

    “The Industry Growth Centres Initiative is an ongoing program. The transition of individual Growth Centres to self-sufficiency once mature was always envisaged under program objectives and highlighted as part of the announcement of their establishment,” the spokesperson said.

    To date, AustCyber has allocated $14.85 million in project funding through its $15 million Industry Growth Centres Project Fund.

    The post Stone and Chalk acquires AustCyber growth centre appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Pacific Media Watch newsdesk

    Reporters Without Borders (RSF) has condemned a proposed cyber-security law in Myanmar that would organise online censorship and force social media platforms to share private information about their users when requested by the authorities.

    This would violate the confidentiality of journalists’ data and sources, and the public’s right to reliable information, says the Paris-based media freedom watchdog RSF.

    The draft law, which has just been leaked, is clearly designed to prevent pro-democracy activists from continuing to organise the demonstrations that have been taking place every day in cities across Myanmar in response to the military coup on February 1.

    The State Administration Council – as the new military junta euphemistically calls itself – sent a copy of the proposed law to internet access and online service providers on February 9.

    And the junta is expected to make it public on February 15.

    The draft law, which RSF has seen, would require online platforms and service providers operating in Myanmar to keep all user data in a place designated by the government for three years.

    ‘Causing hate, destabilisation’
    Article 29 would give the government the right to order an account’s “interception, removal, destruction or cessation” in the event of any content “causing hate or disrupting unity, stabilisation and peace,” any “disinformation,” or any comment going “against any existing law.”

    This extremely vague wording would give the government considerable interpretative leeway and would in practice allow it to ban any content it disliked and to prosecute its author.

    Article 30, on the other hand, is very specific about the data that online service providers must hand over to the government when requested: the user’s name, IP address, phone number, ID card number and physical address.

    Any violation of the law would be punishable by up to three years in prison and a fine of 10 million kyats (6200 euros). Those convicted on more than one count would, of course, serve the corresponding jail terms consecutively.

    RSF submission
    “The provisions of this cyber-security law pose a clear threat to the right of Myanmar’s citizens to reliable information and to the confidentiality of journalists’ and bloggers’ data,” said Daniel Bastard, the head of RSF’s Asia-Pacific desk.

    “We urge digital actors operating in Myanmar, starting with Facebook, to refuse to comply with this shocking attempt to bring them to heel. This junta has absolutely no democratic legitimacy and it would be highly damaging for platforms to submit to its tyrannical impositions.”

    Facebook has nearly 25 million users in Myanmar – 45 percent of the population. Three days after the February 1 coup, the junta suddenly blocked access to Facebook, Twitter and Instagram.

    But many of the country’s citizens have been using VPNs (virtual private networks) to circumvent the censorship.

    The proposed law’s leak has coincided with social media reports of the arrival of many Chinese technicians tasked with setting up an internet barrier and cybersurveillance system of the kind operating in China, which is an expert in this domain.

    Earlier this week, RSF reported the comments of several journalists who have been trying to cover the protests against the military coup, and who said that press freedom has been set back 10 years in the space of 10 days, back to where it was before the start of the democratisation process.

    Myanmar is ranked 139th out of 180 countries in RSF’s 2020 World Press Freedom Index.

    This post was originally published on Asia Pacific Report.


  • Government moves to beef up the security of Australia’s critical national infrastructure (CNI), set out in the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and introduced into Federal Parliament on 10 December, will impact many companies, institutions and organisations that might not see themselves as being part of critical infrastructure.

    These organisations should prepare for the bill’s impact now, by taking note of how recent moves by the finance industry regulator to strengthen cyber security requirements are playing out.

    In his second reading speech on the bill, Home Affairs Minister Peter Dutton said it would cover “organisations in communications, transport, data and the cloud, food and grocery, defence, higher education, and research and health” – seen as critical to “maintaining basic living standards for the Australian population; sustaining Australia’s wealth and prosperity; Australia’s national security and defence; and the security of large or sensitive data holdings”.

    Nick Lennon: The proposed critical national infrastructure laws will have a broad impact on cyber security

    Entities to which the legislation will apply are required to “adopt and comply with a risk management program that ensures that critical infrastructure assets are protected and safeguarded from all hazards”.

    The introduction of the proposed new legislation is timely. We are already seeing critical infrastructure overseas being attacked with dire consequences, and the threat actors are becoming more sophisticated.

    Phishing emails have long been a favoured threat vector but can generally be thwarted by an alert reader. Now, attackers are gathering information sufficient to create heavily socially engineered attacks that create high levels of trust, making them more difficult to detect.

    How the new critical national infrastructure legislation will work in practice, and whether the goals set for it by the government are achieved remains to be seen.

    The recent imposition of cyber security requirements on financial services industry players provides valuable insights and sets an example for other industries as they gear up to comply with the new cyber security regime.

    The Australian Prudential Regulatory Authority (APRA) introduced its Prudential Standard CPS 234 Information Security in July 2019. Its aim was to make sure APRA-regulated entities maintained a security capability sufficient to make them resilient to cyber-attacks.

    Cyber security issues had long been of concern to APRA, but prior to CPS 234 it lacked the power to act on those concerns. CPS 234 gave it that power, and at Mimecast we are seeing the impact. Superannuation funds, credit unions, tier two banks and financial service providers are coming to us to help them meet their obligations.

    However, APRA has already recognised the limitations of CPS 234, and has beefed up its cyber security oversight of the finance sector considerably.

    In August 2020, its Corporate Plan 2020-2024 detailed a new security strategy. In a speech to the Financial Services Assurance Forum, APRA executive board member Geoff Summerhayes, said the new strategy aimed to “extend APRA’s reach beyond our regulated entities to influence the broader eco-system of suppliers and providers they rely upon”.

    There are certain industries that drive innovation, and the finance industry is one. It will play a major role in determining how increased cyber security regulation impacts all industries.

    History shows that regulation tends to hit financial services first, and then spreads into other industries, because investment impacts all industries.

    Director level responses to CPS 234 and to APRA’s new cyber security strategy will set the tone for how boards in other industries respond to the new legislation and execute their new cyber responsibilities.

    Organisations that will be covered by the new CNI legislation can learn from the finance sector’s response to CPS 234 and APRA’s new cyber security strategy and act on that legislation appropriately.

    The greatest challenge for legislators and regulators implementing the new critical national infrastructure legislation – and for industry – will likely be in maintaining adequate cyber security in many small organisations that have the potential to cause severe disruption to national infrastructure if they are compromised.

    I recently asked the CISO of a body with a strong interest in our critical infrastructure what kept him awake at night. His answer: a small FinTech transferring billions of dollars through the payments system.

    The role of that FinTech could at least be identified. Identifying every organisation that could be compromised and exploited to attack critical infrastructure is likely to be much more difficult.

    APRA realises this challenge. At the heart of APRA’s new cyber security strategy, Summerhayes said, is “recognition that the Australian financial system is an ecosystem of an estimated 17,000 interconnected financial entities, markets, and financial market infrastructures that provide products and services to consumers”.

    APRA directly regulates only 680 of these entities, but a cyber breach of any of these could “have a cascading impact on the whole system”.

    Nick Lennon is the Mimecast Country Manager for Australia.

    The post Critical infrastructure laws impact on cyber appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • A group of senators have raised significant concerns with the federal government’s proposed new hacking powers for the Australian Federal Police, warning that a “wide scope of innocent third parties” could be caught up by the coercive and broad scheme.

    The Standing Committee for the Scrutiny of Bills, a bipartisan committee chaired by Labor, has revealed its thoughts on the Identify and Disrupt Bill, questioning a lack of focus on privacy, no judicial oversight, the potential for innocent people to be impacted and the ability for police to use the hacking powers without obtaining a warrant.

    The government quietly introduced the legislation to Parliament late last year with no consultation and little fanfare. The bill hands sweeping new powers to the AFP and ACIC to hack into the computers and networks of suspected criminals.

    Hackers?: The Australian Federal Police in line for sweeping new powers to hack

    The bill introduces three new warrants, allowing authorities to “disrupt” the data of suspected offenders, access their devices and networks even if they don’t know their identity and actually taking over their accounts covertly.

    While saying the new powers are targeted at combating “online serious crimes”, the powers will apply to any crime carrying a jail time of at least three years, including theft, fraud, tax evasion, illegal gambling, forgery and privacy.

    There was significant backlash to the legislation, with the Law Council of Australia calling for proper oversight and scrutiny of the “extraordinary powers”. The legislation is currently the subject of a Parliamentary Joint Committee on Intelligence and Security (PJCIS) inquiry.

    A bipartisan senate committee has now raised serious concerns with the new powers, saying the “coercive” warrants have the “potential to unduly trespass on personal rights and liberties”.

    In its first report of the year, the bipartisan Standing Committee for the Scrutiny of Bills said that home affairs minister Peter Dutton has a lot of explaining to do on the new powers.

    “The committee considers it essential that legislation enabling coercive search powers be tightly controlled, with sufficient safeguards to protect individual rights and liberties,” the committee said in the report.

    Under the powers, the AFP and the Australian Criminal Intelligence Commission (ACIC) will be able to apply for the warrants from eligible judges or a member of the Administrative Appeals Tribunal (AAT). But the senators said that only judges should be vested with this power.

    “The committee has had a long-standing preference that the power to issue warrants authorising the use of coercive or intrusive powers should only be conferred on judicial officers,” it said.

    “In light of the extensive personal information that could be covertly accessed, copied, modified or deleted from an individual’s computer or device, the committee would expect a detailed justification to be given as to the appropriateness of conferring such powers on AAT members, particularly part-time senior members and general members. In this instance, the explanatory memorandum provides no such justification.”

    The committee is also concerned that the warrants will apply for 90 days, with the option of an extension, and that the bill places little emphasis on privacy.

    “Noting the significant impact on the privacy of individuals whose information is collected or accessed under these warrants, it is unclear why privacy is a mandatory consideration in relation to account takeover warrants only and should not also apply to data disruption and network activity warrants,” it said in the report.

    “Similarly, it is unclear why issuing authorities must not consider whether the warrant is proportionate having regard to the nature and gravity of the offence and the likely value of information sought to be obtained in relation to all warrants rather than being limited to network activity warrants.”

    The application of the powers to crimes with jail time of three years also raised the eyebrows of the senators.

    “Noting this broad range of offences, the committee considers that an explicit requirement to consider proportionality in relation to issuing each of the warrants is important to ensure that the significant coercive powers authorised under these warrants are only exercised where necessary and appropriate,” the committee said.

    The legislation also allows for the authorities to take these coercive actions and conceal the fact that they did without obtaining a warrant in “emergency circumstances”.

    This will be done through applying to the appropriate authorising officer, who will approve it if they reasonably suspect there is an imminent risk of serious violence to a person or substantial damage to property, and that the powers are immediately necessary.

    “The committee is particularly concerned that such powers only be authorised under a warrant issued by a judicial officer. Allowing a law enforcement agency to authorise its own actions under an emergency authorisation has the potential to unduly trespass on the right to privacy, and as such the committee would expect the explanatory materials to provide a detailed justification for such provisions,” the committee said.

    “In this instance, the statement of compatibility provides no such justification. In effect, it appears that these provisions allow coercive or intrusive actions to be taken which have not been authorised under an existing warrant.”

    Overly “broad” definitions in the legislation mean that numerous innocent individuals may be caught up by the network activity warrants, the committee warned.

    “The committee is concerned that, as a result of these broad definitions, there is a potentially unlimited class of persons who may be subject to, or affected as a third party connected to a person who is the subject of, a network activity warrant,” they said.

    The senators put a number of questions to Mr Dutton, including why the power to issue the warrants should not be confined to judges, why the 90-day time period is necessary and why the value of the information sought is not a consideration when issuing the warrants.

    Submissions to the PJCIS inquiry into the legislation will close at the end of the week.

    The post Senators question new hacking powers for AFP appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Grants of up to $3 million are on offer for cybersecurity training programs as part of a $26.5 million national cybersecurity strategy initiative officially launched by the federal government this week.

    The first round of the Cyber Security Skills Partnership Innovation Fund was opened on Thursday, with grants of between $250,000 and $3 million on offer for applicants looking to “improve the quality and availability of cybersecurity professionals through training”.

    The grants will fund up to 50 percent of a cyber skills program, which will have to be a joint application from at least two partner organisations which may include universities, high schools, industry associations, state and local governments and businesses.

    Eligible activities for the grants include developing and delivering specialist cybersecurity courses for individuals, retraining programs, professional development, apprenticeships, new internships or cadetships and cyber labs and training facilities.

    There will be $13 million available as part of the first funding round, which will be aimed at building career pathways in the cybersecurity sector as part of Australia’s economic recovery from COVID-19, industry minister Karen Andrews said.

    “The Cyber Security Skills Partnership Innovation Fund will support partnerships between industry, education providers and governments to build the next generation of cybersecurity experts,” Ms Andrews said in a statement.

    “Cybersecurity is essential to our digital economy and needs to be strong in all areas, particularly in small and medium enterprises which comprise 98 percent of all Australian businesses. This fund builds on our commitment to keep Australians secure online, and to support building industry capability.”

    The fund was one of the initiatives included in the Cybersecurity National Workforce Growth Program, one of the deliverables under the Morrison government’s Cyber Security Strategy, unveiled last year.

    The grants will help to build on the other initiatives included in this strategy, home affairs minister Peter Dutton said.

    “Having more people trained in cybersecurity will build on the other measures funded as part of our $1.67 billion strategy to keep Australians safe online and protect against cyber attacks from malicious actors including cyber criminals,” Mr Dutton said.

    The first round will close on 11 March, with a second round expected to open before the end of the year.

    The fund was one of few initiatives in the strategy targeted at the local cybersecurity sector, with little focus on building the burgeoning industry.

    This was criticised by Labor cybersecurity spokesperson Tim Watts.

    “It looks like the government has given up on developing and growing the Australian cybersecurity industry altogether. There was no commitment on industry policy, on local content, on procurement, on SME involvement, or on maximising R&D spend to grow the Australian industry,” Mr Watts said.

    “During a recession, when we are trying to build sustainable, high-wage jobs for the Australian recovery post COVID-19, it is inexplicable that industry development seems to be completely missing from this strategy.”

    The post Govt launches $26.5M cybersecurity skills grants program appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Big tech and business are warring with digital and civil rights groups over the need to introduce a right of direct action for data breaches as part of the sweeping review of Australia’s privacy laws.

    The Attorney-General’s Department is conducting a sweeping review of the Privacy Act on the back of the Australian Competition and Consumer Commission’s (ACCC) digital platforms inquiry, which recommended a number of legislative changes.

    A key issue the inquiry is looking at is whether a direct right for individuals to bring actions or class actions before the courts to seek compensation for breaches under the Privacy Act should be introduced.

    It’s a jungle: The right to take direct court action over data breaches has spurred a fight

    Presently there is a very limited ability for Australians to seek redress for a privacy breach by a company subject to the Privacy Act, through an injunction or a complaint to the Office of the Australian Information Commissioner (OAIC).

    In its final report, the ACCC called on the government to introduce a right of action in the Federal Court or Federal Circuit Court to seek compensatory damages and aggravated and exemplary damages for financial and non-financial harm as a result of an infringement of the Privacy Act.

    “This would give consumers greater control over their personal information by providing an avenue of redress in court without having to rely on the OAIC alone to take representative action,” the ACCC said in its digital platforms report.

    “This ability will not only empower consumers but may also provide an additional incentive for Australian Privacy Principles entities to ensure they comply with their obligations under the Privacy Act and the APPs.”

    Instead of accepting this recommendation, the federal government opted to consult further on the direct right of action as part of the wider review of the Privacy Act.

    A number of civil and digital rights groups and legal organisations offered strong support for this policy in submissions to the inquiry, while big tech firms and other large businesses unsurprisingly railed against it, instead arguing that the OAIC should be handed a more prominent role in enforcing the Privacy Act.

    But the opposing side argued that the right of action would complement the OAIC’s enforcement role and is critical to ensuring the privacy of Australians is upheld.

    In its submission, Australian tech giant Atlassian said a direct right of action is unnecessary and may “magnify rather than mitigate any concerns about the costs and time for individuals seeking resolutions through the complaints process”.

    “It is difficult to see why the introduction of a direct right of action for individuals to seek compensation for breaches of the Privacy Act is necessary or, indeed, is the most appropriate way to meet these objectives,” the Atlassian submission said.

    “We strongly believe that efforts are better redirected towards improving the efficiency and effectiveness of existing enforcement mechanisms, including by supporting the OAIC to increase its complaint-handling workload and considering other mechanisms to facilitate certainty and consistency of entities’ compliance obligations.”

    US tech firm Adobe also argued against a direct right of action in its submission to the Australian inquiry, saying it would only benefit those who could afford to take legal action.

    “The cost of undertaking litigation is very high, which means that providing a direct right of action will generally benefit only a very few Australians who have sufficient resources to take such action,” the Adobe submission said.

    “Adobe submits that providing greater powers to the OAIC to assist in the resolution of privacy-related complaints is a more effective means by which to empower individuals to exercise control over their personal information.

    “If the OAIC had enhanced powers and the necessary resources to conduct investigations, and provide adequate remedies, this would truly empower individuals who would be able to easily and quickly take action to address privacy harms.”

    Tech titan Google also said that the OAIC’s dispute resolution is “preferable to creating a direct right of action”.

    “If the government is considering introducing a direct right of action, we suggest that a precondition to any direct action is an attempt to resolve a dispute through conciliation by the OAIC or some other administrative body,” Google said in its submission.

    Media giant Nine also argued against the ACCC’s recommendation.

    “The main beneficiaries of having those claims in the courts instead of the OAIC will be lawyers, as many people will choose to be represented. Lawyers will have incentives to increase the quantum and frequency of claims,” the Nine submission said.

    “Those individuals will fare better, and the system will fare better, if their concerns continue to be handled by the professional team which has done so effectively for nearly 20 years at the OAIC. That team should be well funded. It is much better for the current system to be supported than to disrupt it in the way proposed.”

    While also strongly supportive of the OAIC receiving additional funding and resources, several other submissions argued that the direct right of action could work in tandem with the privacy office to uphold the rights of Australians.

    The post Big Tech clashes with digital rights groups over data appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • The NZ Reserve Bank says it is investigating the breach, which may have exposed “commercially and personally sensitive information”. Image: Alexander Robertson/RNZ

    By RNZ News

    A cyber security expert says attacks like the latest on the Reserve Bank could be due to the type of data systems they are using.

    The Reserve Bank revealed yesterday a third party file sharing service it uses, which contains some sensitive information, had been hacked.

    It is the latest in a string of cyber attacks in the past year targeting several major organisations in New Zealand, including the NZ Stock Exchange – which had its servers knocked out of public view for nearly a week in August.

    Titanium Defence cyber security expert Tony Grasso, who was the cyber lead at the Department of Internal Affairs, told Morning Report file sharing systems could weaken security.

    Grasso said there were still lots of questions about the breach to be answered.

    “The question that will be on my mind, and I’m sure this will be what they’re looking at is, who got in, how did they get in, and more importantly, what information has been taken from this file share, but more interestingly than that, have they got from the file share onto the bank systems internally?”

    However, he said it would be hard to say who could be behind the breach at this stage.

    Foreign intelligence agency?
    “You have to always keep in mind it may be a foreign intelligence national agency whenever something as big as the Reserve Bank … any government department within reason, you always have to have that at the back of your mind,” he said.

    “It would be interesting to find out how they were caught. Our detection systems here are good, if it’s one of those systems that have come from another government agency, a more sensitive government agency, that may indicate it was a foreign actor, or these days criminal gangs are getting together and they’ve become an industry on their own and are really good at getting into organisations.

    “Imagine the ransom you could put on the Reserve Bank if you encrypted all their data, for example.”

    Grasso hoped for a more detailed report from the Reserve Bank on who it could be.

    “The Americans are very good at saying ‘it was definitely a foreign government’ and they normally name them as well. It would be good to know if it was that, if it was a criminal organisation or if it was just a lone wolf – we have loads of these in our industry.”

    The Reserve Bank said sensitive information “may” have been breached.

    The type of information exposed would depend on who the third party was, Grasso said.

    Third party may be IT provider
    “A third party could be just an IT provider and they’re just sharing architecture documents, that would be bad of course. But it could be information around covid for example.

    “If they were working with external agencies about the recovery of the company from covid … it could be papers around how we’re planning for our recovery, I mean who knows.

    “I would hope that sensitive stuff like that isn’t held in a third party file server, I’m fairly sure it wouldn’t be.”

    He said even if its own systems were very secure, having a third party who was insecure connecting to the systems could bring a threat.

    Yesterday, Reserve Bank Governor Adrian Orr said they were investigating the breach with experts and authorities.

    “The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information.

    “It will take time to understand the full implications of this breach, and we are working with system users whose information may have been accessed. Our core functions remain sound and operational.”

    The Reserve Bank declined a request for an interview with Morning Report.

    This article is republished under a community partnership agreement with RNZ.


    This post was originally published on Radio Free.

    Mohamed EL Bashir, a Public Policy & Internet Governance Strategist, wrote a lengthy but informative piece about the persistent problem of commercial spyware abuse: “Reshaping Cyberspace: Beyond the Emerging Online Mercenaries and the Aftermath of SolarWinds”, in CircleID, 5 January 2021.

    The piece starts off with some concrete cases such as Ahmed Mansoor [see https://humanrightsdefenders.blog/2016/08/29/apple-tackles-iphone-one-tap-spyware-flaws-after-mea-laureate-discovers-hacking-attempt/] and Rafael Cabrera [see: https://www.nytimes.com/2017/06/21/world/americas/mexico-pena-nieto-spying-hacking-surveillance.html]. In 2018, a close confidant of Jamal Khashoggi was targeted in Canada by a fake package notification, resulting in the infection of his iPhone.

    …Citizen Lab has tracked and documented more than two dozen cases using similar intrusion and spyware techniques. We don’t know the number of victims or their stories, as not all vectors are publicly known. Once spyware is implanted, it provides a command and control (C&C) server with regular, scheduled updates designed to avoid extensive bandwidth consumption. Those tools are created to be stealthy and evade forensic analysis, avoid detection by antivirus software, and can be deactivated and removed by operators.

    Once successfully implanted on a victim’s phone using an exploit chain like the Trident, spyware can actively record or passively gather a variety of different data about the device. By providing full access to the phone’s files, messages, microphone, and video camera, the operator can turn the device into a silent digital spy in the target’s pocket.

    These attacks and many others that are unreported show that spyware tools and the intrusion business have a significant abuse potential and that bad actors or governments can’t resist the temptation to use such tools against political opponents, journalists, and human rights defenders. Due to the lack of operational due-diligence of spyware companies, these companies don’t consider the impact of the use of their tools on the civilian population nor comply with human rights policies. [see: https://humanrightsdefenders.blog/2020/07/20/the-ups-and-downs-in-sueing-the-nso-group/]

    The growing privatization of cybersecurity attacks arises through a new generation of private companies, aka online mercenaries. This phenomenon has reached the point where it has acquired its own acronym, PSOAs, for the private sector offensive actors. This harmful industry is quickly growing to become a multi-billion dollar global technology market. These newly emerging companies provide nation-states and bad actors the option to buy the tools necessary for launching sophisticated cyberattacks. This adds another significant element to the cybersecurity threat landscape.

    These companies claim that they have strict controls over how their spyware is sold and used and have robust company oversight mechanisms to prevent abuse. However, the media and security research groups have consistently presented a different and more troubling picture of abuse…

    The growing abuse of surveillance technology by authoritarian regimes with poor human rights records is becoming a disturbing new, globally emerging trend. The use of these harmful tools has drawn attention to how the availability and abuse of highly intrusive surveillance technology shrink already limited cyberspace in which vulnerable people can express their views without facing repercussions such as imprisonment, torture, or killing.

    Solving this global problem will be neither easy nor simple and will require a strong coalition of multi-stakeholders, including governments, civil society, and the private sector, to rein in what is now a “Wild West” of unmitigated abuse in cyberspace. With powerful surveillance and intrusion technology roaming free without restrictions, there is nowhere to hide, and no one will be safe from those who wish to cause harm online or offline. Not acting urgently by banning or restricting the use of these tools will threaten democracy, rule of law, and human rights worldwide.

    On December 7, 2020, the US National Security Agency issued a cybersecurity advisory warning that “Russian State-sponsored actors” were exploiting a vulnerability in the digital workspace software developed by VMware (VMware® Access and VMware Identity Manager products) using compromised credentials.

    The next day, on December 8, the cybersecurity firm FireEye announced the theft of its “Red Team” tools that it uses to identify vulnerabilities in its customers’ systems. Several prominent media organizations reported an ongoing software supply-chain attack against SolarWinds, the company whose products are used by over 300,000 corporate and government customers — including most of the Fortune 500 companies, Los Alamos National Laboratory (which has nuclear weapons responsibilities), and Boeing.

    A malware called SUNBURST infected SolarWinds’ customers’ systems when they updated the company’s Orion software.

    On December 30, 2020, Reuters reported that the hacking group behind the SolarWinds compromise was able to break into Microsoft Corp and access some of its source code. This new development sent a worrying signal about the cyberattack’s ambition and intentions.

    Microsoft president Brad Smith said the cyber assault was effectively an attack on the US, its government, and other critical institutions, and demonstrated how dangerous the cyberspace landscape had become.

    Based on telemetry gathered from Microsoft’s Defender antivirus software, Smith said the nature of the attack and the breadth of the supply chain vulnerability was very clear to see. He said Microsoft has now identified at least 40 of its customers that the group targeted and compromised, most of which are understood to be based in the US, but Microsoft’s work has also uncovered victims in Belgium, Canada, Israel, Mexico, Spain, the UAE, and the UK, including government agencies, NGOs, and cybersecurity and technology firms.

    Although the ongoing operation appears to be for intelligence gathering, no reported damage has resulted from the attacks until the publishing date of this article. This is not “espionage as usual.” It created a serious technological vulnerability in the supply chain. It has also shaken the trust and reliability of the world’s most advanced critical infrastructure to advance one nation’s intelligence agency.

    As expected, the Kremlin has denied any role in recent cyberattacks on the United States. President Vladimir Putin’s spokesman Dmitry Peskov said the American accusations that Russia was behind a major security breach lacked evidence. The Russian denial raised the question of a gap of accountability in attributing cyberspace attacks to a nation-state or specific actor. Determining who is to blame in a cyberattack is a significant challenge, as cyberspace is intrinsically different from the kinetic one. There is no physical activity to observe, and technological advancements have allowed perpetrators to be harder to track and to remain seemingly anonymous when conducting the attack (Brantly, 2016).

    To achieve a legitimate attribution, it is not enough to identify the suspects, i.e., the actual persons involved in the cyberattacks; one must also be able to determine whether the cyberattacks had a motive, which can be political or economic, and whether the actors were supported by a government or a non-state actor, with enough evidence to support diplomatic, military, or legal options.

    A recognized attribution can enhance accountability in cyberspace and deter bad actors from launching cyberattacks, especially on civilian infrastructures like transportation systems, hospitals, power grids, schools, and civil society organizations.

    According to article 2 of the United Nations’ Responsibility of States for Internationally Wrongful Acts, to constitute an “internationally wrongful act,” a cyber operation generally must be 1) attributable to a state and 2) breach an obligation owed to another state. It is also unfortunate that state-sponsored cyberattacks violate the international law principles of necessity and proportionality.

    Governments need to consider a multi-stakeholder approach to help resolve the accountability gap in cyberspace. Some states continue to believe that ensuring international security and stability in cyberspace or cyberpeace is exclusively the responsibility of states. In practice, cyberspace is designed, deployed, and managed primarily by non-state actors, like tech companies, Internet Service Providers (ISPs), standards organizations, and research institutions. It is important to engage them in efforts to ensure the stability of cyberspace.

    I will name two examples of multi-stakeholder initiatives to secure cyberspace. The Global Commission on the Stability of Cyberspace (GCSC), which consisted of 28 commissioners from 16 countries, including government officials, developed principles and norms that can be adopted by states to ensure a stable and secure cyberspace. For example, it requested that states and non-state actors not pursue, support, or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda, or plebiscites.

    The Cyberpeace Institute is a newly established global NGO that was only one year old in December 2020 but has the important goal of protecting the most vulnerable and achieving peace and justice in cyberspace. The institute started its operations by focusing on the healthcare industry, which was under attack daily during the COVID-19 pandemic. As those cyberattacks were a direct threat to human life, the institute called upon governments to stop cyber operations against medical facilities and to protect healthcare.

    I believe that there is an opportunity for the states to forge agreements to curb cyberattacks on civilian and private sector infrastructure and to define what those boundaries and redlines should be.

    SolarWinds and the recent attacks on healthcare facilities are important milestones, as they offer a live example of the paramount risks associated with a completely unchecked and unregulated cyberspace environment. But it will only prove to be a moment of true and more fundamental reckoning if many of us, governments and the different stakeholders, play a part, each in their respective roles, in capitalizing on and focusing on those recent events by forcing legal, technological, and institutional reform and real change in cyberspace.

    The effects of the SolarWinds attack will not only impact US government agencies but also businesses and civilians that are currently less secure online. Bad actors are becoming more aggressive, bold, and reckless, and continue to cross the red lines we considered as norms in cyberspace.

    Vulnerable civilians are the targets of intrusion tools and spyware in a new cyberspace wild west landscape. Clearly, additional legal and regulatory scrutiny of private-sector offensive actors (PSOAs) is required. If PSOA companies are unwilling to recognize the role that their products play in undermining human rights or to address these urgent concerns, then intervention by governments and other stakeholders is needed.

    We no longer have the privilege of ignoring the growing impact of cyberattacks on international law, geopolitics, and civilians. We need a strong and global cybersecurity response. What is required is a courageous multi-stakeholder agenda that redefines historical assumptions and biases about the possibility of establishing new laws and norms that can govern cyberspace.

    Changes and reforms are achievable if there is will. The Snowden revelations and the outcry that followed resulted not only in massive changes to the domestic regulation of US foreign intelligence, but they also shaped changes at the European Court of Human Rights, the Court of Justice of the European Union, and the UN. The Human Rights Committee also helped spur the creation of a new UN Special Rapporteur on the Right to Privacy based in Geneva.

    The new cyberspace laws, rules, and norms require a multi-stakeholder dialogue process that involves participants from tech companies, academia, civil society, and international law in global discussions that can be facilitated by governments or supported by a specialized international intergovernmental organization.

    Sources and References:

    http://www.circleid.com/posts/20210105-reshaping-cyberspace-beyond-the-emerging-online-mercenaries/

    This post was originally published on Hans Thoolen on Human Rights Defenders.

  • Cybersecurity threats are having a huge impact on all industries across the public and private sectors – with wide-ranging effects on company trust and the economy, and creating a host of identity and privacy issues. No organisation is impenetrable, but some are better prepared than others.

    InnovationAus asked a leading local cybersecurity policy expert if these threats could be what unites public and private sectors to help build a more resilient Australia in an ever-increasing digital world.

    “Malicious cyber actors are attacking organisations with impunity and without any regard for what type of sector they represent,” said Australian Cyber Security Cooperative Research Centre (CSCRC) head of strategic policy Stephenie Andal.

    Dr Andal spoke with InnovationAus’ James Riley and privileged access management specialist CyberArk’s Australia and New Zealand regional director Thomas Fikentscher as part of the video series Bridging the Cyber Divide.

    Bridging the cyber divide: James Riley, Stephenie Andal and Thomas Fikentscher

    Private and public bodies are being equally targeted by cyber attackers, whether they be state-backed actors wanting to harm democracy or gain competitive advantage, or cybercriminals driven by profit or malice. However, nuances in the events – and the interpretation of them – can make creating suitable legislation complicated.

    As Australia heads into 2021, the nation is staring down radical legislative changes on all things cyber. There’s the big tech media code targeting Google and Facebook and the Federal Government’s just-released draft of the Security Legislation Amendment (Critical Infrastructure) Bill 2020.

    The critical infrastructure amendment seeks to encompass retailers, supermarkets, banks, law firms and cloud providers in addition to classical critical infrastructure providers such as ports and energy utilities that were captured by the 2018 Security of Critical Infrastructure Act — Australia’s answer to the US Terrorism Prevention and Critical Infrastructure Protection Act of 2017.

    There is certainly a cost to businesses, especially those now captured by the legislation that may not yet have the cyber security maturity the legislation requires and must be brought up to speed.

    Beyond broadening cybersecurity obligations in the private sector, the amendment would establish structures for government agencies to assist private sector firms during a hack. On paper, government assistance in these instances looks great, but it is hugely problematic for cloud providers like Amazon Web Services and Microsoft’s Azure division if a signals intelligence and security agency like the Australian Signals Directorate (ASD) intervenes in a hack.

    It can create serious trust problems for global tech companies that supply essential IT services for government agencies, not just in Australia but across the world. Should Microsoft let an Australian security agency into its network without expecting questions from customers in other jurisdictions?

    At the same time, the line between state-sponsored cyber-espionage and rough-and-ready ransomware is blurring. The WannaCry and NotPetya ransomware outbreaks in 2017 initially looked like the work of cybercriminals, but Western governments blamed them, respectively, on the governments of North Korea and Russia.

    On the other hand, Dr Andal points to Verizon’s recently released 2020-2021 Cyber Espionage Report that found the sectors most affected by cyber espionage include financial services, professional services and the public sector.

    “I think what’s really critical to note about these global trends is some of the new sectors that are being encompassed within Australia’s forthcoming legislation,” said Dr Andal.

    “There’s a recognition from the Australian Government that malicious cyber activity happens across multiple sectors, across all parts of our economy and we really need to be doing more and taking a more holistic approach to mitigating these threats,” she added.

    Evidence of Australia’s public sector response can be seen in the consolidation of government cybersecurity functions across the ASD, the Australian Cyber Security Centre (ACSC), and AustCyber, an independent, non-profit Australian cybersecurity growth network that was set up by the Federal Government in 2017 to support Australia’s sovereign cybersecurity capability, she said.

    Dr Andal works for the CSCRC, which handles collaboration between industry, government and academia – somewhat emulating Israel’s approach through the Israel Innovation Authority, which has supported its startup tech scene and digital sovereign capabilities since the 1970s.

    Digital sovereign capabilities are a big question for Australia. CyberArk’s Mr Fikentscher believes a lack of understanding about ‘digital risk’ is hampering homegrown companies from expanding into overseas markets.

    He argues there should be a ‘digital board’ that helps inform company directors and government agencies as to how to bring cybersecurity into the broader discussion about company risk management.

    “Digital risk [as an outcome from digital transformation] is something that’s quite new, whereas cybersecurity has long been in that space,” said Mr Fikentscher.

    “I believe some organisations, that have always operated internationally and had that exchange to global markets, are a bit more advanced because they have more depth of experience,” he said.

    “Whereas domestic organisations, that are trying to expand internationally, run into problems around digital risk because they just don’t know where to start and how to structure and manage the approach to market properly.”

    The public-private divide on the digital economy spans questions about how government supports Australian security startups, how boards of large companies manage cybersecurity risks, the regulatory framework for cybersecurity, and what instruments the government is building for itself and for the private sector.

    The ACSC ensures Australia remains resilient against cyberattacks against government and industry while helping inform citizens and consumers about risks. The ASD got a A$31 million injection as part of the Federal Government’s $1.35 billion Cybersecurity Strategy announced in June. The Government stressed that the investment was to boost ASD’s capabilities to fight hackers offshore before they breached local networks.

    But throw China and international trade discussions into the equation and new questions arise. There are geopolitical rifts happening between China, Australia, the US and Europe that make the question about public-private partnerships a lot more complicated – in a world where existing global supply chains are being disrupted.

    “Really, we’re in a very challenging and fast-moving moment – where, at a global and supranational level, we’re seeing the technological unpicking or decoupling of systems or supply chains as we’ve known it,” said Dr Andal.

    “We’re in the thick of trying to grapple with what that means for us from a digital transformation perspective, from a cybersecurity perspective and then all the way down to citizens and how we will benefit or perhaps not from that.

    “Many nations are grappling with this, not only Australia.”

    However, Australia could be headed down the right path with organisations like the CSCRC, which have a chance to convince larger Australian Government agencies to support early-stage research that could be commercialised, according to Mr Fikentscher.

    “You could actually start a research project in the very early days and bring in one of the big agencies or a private organisation to collaborate as a public-private project,” he said. “This offers the best of both worlds – where the public sector provides the guard rails and the private sector is driving this on the innovation side.

    “It starts with collaboration. If we do that, we can find and develop a lot of good talent within this country, and as a result we would be less reliant on bringing people and skills in from offshore into Australia.”

    The Bridging the Cyber Divide series is produced as a partnership between InnovationAus and CyberArk.

    The post Bridging the public private divide: Cybersecurity appeared first on InnovationAus.

    This post was originally published on InnovationAus.