<p>Cybersecurity – The Conversation (feed updated 2024-03-27T14:37:30Z)</p>
<h1>China’s UK election hack – how and why the Electoral Commission was targeted</h1>
<p>Published 2024-03-27T14:37:30Z</p>
<figure><img src="https://images.theconversation.com/files/584522/original/file-20240326-24-tyjinv.jpg?ixlib=rb-1.1.0&rect=95%2C36%2C4793%2C2763&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><span class="source">Shutterstock/Gago design</span></span></figcaption></figure>
<p>The UK government has accused China of hacking the UK Electoral Commission, gaining access to information about millions of voters.</p>
<p>In the aftermath of the incident, the UK and US governments have <a href="https://www.bbc.co.uk/news/uk-politics-68654533">sanctioned</a> a company that is a front for the Chinese Ministry of State Security (MSS), Wuhan Xiaoruizhi Science and Technology, and affiliated individuals for their involvement in the breach and for placing malware in critical infrastructure.</p>
<p>The UK and many other countries have growing concerns over cyber operations that target national security, technological innovation and economic interests. China has been linked to state-sponsored cyber espionage activities for some time. Targets have included foreign governments, businesses and critical infrastructure. </p>
<p>While China is not inherently a threat to the UK, the two countries have a complex relationship that is characterised by both cooperation and competition. China has economic influence over the UK and the two compete on innovation. But China’s military ambitions, human rights record and reputation for covert influence campaigns require careful diplomatic and strategic management.</p>
<p>It’s not clear what precisely motivated the attack on the Electoral Commission but such attacks are generally linked to various strategic interests. States may target foreign electoral organisations with the aim of influencing election results or more generally to undermine democratic processes, including by damaging trust among voters. They may seek leverage with whatever information they gather, either economically or in terms of global positioning. </p>
<p>These activities are not unique to China. In a deeply connected and increasingly digitised world, many states are strategically motivated to engage in subterfuge of this kind.</p>
<h2>How this kind of attack works</h2>
<p>The US Cybersecurity and Infrastructure Security Agency (CISA) has <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a">already detailed</a> the methods deployed by affiliates of the MSS in their cyber espionage. They systematically exploit vulnerabilities in software and systems, penetrating federal government networks and commercial entities. </p>
<p>Their approach demonstrates a deep understanding of cyber warfare and intelligence gathering and a high level of expertise. It’s clear that significant resources have been put at their disposal.</p>
<p>Central to their strategy is the active exploitation of vulnerabilities. They meticulously search for and take advantage of weaknesses across target systems and software. By identifying these security gaps, they manage to bypass protective measures and infiltrate sensitive environments, aiming to access and extract valuable information.</p>
<p>In gathering intelligence, these operatives scour publicly available sources – including the media and public government reports – to accumulate critical data on their targets. This could range from specifics about an organisation’s IT infrastructure and employee details to potential security lapses. Such intelligence lays the groundwork for highly targeted and effective cyberattacks.</p>
<p>Meanwhile, they scan for vulnerabilities in the system itself, uncovering essential details like open ports and the services running on them. This will include any software that may be ripe for exploitation due to known vulnerabilities.</p>
<p>The operatives then leverage all this information to gain unauthorised access. They exploit system flaws to induce unexpected behaviours, allowing for the installation of malware, data theft and system control. </p>
<p>The ultimate aim of these operations is the exfiltration of data, such as the names and addresses of British voters in the case of the Electoral Commission. They illicitly copy, transfer, or retrieve data from compromised systems, targeting personal information, intellectual property and government or commercial secrets. </p>
<h2>The pencil is mightier than the keyboard</h2>
<p>It was known by August 2023 that the Electoral Commission had come under attack but the suspects have only now been named publicly.</p>
<p>Despite the breach, the Electoral Commission claims that the core elements of the UK’s electoral process remain secure and that there will be <a href="https://www.electoralcommission.org.uk/media-centre/electoral-commission-response-cyber-attack-attribution-0">“no impact”</a> on the security of elections. This is in part because so much of the British system is paper based. People are processed by hand when they go to a polling station on election day, they use pencil and a paper ballot to vote, and their votes are counted by hand.</p>
<p>These factors make it very difficult to influence the outcome of a British election via a cyberattack, unlike in countries that use electronic voting machines or automated vote counting. Paper ballots and records, being tangible and physically countable, provide a verifiable trail. So even in the event of a cyber intrusion, the fundamental act of casting and counting votes remains untainted by digital vulnerabilities. </p>
<h2>Stronger systems are still needed</h2>
<p>The attack nevertheless raises questions about the effectiveness of existing monitoring and logging systems for detecting data breaches. The attack accessed not only the electoral registers but also the commission’s email and control systems. The data potentially accessed included UK citizens’ full names, email addresses, home addresses and phone numbers.</p>
<p>Nor is the commission the only target in the British political system. The National Cyber Security Centre (NCSC) assesses with a high degree of certainty that APT31, an advanced persistent threat group affiliated with the Chinese state, has engaged in reconnaissance activities targeting <a href="https://www.ncsc.gov.uk/news/china-state-affiliated-actors-target-uk-democratic-institutions-parliamentarians">UK parliamentarians</a>.</p>
<p>To secure its elections from cyber threats like those from APT31, the UK government is already improving the overall resilience of its elections cyberinfrastructure. It is working closely with the NCSC to identify threats and emerging trends. These efforts are likely to include regular security audits, penetration testing and the adoption of secure software development practices to ensure that systems are robust.</p>
<p>What’s perhaps most significant in the case of the Electoral Commission hack, however, is the fact that the UK government has called China out so explicitly. This is a strategy decided on with allies as a way of holding perpetrators more accountable. </p>
<p>Publicly attributing cyber attacks to specific state actors or groups sends a clear message that such activities are being monitored and will not go unchallenged. This strategy of transparency and accountability is pivotal in establishing international norms and expectations for state behaviour in cyberspace.</p>
<p class="fine-print"><em><span>Soraya Harding does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>British elections are pencil-and-paper affairs, which makes them difficult to hack. But the breach of millions of people’s details is still a deeply serious matter.</p>
<p>Soraya Harding, Senior lecturer in Cybersecurity Intelligence and Digital Forensics, University of Portsmouth. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Addressing deepfake porn doesn’t require new criminal laws, which can restrict sexual fantasy and promote the prison system</h1>
<p>Published 2024-03-24T11:52:13Z</p>
<figure><img src="https://images.theconversation.com/files/582946/original/file-20240319-28-spiry0.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C6240%2C4156&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Deepfake pornography plays a role in sexual fantasy and expression.</span> <span class="attribution"><span class="source">(Shutterstock)</span></span></figcaption></figure>
<p>After <a href="https://www.theverge.com/2024/1/25/24050334/x-twitter-taylor-swift-ai-fake-images-trending">deepfake pornography of Taylor Swift went viral</a> on the social media platform X (formerly Twitter), <a href="https://www.thecut.com/2024/01/taylor-swift-ai-deepfake-trending-social-media.html">Swifties sprung into action</a>. They organized to report violations of X’s “<a href="https://help.twitter.com/en/rules-and-policies/manipulated-media">Synthetic and Manipulated Media</a>” policy and flooded the platform with real images of Swift in an attempt to alter X’s algorithm.</p>
<p>The incident <a href="https://www.theguardian.com/music/2024/jan/26/taylor-swift-deepfake-pornography-sparks-renewed-calls-for-us-legislation">renewed calls for federal legislation</a> regarding deepfake porn. But whether we need to “<a href="https://www.wired.com/story/taylor-swift-deepfake-porn-artificial-intelligence-pushback/">defeat</a>” deepfake porn by <a href="https://www.theverge.com/2018/2/7/16982046/reddit-deepfakes-ai-celebrity-face-swap-porn-community-ban">censoring</a> and <a href="https://www.theguardian.com/society/2023/jun/27/sharing-deepfake-intimate-images-to-be-criminalised-in-england-and-wales">criminalizing</a> it is up for debate — or at least it should be. </p>
<p>As a criminologist and sexuality studies scholar with expertise in the <a href="https://carleton-ca.academia.edu/LaraKaraian">legal regulation of sex and sexual expression</a>, I find the push to conflate deepfake porn with misogyny and sexual harm concerning, as is the call for new criminal laws.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/GgSduzVDV08?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">ABC News looks at the circulation of fake explicit images of Taylor Swift on X.</span></figcaption>
</figure>
<h2>Are deepfakes sexual violence?</h2>
<p>Deepfake refers to the use of artificially intelligent (AI) machine-learning applications to generate original but “fake” audio, images or videos that may appear authentic. Deepfake pornography (DFP) refers to products that are sexually explicit in nature. </p>
<p>According to a <a href="https://www.homesecurityheroes.com/state-of-deepfakes/#key-findings">2023 report by cybersecurity firm Home Security Heroes</a>, DFP makes up 98 per cent of all deepfake videos online, and 99 per cent of DFP features women. Notably, 94 per cent of these women work in the entertainment industry. </p>
<p>An <a href="https://regmedia.co.uk/2019/10/08/deepfake_report.pdf">earlier study of DFP by Deeptrace Labs</a> found that of those in the entertainment industry, most of the 10 most frequently represented individuals were actresses from western countries, followed by South Korean K-pop singers.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/ai-can-now-create-fake-porn-making-revenge-porn-even-more-complicated-92267">AI can now create fake porn, making revenge porn even more complicated</a>
</strong>
</em>
</p>
<hr>
<p>Given its gendered, sexual and seemingly “non-consensual” nature, DFP has been widely described as gender-based sexual violence requiring <a href="https://www.congress.gov/bill/117th-congress/house-bill/9631/text?s=1&r=79">greater civil and criminal regulation of both AI and deepfake porn producers</a>. </p>
<p>Others, however, suggest that deepfake porn may be <a href="https://cardozolawreview.com/deeply-fake-deeply-disturbing-deeply-constitutional-why-the-first-amendment-likely-protects-the-creation-of-pornographic-deepfakes/">deeply constitutional</a> sexual expression, and that new laws should be put off until more research about the impacts of pornographic deepfakes on those depicted, as well as on internet users, can be conducted. </p>
<p>Deepfake porn raises concerns about false representations — for instance, falsely depicting an individual as sexually active, into a certain type of sex or involved in the porn industry. Whether this constitutes sexual violence — even if a person is distressed by fake videos of them — is not self-evident.</p>
<p>Many valid reasons exist for why deepfake porn may be created and shared, and why it should not be interpreted or criminalized as “<a href="https://theconversation.com/ai-can-now-create-fake-porn-making-revenge-porn-even-more-complicated-92267">image based sexual abuse</a>” or “<a href="https://www.brookings.edu/wp-content/uploads/2016/05/sextortion1-1.pdf">virtual rape</a>.” These reasons include, but are not limited to, the social value of sexual fantasy — including seemingly “deviant” fantasies — and the need to resist prison expansionism and the carceral state.</p>
<h2>Need for new laws?</h2>
<p>Deepfakes, as with the <a href="https://www.wired.com/story/meta-youtube-ai-political-ads/">cheapfakes</a> that preceded them, can be created for malicious purposes including harassment, spreading disinformation and extortion. In instances where the use of one’s image is deeply upsetting to the individual depicted, legal avenues such as civil privacy, intentional infliction of emotional distress, invasion of privacy laws that address “<a href="https://canlii.ca/t/sxjg">false light</a>” (making false or misleading claims about a person that cause harm to them) and take-down orders may help address their concerns. </p>
<p>When it comes to deepfake porn and minors, Canada’s child pornography and its <a href="https://laws-lois.justice.gc.ca/eng/acts/C-46/section-162.1.html">Intimate Images</a> provisions likely apply. And in cases where DFP images and videos are used to harass or extort individuals, laws already exist to address these harms. On or offline, however, there are reasons to resist <a href="https://doi.org/10.1093/socpro/spz013">pro-criminalization strategies</a>.</p>
<p>Queer and sex-radical feminists have long established that even though sex and gender are related, theories of gender oppression cannot wholly explain <a href="https://read.dukeupress.edu/books/book/1560/chapter/173938/Thinking-SexNotes-for-a-Radical-Theory-of-the">sex and sexual politics</a>. Importantly, <a href="https://doi.org/10.1080/15313204.2018.1474827">anti-sexual violence feminists and anti-carceral scholars</a> have pointed out the limits and harms of using criminal law to respond to sexual violence for sexual violence victims, the accused and society more broadly. </p>
<p>Before we can determine whether sexual violence is the best framework for describing and responding to deepfake porn, we need a better understanding of deepfake porn prosumers — those who produce, consume and share their creations — as well as the importance of sexual fantasy, at the individual and collective levels.</p>
<h2>Deepfake porn prosumers</h2>
<p>It’s becoming increasingly difficult to interview or conduct research with deepfake porn prosumers given how widely they are described as <a href="https://www.washingtonpost.com/technology/2018/12/30/how-fake-porn-opponents-are-fighting-back/">depraved</a>, as the embodiment of “<a href="https://doi.org/10.1080/23268743.2019.1675091">toxic geek masculinity</a>,” and as driven by an interest in <a href="https://www.vice.com/en/article/nekqmd/deepfake-porn-origins-sexism-reddit-v25n2">owning women’s bodies</a>.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/583169/original/file-20240320-20-zoul2p.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="a man is silhouetted against a computer screen showing blurred out images" src="https://images.theconversation.com/files/583169/original/file-20240320-20-zoul2p.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip"></a>
<figcaption>
<span class="caption">Given what we know about the demographics of computer programmers and porn consumers, it’s likely that most DFP prosumers are men.</span>
<span class="attribution"><span class="source">(Shutterstock)</span></span>
</figcaption>
</figure>
<p>Research suggests, however, that many deepfake porn creators are hobbyists who are more interested in contributing “to the development of such technology as <a href="http://doi.org/10.22215/timreview/1282">solving an intellectual puzzle</a>… rather than as a way to trick or threaten people.” </p>
<p>It’s likely that most deepfake prosumers are men, given what we know about the demographics of <a href="https://datausa.io/profile/soc/computer-programmers">computer programmers</a> and <a href="https://www.statista.com/statistics/661314/gender-distribution-of-pornhubcom-website-traffic-in-selected-european-countries/">porn consumers</a>.</p>
<p>Insights from clinical practice suggest that when men do create “fake porn,” misogyny rarely serves as a key motivator. Clinical psychologist David J. Ley observes that more of these cases are “driven by <a href="https://www.psychologytoday.com/ca/blog/women-who-stray/201901/the-psychology-behind-fake-porn">feelings of loss, shame, hope, and fantasy</a> than by misogyny and anger.” Similar to Photoshopped “porno collages,” deepfakes serve as a means to explore fantasies that are likely impossible to fulfill.</p>
<p>But is sexual fantasy a valid reason to create and share deepfake porn on public and paid platforms? </p>
<h2>Sexual fantasy and deepfakes</h2>
<p>Sexual fantasy is <a href="https://doi.org/10.1177/13634607221106667">more complicated</a> and more <a href="https://doi.org/10.1037/0033-2909.117.3.469">important to our sex lives and to our social well-being</a> than people typically realize or acknowledge. For many, sexual fantasy is private and limited to their mind’s eye. </p>
<p>Others, however, see sexual fantasy as something to be <a href="https://scholarship.law.wm.edu/wmlr/vol58/iss2/3">manifested as written text, images or digital files, and publicly shared</a> for free or for a fee. </p>
<p>Critical race feminist scholars have demonstrated that <a href="https://doi.org/10.15767/feministstudies.41.2.409">sexual fantasy is both a product of and productive of our complex realities</a>, but that a line can also be drawn between fantasy and reality given the important roles that fantasy plays in our individual and collective lives.</p>
<p>At the individual level, <a href="https://doi.org/10.1111/jsm.12734">a study that surveyed 1,516 adult cis men and women about their sexual fantasies</a> found that more than half of the respondents — 51.7 per cent of women and 61.9 per cent of men — fantasized about sex with a celebrity.</p>
<p>Sexual fantasy research has also helped establish that few sexual fantasies are statistically unusual or rare. This includes fantasies which have previously been deemed perverted or <a href="https://doi.org/10.1111/jsm.12734">atypical</a>, such as <a href="https://www.bloomberg.com/news/newsletters/2023-11-29/us-federal-laws-fail-to-protect-most-deepfake-pornography-victims">those that involve violence or humiliation</a>. These fantasies are not only common, but are also “<a href="https://doi.org/10.1016/j.copsyc.2022.101496">unlikely to be revealing of actual behavior</a>.”</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/583173/original/file-20240320-24-adu4i5.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="two pairs of women's legs wearing heels in red lighting" src="https://images.theconversation.com/files/583173/original/file-20240320-24-adu4i5.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip"></a>
<figcaption>
<span class="caption">Fantasy plays an important role in individual and collective lives.</span>
<span class="attribution"><span class="source">(Shutterstock)</span></span>
</figcaption>
</figure>
<p>According to Ley, <a href="https://www.psychologytoday.com/ca/blog/women-who-stray/201901/the-psychology-behind-fake-porn">reasons for publicly sharing sexual fantasies</a> range from seeking approval, demonstrating technical prowess and playing with taboo to bonding with those who share the same interests or to arouse others in the way they are aroused so as to feel less alone for having these interests and desires. </p>
<p>As legal scholar Andrew Gilden writes: </p>
<blockquote>
<p>the actual process of coming to terms with one’s sexual identity often entails extensive fantasizing, experimentation, education, and social interaction. And these processes <a href="https://scholarship.law.wm.edu/wmlr/vol58/iss2/3/">are often far less romantic</a>, much less ‘dignified,’ and far less ‘PG’ than envisioned by the evolving legal narratives of sexuality.</p>
</blockquote>
<h2>Consent and fantasy</h2>
<p>Thinking about deepfake porn through the lens of sexual fantasy also helps us make sense of the lack of consent in DFP. Consent does not factor into people’s sexual fantasies in the same way as it does their physical sexual relations: I don’t need permission to fantasize about someone, but I do need permission to have sex with them. </p>
<p>Consent is a primarily <a href="https://www.leaf.ca/news/the-law-of-consent-in-sexual-assault/">legal term</a>, that, at its most general, means voluntary agreement to engage in sexual activity. The use of consent language to refer to the creative process of DFP as “image-based sexual abuse” or “virtual rape” shuts down a <a href="https://www.upress.umn.edu/book-division/books/sex-and-harm-in-the-age-of-consent">nuanced conversation about sexual harm and freedom</a>. </p>
<h2>Expanding definitions</h2>
<p>Ultimately, sexual fantasy cannot fully explain the phenomenon of deepfake porn. But failing to acknowledge the limits of gender-based sexual violence frameworks comes with its own harms, including the ever-growing definition of sex crime and the <a href="https://doi.org/10.1093/socpro/spz013">expansion of the carceral state</a>.</p>
<p>We need to think carefully about the social and cultural motivations and intent of content creators, in addition to the potential effects of their creations. We need to consider whether expanding the scope of criminal law to address emotional harm in virtual spaces will bring about the changes we want to see, including the reduction of sexual violence. We also need to acknowledge that criminal law has largely failed to prevent, and indeed <a href="https://www.ucpress.edu/book/9780520385818/the-feminist-war-on-crime#:%7E:text=In%20their%20quest%20to%20secure,and%20diverting%20resources%20toward%20law">perpetuates, emotional and physical violence at a level that requires great awareness and care</a>. </p>
<p>Concerns about sexual autonomy should inform debates about emerging technologies, but alternative frameworks for making sense of and responding to deepfake porn should be considered before we censor and criminalize deepfake porn producers, consumers and products.</p>
<p class="fine-print"><em><span>Lara Karaian receives funding from the Social Sciences and Humanities Research Council.</span></em></p>
<p>Deepfake pornography raises questions about consent, sexuality and representation. The issue is more complicated than online misogyny — new criminal laws are not our best response.</p>
<p>Lara Karaian, Associate Professor, Criminology and Criminal Justice, Carleton University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Politics with Michelle Grattan: Cyber expert Lesley Seebeck on TikTok’s future in Australia</h1>
<p>Published 2024-03-20T05:45:30Z</p>
<figure><img src="https://images.theconversation.com/files/583058/original/file-20240320-22-b7bprd.jpg?ixlib=rb-1.1.0&rect=29%2C29%2C4854%2C2716&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><span class="source">Image provided by Lesley Seebeck</span></span></figcaption></figure>
<p>The United States House of Representatives has passed a bill to force TikTok’s owner, ByteDance, to either sell TikTok to a non-Chinese company or face a ban in the US.</p>
<p>While the measure won’t come into effect until the American Senate agrees, it has re-engaged a debate over TikTok’s risk to national security, as well as its impact on young people and the implications for free speech if there was a ban. </p>
<p>The Albanese government has flagged it won’t blindly follow the US action but instead will rely on advice from its security agencies. </p>
<p>The government, however, earlier banned TikTok from official devices. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/if-tiktok-is-banned-in-the-us-or-australia-how-might-the-company-or-china-respond-225889">If TikTok is banned in the US or Australia, how might the company – or China – respond?</a>
</strong>
</em>
</p>
<hr>
<p>Lesley Seebeck, former CEO of the Cyber Institute, Australian National University, and former chief investment and advisory officer at the Digital Transformation Agency, joins us to discuss the concerns about TikTok.</p>
<p>On the security implications, Seebeck offers some advice:</p>
<blockquote>
<p>I think, certainly, banning on the official devices is worthwhile. I’d also strongly recommend that any journalists or anyone that may feel that they’re of interest to the Chinese state also think twice about having TikTok on their phones. </p>
</blockquote>
<p>While the American bill offers TikTok an out if it is sold to a non-Chinese company, Seebeck says that is unlikely to happen:</p>
<blockquote>
<p>The problem is that China has made it clear that it will not sell it […] which tells you a lot about the fact that China sees this as a strategic asset […] This is very sensitive technology that would be handed over. </p>
</blockquote>
<p>On why there’s so much concern around China owning TikTok:</p>
<blockquote>
<p>If you looked at China 20 years ago, we would be much more comfortable because it was not the place it is now becoming – more and more authoritarian and assertive under Xi Jinping. Things like the national security laws are deeply concerning – the one that’s just passed in Hong Kong – [they] give us a sense of what could be exerted extraterritorially.</p>
</blockquote>
<p>Seebeck highlights why TikTok’s data collection differs from that of other platforms like Facebook:</p>
<blockquote>
<p>People often say, well, TikTok’s collecting data, but so does Facebook and all the rest. But it’s a different way of doing things, because what drives TikTok is the algorithm and that real time responsiveness, which makes it so attractive.</p>
<p>What TikTok does, it’s a constant refresh of data to drive that algorithm. So every time you click on a video […] or you might be following an influencer, and they change, it’s this constant interaction. So the data they’re collecting allows a lot more granularity and a lot more sense about what you might do.</p>
</blockquote>
<p class="fine-print"><em><span>Michelle Grattan does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>TikTok has come into the spotlight after the US Congress proposed a bill to force its sale away from Chinese-owned company ByteDance. To discuss this we’re joined by cyber expert Lesley Seebeck.</p>
<p>Michelle Grattan, Professorial Fellow, University of Canberra. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Is TikTok’s parent company an agent of the Chinese state? In China Inc., it’s a little more complicated</h1>
<p>Published 2024-03-15T15:15:16Z</p>
<figure><img src="https://images.theconversation.com/files/582050/original/file-20240314-28-369bin.jpg?ixlib=rb-1.1.0&rect=5%2C5%2C3553%2C2358&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Some U.S. lawmakers have grown concerned about TikTok.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/people-walk-past-an-advertisement-featuring-the-tiktok-logo-news-photo/2075608549?adppopup=true">Greg Baker/AFP via Getty Images.</a></span></figcaption></figure>
<p>Does the Chinese government have officials inside TikTok’s parent company, ByteDance, pulling the strings? And does the storing of data from the popular social media app outside of China protect Americans?</p>
<p>These questions appear to dominate the current thinking in the U.S. over <a href="https://www.nytimes.com/2024/03/13/technology/tiktok-ban-house-vote.html">whether to ban TikTok</a> if its owner, Chinese technology giant ByteDance, <a href="https://www.cnbc.com/2024/03/14/tiktok-ban-china-would-block-sale-of-short-video-app.html">refuses to sell the platform</a>.</p>
<p>But in my opinion – forged through <a href="https://scholar.google.com/citations?user=vXeBa0kAAAAJ&hl=en">40 years as a scholar of China, its political economy and business</a> – both questions obscure a more interesting point. What’s more, they suggest a crucial misunderstanding of the relationship between state and private enterprise in China.</p>
<p>Simply put, there’s no clear line between the state and society in China in the same way that there is in democracies. The Chinese Communist Party – which is synonymous with the Chinese state – both owns and is the nation. And that goes for private enterprises, too. They operate like joint ventures in which the government is both a partner and the ultimate boss. Both sides know that – even if that relationship isn’t expressly codified and recognizable to outside onlookers.</p>
<h2>ByteDance under the microscope</h2>
<p>Take ByteDance. The company has become the focus of scrutiny in the U.S. largely due to the outsized influence that its subsidiary <a href="https://www.pewresearch.org/internet/2024/02/22/how-u-s-adults-use-tiktok/">plays in the lives of young Americans</a>. Some <a href="https://www.reuters.com/technology/us-house-vote-force-bytedance-divest-tiktok-or-face-ban-2024-03-13/">170 million Americans</a> are TikTok users, and U.S. politicians fear their data has a direct route back to the Chinese state via ByteDance, which has its head offices in Beijing.</p>
<p>Location aside, concerned voices in the U.S. cite the evidence of former ByteDance employees who suggest <a href="https://apnews.com/article/tiktok-china-bytedance-user-data-d257d98125f69ac80f983e6067a84911">interference from the Chinese government</a>, and reports that the state has quietly <a href="https://www.theinformation.com/articles/beijing-tightens-grip-on-bytedance-by-quietly-taking-stake-china-board-seat">taken a direct stake and a board seat</a> at Beijing ByteDance Technology Co. Ltd., ByteDance’s Chinese subsidiary.</p>
<p>Grilled by the House Committee on Energy and Commerce in March 2023, TikTok’s Singaporean CEO Shou Zi Chew <a href="https://apnews.com/article/tiktok-ban-ceo-congressional-hearing-bytedance-china-44d948c5b0ba18e2a714e0fa62d52779">said unequivocally</a> that ByteDance was not “an agent of China or any other country.”</p>
<p>The history of the Chinese government’s dealings with private companies suggests something more subtle, however.</p>
<h2>The rise of China Inc.</h2>
<p>Over its century-long history, the Chinese Communist Party has sought to exercise control over all aspects of the country, including its economy. In its early days, this control took the form of a heavy-handed <a href="https://www.investopedia.com/terms/c/command-economy.asp">command economy</a> in which everything was produced and consumed according to government planning.</p>
<p>China took a step in a more capitalist direction in the latter half of the 20th century after the death of Mao Zedong, founder of the People’s Republic of China. But even the <a href="https://www.cato.org/publications/chinas-post-1978-economic-development-entry-global-trading-system">reforms of Deng Xiaoping</a> in the late 1970s and 1980s – credited for opening up China’s economy – were in the service of party goals. Because China’s economy was in ruins, the party’s emphasis was on economic development, and it loosened its grip on power to encourage that. The continuation of party control was still paramount – it just needed to reform the economy to ensure that goal.</p>
<p>That didn’t mean the party wanted pluralism. After decades of economic growth, and with a GDP surpassing that of the U.S. when <a href="https://www.scmp.com/economy/china-economy/article/3085501/china-overtakes-us-no-1-buying-power-still-clings-developing">measured by purchasing power parity</a>, the Chinese government once again started to shift its focus to a comprehensive control of China.</p>
<p>In recent years, under the increasingly <a href="https://www.uscc.gov/sites/default/files/2022-11/Chapter_1--CCP_Decision-Making_and_Xi_Jinpings_Centralization_of_Authority.pdf">centralized control of Xi Jinping</a>, the Chinese government has evidently opted to run the entire country as a <a href="http://doi.org/10.1108/IJOEM-12-2019-1103">giant corporation</a>, with the ruling party as its management.</p>
<h2>A party with unusual power</h2>
<p>Unlike political parties in democracies, which people freely join and leave, the Chinese Communist Party resembles a secret society. <a href="http://www.xinhuanet.com/english/download/Constitution_of_the_Communist_Party_of_China.pdf">To join</a>, you need to be introduced by two party members and tested for an extended period, and then pledge to die for the party’s cause. Quitting it also <a href="http://www.xinhuanet.com//politics/2017-02/05/c_1120413145.htm">needs approval by the party</a>. <a href="https://doi.org/10.1111/corg.12023">Orders are implicit</a>, and protecting one’s superior is crucial. </p>
<p>People who don’t cooperate face serious consequences. In 2022, an official warned a resident who disobeyed the official’s order in COVID-19 testing that three generations of the resident’s descendants <a href="https://www.rfa.org/cantonese/news/generation-05122022062839.html">would be adversely affected</a> if he were uncooperative. The same is true of businesses: Ride-sharing company Didi incurred the party’s displeasure by listing its stocks in the U.S., and was harshly punished and forced to delist as a result – <a href="https://www.reuters.com/technology/china-fines-didi-global-12-bln-violating-data-security-laws-2022-07-21/">losing more than 80% of its value</a>. </p>
<p>Since those who disobey the party are weeded out or are punished and seen to have learned their lessons, all surviving and successful private businesses are <a href="https://www.wsj.com/articles/jack-ma-makes-ant-offer-to-placate-chinese-regulators-11608479629?page=1">party supporters</a> – either voluntarily or otherwise.</p>
<p>The rapid emergence of <a href="https://doi.org/10.1017/9781009076210">China Inc.</a> has caught even seasoned Chinese entrepreneurs off guard. Consider the case of <a href="https://www.npr.org/2021/07/28/1021651586/chinese-billionaire-sun-dawu-is-sentenced-to-18-years-for-provoking-trouble">Sun Dawu</a>, a successful agricultural entrepreneur known for advocating for rural reform and the rights of farmers. That offended the party, and in 2020, authorities confiscated all his assets and sentenced him to 18 years in prison.</p>
<p>As if that weren’t enough, China’s National Intelligence Law grants broad powers to the country’s spy agencies and obligates companies to assist with intelligence efforts. That’s why some American lawmakers are concerned that ByteDance could be <a href="https://www.atlanticcouncil.org/blogs/new-atlanticist/will-the-us-crack-down-on-tiktok-six-questions-and-expert-answers-about-the-bill-in-congress/">forced to hand over Americans’ private data</a> to the Chinese state. <a href="https://newsroom.tiktok.com/en-au/the-truth-about-tiktok">TikTok denies</a> this is the case. However, recently <a href="https://www.pbs.org/newshour/world/leaked-hacking-files-show-chinese-spying-on-citizens-and-foreigners-alike">leaked files</a> of I-Soon, a Chinese hacking firm, reveal that public-private collusion in data sharing is common in China.</p>
<p>That’s why I’m not convinced by TikTok’s argument that American users’ data is safe because it’s stored <a href="https://newsroom.tiktok.com/en-us/tiktok-facts-how-we-secure-personal-information-and-store-data">outside of China</a>, in the U.S., Malaysia and Singapore. I also don’t think it’s relevant whether the party has members on the ByteDance board or gives explicit orders to TikTok.</p>
<p>Regardless of whether ByteDance has formal ties with the party, there will be the tacit understanding that the management is working for two bosses: the investors of the company and – more importantly – the political overseers who represent the party. Most importantly, when the interests of the two bosses conflict, the party trumps.</p>
<p>As such, as long as ByteDance owns TikTok, I believe ByteDance will use TikTok to support the party – not just for its own business survival, but for the safety of the personnel of ByteDance and TikTok, and their families.</p>
<p class="fine-print"><em><span>Shaomin Li does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
In China, ‘private’ businesses aren’t entirely private and the ultimate boss is the CCP, not the CEO.
Shaomin Li, Eminent Scholar and Professor of International Business, Old Dominion University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/223877 2024-02-20T18:24:56Z
Cybersecurity for satellites is a growing challenge, as threats to space-based infrastructure grow
<figure><img src="https://images.theconversation.com/files/576506/original/file-20240219-26-38pqkp.jpg?ixlib=rb-1.1.0&rect=17%2C0%2C3976%2C2994&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-illustration/satellite-over-earth-119852509">Andrzej Puchta / Shutterstock</a></span></figcaption></figure>
<p>In today’s interconnected world, <a href="https://www.esa.int/Enabling_Support/Preparing_for_the_Future/Discovery_and_Preparation/Space_technology_for_life_on_Earth">space technology forms the backbone</a> of our global communication, navigation and security systems. Satellites orbiting Earth are pivotal for everything from GPS navigation to international banking transactions, making them indispensable assets in our daily lives and in global infrastructure.</p>
<p>However, as our dependency on these celestial guardians escalates, so too does their allure to adversaries who may seek to compromise their functionality through cyber means. A satellite’s service could be interrupted, or at worst the spacecraft could be disabled. The expansion of the digital realm into space has opened new frontiers for cyber threats, posing unprecedented challenges.</p>
<p>This emerging battleground highlights the urgent need for robust cybersecurity measures to protect our space assets from sophisticated attacks that threaten global stability and security. </p>
<p>Recent cyber incidents, such as the <a href="https://news.viasat.com/blog/corporate/ka-sat-network-cyber-attack-overview">2022 attack on the KA-SAT network</a>, highlight the immediate vulnerability of satellites. The network, owned by global communications giant Viasat, faced a sophisticated cyber assault that disrupted its services across Europe. While the perpetrators have not been officially confirmed, many suspect Russia’s involvement.</p>
<p>As we witness an increase in state-sponsored attacks and the commercialisation of hacking tools, the stakes for securing space assets extend beyond technical challenges to encompass potential disruption to the world economy and diplomatic relations between countries that operate satellite networks. The focus on space security has been thrown into the spotlight recently by the claim that Russia is developing a <a href="https://theconversation.com/russias-space-weapon-anti-satellite-systems-are-indiscriminate-posing-a-risk-to-everyones-spacecraft-223935">space-based anti-satellite weapon</a> – possibly one that’s nuclear-powered.</p>
<h2>Evolving threats</h2>
<p>The shift from analogue to digital has transformed space technology vulnerabilities, <a href="https://www.lse.ac.uk/ideas/projects/space-policy/publications/Cyberattacks-on-Satellites#:%7E:text=Cyber%2Dattacks%20on%20satellites%20are,operators%20for%20obvious%20commercial%20reasons.">exposing them to a spectrum of cyber threats</a>. Initially, from the late 1950s onwards, concerns centred around physical tampering and espionage, but as the technology advanced, digital vulnerabilities became the forefront of security challenges. </p>
<p>With adversaries now employing artificial intelligence (AI) and machine learning to find new vulnerabilities, the complexity of attacks goes well beyond traditional strategies for defending satellites.</p>
<p>Early breaches such as the <a href="https://www.usni.org/magazines/proceedings/2021/february/asat-goes-cyber#:%7E:text=In%20late%201998%2C%20a%20joint,although%20direct%20evidence%20is%20scarce.">hacking of US-German satellites in 1998</a> were precursors to the complex cybersecurity landscape we navigate today. Modern adversaries leverage sophisticated techniques to exploit vulnerabilities in satellite communications and data transmission, aiming to disrupt, intercept, or corrupt the invaluable data they carry. </p>
<p>This evolution signifies a pivotal shift in how we must approach the security of space technology, underscoring the importance of anticipating and mitigating digital threats. This includes end-to-end encryption to make data transmission harder to hack or disrupt, and better detection of suspicious activity in advance of an attack. There’s a cost to implementing these security measures, however, such as limitations on computer processing power and bandwidth.</p>
<h2>Vulnerabilities in the void</h2>
<p>The isolation of satellites in orbit and their reliance on wireless communications expose them to specific threats such as signal jamming, spoofing – disguising communications from a suspicious source as those of a known, trusted source – and the interception of data. </p>
<p>Additionally, the limitations on processing power and bandwidth in space exacerbate the challenge of implementing routine software updates and patches, leaving systems vulnerable to exploitation. </p>
<p>Software vulnerabilities within satellite systems can be exploited from great distances, allowing attackers to potentially take control of them. This vulnerability is compounded by the ever-increasing complexity of satellites and their software. </p>
<p>The void of space does not shield these assets from cyber adversaries; instead, it presents a domain rife with unique challenges. These challenges require innovative solutions.</p>
<p>In response to these escalating cyber threats, a united front has formed among space agencies, technology companies and security experts. This effort is focused on developing robust defence mechanisms to protect satellites and other space-based technologies. </p>
<p>Key initiatives include establishing secure communication protocols, implementing end-to-end encryption for data transmission, and deploying AI-powered anomaly detection systems to identify suspicious activities in satellite networks. Beyond initiatives by <a href="https://www.nasa.gov/general/nasa-issues-new-space-security-best-practices-guide/">Nasa</a> and the <a href="https://www.esa.int/Space_Safety">European Space Agency (Esa)</a>, <a href="https://www.weforum.org/agenda/2022/05/increased-cybersecurity-for-space-based-services/">other international collaborations</a> have taken shape, reflecting a widespread commitment to space cybersecurity. </p>
<p>Agreements among countries in the <a href="https://www.forbes.com/advisor/business/what-is-five-eyes/">Five Eyes intelligence alliance</a> (consisting of the US, UK, Canada, Australia and New Zealand) and partnerships with private-sector leaders in space technology underscore the global acknowledgment of the importance of securing space assets. These cooperative endeavours are crucial not only for safeguarding national security interests, but for ensuring the uninterrupted operation of the myriad services that rely on space technology.</p>
<h2>Cyber defences in space</h2>
<p>The development of AI-driven security protocols and quantum encryption is poised to revolutionise the protection of space assets. </p>
<p>AI-driven security offers the potential to predict and counteract cyber threats in real-time, continually adapting to new challenges. However, this technology is still under development and faces significant challenges, including the availability of limited data sets for training in the unique context of space. </p>
<p>Similarly, <a href="https://www.ibm.com/topics/quantum-cryptography">quantum encryption</a> in theory offers impervious security by making use of the field of physics known as quantum mechanics. But this is still in the research and development stage for space applications – practical deployment of such technologies in space will require a great deal more innovation and testing.</p>
<h2>Global implications</h2>
<p>Cybersecurity in space extends far beyond the technical realm, affecting international relations, cooperation, and competition. There is a drive towards greater protection for space infrastructure. International collaboration would be ideal to achieve this, but such an aim faces challenges due to competing interests and varying levels of trust between nations. </p>
<p>The economic repercussions of cyberattacks on space infrastructure are profound. A significant cyber incident could cost billions in damages, disrupting global services and requiring extensive resources for mitigation and recovery. </p>
<p>The complex interplay between the need for collective security measures, the hurdles in achieving global cooperation, and the potential for catastrophic economic impact underscores the intricate relationships between cybersecurity in space, international relations, and economic stability.</p>
<p>Progress in cybersecurity measures in outer space is not just a technical necessity but a global imperative, to safeguard the future of space exploration and the integrity of critical space infrastructure. Addressing the evolving landscape of cyber threats demands ongoing vigilance, innovation, and a unified approach among all those involved in spaceflight.</p>
<p class="fine-print"><em><span>Sylvester Kaczmarek is chief technology officer at OrbiSky Systems.</span></em></p>
The capability for attacking satellites in space using cyber technology is advancing fast
Sylvester Kaczmarek, Chief Technology Officer, Imperial College London
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/223546 2024-02-15T02:32:37Z
The government wants to criminalise doxing. It may not work to stamp out bad behaviour online
<figure><img src="https://images.theconversation.com/files/575741/original/file-20240214-26-jtev2h.jpg?ixlib=rb-1.1.0&rect=19%2C9%2C6510%2C4337&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure>
<p>This week, Prime Minister Anthony Albanese <a href="https://www.theguardian.com/australia-news/2024/feb/12/albanese-government-to-propose-legislation-to-crack-down-on-doxing">announced</a> the government was seeking to strengthen laws to combat doxing. Its ongoing review into Australian privacy law will now be expanded to include doxing, as will other laws covering hate crime and hate speech. </p>
<p>Doxing (sometimes doxxing) is shorthand for “document drop” and is the act of publishing identifying material about someone publicly, without their consent. </p>
<p>Doxing someone can lead to real-life harms, potentially including job loss, violence against the person, their family members and pets, and serious mental health issues.</p>
<p>What any legislation from that review will look like is hard to say at this point. But how has it worked internationally, and would it work here?</p>
<h2>What are other countries doing?</h2>
<p>New laws around doxing came into effect in <a href="https://www.government.nl/latest/news/2023/07/12/use-of-personal-data-for-the-objective-of-harassment-to-become-criminal-offence">The Netherlands</a> at the start of the year. This makes it illegal for Dutch citizens to obtain and share other people’s personal information without their permission and then use it to harass or target them. </p>
<p>Dutch conspiracy theorist Huig Plug was <a href="https://nltimes.nl/2024/02/02/conspiracy-theorist-huig-plug-arrested-doxxing-prosecution-office-staffer">arrested</a> earlier this month under the new legislation for allegedly doxing a member of the public prosecutor’s staff.</p>
<p>In the United States, laws like this are state-based. <a href="https://www.simmrinlawgroup.com/california-penal-code-section-653-2/">California</a> has a special part of its law around so-called “indirect cyber harassment”, which is defined essentially as doxing. </p>
<p>In both of these examples, the doxer has to have intent to harm. They are posting the information because they want someone to, say, lose their job or be opened up to harassment. </p>
<p>The Dutch law goes slightly further in that it is also an offence to make someone’s job harder, as opposed to causing them to lose their job completely. The Dutch laws also carry harsher punishments for doxing people such as police, lawyers and politicians. </p>
<p>From a legal perspective, showing intent to do someone harm can actually be a harder bar to clear than people might think. So, if Australian law follows this pattern, it could be difficult for plaintiffs to prove that being doxed has caused them genuine harm.</p>
<h2>Not a new problem</h2>
<p>Doxing isn’t a new phenomenon and there have been some high-profile doxing cases over the past few years. </p>
<p>One of the most famous global events was the <a href="https://www.theatlantic.com/technology/archive/2015/09/organizational-doxing-ashley-madison-hack/403900/">Ashley Madison</a> data breach in 2015, which resulted in <a href="https://www.theguardian.com/technology/2016/feb/28/what-happened-after-ashley-madison-was-hacked">job losses and suicides</a>. The current discussion, however, hinges around the <a href="https://www.theage.com.au/national/hundreds-of-jewish-creatives-have-names-details-taken-in-leak-published-online-20240208-p5f3if.html">sharing of information</a> from a private WhatsApp group of 600 people and in the context of the ongoing war in Gaza.</p>
<p>We’ve seen the hasty introduction of legislation in these types of circumstances in the past, most notably the Sharing of Abhorrent Violent Material Act, which legal scholars <a href="https://theconversation.com/livestreaming-terror-is-abhorrent-but-is-more-rushed-legislation-the-answer-114620">criticised</a> at the time for a lack of detail and its rushed introduction to parliament.</p>
<p>We saw similar concerns when the Morrison government introduced anti-trolling laws in 2021. I wrote at the time the law <a href="https://theconversation.com/the-governments-planned-anti-troll-laws-wont-help-most-victims-of-online-trolling-172743">wouldn’t help victims that much</a>, partly because it was practically impossible to police.</p>
<p>While the current discussion about changes to the law around doxing is happening, it’s worth revisiting some of these issues.</p>
<h2>How can we police the internet?</h2>
<p>The first thing to note is that it’s really hard to police what happens on the internet. There are several reasons for this.</p>
<p>The main one is that the internet is what we call inter-jurisdictional. There’s a mess of different laws around the world, and no real way to use them if you’re in a different country. This means if someone in The Netherlands doxes you in Australia, you can’t sue them under their laws, because you aren’t a citizen there. You also can’t do anything under Australia’s laws, because the perpetrator is not a citizen here. In short, to make this work, we would need global cooperation akin to Interpol.</p>
<p>The second reason is that, because Australian laws apply only to people currently in the country, there are many ways to get around them online. People can use anonymous accounts and virtual private networks (VPNs) to hide, making it hard to trace exactly who the culprit is and where they are.</p>
<p>The third comes down to the definition of what’s considered “public”. For example, a lot of doxing is done in smaller private groups with the express purpose of that community attacking specific people. That private information is still being shared without the consent or knowledge of the victims. In fact, as the journalist Ginger Gorman <a href="https://www.amazon.com.au/Troll-Hunting-Ginger-Gorman-ebook/dp/B07MC4C851">notes</a> this is the type of behaviour that “predatory trolls” often engage in.</p>
<p>Finally, do we really need these laws when existing ones already cover many of the behaviours associated with doxing?</p>
<p>The biggest of these are found in the <a href="https://www.legislation.gov.au/C2004A04868/2022-11-10/text/2">federal criminal code</a>, legislation that deals with the use of telecommunications for crimes. It sets out offences of using a “carrier service” to threaten, harass or menace someone, including making “hoax threats”. Penalties for these behaviours range from five to ten years in jail. There’s similar wording in the <a href="https://www.legislation.gov.au/C2021A00076/latest/text">Online Safety Act</a>.</p>
<p>While it’s great to see the government working to reform and strengthen existing legislation, I’m not convinced that these types of laws will have much impact given the complexity of policing online behaviours.</p>
<p class="fine-print"><em><span>Jennifer Beckett receives funding from the Australian Research Council, through the Discovery grants scheme for work on online hostility in Australia. </span></em></p>
Anthony Albanese has flagged a crack-down on people’s personal details being shared online without consent. But like so much of the internet, it’s hard to police.
Jennifer Beckett, Lecturer in Media and Communications, The University of Melbourne
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/223086 2024-02-09T00:56:45Z
Desperate for Taylor Swift tickets? Here are cybersecurity tips to stay safe from scams
<p>The global superstar Taylor Swift is bringing her Eras tour to Australia later this month, with sold-out shows in Sydney and Melbourne. With Swifties numbering in the thousands, fans who didn’t initially secure tickets are understandably desperate to find some. </p>
<p>Enter the many fraudsters seizing this opportunity. Sadly, the Australian Competition and Consumer Commission (ACCC) <a href="https://www.accc.gov.au/media-release/swifties-beware-scammers-are-in-their-cruel-summer-era">has reported over A$135,000</a> already lost to ticket fraud for the Swift concerts. The actual losses are likely to be much higher. </p>
<p>Hackers are also targeting the accounts of ticket holders in order to steal and resell legitimate tickets.</p>
<p>So how can you protect yourself if you are looking to buy or sell Eras tickets, or just want to keep your Ticketek account safe?</p>
<h2>The problem is ticket fraud</h2>
<p>In recent years, there has been a shift to electronic ticketing for events. This uses a unique barcode (or QR code) which can be dynamic. In the case of Ticketek, electronic tickets are linked to the purchaser’s phone number to reduce fraud.</p>
<p>Electronic ticketing aims to overcome a range of problems, such as counterfeit tickets, duplicate tickets and ticket scalping. Unsurprisingly, scammers have updated their techniques, too. </p>
<p>When purchasing tickets, it can be difficult to know if it is an authentic website, a genuine ticket and a legitimate transaction. </p>
<p>For example, scammers are selling <a href="https://www.scamwatch.gov.au/news-alerts/scam-alert-taylor-swift-tickets">non-existent tickets</a> across a range of social media platforms. They are also creating fake, legitimate-looking websites that lure in unsuspecting victims to hand over their personal details and money in return for heartache. </p>
<p>Many fraudsters are also tricking people with ticket sales on Facebook. Excited fans send the requested payment (usually a cash transfer), but will not receive their promised tickets and are not likely to recover the money.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/574515/original/file-20240208-26-e030ed.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="An example Facebook post advertising a " src="https://images.theconversation.com/files/574515/original/file-20240208-26-e030ed.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/574515/original/file-20240208-26-e030ed.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=486&fit=crop&dpr=1 600w, https://images.theconversation.com/files/574515/original/file-20240208-26-e030ed.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=486&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/574515/original/file-20240208-26-e030ed.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=486&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/574515/original/file-20240208-26-e030ed.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=610&fit=crop&dpr=1 754w, https://images.theconversation.com/files/574515/original/file-20240208-26-e030ed.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=610&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/574515/original/file-20240208-26-e030ed.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=610&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Facebook has many groups where Taylor Swift fans are on the lookout for tickets, making them vulnerable to scammers.</span>
<span class="attribution"><span class="source">Facebook</span></span>
</figcaption>
</figure>
<h2>Hacked accounts</h2>
<p>The prevalence of hacking drives a lot of the ticket fraud. This is particularly evident through the only official reseller of Eras tickets (and many other events) – Ticketek Marketplace. </p>
<p>Some people have had their Ticketek accounts <a href="https://au.news.yahoo.com/taylor-swift-fans-see-tickets-disappear-ticketek-works-to-curb-scammers-203020815.html">hacked</a>, and offenders have been able to make transactions without the owner’s consent. By the time they realise, it is too late – the owner may have lost their tickets with nothing in return. </p>
<p>There are also many <a href="https://www.9news.com.au/national/taylor-swift-ticket-scammers-hunt-victims-on-facebook-for-australia-eras-tour/d1776810-154e-4f52-aa40-6375eb4285d8">reports</a> of victims whose known contacts (family or friends) message them on social media offering the chance to buy tickets. This approach reduces red flags or suspicions, as it uses existing trust and relationships to get a payment.</p>
<p>However, victims soon find their family member or friend has had their account hacked. Again, there is no ticket and no chance of recovering funds. </p>
<p>Hacking genuine accounts to perpetrate fraud is common. Recently, <a href="https://www.abc.net.au/news/2024-01-31/booking-com-scams-surge-phishing-australians-thousands-dollars/103390292">hackers gained unauthorised access</a> to hotel provider accounts on the popular accommodation website Booking.com. They then communicated with guests to gain direct payments and financial details. </p>
<h2>If I’d only played it safe</h2>
<p>There are no foolproof guarantees when trying to buy resold tickets. But you can look out for warning signs and take steps to reduce the risk of fraud or being hacked.</p>
<p><strong>Only buy tickets through the authorised seller website.</strong> In the case of Swift, that’s Ticketek Marketplace. While customers are reporting <a href="https://www.smh.com.au/culture/music/look-what-you-made-me-do-desperate-swifties-abandon-ticketek-in-risky-hunt-for-tickets-20240118-p5ey6b.html">long wait times</a> and less than satisfactory user experiences right now, it is still the most likely place to have genuine tickets. </p>
<hr>
<p><strong>Do not, under any circumstances, buy tickets on social media such as Facebook.</strong> This includes from known contacts. There is no guarantee that the ticket exists or the person is genuine. There is also no recourse for lost payment. </p>
<p><strong>Never provide or confirm your payment details outside of Ticketek.</strong> Do not transfer any cash via a bank transfer to a seller. There are no seller fees on Ticketek Marketplace, and no reason to pay outside of the regulated system. </p>
<p><strong>Ensure you have strong passwords on all your accounts.</strong> Do not use the same password on several accounts. This is vitally important to protect yourself against many types of harm, not just ticket fraud. </p>
<p><strong>Enable two-factor authentication on any accounts you can.</strong> This provides an additional layer of protection should your password be compromised.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/what-is-multi-factor-authentication-and-how-should-i-be-using-it-191591">What is multi-factor authentication, and how should I be using it?</a>
</strong>
</em>
</p>
<hr>
<p><strong>Use a credit card where possible</strong> rather than debit card or cash transfers. You may be able to dispute a transaction or charge if you have used your credit card and may be able to recover any lost funds.</p>
<p><strong>Take screenshots of any communications and transactions</strong> when purchasing tickets online. While this will not prevent fraud, it does make it easier to report an incident or figure out what happened. </p>
<p><strong>Always confirm in person or over the phone with any known contacts</strong> who have messaged an offer or requested funds. With the prevalence of hacking into accounts, you may not be communicating with the person you think you are. </p>
<h2>No one teaches you what to do</h2>
<p>If you think you have been a victim of ticket fraud, contact your bank or financial institution immediately. The quicker you can do this, the better. </p>
<p>You should also contact the platform through which you made the transaction (such as Ticketek Marketplace). </p>
<p>You can report any financial losses to <a href="https://www.cyber.gov.au/report-and-recover/report">ReportCyber</a>, which is an online police reporting portal for cyber incidents, as well as <a href="https://www.scamwatch.gov.au/report-a-scam">Scamwatch</a>, to assist with education and awareness activities.</p>
<p>If you need support or assistance for any compromise of your identity, contact <a href="https://www.idcare.org/">iDcare</a>.</p>
<p class="fine-print"><em><span>Cassandra Cross has previously received funding from the Australian Institute of Criminology and the Cybersecurity Cooperative Research Centre.</span></em></p>
Australian fans who didn’t manage to snag Eras tickets are on the hunt – and scammers are capitalising on this. Here’s everything you need to know to protect yourself.
Cassandra Cross, Associate Dean (Learning & Teaching) Faculty of Creative Industries, Education and Social Justice, Queensland University of Technology
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/207466 2024-01-29T13:35:03Z 2024-01-29T13:35:03Z
Cybercrime victims who aren’t proficient in English are undercounted – and poorly protected
<figure><img src="https://images.theconversation.com/files/571294/original/file-20240124-17-fn5zlh.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C5472%2C3645&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">People in the U.S. with limited English proficiency are particularly vulnerable to cybercrime.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/couple-paying-bills-royalty-free-image/1177949333">LPETTET/E+ via Getty Images</a></span></figcaption></figure>
<p>In the United States, the Internet Crime Complaint Center serves as a critical component in the FBI’s efforts to combat cybercrime. The <a href="https://www.ic3.gov/">center’s website</a> provides educational resources to help individuals and businesses protect themselves from cyberthreats and also allows them to report their victimization by submitting complaints related to internet crimes. The Internet Crime Complaint Center also publishes <a href="https://www.ic3.gov/Home/AnnualReports">annual reports</a> summarizing the current state of internet crime, trends and notable cases. </p>
<p>However, the information and resources, including the reporting form, posted on the center’s website are only available in English. This excludes a substantial number of internet users and victims of cybercrime: people with limited English proficiency. In addition to leaving out many people who are more vulnerable to cyberthreats, one consequence is that the Internet Crime Complaint Center’s annual Internet Crime Reports are incomplete and inaccurate. </p>
<p>The lack of information and resources on cybersecurity and internet safety in languages other than English on the Internet Crime Complaint Center website further widens the “<a href="https://cltc.berkeley.edu/underserved_populations/">security gap</a>,” a divide that has emerged between those who can manage and mitigate potential cybersecurity threats and those who cannot. Because there isn’t an appropriate reporting mechanism and structure for people with limited English proficiency to report their victimization, data and statistics on cyber victimization within this population are severely limited.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/APlx5qqB2_Y?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">This U.S. Justice Department video explains why government agencies must provide meaningful access to services to people with limited English proficiency.</span></figcaption>
</figure>
<h2>Cybercrime and prevention</h2>
<p>I’m a <a href="https://scholar.google.com/citations?hl=en&user=ruz_DVsAAAAJ&view_op=list_works&sortby=pubdate">criminologist</a>. My colleagues and I conducted focus groups with a sample of adult internet users with limited English proficiency to <a href="https://doi.org/10.52306/2578-3289.1160">examine their experiences with nine forms of cybercrime</a> and <a href="https://doi.org/10.1080/15564886.2024.2329765">explore their knowledge of cybersecurity</a>.</p>
<p>We recruited 18 Spanish- and six Vietnamese-speaking internet users for the study based on the evidence that limited English proficiency individuals in the U.S. <a href="https://ucanr.edu/blogs/blogcore/postdetail.cfm?postnum=19019">tend to be Latino or Asian</a>, and among the Asian ethnic groups Vietnamese Americans are <a href="https://www.migrationpolicy.org/article/vietnamese-immigrants-united-states-5">the least proficient in English</a>.</p>
<p>We asked participants whether they had encountered any of the following during the previous 12 months: </p>
<ul>
<li>They received a phishing email, which is a deceptive message with the intent of tricking them into divulging sensitive information such as login credentials, personal details or financial information.</li>
<li>Their computer was infected with a computer virus. </li>
<li>They received online harassment; for example, a message from someone that threatened, insulted or harassed them. </li>
<li>They were the victim of an online scam; for example, they sent money to an individual or organization that they encountered online and later found to have misrepresented themselves. </li>
<li>They were notified that their financial account had been hacked. </li>
<li>They were notified that their email, social media, shopping or other account had been hacked. </li>
</ul>
<p>Study participants encountered all nine types of cybercrime. The most common types of cyber victimization they experienced were computer virus, reported by seven participants; phishing emails, reported by six participants; notification that their financial account had been hacked and their personal data was at risk, reported by six participants; and notification that another type of account had been hacked, reported by six participants.</p>
<p>We asked participants whether they had engaged in the following cybersecurity measures during the previous 12 months: </p>
<ul>
<li>Have antivirus, anti-spyware, or firewall software installed on their computer and laptop. </li>
<li>Create strong passwords for their online accounts. </li>
<li>Employ a two-factor authentication procedure. </li>
<li>Avoid unsecured wireless networks such as free Wi-Fi at airports. </li>
<li>Avoid websites that are not protected by Secure Sockets Layer, or SSL, encryption; that is, look for URLs that begin with https rather than http.</li>
<li>Use a strong password or encryption to secure their home’s wireless network. </li>
<li>Employ email filters to block suspicious senders and attachments. </li>
<li>Check email senders and attachments to avoid phishing and online scams. </li>
<li>Be cautious when providing personal information to a third party.</li>
<li>Take extra steps such as shredding documents with personal information to prevent data theft. </li>
</ul>
<p>The answer choices were yes, no and I don’t know. In all cases except creating strong passwords, more participants reported “no” than “yes,” and in all cases, the combination of participants who reported “no” and “I don’t know” significantly exceeded the number of participants who reported “yes.”</p>
<h2>Closing the security gap</h2>
<p>Executive Order 13166, signed in 2000, <a href="https://www.justice.gov/crt/executive-order-13166">requires federal agencies to improve access</a> to services for people with limited English proficiency. U.S. Attorney General Merrick Garland issued a memorandum on Nov. 21, 2022, directing the Justice Department’s Civil Rights Division to <a href="https://www.justice.gov/d9/pages/attachments/2022/11/21/attorney_general_memorandum_-_strengthening_the_federal_governments_commitment_to_language_access_0.pdf">share best practices and exchange information</a> about language access with other federal agencies.</p>
<p>I believe that it’s important to close the security gap and attain accurate data and statistics on cyber victimization. Internet- and computer-based crime is <a href="https://www.statista.com/topics/2588/us-consumers-and-cyber-crime/#topicOverview">one of the fastest-growing security threats</a> in the U.S. </p>
<p>Getting a full and accurate picture of the problem requires that data and statistics on cybercrime and cyber victimization include victims who have limited English proficiency as well as those who are English-proficient. </p>
<p>And just as public campaigns related to health and safety tend to be available in multiple languages to reach diverse audiences, I believe all users, regardless of their language skills, should have the knowledge and skills to protect themselves from cybercrime.</p>
<p class="fine-print"><em><span>I, Fawn Ngo, received an internal grant, the Creative Scholarship Grant, from my institution, the University of South Florida, to provide gift cards for the focus group participants. To compensate for their time, each participant received a $25 Target gift card. I did not receive any external funding.</span></em></p>
The federal government’s web portal for reporting cybercrimes is of little use if you have limited proficiency with English.
Fawn Ngo, Associate Professor of Criminology, University of South Florida
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/220979 2024-01-23T17:17:57Z 2024-01-23T17:17:57Z
The top risks from technology that we’ll be facing by the year 2040
<figure><img src="https://images.theconversation.com/files/570631/original/file-20240122-38659-ct7kbz.jpg?ixlib=rb-1.1.0&rect=8%2C0%2C5455%2C3637&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/hand-businessman-using-laptop-caution-warning-2263791387">The 4Stock Team</a></span></figcaption></figure>
<p>Bewilderingly rapid changes are happening in the technology and reach of computer systems. There are exciting advances in artificial intelligence, in the masses of tiny interconnected devices we call the <a href="https://www.zdnet.com/article/what-is-the-internet-of-things-everything-you-need-to-know-about-the-iot-right-now/">“Internet of Things”</a> and in wireless connectivity.</p>
<p>Unfortunately, these improvements bring potential dangers as well as benefits. To get a safe future we need to anticipate what might happen in computing and address it early. So, what do experts think will happen, and what might we do to prevent major problems?</p>
<p>To answer that question, our research team from universities in Lancaster and Manchester turned to the science of looking into the future, which is called “forecasting”. No one can predict the future, but we can put together forecasts: descriptions of what may happen based on current trends. </p>
<p>Indeed, long-term forecasts of trends in technology <a href="https://www.sciencedirect.com/science/article/abs/pii/S0040162502001865?casa_token=EvYkcjUyAtcAAAAA:l0b2wIChPdSxqXAxuGklh3FvNDxnftrjIBG0MCJddE4vY78BPMT6jfLbuXl2n0Qt9u88eY8HB5qo">can prove remarkably accurate</a>. And an excellent way to get forecasts is to combine the ideas of many different experts to find where they agree.</p>
<p>We <a href="https://ieeexplore.ieee.org/document/10380243/">consulted 12 expert “futurists”</a> for a new research paper. These are people whose roles involve long-term forecasting of the effects of changes in computer technology by the year 2040. </p>
<p>Using a technique called <a href="https://en.wikipedia.org/wiki/Delphi_method">a Delphi study</a>, we combined the futurists’ forecasts into a set of risks, along with their recommendations for addressing those risks.</p>
<h2>Software concerns</h2>
<p>The experts foresaw rapid progress in artificial intelligence (AI) and connected systems, leading to a much more computer-driven world than nowadays. Surprisingly, though, they expected little impact from two much-hyped innovations: <a href="https://en.wikipedia.org/wiki/Blockchain">blockchain</a>, a way to record information that makes it impossible or difficult for the system to be manipulated, is, they suggested, mostly irrelevant to today’s problems; and <a href="https://www.technologyreview.com/2019/01/29/66141/what-is-quantum-computing/">quantum computing</a> is still at an early stage and may have little impact in the next 15 years.</p>
<p>The futurists highlighted three major risks associated with developments in computer software, as follows.</p>
<h2>AI Competition leading to trouble</h2>
<p>Our experts suggested that many countries’ stance on AI as an area where they want to gain a competitive, technological edge will encourage software developers to take risks in their use of AI. This, combined with AI’s complexity and potential to surpass human abilities, could lead to disasters.</p>
<p>For example, imagine that shortcuts in testing lead to an error in the control systems of cars built after 2025, which goes unnoticed amid all the complex programming of AI. It could even be linked to a specific date, causing large numbers of cars to start behaving erratically at the same time, killing many people worldwide.</p>
<h2>Generative AI</h2>
<p><a href="https://research.ibm.com/blog/what-is-generative-AI">Generative AI</a> may make truth impossible to determine. For years, photos and videos have been very difficult to fake, and so we expect them to be genuine. Generative AI has already radically changed this situation. We expect its ability to produce convincing fake media to improve so it will be <a href="https://www.dhs.gov/sites/default/files/publications/increasing_threats_of_deepfake_identities_0.pdf">extremely difficult to tell whether some image or video is real</a>.</p>
<p>Suppose someone in a position of trust – a respected leader, or a celebrity – uses social media to show genuine content, but occasionally incorporates convincing fakes. For those following them, there is no way to tell the difference – it will be impossible to know the truth.</p>
<h2>Invisible cyber attacks</h2>
<p>Finally, the sheer complexity of the systems that will be built – networks of systems owned by different organisations, all depending on each other – has an unexpected consequence. It will become difficult, if not impossible, to get to the root of what causes things to go wrong. </p>
<p>Imagine a cyber criminal hacking an app used to control devices such as ovens or fridges, causing the devices all to switch on at once. This creates a spike in electricity demand on the grid, creating major power outages. </p>
<p>The power company experts will find it challenging to identify even which devices caused the spike, let alone spot that all are controlled by the same app. Cyber sabotage will become invisible, and impossible to distinguish from normal problems.</p>
<figure class="align-center ">
<img alt="Pylon." src="https://images.theconversation.com/files/570861/original/file-20240123-23-9wj5y.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/570861/original/file-20240123-23-9wj5y.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/570861/original/file-20240123-23-9wj5y.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/570861/original/file-20240123-23-9wj5y.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/570861/original/file-20240123-23-9wj5y.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/570861/original/file-20240123-23-9wj5y.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/570861/original/file-20240123-23-9wj5y.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Cyber attacks could cause electricity surges on the grid, leading to outages.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/electricity-pylons-field-rape-seed-flowers-2149061413">David Calvert / Shutterstock</a></span>
</figcaption>
</figure>
<h2>Software jujitsu</h2>
<p>The point of such forecasts is not to sow alarm, but to allow us to start addressing the problems. Perhaps the simplest suggestion the experts made was a kind of software jujitsu: using software to guard and protect against itself. We can make computer programs perform their own safety audits by creating extra code that validates the programs’ output – effectively, <a href="https://dl.acm.org/doi/abs/10.1145/3540250.3549081">code that checks itself</a>.</p>
<p>Similarly, we can insist that methods already used to ensure safe software operation continue to be applied to new technologies, and that the novelty of these systems is not used as an excuse to overlook good safety practice.</p>
<h2>Strategic solutions</h2>
<p>But the experts agreed that technical answers alone will not be enough. Instead, solutions will be found in the interactions between humans and technology. </p>
<p>We need to build up the skills to deal with these human-technology problems, and new forms of education that cross disciplines. And governments need to establish safety principles for their own AI procurement and legislate for AI safety across the sector, encouraging responsible development and deployment methods.</p>
<p>These forecasts give us a range of tools to address the possible problems of the future. Let us adopt those tools, to realise the exciting promise of our technological future.</p>
<p class="fine-print"><em><span>This research was funded by the UK North West Partnership for Security and Trust, which is funded through GCHQ. The funding arrangements required this article to be reviewed to ensure that its contents did not violate the UK Official Secrets Act nor disclose sensitive, classified or personal information.</span></em></p>
<p class="fine-print"><em><span>Louise Dennis does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
A new study consulted futurists for their predictions about technological evolution.
Charles Weir, Research Fellow and Lecturer, Lancaster University
Louise Dennis, Senior Lecturer in Computer Science, University of Manchester
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/216198 2023-12-14T13:40:03Z 2023-12-14T13:40:03Z
Phishing scams: 7 safety tips from a cybersecurity expert
<figure><img src="https://images.theconversation.com/files/558278/original/file-20231108-27-qgt394.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Phishers are crafty and their scams are always evolving.</span> <span class="attribution"><span class="source">weerapatkiatdumrong</span></span></figcaption></figure>
<p>Recently, one of my acquaintances, Frank, received an email late on a Monday afternoon with the subject line, “Are you still in the office?” It appeared to come from his manager, who claimed to be stuck in a long meeting without the means to urgently purchase online gift vouchers for clients. He asked for help and shared a link to an online platform, from which Frank bought R6,000 (about US$325) worth of gift vouchers. Once he’d sent the codes he received a second email from the “boss” requesting one more voucher.</p>
<p>At that point, Frank reached out to his boss through WhatsApp and discovered he’d been duped. Frank had fallen prey to a phishing scam. </p>
<p>This is just one example of many from my own circles. Other friends and relatives – some of them seasoned internet users who know about the importance of cybersecurity – have also fallen prey to phishing scams. </p>
<p>I am a cybersecurity professional who conducts <a href="https://www.wits.ac.za/staff/academic-a-z-listing/m/mau-maz/thembekilemayayisewitsacza/">research</a> on and teaches various cybersecurity topics. In recent years I have noticed (and confirmed through <a href="https://iacis.org/iis/2023/4_iis_2023_294-310.pdf">research</a>) that some organisations and individuals seem fatigued by cybersecurity awareness efforts. Is it possible that they assume most people are technologically astute and constantly well-informed? Or could it simply be that fatigue has set in because of the demanding nature of cybersecurity awareness campaigns? Though I have no definitive answer, I suspect the latter.</p>
<p>The reality is that phishing scams are here to stay and the methods employed in their execution continue to evolve. Given my expertise and experience, I would like to offer seven tips to help you stay safe from phishing scams. This is especially important during the festive season as people shop for gifts and book holidays online. These activities create more opportunities for cybercriminals to net new victims. However, these tips are appropriate throughout the year. Cybercriminals don’t take breaks – so you shouldn’t ever drop your guard.</p>
<h2>What is phishing?</h2>
<p>“Phishing” is a strategy designed to deceive people into revealing sensitive information such as credit card details, login credentials and, in some instances, identification numbers. </p>
<p>The most common form of phishing is via email: phishers send fraudulent emails that appear to be from legitimate sources. The messages often contain links to fake websites designed to steal login credentials or other sensitive information. The same email will be sent to many addresses. Phishers can obtain emails from places such as corporate websites, existing data breaches, social media platforms, business cards or other publicly available company documents.</p>
<p>Cybercriminals know that casting their net wide means they’ll surely catch some.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/meet-the-yahoo-boys-nigerias-undergraduate-conmen-60757">Meet the ‘Yahoo boys’ – Nigeria's undergraduate conmen</a>
</strong>
</em>
</p>
<hr>
<p>Voice phishing (vishing) is another form of this scam. Here, perpetrators use voice communication, like a phone call in which the caller falsely claims to be a bank official and seeks to assist you in resetting your password or updating your account details. Other common vishing scams centre on offering discounts or rewards if you join a vacation club, provided you disclose your personal credit card information.</p>
<p>Social media phishing, meanwhile, happens when scammers create fake accounts purporting to be real people (for instance, posing as Frank’s boss). They then start interacting with the real person’s connections to deceive them into giving up sensitive information or performing financial favours.</p>
<p>Cybercriminals also employ SMS phishing (smishing), using text messages to target individuals to reveal sensitive information such as login credentials or credit card details by clicking on malicious links or downloading harmful attachments. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/online-fraudsters-colonial-legacies-and-the-north-south-divide-in-nigeria-187879">Online fraudsters, colonial legacies and the north-south divide in Nigeria</a>
</strong>
</em>
</p>
<hr>
<p>Who is behind these scams? Typically, these are seasoned and cunning scammers who have honed their skills in the world of phishing over an extended period. Some work alone; others belong to syndicates.</p>
<h2>Phishing skills</h2>
<p>Successful phishers have a variety of skills. They combine psychological tactics and technical prowess. </p>
<p>They are master manipulators, playing on victims’ emotions. Individuals are deceived into believing they’ve secured a substantial sum, often millions, through a jackpot win. This scheme falsely claims that their cellphone number or email was used for entry. Consequently, the victim doesn’t seek clarification. Excited about getting the windfall payment quickly, they give their personal information to cybercriminals.</p>
<p>These scammers even tailor their approach to match individuals’ personal beliefs. For example, if you have an affinity for ancestral worship, be prepared for a message from someone claiming to be a medium, asserting that your great-great-grandfather is requesting a money ritual involving a deposit to a particular account and promising multiplication of your funds – even though your ancestors have communicated no such information. </p>
<p>Likewise, if you are a devout Christian, someone claiming to be “Prophet Profit” might attempt to contact you through a messaging platform, suggesting that a monetary offering to their ministry will miraculously resolve all your financial challenges. It’s simply too good to be true.</p>
<h2>Seven tips</h2>
<p>So, how can you avoid email phishing scams? Here are my tips.</p>
<p><strong>1.</strong> Before acting on an email that seems to be from a trusted colleague or friend – especially if it involves an unusual request – check whether the communication is authentic. Contact them directly through a telephone call.</p>
<p><strong>2.</strong> If you encounter suspicious emails at work and are unsure of what to do, promptly report them to your IT department.</p>
<p><strong>3.</strong> Exercise caution when disclosing your contact information, such as email addresses and phone numbers, on public platforms. Malicious individuals may exploit this information for harmful purposes.</p>
<p><strong>4.</strong> Be vigilant when responding to unsolicited emails or messages that request personal information or immediate action.</p>
<p><strong>5.</strong> Validate the sender’s email address. When in doubt, use official contact details from an organisation’s official website to get in touch instead of replying to the message.</p>
<p><strong>6.</strong> Don’t click on dubious links. Always double-check the URL before entering sensitive data.</p>
<p><strong>7.</strong> Keep your devices, anti-spam and anti-malware software up to date. Use strong and unique passwords or multi-factor authentication.</p>
<p class="fine-print"><em><span>Thembekile Olivia Mayayise received research funding from the Diversifying Academy Grant at Wits University.</span></em></p>
Cybercriminals don’t take breaks, so you shouldn’t ever drop your guard.
Thembekile Olivia Mayayise, Senior Lecturer, University of the Witwatersrand
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/216866 2023-12-14T13:12:48Z 2023-12-14T13:12:48Z
Why federal efforts to protect schools from cybersecurity threats fall short
<figure><img src="https://images.theconversation.com/files/565284/original/file-20231212-19-mthmhn.jpg?ixlib=rb-1.1.0&rect=35%2C35%2C5928%2C3943&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The cost of safeguarding America's schools from cybercriminals could run as high as $5 billion.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/payments-system-hacking-online-credit-cards-payment-royalty-free-image/1355213459?phrase=school+cybersecurity&adppopup=true">boonchai wedmakawand via Getty Images</a></span></figcaption></figure>
<p>In August 2023, the White House <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2023/08/07/biden-harris-administration-launches-new-efforts-to-strengthen-americas-k-12-schools-cybersecurity/">announced</a> a plan to bolster cybersecurity in K-12 schools – and with good reason. Between 2018 and mid-September 2023, there were <a href="https://www.k12dive.com/news/ransomware-attacks-targeting-schools-colleges/694313/">386 recorded cyberattacks</a> in the U.S. education sector, which cost those schools $35.1 billion. K-12 schools were the primary target.</p>
<p>The new White House initiative includes a collaboration with federal agencies that have cybersecurity expertise, such as <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2023/08/07/biden-harris-administration-launches-new-efforts-to-strengthen-americas-k-12-schools-cybersecurity/">the Cybersecurity and Infrastructure Security Agency, the Federal Communications Commission</a> and <a href="https://www.the74million.org/article/white-house-takes-on-urgent-k-12-cybersecurity-threat-at-first-ever-summit/">the FBI</a>. Technology firms like Amazon, Google, Cloudflare, PowerSchool and D2L have <a href="https://www.cnbc.com/2023/08/08/white-house-launches-effort-to-secure-k-12-schools-from-cyberattacks.html">pledged to support the initiative</a> with training and resources. </p>
<p>While the steps taken by the White House are positive, as someone who <a href="https://www.uncg.edu/employees/nir-kshetri/">teaches</a> and conducts <a href="https://scholar.google.com/citations?user=g-jALEoAAAAJ&hl=en&oi=ao">research</a> about cybersecurity, I don’t believe the proposed measures are enough to protect schools from cyberthreats. Here are four reasons why:</p>
<h2>1. Schools face more cyberthreats than other sectors</h2>
<p>Cyberattacks on K-12 schools <a href="https://blog.sonicwall.com/en-us/2023/03/sonicwall-data-shows-attacks-on-schools-skyrocketing/">increased more than eightfold</a> in 2022. Educational institutions <a href="https://theconversation.com/ransomware-criminals-are-targeting-us-universities-141932">draw the interest of cybercriminals</a> due to their <a href="https://resources.securityscorecard.com/all/education-report-cybersecurity?xs=226460#page=1">weak cybersecurity</a>. This weak cybersecurity provides an opportunity to access networks containing highly sensitive information.</p>
<p>Criminals can <a href="https://www.ftc.gov/news-events/news/press-releases/2011/09/ftc-testifies-childrens-identity-theft">exploit students’ information</a> to apply for fraudulent government benefits and open <a href="https://www.computer.org/csdl/magazine/co/2018/05/mco2018050092/13rRUwfqpHi">unauthorized bank accounts and credit cards</a>. In testimony to the House Ways and Means Subcommittee on Social Security, a Federal Trade Commission official noted that children’s Social Security numbers are uniquely valuable because they have no credit history and can be paired with any name and date of birth. Over 10% of children enrolled in an identity protection service were <a href="https://www.ftc.gov/news-events/news/press-releases/2011/09/ftc-testifies-childrens-identity-theft">discovered to have loans</a>.</p>
<p>Cybercriminals can also use such information to launch ransomware attacks against schools. Ransomware attacks involve locking up a computer or its files and demanding payment for their release. The ransomware victimization rate in the education sector <a href="https://assets.sophos.com/X24WTUEQ/at/j74v496cfwh4qsvgqhs4pmw/sophos-state-of-ransomware-education-2023-wp.pdf">surpasses that of all other surveyed industries</a>, including health care, technology, financial services and manufacturing.</p>
<p>Schools are especially vulnerable to cyberthreats because more and more schools are <a href="https://chicago.chalkbeat.org/2020/4/3/21225466/chicago-plans-to-give-100-000-tech-devices-to-students-here-are-the-rules">lending electronic devices</a> to students. Criminals have been found to <a href="https://www.kaspersky.com/blog/back-to-school-malware-2019/28316/">hide malware</a> within online textbooks and essays to dupe students into downloading it. Should students or teachers inadvertently download malware onto school-owned devices, criminals can launch an attack on the entire school network.</p>
<p>When faced with such an attack, schools can be <a href="https://buffalonews.com/news/local/experts-say-ransomware-attack-on-buffalo-public-schools-should-have-been-anticipated/article_60a77598-8446-11eb-8b6b-d3137700ab43.html">desperate to comply</a> with criminals’ demands to <a href="https://www.nytimes.com/2020/11/19/nyregion/schools-closing.html">ensure students’ access to learning</a>.</p>
<h2>2. Schools lack cybersecurity personnel</h2>
<p>K-12 schools’ poor cybersecurity performance can be attributed, in part, to lack of staff. About <a href="https://www.edweek.org/technology/k-12-tech-leaders-dont-feel-prepared-for-cyberattacks/2023/05">two-thirds of school districts</a> lack a full-time cybersecurity position. Those with cybersecurity staff often <a href="https://edtechmagazine.com/k12/article/2023/10/school-cybersecurity-becomes-focus-feds-and-k-12-leaders">don’t have the budget</a> for a chief information security officer to oversee and manage the district’s strategy. Often, <a href="https://edtechmagazine.com/k12/article/2023/10/school-cybersecurity-becomes-focus-feds-and-k-12-leaders">the IT director takes on this role</a>, but they have a broader responsibility for IT operations without a specific emphasis on security.</p>
<h2>3. Schools lack cybersecurity skills</h2>
<p>The <a href="https://www.plantemoran.com/explore-our-thinking/insight/2020/11/cybersecurity-in-k12-schools-how-to-prevent-a-data-breach">lack of cybersecurity skills</a> among existing staff hinders the development of strong cybersecurity programs.</p>
<p>Only <a href="https://cyber.org/sites/default/files/2020-06/The%20State%20of%20Cybersecurity%20Education%20in%20K-12%20Schools.pdf">10% of educators</a> say that they have a deep understanding of cybersecurity. The majority of students say that they have <a href="https://cyber.org/sites/default/files/2020-06/The%20State%20of%20Cybersecurity%20Education%20in%20K-12%20Schools.pdf">minimal or no knowledge</a> about cybersecurity. Cybersecurity awareness tends to be even <a href="https://cyber.org/sites/default/files/2020-06/The%20State%20of%20Cybersecurity%20Education%20in%20K-12%20Schools.pdf">lower in higher-poverty districts</a>, where students have <a href="https://www.darkreading.com/cyberattacks-data-breaches/preventing-cyberattacks-schools-k-12-cybersecurity-education">less access</a> to cybersecurity education.</p>
<p>The Cybersecurity and Infrastructure Security Agency plans to provide cybersecurity training to an additional <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2023/08/07/biden-harris-administration-launches-new-efforts-to-strengthen-americas-k-12-schools-cybersecurity/#:%7E:text=Today%2C%20Secretary%20of%20Education%20Miguel,our%20schools'%20cybersecurity%2C%20protect%20American">300 K-12 schools, school districts and other organizations involved in K-12 education</a> in the forthcoming school year. With <a href="https://research.com/universities-colleges/number-of-public-schools-in-the-us#:%7E:text=There%20are%20130%2C930%20K%2D12,%5BNCES%5D%2C%202020">130,930 K-12 public schools</a> and <a href="https://ballotpedia.org/Public_school_district_(United_States)">13,187 public school districts</a> in the U.S., CISA’s plan serves only a tiny fraction of them.</p>
<h2>4. Inadequate funding</h2>
<p><a href="https://www.fcc.gov/">The FCC</a> has proposed a pilot program that would allocate <a href="https://docs.fcc.gov/public/attachments/DOC-395069A1.pdf">$200 million</a> over three years to boost cyberdefenses. With an annual budget of $66.6 million, this falls short of covering the entirety of cybersecurity costs, given that it will cost an estimated $5 billion to adequately secure the nation’s K-12 schools.</p>
<p><a href="https://nordlayer.com/blog/cost-benefit-analysis-of-cybersecurity-spending/">The costs encompass</a> hardware and software procurement, consulting, testing, and hiring data protection experts to combat cyberattacks. <a href="https://www.govpilot.com/blog/how-to-train-government-workers-on-cyber-security-attacks">Frequent training</a> is also needed to respond to evolving threats. As technology advances, cybercriminals adapt their methods to exploit vulnerabilities in digital systems. Teachers must be ready to address such risks.</p>
<h2>Costs are sizable</h2>
<p>How much should schools and districts be spending on cybersecurity? Other sectors can serve as a model to guide K-12 schools.</p>
<p>One way to determine cybersecurity funding is by the number of employees. In the financial services industry, for example, these costs range from <a href="https://cybersecurity.att.com/blogs/security-essentials/how-to-justify-your-cybersecurity-budget">$1,300 to $3,000</a> per full-time employee. There are <a href="https://www.weareteachers.com/how-many-teachers-are-in-the-us/">over 4 million teachers</a> in the United States. Setting cybersecurity spending at $1,300 per teacher – the low end of what financial firms spend – would require K-12 schools to spend a total of $5 billion.</p>
<p>An alternate approach is to determine cybersecurity funding relative to IT spending. On average, <a href="https://venturebeat.com/security/benchmarking-your-cybersecurity-budget-in-2023/#:%7E:text=On%20average%20in%202022%2C%20enterprises,their%20IT%20budgets%20on%20cybersecurity">U.S. enterprises are estimated to spend 10%</a> of their IT budgets on cybersecurity. Since K-12 schools were estimated to spend <a href="https://edtechevidence.org/wp-content/uploads/2021/07/FINAL-K12-EdTech-Funding-Analysis_v.1.pdf">more than $50 billion</a> on IT in the 2020-21 fiscal year, allocating 10% to cybersecurity would also require them to spend $5 billion.</p>
<p>Another approach is to allocate cybersecurity spending as a proportion of the total budget. In 2019, cybersecurity spending represented <a href="https://cybersecurity.att.com/blogs/security-essentials/how-to-justify-your-cybersecurity-budget">0.3%</a> of the federal budget. Federal, state and local governments collectively allocate <a href="https://educationdata.org/public-education-spending-statistics#:%7E:text=Public%20K%2D12%20expenditures%20total,education%20or%20%247%2C430%20per%20student">$810 billion</a> for K-12 education. If schools set cybersecurity spending at 0.3%, following the example of federal agencies, that would require an annual budget of $2.4 billion.</p>
<p>By contrast, a fifth of schools <a href="https://www.securitymagazine.com/articles/99982-the-hidden-cost-of-the-cybersecurity-deficit-in-k-12-education">dedicate less than 1% of their IT budgets</a> – not their entire budgets – to cybersecurity. In <a href="https://www.edweek.org/technology/k-12-tech-leaders-dont-feel-prepared-for-cyberattacks/2023/05">12% of school districts</a>, there is no allocation for cybersecurity at all.</p>
<p class="fine-print"><em><span>Nir Kshetri does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Cybercriminals target schools because they’re uniquely vulnerable. A cybersecurity expert explores whether a new White House initiative will be enough to deter bad actors.
Nir Kshetri, Professor of Management, University of North Carolina – Greensboro
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/219406
2023-12-10T22:09:09Z
2023-12-10T22:09:09Z
Digital ID will go mainstream across Australia in 2024. Here’s how it can work for everyone
<figure><img src="https://images.theconversation.com/files/564405/original/file-20231207-23-kahv7b.jpg?ixlib=rb-1.1.0&rect=4%2C0%2C2904%2C1634&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://unsplash.com/photos/woman-in-black-shirt-standing-in-front-of-black-metal-screen-Jlqm6p_nntk">Simon Lee / Unsplash</a></span></figcaption></figure><p>In a world promising self-driving cars and artificial general intelligence, the prospect of a new form of digital identity verification can feel … less than exciting.</p>
<p>And yet digital identity is about to be unleashed in Australia and around the world. In 2024, many years before most of us experience the joy of commuting in our fully autonomous car, new forms of digital ID will profoundly change how we engage with government and business. For example, digital ID may remove the pain of handing over physical copies of your driver’s licence, passport and birth certificate when renewing your Working with Children Check or setting up a new bank account.</p>
<p>How can we gain the benefits of digital ID – convenience, efficiency, lower risk of cybercrime – while minimising the attendant risks, such as privacy leaks, data misuse, and reduced trust in government? </p>
<p>In <a href="https://jmi.org.au/news/facial-verification-tech-in-nsw-digital-identity-new-report-unveils-path-to-enhanced-governance-and-training">a new paper</a> released today by the Human Technology Institute, we propose legal and policy guardrails to improve user safeguards and build community trust for the rollout of digital ID in New South Wales. While the paper focuses on NSW, it contains ten principles to support the development of any safe, reliable and responsible digital identity system.</p>
<h2>Across Australia, governments are kickstarting digital identity initiatives</h2>
<p>Some forms of digital identification already operate in Australia at scale. For example, the <a href="https://www.idmatch.gov.au/">Document Verification Service</a> was introduced as early as 2009 to automate checking of important documents such as passports. </p>
<p>Last year this service was used <a href="https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Legal_and_Constitutional_Affairs/IDVerificationBills23/Report/Chapter_1_-_Introduction">more than 140 million times</a> by roughly 2,700 government and private sector organisations. A limited form of facial verification technology was used well over a million times.</p>
<p>A key problem, however, is that Australia has not had an effective legal framework to govern even the existing digital ID system. This is starting to change. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/a-national-digital-id-scheme-is-being-proposed-an-expert-weighs-the-pros-and-many-more-cons-214144">A national digital ID scheme is being proposed. An expert weighs the pros and (many more) cons</a>
</strong>
</em>
</p>
<hr>
<p>In June this year, the federal government released a <a href="https://www.homeaffairs.gov.au/criminal-justice/files/national-strategy-for-identity-resilience.pdf">national strategy for digital identity resilience</a>. In its final sittings for 2023, the Australian Parliament <a href="https://ministers.ag.gov.au/media-centre/delivering-strong-safeguards-identity-verification-services-07-12-2023">passed the Identity Verification Services Bill 2023</a>, which provides some important protections for privacy and other rights. </p>
<p>Also in December, the government proposed a second law, the <a href="https://ministers.ag.gov.au/media-centre/strengthening-australias-digital-id-system-30-11-2023">Digital ID Bill 2023</a>. This bill would provide rules for a major expansion of Australia’s system of digital identification.</p>
<p>Notwithstanding this recent flurry of activity in the federal government, NSW has long been Australia’s leading jurisdiction in this area. It announced its <a href="https://www.nsw.gov.au/customer-service/media-releases/nsw-government-unveils-future-of-digital-identity">Digital ID program</a> in April 2022 and has quietly worked to put in place the key elements of what could become a world-leading digital ID system, with strong community safeguards.</p>
<h2>What is a ‘digital identity’, and what are the risks?</h2>
<p>The technologies at the heart of digital ID are powerful and carry risks. </p>
<p>In particular, facial verification technology matches an individual’s face data against a recorded reference image. It may also incorporate “liveness detection”, which checks that the face to be verified belongs to a genuine individual requesting a service in real time (as opposed to a photograph, for example). </p>
<p>NSW’s digital identity initiative uses both these technologies.</p>
<p>Overall, digital identity should mean <em>less</em> of our personal information is collected and used by third parties. For example, when someone enters a pub and a bouncer asks for ID, the only information the bouncer needs to know is that the patron is over 18. The bouncer doesn’t need other personal information on their licence, such as their address or organ donor status. </p>
<p>Good design and regulation would ensure the digital ID service can verify someone’s age without disclosing other sensitive data.</p>
<p>On the other hand, these technologies use sensitive personal information and this brings risks when they are used to make decisions that affect people’s rights. Errors may result in an individual being denied an essential government service. </p>
<p>Because a digital ID system would by its nature collect sensitive personal information, it also poses risks of identity fraud or hacking of personal information.</p>
<h2>Making digital ID safe</h2>
<p>There must be robust safeguards in place to address these risks.</p>
<p>Accountable digital identity systems should be voluntary, not compulsory. They need to ensure citizens have options for choice and consent, and should be usable and accessible for everyone. </p>
<p>Digital ID also needs to be safe. It should protect the sensitive personal information of users and make sure this data is not used for other, unintended purposes like law enforcement.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/australias-national-digital-id-is-here-but-the-governments-not-talking-about-it-130200">Australia's National Digital ID is here, but the government's not talking about it</a>
</strong>
</em>
</p>
<hr>
<p>To achieve these aims, we recommend that NSW Digital ID be grounded in legislation that enshrines:</p>
<ul>
<li><p><strong>user protections</strong>, including providing for privacy and data security of all users</p></li>
<li><p><strong>performance standards</strong>, ensuring that digital identity performs to a high standard of accuracy and is fit for purpose, with public reporting by the responsible government agency or department on relevant independent benchmarking and technical standards compliance</p></li>
<li><p><strong>oversight and accountability</strong>, with both internal and external monitoring, and clear redress mechanisms</p></li>
<li><p><strong>interoperability</strong> with other government systems.</p></li>
</ul>
<p>These principles are not specific to NSW. They are relevant and transferable to other jurisdictions looking to develop digital identity systems. </p>
<p>Whether Australia’s digital identity transformation is a success depends on how digital identity systems are established in law and practice. It is crucial that robust governance mechanisms are in place to ensure digital identity systems are safe, secure and accountable. Only then will Australians embrace and trust the digital transformation that is afoot.</p>
<hr>
<p><em>HTI’s work to develop independent expert advice outlining a governance framework and training strategy for NSW Digital ID was funded by a <a href="https://jmi.org.au/2022-policy-challenge-grant-winners/">James Martin Institute Policy Challenge Grant</a>.</em></p>
<p class="fine-print"><em><span>Edward Santow works for the UTS Human Technology Institute. The Institute has received a funding grant from the James Martin Institute for Public Policy to support the project mentioned in this article. Prof Santow also serves as an independent member of the NSW Government's AI Review Committee, which has provided some advice on the NSW Government's use of digital identification.</span></em></p>
<p class="fine-print"><em><span>Lauren Perry works for the UTS Human Technology Institute. The Institute has received a funding grant from the James Martin Institute for Public Policy to support the project mentioned in this article.</span></em></p>
<p class="fine-print"><em><span>Sophie Farthing works for the UTS Human Technology Institute. The Institute has received a funding grant from the James Martin Institute for Public Policy to support the project mentioned in this article.</span></em></p>
2024 will see a massive expansion in Australia’s digital ID system. Good tech and strong guardrails will make Australia a world leader in this important area.
Edward Santow, Professor & Co-Director, Human Technology Institute, University of Technology Sydney
Lauren Perry, Responsible Technology Policy Specialist - Human Technology Institute, University of Technology Sydney
Sophie Farthing, Head, Policy Lab, Human Technology Institute, University of Technology Sydney
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/217422
2023-12-05T17:50:44Z
2023-12-05T17:50:44Z
Want to know if your data are managed responsibly? Here are 15 questions to help you find out
<figure><img src="https://images.theconversation.com/files/563436/original/file-20231204-21-5svi2j.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C5990%2C3506&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Organizations that gather information should establish a framework for responsibly managing user data.</span> <span class="attribution"><span class="source">(Shutterstock)</span></span></figcaption></figure>
<p>As the volume and variety of data about people increases, so does the number of ideas about how data might be used. Studies show that many <a href="https://doi.org/10.1186/s12910-016-0153-x">people want their data</a> to be used for <a href="https://doi.org/10.1787/276aaca8-en">public benefit</a>. </p>
<p>However, the research also shows that public support for use of data is conditional, and only given when risks such as those related to <a href="https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/">privacy</a>, <a href="https://wellcome.figshare.com/articles/journal_contribution/The_One-Way_Mirror_Public_attitudes_to_commercial_access_to_health_data/5616448">commercial exploitation</a> and <a href="https://www.jmir.org/2021/8/e26162/">artificial intelligence misuse</a> are addressed. </p>
<p>It takes a lot of work for organizations to establish data governance and management practices that mitigate risks while also encouraging beneficial uses of data. So much so, that it can be challenging for responsible organizations to communicate their data trustworthiness without providing an overwhelming amount of technical and legal details.</p>
<p>To address this challenge our team undertook a multiyear project to identify, refine and publish a short list of <a href="https://doi.org/10.23889/ijpds.v8i4.2142">essential requirements for responsible data stewardship</a>.</p>
<p>Our 15 minimum specification requirements (min specs) are based on a review of the scientific literature and the practices of 23 different data-focused organizations and initiatives. </p>
<p>As part of our project, we compiled over 70 public resources, including examples of organizations that address the full list of min specs: <a href="https://www.ices.on.ca/data-repository-requirements/">ICES</a>, the <a href="https://static1.squarespace.com/static/5d8b7b3eabff3c4f1954d802/t/63c9b2638614cc5609a3a0d3/1674163135114/hdc-minspecs.">Hartford Data Collaborative</a> and the <a href="https://www.unb.ca/nbirdt/data/privacy/index.html">New Brunswick Institute for Research, Data and Training</a>.</p>
<p>Our hope is that information related to the min specs will help organizations and data-sharing initiatives share best practices and learn from each other to improve their governance and management of data.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/563439/original/file-20231204-23-rmsqh4.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="a woman sitting on a sofa on a laptop" src="https://images.theconversation.com/files/563439/original/file-20231204-23-rmsqh4.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/563439/original/file-20231204-23-rmsqh4.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=393&fit=crop&dpr=1 600w, https://images.theconversation.com/files/563439/original/file-20231204-23-rmsqh4.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=393&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/563439/original/file-20231204-23-rmsqh4.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=393&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/563439/original/file-20231204-23-rmsqh4.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=494&fit=crop&dpr=1 754w, https://images.theconversation.com/files/563439/original/file-20231204-23-rmsqh4.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=494&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/563439/original/file-20231204-23-rmsqh4.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=494&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">People want to know that organizations can responsibly gather and manage data.</span>
<span class="attribution"><span class="source">(Shutterstock)</span></span>
</figcaption>
</figure>
<h2>Minimum specification requirements</h2>
<p>We also think the min specs can help people know what to expect of responsible data stewards. To support people in using the min specs, we translated them into plain language questions that individuals can pose to the organizations that collect, use or share their data:</p>
<p><strong>Legal</strong></p>
<p>1) What laws, consent forms or other documents give you the authority to collect, use or share data?</p>
<p><strong>Governance</strong></p>
<p>2) Where do you publicly state the purpose behind your data-focused activities?</p>
<p>3) Which committee or group is accountable for important decisions such as who can use data and how they can use it?</p>
<p>4) How do you achieve transparency about your data holdings, data access policies and other information that people want to know about their data?</p>
<p>5) How do you acknowledge and respect <a href="https://www.stateofopendata.od4d.net/chapters/issues/indigenous-data.html">Indigenous Data Sovereignty</a>? </p>
<p>6) What measures are in place to ensure you adapt and respond to new threats and opportunities?</p>
<p><strong>Management</strong></p>
<p>7) What policies, processes and procedures do you have to cover the entire data life cycle from collection through to use, sharing and destruction?</p>
<p>8) How do you address cybersecurity and data protection?</p>
<p>9) How do you identify and manage risks related to data?</p>
<p>10) What data documentation do you have to help people understand the data you hold?</p>
<p><strong>Data users</strong></p>
<p>11) Is there mandatory privacy and security training that data users must complete?</p>
<p>12) What are the consequences if data users do things they are not allowed to do with data?</p>
<p><strong>Stakeholder and public engagement</strong></p>
<p>13) How do you engage with stakeholders such as the organizations that provide you with data and the organizations that use the knowledge you generate?</p>
<p>14) How can members of the public be informed and get involved in the decisions you make about data?</p>
<p>15) What special measures do you have to engage and involve groups who have a special interest in your activities or decisions?</p>
<h2>Transparent and trustworthy</h2>
<p>These min spec questions can serve as a framework to improve data governance and management practices.</p>
<p>It is our hope that the more that members of the public request this kind of information, the more that organizations will proactively make it available or adapt their practices.</p>
<p>In this way, the min specs can help increase the transparency and trustworthiness of data holding organizations, which can, in turn, lead to more support for data being shared and used for public benefit.</p>
<p class="fine-print"><em><span>P. Alison Paprica has received funding from the Canadian Institutes of Health Research and other national and provincial research funders in Canada.</span></em></p>
<p class="fine-print"><em><span>Amy Hawn Nelson receives funding from Robert Wood Johnson Foundation, Annie E. Casey Foundation, the Ford Foundation and the Walton Family Foundation.</span></em></p>
<p class="fine-print"><em><span>Donna Curtis Maillet receives funding from the Canadian Institutes of Health Research and other national and provincial research funders in Canada.</span></em></p>
<p class="fine-print"><em><span>Kimberlyn McGrail receives funding from the Canadian Institutes of Health Research and other national and provincial research funders in Canada.</span></em></p>
<p class="fine-print"><em><span>Michael J. Schull receives funding from the Canadian Institutes of Health Research and the Government of Ontario.</span></em></p>
Responsible data stewardship must take many factors into account including legal requirements, data governance, cybersecurity and user privacy.
P. Alison Paprica, Professor (adjunct) and Senior Fellow, Institute for Health Policy, Management and Evaluation, Dalla Lana School of Public Health, University of Toronto
Amy Hawn Nelson, Research Faculty, Actionable Intelligence for Social Policy (AISP), University of Pennsylvania
Donna Curtis Maillet, Privacy Officer, New Brunswick Institute for Research, Data and Training, Research associate, Faculty of Law, University of New Brunswick
Kimberlyn McGrail, Professor of Health Services and Policy Research, University of British Columbia
Michael J. Schull, Professor, Department of Medicine, University of Toronto
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/216581
2023-11-22T17:05:13Z
2023-11-22T17:05:13Z
The vast majority of us have no idea what the padlock icon on our internet browser is – and it’s putting us at risk
<figure><img src="https://images.theconversation.com/files/559630/original/file-20231115-15-zfe1h.jpg?ixlib=rb-1.1.0&rect=50%2C0%2C5568%2C3692&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The padlock icon which appears in most internet browser address bars.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/web-browser-closeup-on-lcd-screen-1353121223">Robert Avgustin/Shutterstock</a></span></figcaption></figure>
<p>Do you know what the padlock symbol in your internet browser’s address bar means? If not, you’re not alone. <a href="https://www.tandfonline.com/doi/full/10.1080/10447318.2023.2266789">New research</a> by my colleagues and me shows that only 5% of UK adults understand the padlock’s significance. This is a threat to our online safety.</p>
<p>The padlock symbol on a web browser simply means that the data being sent between the web server and the user’s computer is encrypted in transit and cannot be read by others along the way. But when we asked people what they thought it meant, we received an array of incorrect answers.</p>
<p>In our study, we asked a cross section of 528 web users, aged between 18 and 86 years of age, a number of questions about the internet. Some 53% of them held a bachelor’s degree or above and 22% had a college certificate, while the remainder had no further education. </p>
<p>One of our questions was: “On the Google Chrome browser bar, do you know what the padlock icon represents/means?” </p>
<p>Of the 463 who responded, 63% stated they knew, or thought they knew, what the padlock symbol on their web browser meant, but only 7% gave the correct meaning. Respondents gave us a range of incorrect interpretations, believing among other things that the padlock signified a secure web page or that the website is safe and doesn’t contain any viruses or suspicious links. Others believed the symbol means a website is “trustworthy”, is not harmful, or is a “genuine” website. </p>
<figure class="align-left ">
<img alt="A symbol of a circle next to a straight line over a straight line and a circle." src="https://images.theconversation.com/files/559903/original/file-20231116-19-zm7pen.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/559903/original/file-20231116-19-zm7pen.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=600&fit=crop&dpr=1 600w, https://images.theconversation.com/files/559903/original/file-20231116-19-zm7pen.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=600&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/559903/original/file-20231116-19-zm7pen.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=600&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/559903/original/file-20231116-19-zm7pen.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=754&fit=crop&dpr=1 754w, https://images.theconversation.com/files/559903/original/file-20231116-19-zm7pen.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=754&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/559903/original/file-20231116-19-zm7pen.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=754&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Google’s new ‘tune icon’ which replaces the padlock icon in Chrome’s address bar.</span>
<span class="attribution"><a class="source" href="https://blog.chromium.org/2023/05/an-update-on-lock-icon.html">Google Chromium</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span>
</figcaption>
</figure>
<p>Not understanding symbols like the padlock icon can pose problems for internet users, including increased security risks and, more simply, hindering effective use of the technology.</p>
<p>Our findings corroborate research by <a href="https://support.google.com/chrome/thread/222182314/the-lock-icon-replaced-with-a-tune-icon-in-the-google-chrome-address-bar?hl=en">Google</a> itself, which in September replaced the padlock icon with a <a href="https://www.thesslstore.com/blog/google-to-replace-the-padlock-icon-in-chrome-version-117/#:%7E:text=But%20that's%20about%20to%20change,to%20have%20HTTPS%20by%20default.">neutral symbol</a> described as a “tune icon”. In doing so, Google hopes to eradicate the misunderstandings the padlock icon has given rise to. </p>
<p>However, Google’s update now raises the question as to whether other web browser companies will join forces to ensure their designs are uniform and intuitive across all platforms.</p>
<h2>Web browser evolution</h2>
<p>Without a doubt, the browser, which is our point of entry to the world wide web, comes with a lot of responsibility on the part of web companies. It’s how we now visit web pages, so the browser has become an integral part of our daily lives. </p>
<p>It’s intriguing to look back and trace the evolution of the web’s design from the early 1990s to where we are today. Creating software that people wanted to use and found effective was at the heart of this <a href="https://www.interaction-design.org/literature/topics/human-computer-interaction">evolution</a>. The creation of functioning, satisfying, and most importantly, consistently designed user interfaces was an important goal in the 1990s. In fact, there was a drive in those early days to create web interface designs that were so consistent and intuitive that users would not need to think too much about how they work. </p>
<p>Nowadays, it’s a different story, because the challenge is centred on helping people to think before they interact online. In light of this, it seems bizarre that the design of the web browser in 2023 still creates uncertainty. Worse still, it is inconsistently presented across different providers. </p>
<p>It could be argued that this stems from the <a href="https://www.investopedia.com/ask/answers/09/browser-wars-netscape-internet-explorer.asp">browser wars</a> of the mid-1990s. That’s when the likes of Microsoft and the former software company Netscape tried to outdo each other with faster, better and more unique products. The race to be distinct meant there was inconsistency between products. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/LOWOLJci8d8?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">The rise and fall of Netscape and the browser wars of the 1990s.</span></figcaption>
</figure>
<h2>Internet safety</h2>
<p>However, distinct browser designs can lead to user confusion, misunderstanding and a false sense of security, especially when it is <a href="https://www.interaction-design.org/literature/article/principle-of-consistency-and-standards-in-user-interface-design">now widely known</a> that such inconsistency breeds confusion and, from that, frustration and lack of use. </p>
<p>As an expert in human-computer interaction, I find it alarming that some browser companies continue to disregard <a href="https://www.nngroup.com/articles/ten-usability-heuristics/">established guidelines</a> for usability. In a world where web browsers open the doors to potentially greater societal risks than the offline world, it is crucial to establish a consistent approach for addressing these dangers. </p>
<p>As a minimum, we need web browser companies to join forces in a concerted effort to shield users, or at the very least, heighten their awareness regarding potential online risks. This should include formulating one unified design across the board that affords an enriched and safe user experience.</p>
<p class="fine-print"><em><span>Fiona Carroll does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
The padlock symbol simply means that the data being sent between the web server and the user’s computer is encrypted and cannot be read by others. But many people don’t know that.
Fiona Carroll, Reader in Human Computer Interaction, Cardiff Metropolitan University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/218117
2023-11-22T03:42:35Z
2023-11-22T03:42:35Z
An expert reviews the government’s 7-year plan to boost Australia’s cyber security. Here are the key takeaways
<p>After lengthy deliberation, the Australian government has released its <a href="https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy/2023-2030-australian-cyber-security-strategy">2023–2030 Cyber Security Strategy</a>, which aims to make Australia one of the most cyber-secure nations in the world by 2030. It’s a worthy goal, considering Australia was ranked as the fifth-most powerful cyber nation in a <a href="https://www.belfercenter.org/sites/default/files/files/publication/CyberProject_National%20Cyber%20Power%20Index%202022_v3_220922.pdf">2022 report</a> by Harvard University’s Kennedy School. </p>
<p>The strategy outlines a range of ways Australia can protect its people, businesses and organisations into the next decade. Importantly, it has come at a time when the country is reeling from a series of major cyber incidents, including the <a href="https://theconversation.com/a-new-cyber-taskforce-will-supposedly-hack-the-hackers-behind-the-medibank-breach-it-could-put-a-target-on-australias-back-194532">Medibank</a> and <a href="https://theconversation.com/what-does-the-optus-data-breach-mean-for-you-and-how-can-you-protect-yourself-a-step-by-step-guide-191332">Optus</a> data breaches last year, a nationwide Optus blackout earlier this month, and the more recent <a href="https://theconversation.com/major-cyberattack-on-australian-ports-suggests-sabotage-by-a-foreign-state-actor-217530">closure of ports</a> across the country due to a cyber breach. </p>
<h2>Key takeaways</h2>
<p>Among other things, the strategy aims to:</p>
<ul>
<li>protect critical infrastructure</li>
<li>provide businesses and organisations with tools to bolster their cyber resilience, especially against ransomware attacks</li>
<li>ensure businesses secure products and services to protect customers</li>
<li>attract skilled migrants to establish a diverse cyber security workforce</li>
<li>prioritise critical threats from the most sophisticated actors</li>
<li>engage international partners to share threat intelligence and develop new capabilities</li>
<li>expand cyber awareness programs to educate the public.</li>
</ul>
<p>The government has dedicated $586.9 million to achieving these goals, on top of $2.3 billion committed to existing cyber initiatives, including the <a href="https://www.asd.gov.au/about/what-we-do/redspice">REDSPICE program</a> aimed at enhancing the intelligence and cyber capabilities of the Australian Signals Directorate.</p>
<p>The most significant investment of $290.8 million will go towards protecting businesses and citizens. A further $143.6 million will be invested in strengthening critical infrastructure, including major telecommunications infrastructure. </p>
<p>By comparison, $9.4 million will be used to build a cyber threat sharing platform for the health sector, and only $4.8 million will go to establishing consumer standards for smart devices and software.</p>
<p>The strategy will also expand the <a href="https://theconversation.com/australias-national-digital-id-is-here-but-the-governments-not-talking-about-it-130200">Digital ID program</a>, to “reduce the need for people to share sensitive personal information with the government and businesses to access services online” – but details on this were scant.</p>
<h2>Plans to ‘break the ransomware business model’</h2>
<p>The strategy notes ransomware is “one of the most disruptive cyber threats” in the world – and costs Australia’s economy up to $3 billion in damages each year. The government will make a “ransomware playbook” to help businesses respond to and bounce back from cyber extortion. </p>
<p>It will also work with industry to co-design a mandatory no-fault ransomware reporting scheme to encourage reporting of ransom incidents. We know, based on past experiences with the <a href="https://www.oaic.gov.au/privacy/your-privacy-rights/data-breaches/what-is-a-notifiable-data-breach#">Notifiable Data Breaches</a> scheme, that businesses <a href="https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-january-to-june-2023">sometimes won’t report</a> breaches for fear of public backlash. A no-liability reporting scheme could change this, and provide important data that will further bolster our defences against ransom attacks. </p>
<p>The strategy also “strongly discourages” making ransom payments. This makes sense, as these payments inevitably fuel the ransomware economy and fund criminals’ future attacks. </p>
<p>Controversially, however, Minister for Cyber Security Clare O’Neil has considered introducing a blanket ban on such payments at some time <a href="https://australiancybersecuritymagazine.com.au/cyber-security-minister-eyes-blanket-ransomware-ban-in-two-years/">in the next few years</a>.</p>
<p>This could have negative impacts. For instance, a business that legally can’t pay a ransom may not be able to recover stolen data, resulting in permanent data and financial loss. Attackers may also release the stolen data online out of spite. We saw this happen after last year’s <a href="https://theconversation.com/what-does-the-optus-data-breach-mean-for-you-and-how-can-you-protect-yourself-a-step-by-step-guide-191332">Optus data breach</a>. </p>
<p>There’s also a risk that announcing an impending ban could make Australia more attractive to criminals in the short term, as they may scramble to carry out as many attacks as possible before payments are made illegal. The impact of this would be lessened if businesses adopt a disciplined approach to regular data backups.</p>
<h2>Smart devices and apps</h2>
<p>Another strategic initiative will involve working with industry to establish a mandatory cyber security standard (in line with international standards) for consumer-grade smart devices sold in Australia.</p>
<p>The government will also introduce a voluntary cyber security labelling scheme for smart devices. Ideally, such a scheme would keep the public informed about the level of security on the many different devices they own. However, given it’s voluntary, it’s hard to say whether it will have a substantial impact. </p>
<p>Another voluntary code of practice will be introduced for app stores and app developers.</p>
<h2>What are the challenges?</h2>
<p>If it’s implemented well, the strategy could result in a substantial decrease in cyber crime, greater safety for the public and a thriving cyber sector. </p>
<p>Currently, businesses and individuals struggle with a lack of cyber awareness and skills. They don’t have the resources, nor the incentive, to invest in cyber security. This strategy could change that. </p>
<p>The greatest challenge is the complexity and diversity of cyber threats, which are constantly evolving. Today’s threats may not have crossed anyone’s mind a few years ago. This inherent unpredictability may render some of the assumptions in the strategy redundant in the coming years.</p>
<p>Then there are inevitable trade-offs that come with competing values such as privacy, security, innovation and regulation. For example, a project that strongly maintains the privacy of consumers may end up sacrificing transparency. Similarly, too much transparency can lead to security risks. </p>
<p>We’ll need to innovate in the cyber security domain to stay ahead of criminals. But as we’ve seen in other areas of the tech sector, innovation that outruns regulation is often more harmful than helpful. Striking the balance is difficult. </p>
<p>Moreover, there’s a noticeable lack of detail in many of the initiatives outlined in the strategy. This could make it difficult to measure its progress and impact as a high-level strategic document.</p>
<p>Success will depend on voluntary action and cooperation from stakeholders, which may not be enough to ensure compliance and accountability from some businesses and individuals.</p>
<p>Any shortcomings could be managed by making the strategy inclusive and consultative. If it caters to the needs of all, it may indeed become a successful seven-year plan.</p>
<p class="fine-print"><em><span>David Tuffley does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Australia could become one of the world’s strongest cyber nations – but the success of the new strategy will come down to the details.
David Tuffley, Senior Lecturer in Applied Ethics & CyberSecurity, Griffith University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/218255
2023-11-21T11:37:59Z
2023-11-21T11:37:59Z
New cyber policy to harden defences against our ‘fastest growing threat’
<figure><img src="https://images.theconversation.com/files/560744/original/file-20231121-17-7gkv3i.jpg?ixlib=rb-1.1.0&rect=39%2C0%2C6491%2C4346&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>The Albanese government’s cyber security policy aims to make Australian citizens, businesses and government agencies harder targets as they face what minister Clare O'Neil describes as “the fastest growing threat that we face as a nation”. </p>
<p>The policy, to be released on Wednesday by O'Neil, who is Minister for Home Affairs and Minister for Cyber Security, is also designed to enable victims to bounce back faster from attacks that can’t be prevented. </p>
<p>A modest $586.9 million has been announced for the “action plan”, which runs to 2030. This is on top of the commitment to $2.3 billion for existing initiatives out to 2030. </p>
<p>Of the extra money, the largest slice is $290.8 million for support for small and medium-sized businesses, building public awareness, fighting cyber crime, breaking the ransomware business model, and strengthening the security of Australians’ identities. </p>
<p>Some $143.6 million will be invested in strengthening the defences of critical infrastructure and improving government cyber security. </p>
<p>Among the initiatives on critical infrastructure, telecommunication providers would be aligned to the same standards as other critical infrastructure entities by moving the security regulation of the sector from the Telecommunications Act to the Security of Critical Infrastructure Act. The policy says this is “commensurate with the criticality and risk profile of the sector”. </p>
<p>There will also be funding for establishing consumer standards for smart devices and software; building a threat sharing platform for the health sector; professionalising the cyber workforce and accelerating the cyber industry, and investing in regional co-operation and leadership in cyber governance forums internationally. </p>
<p>The government wants Australia to be “a world leader” in cyber security by 2030. </p>
<p>The policy sets three time “horizons”. In 2023-25, the foundations will be strengthened, addressing critical gaps and building better protections. </p>
<p>In 2026-28, the cyber industry would be further scaled up and a diverse cyber workforce would be grown. In 2029-30, “We will advance the global frontier of cyber security. We will lead the development of emerging cyber technologies.” </p>
<p>O'Neil says in a press release: “Australia is a wealthy country and a fast adopter of new technologies, which makes us an attractive target for cyber criminals. Millions of Australians have had their data stolen and released online in the past year. </p>
<p>“Cyber also presents major opportunities for Australia – the global cyber industry is growing rapidly, and it is here to stay.” </p>
<p>Delivering the cyber strategy would require close collaboration between government and industry, O'Neil said.</p>
<p>Darren Goldie, who was recently appointed by O'Neil as National Cyber Security Coordinator, won’t be around for the policy release. He has been recalled to the Defence Department, in relation to a workforce complaint.</p>
<p class="fine-print"><em><span>Michelle Grattan does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
The policy, to be released on Wednesday by O'Neil, who is Minister for Home Affairs and Minister for Cyber Security, is also designed to enable victims to bounce back faster from attacks that can’t be prevented.
Michelle Grattan, Professorial Fellow, University of Canberra
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/217679
2023-11-16T23:59:02Z
2023-11-16T23:59:02Z
What is LockBit, the cybercrime gang hacking some of the world’s largest organisations?
<p>While ransomware incidents have been occurring for more than 30 years, only in the last decade has the term “ransomware” appeared regularly in popular media. Ransomware is a type of malicious software that blocks access to computer systems or encrypts files until a ransom is paid.</p>
<p>Cybercriminal gangs have adopted ransomware as a get-rich-quick scheme. Now, in the era of “ransomware as a service”, this has become a prolific and highly profitable tactic. Providing ransomware as a service means groups benefit from affiliate schemes where commission is paid for successful ransom demands.</p>
<p>Although only one of the many gangs operating, LockBit has been increasingly visible, with several high-profile victims recently appearing on the group’s website.</p>
<p>So what is LockBit? Who has fallen victim to them? And how can we protect ourselves from them?</p>
<h2>What, or who, is LockBit?</h2>
<p>To make things confusing, the term LockBit refers to both the malicious software (malware) and to the group that created it.</p>
<p>LockBit <a href="https://www.kaspersky.com/resource-center/threats/lockbit-ransomware">first gained attention in 2019</a>. It’s a form of malware deliberately designed to be secretly deployed inside organisations, to find valuable data and steal it.</p>
<p>But rather than simply stealing the data, LockBit is a form of ransomware. Once the data has been copied, it is encrypted, rendering it inaccessible to the legitimate users. This data is then held to ransom – pay up, or you’ll never see your data again.</p>
<p>To add further incentive for the victim, if the ransom is not paid, they are threatened with publication of the stolen data (often described as double extortion). This threat is reinforced with a countdown timer on LockBit’s blog on <a href="https://theconversation.com/explainer-what-is-the-dark-web-46070">the dark web</a>.</p>
<p>Little is known about the LockBit group. Based on their website, the group doesn’t have a specific political allegiance. Unlike some other groups, they also don’t limit the number of affiliates:</p>
<blockquote>
<p>We are located in the Netherlands, completely apolitical and only interested in money. We always have an unlimited amount of affiliates, enough space for all professionals. It does not matter what country you live in, what types of language you speak, what age you are, what religion you believe in, anyone on the planet can work with us at any time of the year.</p>
</blockquote>
<p>Notably, LockBit have rules for their affiliates. Examples of forbidden targets (victims) include:</p>
<ul>
<li>critical infrastructure</li>
<li>institutions where damage to the files could lead to death (such as hospitals)</li>
<li>post-Soviet countries such as Armenia, Belarus, Estonia, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan.</li>
</ul>
<p>Other ransomware providers have also claimed they won’t target institutions like hospitals – but this doesn’t guarantee victim immunity. Earlier this year a <a href="https://www.theregister.com/2023/01/04/lockbit_sickkids_ransomware/">Canadian hospital was a victim of LockBit</a>, triggering the group behind LockBit to post an apology, offer free decryption tools and allegedly expel the affiliate who hacked the hospital. </p>
<p>While rules may be in place, there is always potential for rogue users to <a href="https://www.scmagazine.com/analysis/ransomware-groups-dont-abide-by-promises-not-to-target-healthcare">target forbidden organisations</a>.</p>
<p>The final rule in the list above is an interesting exception. According to the group, these countries are off limits because a high proportion of the group’s members were “born and grew up in the Soviet Union”, despite now being “located in the Netherlands”.</p>
<h2>Who’s been hacked by LockBit?</h2>
<p>High-profile victims include the United Kingdom’s Royal Mail and Ministry of Defence, and Japanese cycling component manufacturer Shimano. Data stolen from aerospace company Boeing was leaked just this week after the company refused to pay ransom to LockBit.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="LockBit website screenshot showing download links for stolen data" src="https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=562&fit=crop&dpr=1 600w, https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=562&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=562&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=706&fit=crop&dpr=1 754w, https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=706&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=706&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">LockBit’s website on the dark web is used to publish stolen data if the ransom is not paid.</span>
<span class="attribution"><span class="source">Screenshot sourced by authors.</span></span>
</figcaption>
</figure>
<p>While not yet confirmed, the recent ransomware incident experienced by the Industrial and Commercial Bank of China has been <a href="https://www.scmagazine.com/news/lockbit-takes-credit-for-ransomware-attack-on-us-subsidiary-of-chinese-bank">claimed by LockBit</a>.</p>
<p>Since appearing on the cybercrime scene, LockBit has been linked to almost <a href="https://www.cyber.gov.au/about-us/advisories/understanding-ransomware-threat-actors-lockbit">2,000 victims in the United States alone</a>.</p>
<p>From the list of victims seen below, LockBit is clearly being used in a scatter-gun approach, with a wide variety of victims. This is not a series of planned, targeted attacks. Instead, it shows LockBit software is being used by a diverse range of criminals in a service model.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="LockBit blog screenshot showing victims with countdown timer" src="https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=294&fit=crop&dpr=1 600w, https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=294&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=294&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=369&fit=crop&dpr=1 754w, https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=369&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=369&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">LockBit’s blog on the dark web provides a showroom for public shaming of their victims.</span>
<span class="attribution"><span class="source">Screenshot sourced by authors.</span></span>
</figcaption>
</figure>
<h2>How we can protect ourselves</h2>
<p>In recent years, ransomware as a service (RaaS for short) has become popular.</p>
<p>Just as organisations use software-as-a-service providers – such as licensing for office tools like Microsoft 365, or accounting software for payroll – malicious services are providing tools for cybercriminals.</p>
<p>Ransomware as a service enables an inexperienced criminal to deliver a ransomware campaign to multiple targets quickly and efficiently – often at minimal cost and usually on a profit-sharing basis.</p>
<p>The RaaS platform handles the malware management, data extraction, victim negotiation and payment handling, effectively outsourcing criminal activities.</p>
<p>The process is so well developed that such groups even provide guidelines on how to become an affiliate, and what benefits one will gain. With LockBit taking a 20% commission on each ransom paid, this system can generate significant revenue for the group – on top of the deposit of 1 Bitcoin (approximately A$58,000) required from new users.</p>
<p>While ransomware is a growing concern around the globe, good cybersecurity practices can help. Updating and patching our systems, good password and account management, network monitoring and reacting to unusual activity can all help to minimise the likelihood of any compromise – or at least limit its extent.</p>
<p>For now, whether or not to pay a ransom is a matter of preference and ethics for each organisation. But if we can make it more difficult to get in, criminal groups will simply shift to easier targets.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p><em>Prolific and highly profitable, LockBit provides ransomware as a service. Aspiring cybercriminals sign up to the scheme, and the group takes a cut. Here’s how it works.</em></p>
<p class="fine-print">Jennifer Medbury, Lecturer in Intelligence and Security, Edith Cowan University; Paul Haskell-Dowland, Professor of Cyber Security Practice, Edith Cowan University. Licensed as Creative Commons – attribution, no derivatives.</p>
<p class="fine-print">tag:theconversation.com,2011:article/217533 (2023-11-13T06:16:44Z)</p>
<h1>Has the cyberattack on DP World put Australia’s trade at risk? Probably not … this time</h1>
<p>Australians getting ready for Christmas this week had reason to believe even the best of preparations were not enough after a cyberattack hit the operator of several of the country’s major container ports.</p>
<p>DP World, which operates container ports in Australia and the region, first detected problems last Friday so unplugged its systems to minimise the impact while it examined what had happened.</p>
<p>While operations <a href="https://www.abc.net.au/news/2023-11-13/dp-world-deals-with-impact-of-cyber-attack/103097658">resumed at the ports Monday</a>, the cause is still unclear and the incident continues to be investigated.</p>
<p>DP World handles about 40% of freight movement at Australian ports and, through its international operations, a significant 10% of global trade, so the attack disrupted the flow of goods through the ports it operates.</p>
<p>Deliveries of <a href="https://www.dfat.gov.au/trade/resources/trade-at-a-glance/Documents/top-goods-services.html">import items</a> such as videogames, air-conditioners, furniture and pharmaceuticals were held up.</p>
<p>As well, Australian exports of goods including processed meat, dairy products and fruits, all with limited shelf life, were delayed.</p>
<h2>Why this cyber attack is significant</h2>
<p>While DP World seems to be recovering, the incident highlights the potential vulnerability of global networks. </p>
<p>Supply chains rely on fully integrated solutions, from sellers overseas to buyers in Australia, to work efficiently. Information technology is embedded into them through equipment automation and data processing. Product visibility, customs clearance and checks for <a href="https://www.agriculture.gov.au/biosecurity-trade/import/arrival">biosecurity risks</a> rely on cargo information detailing where goods come from, who is responsible for them and their trading value. </p>
<p>With sensitive data linked to the movement of containers, it is no wonder logistics professionals recognise cybersecurity as a major threat to operations – not to mention their obligations under the <a href="https://www.legislation.gov.au/Details/C2022C00160">Security of Critical Infrastructure Act</a>.</p>
<p>While the specific nature of the DP World incident is still uncertain, there are a few likely causes.</p>
<p>Ransomware has been on the rise, with incidents aligned to prolific cyber-criminal gangs including REvil and more recently LockBit.</p>
<p>In an attack, data is usually extracted from an organisation and then rendered inaccessible to users – typically using encryption. The organisation will usually receive a ransom demand to “unlock” the data, often payable using a crypto-currency.</p>
<p>In recent years the trend of double-extortion has become common, where the criminals incentivise their victims to pay by threatening to release the data publicly if they refuse.</p>
<p>While refusal is a possibility, the nature of the disruption could mean a loss of access to critical systems and information. If data is inaccessible, operations would need to be halted, leading to even greater losses.</p>
<p>Recovering systems would require restoration from backups and a thorough inspection for any traces of the original infection or compromise. Finally, checks would be needed to confirm no data had been lost, and to identify any consignment data created after the last backup was taken, which a restore alone cannot bring back.</p>
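<p>The recovery and reconciliation steps just described can be made concrete. The following is an added example, not code from the article or from DP World: it compares a manifest of file hashes recorded at the last good backup with the files found after the incident, maps renamed files back to their originals, uses byte entropy to flag content that looks encrypted, and separates records written after the backup (which a restore cannot bring back and must be re-sourced) from files that have simply gone missing. The paths, file contents, the <code>.locked</code> suffix, the ransom-note markers and the entropy cut-off are all constructed assumptions.</p>

```python
"""Reconcile a last-good backup manifest against files found after a ransomware incident.

Added example, not code from the article or from DP World. All paths, file
contents, the ".locked" suffix and the thresholds are constructed stand-ins.
"""
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed cut-off, ciphertext sits close to 8
RANSOM_NOTE_MARKERS = (b"your files have been encrypted", b"bitcoin")  # assumed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Text lands around 4-5; encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def reconcile(backup_manifest: dict, current_files: dict) -> dict:
    """Classify every file as intact, suspicious, missing or created_since_backup.

    backup_manifest: {path: sha256_hex} recorded when the last good backup was taken
    current_files:   {path: bytes} as found on the affected system
    """
    report = {"intact": [], "suspicious": [], "missing": [], "created_since_backup": []}
    seen = set()
    for path, data in sorted(current_files.items()):
        # Encrypted files are often renamed by appending a suffix, so map
        # "x.csv.locked" back to the manifest entry "x.csv" where one exists.
        original = path if path in backup_manifest else next(
            (p for p in backup_manifest if path.startswith(p + ".")), None)
        if original is None:
            if any(m in data.lower() for m in RANSOM_NOTE_MARKERS):
                report["suspicious"].append((path, "ransom note"))
            else:
                # Real data written after the backup: a restore cannot recover it,
                # so it has to be re-sourced (e.g. from shipping-line records).
                report["created_since_backup"].append(path)
            continue
        seen.add(original)
        if sha256_hex(data) == backup_manifest[original]:
            report["intact"].append(path)
            continue
        reasons = []
        if path != original:
            reasons.append("renamed")
        if shannon_entropy(data) > ENTROPY_THRESHOLD:
            reasons.append("high entropy")
        report["suspicious"].append((path, ", ".join(reasons) or "content changed"))
    report["missing"] = sorted(set(backup_manifest) - seen)
    return report


def sample_case():
    """Constructed consignment-style records; not real port data."""
    csv_08 = b"consignment,origin,value\nABC123,Shanghai,12000\n" * 50
    csv_09 = csv_08.replace(b"ABC123", b"DEF456")
    csv_10 = csv_08.replace(b"ABC123", b"GHI789")
    before = {"data/consignments_2023-11-08.csv": csv_08,
              "data/consignments_2023-11-09.csv": csv_09,
              "data/tariffs.csv": b"code,rate\n0101,5\n"}
    manifest = {p: sha256_hex(d) for p, d in before.items()}
    # Deterministic stand-in for ciphertext (SHA-256 outputs, no real cipher).
    fake_ciphertext = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    after = {"data/consignments_2023-11-08.csv": csv_08,                  # untouched
             "data/consignments_2023-11-09.csv.locked": fake_ciphertext,  # renamed + encrypted
             "data/consignments_2023-11-10.csv": csv_10,                  # written after backup
             "data/README_RESTORE.txt": b"Your files have been encrypted. Pay in Bitcoin."}
    return manifest, after


if __name__ == "__main__":
    manifest, after = sample_case()
    for category, items in reconcile(manifest, after).items():
        print(f"{category}: {items}")
```

<p>The manifest is the important artefact: it has to be written when the backup is taken and kept somewhere the ransomware cannot reach, otherwise there is nothing trustworthy to compare the restored system against.</p>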
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/major-cyberattack-on-australian-ports-suggests-sabotage-by-a-foreign-state-actor-217530">Major cyberattack on Australian ports suggests sabotage by a 'foreign state actor'</a>
</strong>
</em>
</p>
<hr>
<p>If the incident is a direct cyber-attack that infiltrated systems and stole or modified data, this would also require a complete system shutdown. Without the integrity of systems, consignment data cannot be trusted and the Australian Border Force would be unable to verify the content of shipments. There would also be issues with the collection of duties, taxes and fees.</p>
<p>Disconnecting DP World from external networks allowed the investigating team to identify affected systems and evaluate the depth of any infection. This process also needs to establish the original infection mechanism, otherwise the restored systems could simply be re-infected.</p>
<h2>The timing could have been worse</h2>
<p>The cyberattack caused the ports operated by DP World to start filling up with containers, but it had not yet become critical.</p>
<p>While Black Friday, Cyber Monday and Christmas are an extra busy time for retailers, there is usually a marginal increase in movement compared to other times of the year, typically less than 10%. With around <a href="https://www.bitre.gov.au/sites/default/files/documents/water_069_0.pdf">1.4 million containers</a> to be moved in the last three months of the year, the impact of losing a few days should be minimal.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/is-australia-a-sitting-duck-for-ransomware-attacks-yes-and-the-danger-has-been-growing-for-30-years-161818">Is Australia a sitting duck for ransomware attacks? Yes, and the danger has been growing for 30 years</a>
</strong>
</em>
</p>
<hr>
<p>Big retailers typically start making orders for Christmas in August, with deliveries starting as early as October. While they keep inventory in check, it is unlikely that operations work in just-in-time mode.</p>
<p>This is especially true in Australia, where distance from major global flows, the lack of alternatives such as rail imports and lessons learned from COVID have bred risk-averse businesses that are extra cautious to avoid empty shelves.</p>
<p>Also, ports can quickly recover. When container volumes go up, extra labour and equipment can be organised to increase the output of a terminal. In the last three years the number of time slots used by trucks has seldom reached 90% of total availability.</p>
<p>DP World should quickly be able to resolve any backlogs arising from this incident. </p>
<h2>The hidden problem behind this attack</h2>
<p>A problem for Australia is the potential effect of the cyberattack on its reputation as a shipping destination. When port facilities fill up with containers to the point where ships are delayed, costs quickly escalate to millions of dollars.</p>
<p>And recent performance figures have not been flattering.</p>
<p>The <a href="https://www.bitre.gov.au/sites/default/files/documents/water_069_0.pdf">Maritime Waterline 69 report</a> shows ship turnaround time increased from 35 hours early in 2020 to more than 50 hours in 2022. Port congestion went from a little over 10% of ships waiting for more than two hours to over 22%. And average waiting time at anchorage went up from 17.3 hours before COVID to 126.5 hours in mid-2022.</p>
<p>Add the risk of cyberattacks to this and Australian ports may lose their competitiveness, with fewer companies interested in sending their ships down here - or requiring a premium price to do so.</p>
<p>While the DP World cyberattack is unlikely to upset Christmas, the aggregated impact such attacks could have on Australia’s reputation as an important shipping hub must be taken seriously.</p>
<p class="fine-print"><em><span>Flavio Macau receives funding from the Planning and Transport Research Centre - PATREC. He is currently involved in the Last Mile Delivery (LMD) project which looks at parcel distribution to the end consumer. This article, and the ports impacted in this incident, are not connected with the LMD project or the funding provided by PATREC.</span></em></p><p class="fine-print"><em><span>Paul Haskell-Dowland receives funding from the Cyber Security Cooperative Research Centre. He is currently involved in the Augmenting Cyber Defence Capability (ACDC) project which looks at cyber security in Maritime Ports. This article, and the ports impacted in this incident, are not connected with the ACDC project or the funding provided by the Cyber Security Cooperative Research Centre.</span></em></p>
<p><em>A cyberattack on one of Australia’s biggest port operators has highlighted the potential vulnerability of the global economy.</em></p>
<p class="fine-print">Flavio Macau, Associate Dean - School of Business and Law, Edith Cowan University; Paul Haskell-Dowland, Professor of Cyber Security Practice, Edith Cowan University. Licensed as Creative Commons – attribution, no derivatives.</p>
<p class="fine-print">tag:theconversation.com,2011:article/217530 (2023-11-13T02:19:18Z)</p>
<h1>Major cyberattack on Australian ports suggests sabotage by a ‘foreign state actor’</h1>
<figure><img src="https://images.theconversation.com/files/558984/original/file-20231112-17-mgtyva.jpg?ixlib=rb-1.1.0&rect=98%2C44%2C5793%2C3574&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/aerial-shipping-containers-botany-bay-sydney-699787051">Janelle Lugge/Shutterstock</a></span></figcaption></figure><p>A serious cyberattack has disrupted operations at several of Australia’s largest ports, causing delays and congestion. Late on Friday, port operator <a href="https://www.dpworld.com/supply-chain-solutions/ports-and-terminals">DP World</a> detected an IT breach that affected critical systems used to coordinate shipping activity.</p>
<p>DP World is one of Australia’s largest port operators, handling approximately <a href="https://www.news.com.au/technology/online/hacking/cybersecurity-incident-major-aussie-ports-locked-down-after-breach-rocks-ports-operator-dp-world/news-story/5f9b85e0009f26d1027592d0634fff05">40% of the nation’s container trade</a> across terminals in Brisbane, Sydney, Melbourne and Fremantle.</p>
<p><a href="https://www.abc.net.au/news/2023-11-11/dp-world-australian-ports-cyber-security-incident/103094358">DP World reacted</a> quickly to contain the breach, including shutting down access to their port networks on land, to prevent further unauthorised access. This means they essentially “pulled the plug” on their internet connection to limit possible further harm.</p>
<p>DP World <a href="https://www.channelnewsasia.com/world/port-operator-dp-world-australia-cyber-incident-police-investigating-3915016">senior director Blake Tierney said</a> it is still possible to unload containers from ships, but the trucks that transport the containers cannot drive in or out of the terminals. This is a precaution when the full extent of a data breach is not known. </p>
<p>The latest media reports suggest cargo could be stranded at the ports <a href="https://www.theguardian.com/australia-news/2023/nov/13/australian-port-operator-hit-by-cyber-attack-says-cargo-may-be-stranded-for-days">for several days</a>.</p>
<p>Australian Federal Police and the Australian Cyber Security Centre <a href="https://www.msn.com/en-ae/news/world/dp-world-australia-makes-significant-progress-to-restore-operations-after-cyber-attack/ar-AA1jMEHJ">are investigating</a> the source and nature of the attack, <a href="https://www.msn.com/en-gb/news/world/australia-locks-down-ports-after-nationally-significant-cyberattack/ar-AA1jKAFg">deemed a</a> “nationally significant incident” by federal cybersecurity coordinator Darren Goldie.</p>
<h2>Is there evidence of this being a malicious attack?</h2>
<p>The timing, scale and impact of the disruption do suggest this was a targeted attack.</p>
<p>It occurred on a Friday night, when most staff were off duty and less likely to notice or respond to the incident. The target was a major port operator that handles a significant share of Australia’s trade and commerce. Such an attack can have serious consequences for Australia’s economy, security and sovereignty.</p>
<p>The identity and motive of the attackers are not yet known, but the skills needed to mount such an attack suggest a foreign state actor trying to undermine Australia’s national security or economic interests.</p>
<p>In recent years, cyberattacks on ports and shipping have become more common. For instance, in February 2022, several <a href="https://www.euronews.com/2022/02/03/oil-terminals-disrupted-after-european-ports-hit-by-cyberattack">European ports</a> were hit by a cyberattack that disrupted oil terminals. In another incident early this year, a <a href="https://therecord.media/ransomware-attack-on-maritime-software-impacts-1000-ships">ransomware attack</a> on maritime software impacted more than 1,000 ships. Also in January 2023, the <a href="https://maritime-executive.com/article/cyberattack-threatens-release-of-port-of-lisbon-data">Port of Lisbon</a> was targeted by a ransomware attack which threatened the release of port data. </p>
<p>These incidents <a href="https://www.navy.gov.au/media-room/publications/soundings-42">highlight the vulnerability</a> of the maritime industry to cyber threats and the need for increased cybersecurity measures. </p>
<h2>How might the attack have happened?</h2>
<p>So far, the details have not been disclosed. But based on what we know about similar cases, it is possible the attack took advantage of vulnerabilities in DP World’s system. These vulnerabilities are normally closed by applying a “patch” in the same way your browser needs updating every week or two to keep it safe from being hacked.</p>
<p>Once the attackers gained access, they likely pivoted to infiltrate the operational systems that directly manage port activities. A failure to isolate and secure these control networks would have allowed the incident to affect operations.</p>
<p>It is also possible access was gained via a phishing email or a malicious link. Such an attack may have tricked an employee or a contractor into opening an attachment or clicking on a link that installed malware or ransomware on the network.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/dont-click-that-link-how-criminals-access-your-digital-devices-and-what-happens-when-they-do-109802">Don't click that link! How criminals access your digital devices and what happens when they do</a>
</strong>
</em>
</p>
<hr>
<h2>Now what?</h2>
<p>DP World is working urgently to rebuild affected systems from backups. However, resetting port management networks is a complicated process that could take days or weeks. Until the operator’s core systems are securely restored, cargo flows may face ongoing delays.</p>
<p>The Australian government is <a href="https://australiancybersecuritymagazine.com.au/australian-government-monitors-significant-stevedore-cyber-attack/">closely involved in managing the situation</a>, providing support and advice to DP World and other affected parties through the <a href="https://www.cisc.gov.au/">Critical Infrastructure Centre</a> and the <a href="https://www.cisc.gov.au/engagement/trusted-information-sharing-network">Trusted Information Sharing Network</a>. These government agencies are equipped to provide timely support in times of crisis. </p>
<h2>How can we prevent future attacks?</h2>
<p>The DP World cyberattack is a clear warning of the risks to the essential transportation services that power Australia’s trade and commerce. </p>
<p>Ports are difficult targets. To cause such a disruption, the attackers would have to be highly skilled and plan ahead. The fact ports have been successfully hacked more than once in recent times suggests threats from cybercriminals are steadily increasing. </p>
<p>For companies such as DP World, it’s important to continuously monitor networks in real time, promptly install security updates and keep critical systems separated from each other. </p>
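<p>Real-time monitoring only helps if something turns the raw authentication events into a decision, and the article itself points at one useful signal: the breach was detected on a Friday night, when few staff were around. As an added example, not code from the article or from DP World, the following scans constructed SSH authentication lines for two patterns: a burst of failed logins from one address followed by a success, and successful logins outside business hours by accounts that are not expected to run at night. The sample lines, the 07:00 to 19:00 weekday window, the five-failure threshold and the <code>backup</code> allow-list are assumptions for illustration.</p>

```python
"""Flag off-hours logins and password-guessing bursts in authentication logs.

Added example, not code from the article or from DP World. The log lines,
the 07:00-19:00 weekday business window and the allow-list are assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, syslog-style sample. 2023-11-10 is a Friday.
SAMPLE_LOG = """\
2023-11-10T09:12:44 bastion sshd[2101]: Accepted publickey for ops from 198.51.100.20
2023-11-10T22:40:01 bastion sshd[2188]: Failed password for admin from 203.0.113.5
2023-11-10T22:40:09 bastion sshd[2189]: Failed password for admin from 203.0.113.5
2023-11-10T22:40:17 bastion sshd[2190]: Failed password for admin from 203.0.113.5
2023-11-10T22:40:26 bastion sshd[2191]: Failed password for admin from 203.0.113.5
2023-11-10T22:40:35 bastion sshd[2192]: Failed password for admin from 203.0.113.5
2023-11-10T22:41:07 bastion sshd[2193]: Accepted password for admin from 203.0.113.5
2023-11-11T03:15:22 bastion sshd[2301]: Accepted publickey for backup from 198.51.100.21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)

BUSINESS_HOURS = range(7, 19)          # assumed: 07:00-18:59 local, Monday to Friday
EXPECTED_OFF_HOURS_USERS = {"backup"}  # assumed service account that legitimately runs at night
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def parse_events(text: str):
    """Yield {ts, ok, user, ip} for every line that matches the sshd shape."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]), "ok": m["result"] == "Accepted",
                   "user": m["user"], "ip": m["ip"]}


def is_off_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect(text: str) -> list:
    """Return alerts in log order; each is {rule, ip, user, at}."""
    alerts = []
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    for ev in parse_events(text):
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > WINDOW:  # slide the window forward
            q.popleft()
        where = {"ip": ev["ip"], "user": ev["user"], "at": ev["ts"].isoformat()}
        if not ev["ok"]:
            q.append(ev["ts"])
            if len(q) == FAIL_THRESHOLD:       # fire once per burst, not on every failure
                alerts.append({"rule": "password_guessing", **where})
            continue
        if len(q) >= FAIL_THRESHOLD:           # guessing that ended in a success
            alerts.append({"rule": "success_after_failures", **where})
        if is_off_hours(ev["ts"]) and ev["user"] not in EXPECTED_OFF_HOURS_USERS:
            alerts.append({"rule": "off_hours_login", **where})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

<p>The allow-list is what keeps the off-hours rule usable: without it, every nightly job would page someone, and the rule would be switched off within a week. The point is not these particular thresholds but that a rule has to exist, be tuned to the environment, and produce something a human reacts to.</p>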
<p>Dedicated, well-resourced cybersecurity personnel, employee training and incident response plans are key to improving preparedness.</p>
<p>Ports should closely coordinate with government counterparts and industry partners on intelligence sharing and cybersecurity best practices. Cyberthreats evolve so quickly, always being prepared for the latest one is a significant challenge. </p>
<p>For a seamless flow of goods, we need to be constantly vigilant of potential threats to our supply chain infrastructure. This latest attack is an urgent reminder that cyber resilience must be a top priority.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/how-to-make-fragile-global-supply-chains-stronger-and-more-sustainable-169310">How to make fragile global supply chains stronger and more sustainable</a>
</strong>
</em>
</p>
<hr>
<p class="fine-print"><em><span>David Tuffley does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p><em>Port operator DP World handles roughly 40% of Australia’s sea freight. Over the weekend its ports were disrupted by what appears to be a malicious, targeted cyberattack.</em></p>
<p class="fine-print">David Tuffley, Senior Lecturer in Applied Ethics &amp; CyberSecurity, Griffith University. Licensed as Creative Commons – attribution, no derivatives.</p>
<p class="fine-print">tag:theconversation.com,2011:article/207801 (2023-09-26T12:24:57Z)</p>
<h1>Remote workers are more aware of cybersecurity risks than in-office employees: new study</h1>
<figure><img src="https://images.theconversation.com/files/549154/original/file-20230919-4851-ll13sr.jpg?ixlib=rb-1.1.0&rect=170%2C51%2C5520%2C3745&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Remote workers lack the same institutional cyber protection as their in-office colleagues.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/mid-adult-woman-holding-mobile-phone-while-using-royalty-free-image/734166095?phrase=remote%20worker%20from%20home">Maskot/Getty Images</a></span></figcaption></figure>
<p>Workers who telecommute tend to be more aware of cybersecurity threats than those who spend most of their time in a physical office and are more likely to take action to ward them off, according to <a href="https://doi.org/10.1016/j.cose.2023.103266">our new peer-reviewed study</a>. </p>
<p>Our findings are based on <a href="https://www.mturk.com/">Amazon Mechanical Turk</a> survey data collected from 203 participants who recently switched to full-time remote work, as well as from 147 in-office workers, across multiple organizations within the United States. We didn’t collect data on hybrid workers. </p>
<p>We asked employees the same series of questions about their work arrangements as well as their understanding of <a href="https://www.cisa.gov/topics/cyber-threats-and-advisories">cybersecurity threats</a>, and the actions they’ve taken to defend against them. </p>
<p>To account for other factors likely to influence how an employee responds to perceived cybersecurity threats and risks, we controlled for key participant characteristics and various factors, including age, gender, industry type, company size, job position and the duration of remote work. In addition, we tried to ensure the robustness of our data by conferring with other experts and using various statistical techniques.</p>
<p>We found that remote workers, on average, were more mindful of cybersecurity threats and could better recognize safe cybersecurity practices and protection measures compared with office-based employees. Similarly, our data showed that remote workers were more likely to take cybersecurity precautionary measures than their in-office counterparts. </p>
<p>Why might this be the case?</p>
<p>When employees work from the office, they generally expect their organization to provide and deploy security countermeasures to deal with cyber threats and risks. As a result, in-office workers may become complacent about cybersecurity awareness. This could account for in-office workers taking fewer steps to shore up their cybersecurity.</p>
<p>In contrast, the lack of an institutional cybersecurity framework forces remote workers to become more mindful of the risks they may be exposed to. </p>
<h2>Why it matters</h2>
<p><a href="https://theconversation.com/what-are-passkeys-a-cybersecurity-researcher-explains-how-you-can-use-your-phone-to-make-passwords-a-thing-of-the-past-196643">Employees are the first line</a> of defense against cybersecurity attacks, which <a href="https://www.crowdstrike.com/cybersecurity-101/attack-surface/">have been on the rise</a>. Cyber attacks around the world <a href="https://www.securitymagazine.com/articles/98810-global-cyberattacks-increased-38-in-2022#:%7E:text=New%20data%20on%20cyberattack%20trends,according%20to%20Check%20Point%20Research.">increased 38% in 2022</a>, according to Check Point Research, which provides cyber threat intelligence. </p>
<p>And <a href="https://www.shrm.org/hr-today/news/all-things-work/pages/the-weakest-link-in-cybersecurity.aspx">one of the main ways hackers manage</a> to worm their way into corporate computer networks is via employees – <a href="https://theconversation.com/you-know-how-to-identify-phishing-emails-a-cybersecurity-researcher-explains-how-to-trust-your-instincts-to-foil-the-attacks-169804">for example, with a phishing email</a>. </p>
<p>During the early days of the COVID-19 pandemic when much of the workforce was sent home due to lockdowns, <a href="https://www.peoplemanagement.co.uk/article/1743115/half-of-firms-worried-remote-working-has-increased-cybersecurity-threat-poll-finds">cybersecurity was a big concern</a>. In cybersecurity jargon, it increased the “<a href="https://www.crowdstrike.com/cybersecurity-101/attack-surface">attack surface</a>,” or the sum of all ways an organization’s network is exposed to potential security risks. <a href="https://zipdo.co/statistics/remote-work-cybersecurity/#:%7E:text=70%25%20of%20employers%20consider%20cybersecurity,the%20adoption%20of%20remote%20work.">Companies worried</a> whether employees working remotely would take cybersecurity seriously. </p>
<p>With remote work becoming increasingly the norm for many companies, our research suggests that this risk isn’t as great as once feared. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/YFRK_sImKkQ?wmode=transparent&start=1037" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Cybersecurity training video for workers.</span></figcaption>
</figure>
<h2>What still isn’t known</h2>
<p>We still need to determine whether heightened cybersecurity awareness and precautionary behavior among remote workers will diminish over time. Research suggests that cybersecurity awareness acquired through training and knowledge programs <a href="https://www.usenix.org/system/files/soups2020-reinheimer_0.pdf">tends to dissipate over time</a>. </p>
<p>As remote working arrangements become more mainstream, does security complacency set in for these workers? It is important to know how long the increased cybersecurity awareness will enable precaution-taking behavior and how remote workers can renew and sustain this vigilance. </p>
<p><em>The <a href="https://theconversation.com/us/topics/research-brief-83231">Research Brief</a> is a short take on interesting academic work.</em></p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p><em>A survey of remote and office workers found that people working from home were more likely to take steps to protect themselves against cybersecurity threats.</em></p>
<p class="fine-print">Joseph K. Nwankpa, Associate Professor of Information Systems &amp; Analytics, Miami University; Pratim Milton Datta, Professor of Information Systems &amp; Cybersecurity, Kent State University. Licensed as Creative Commons – attribution, no derivatives.</p>
<p class="fine-print">tag:theconversation.com,2011:article/214144 (2023-09-25T20:07:19Z)</p>
<h1>A national digital ID scheme is being proposed. An expert weighs the pros and (many more) cons</h1>
<figure><img src="https://images.theconversation.com/files/549952/original/file-20230925-23-z55xpj.jpg?ixlib=rb-1.1.0&rect=49%2C0%2C4040%2C2152&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>In 2018-19, identity crime directly and indirectly cost Australia <a href="https://www.aic.gov.au/sites/default/files/2020-08/sr29_identity_crime_and_misuse_in_australia_2019.pdf">an estimated</a> A$3.1 billion.</p>
<p>To address such costs, the federal government is proposing a national digital identity scheme that will let people <a href="https://www.digitalidentity.gov.au/digital-identity-for-you/digital-id-for-everyday-life-0">prove their identity</a> without having to share documents such as their passport, drivers licence or Medicare card.</p>
<p>Finance Minister Katy Gallagher <a href="https://ministers.pmc.gov.au/gallagher/2023/digital-id-and-ai-insights-how-albanese-government-leading-digital-evolution">opened consultations</a> for the <a href="https://www.digitalidentity.gov.au/sites/default/files/2023-09/Exposure%20draft%20of%20the%20Digital%20ID%20Bill%202023.pdf">draft bill</a> last week, with plans to introduce the legislation to parliament by the end of the year. </p>
<p>Let’s look at what it proposes, and what it could mean for you.</p>
<h2>What would change?</h2>
<p>The digital ID scheme would initially be regulated by the Australian Competition and Consumer Commission and the Australian Information Commissioner, with a view to eventually establishing a new governing body. </p>
<p>The draft bill package includes strong updates to security requirements for how organisations store people’s IDs, as well as the reporting of data breaches and suspected identity fraud. </p>
<p>In her <a href="https://ministers.pmc.gov.au/gallagher/2023/digital-id-and-ai-insights-how-albanese-government-leading-digital-evolution">speech to</a> the Australian Information Industry Association, Gallagher outlined a four-phase rollout.</p>
<ul>
<li>Phase one: establishing the legislation and accreditation of private and public providers.</li>
<li>Phase two: adding state- and territory-issued IDs to the scheme for use with federal government services. </li>
<li>Phase three: bringing recognition of the digital ID into the private sector. This would, for instance, allow you to use your digital ID to apply for a bank loan without having to provide your identity documents or copies.</li>
<li>Phase four: allowing accredited private sector digital IDs to help verify you when accessing certain government services. </li>
</ul>
<h2>How would it work?</h2>
<p>For the general public, the voluntary scheme would come in the form of a <a href="https://www.9news.com.au/national/national-digital-identity-scheme-explained-australia/c203a38a-8697-4d35-80dd-e36ec1959c30">smartphone app</a>, requiring biometric information (such as a face print) to be unlocked.</p>
<p>To prove your identity to a participating organisation, you would log into the organisation’s website and select <a href="https://www.digitalidentity.gov.au/how-digital-id-works">MyGovID</a> as your verification method. </p>
<p>You would then log into your MyGovID app and give consent for your identity to be verified with that organisation. In this way, you could verify your identity to the organisation without needing to share your drivers licence, passport or similar. </p>
<p>Gone will be the days of 100 points of ID and copies of documents stored all over the internet. </p>
<h2>The upside of the proposal</h2>
<p>The <a href="https://www.afr.com/technology/millions-caught-in-data-breaches-before-optus-or-medibank-20221109-p5bwsc">Medibank, Optus</a> and <a href="https://www.latitudefinancial.com.au/latitude-cyber-incident/">Latitude</a> data breaches of 2022–23 have demonstrated the lack of regulation and enforcement of identity protection legislation in Australia. </p>
<p>A welcome part of the draft bill is the increased power given to the Australian Information Commissioner, as well as restrictions on how organisations request, store and disclose people’s <a href="https://www.oaic.gov.au/privacy/your-privacy-rights/your-personal-information/what-is-personal-information">personal identifying information</a>.</p>
<p>The bill also outlines minimum cybersecurity standards, and requires regular review of organisations dealing with identity data. </p>
<h2>Unresolved MyGovID security flaws</h2>
<p>In releasing the draft bill, the government has highlighted a voluntary national digital identity – the MyGovID – which is already <a href="https://ministers.dese.gov.au/robert/6-million-australians-using-digital-identity-access-online-services">being used by</a> more than 6 million Australians and 1.3 million businesses.</p>
<p>MyGovID is a government-issued authenticator app which verifies your identity using one or more of three kinds of factor: something you know (such as a password), something you are (such as a biometric scan), or something you have (such as a verified phone number, where you can receive one-time codes). Requiring additional factors makes verification more secure.</p>
<p>In 2020, security researchers warned the public <a href="https://www.itnews.com.au/news/researchers-say-not-to-use-mygovid-until-login-flaw-is-fixed-553601">against using MyGovID</a> due to security flaws in its design. It’s unclear if these have been addressed. The Australian Tax Office <a href="https://www.zdnet.com/article/ato-declines-to-fix-code-replay-flaw-within-mygovid/">declined to fix</a> the issue when raised.</p>
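<p>The “something you have” factor described above usually rests on one-time codes. The following is an added example, not MyGovID’s implementation and not taken from the article or the draft bill: it implements the standard HOTP (RFC 4226) and TOTP (RFC 6238) constructions and a server-side verifier that accepts each code once, which is the basic defence against a captured code being replayed later. Note what this does not cover: a verifier that only rejects reuse cannot stop an attacker who relays a freshly issued code to the genuine service in real time; that requires binding the code to the user’s session or origin. The secret shown is the RFC 6238 test-vector secret, and the one-step clock-skew tolerance is an assumption.</p>

```python
"""HOTP (RFC 4226) / TOTP (RFC 6238) one-time codes with a replay-rejecting verifier.

Added example, not MyGovID's implementation or any part of the draft bill.
The shared secret is the RFC 6238 test-vector secret; the +/-1 step
tolerance is an assumption for illustration.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based code: HMAC-SHA1, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP over the current time step (30 s by default)."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Server side of a 'something you have' check.

    Accepts a code if it matches the current step or one step either side
    (clock skew), and never accepts the same step twice, so a code captured
    from the user cannot be presented again later.
    """

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew = secret, step, skew
        self.highest_used = -1  # highest counter value already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter <= self.highest_used:
                continue  # already consumed (or older than one consumed): reject replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.highest_used = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret, not a real key
    t = 1234567890
    code = totp(secret, t)
    verifier = OtpVerifier(secret)
    print(code, verifier.verify(code, t), verifier.verify(code, t + 5))
```

<p>Two details matter in practice: the comparison uses <code>hmac.compare_digest</code> so the time taken does not leak how many digits matched, and the verifier remembers the highest counter it has accepted rather than a set of used codes, which is enough because a counter lower than that is by definition stale.</p>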
<p>Governments in Australia also have a <a href="https://www.governmentnews.com.au/government-agencies-report-34-data-breaches/">poor track record</a> of securing our information. </p>
<p>According to <a href="https://www.webberinsurance.com.au/data-breaches-list#twentythree">Webber Insurance</a>, 14 of the 44 recorded data breaches between January and June this year were reported by government authorities. These included the Department of Home Affairs, and the Northern Territory, Tasmania, ACT and NSW governments. </p>
<p>This is on top of <a href="https://www.abc.net.au/news/2022-11-28/cyber-black-market-shows-medibank-optus-hack-just-the-surface/101700974">data breaches involving</a> the Australian Tax Office, National Disability Insurance Scheme and MyGov, as reported by the ABC last year.</p>
<p>More worryingly, the <a href="https://www.oaic.gov.au/privacy/privacy-legislation/the-privacy-act/rights-and-responsibilities">privacy act</a> has a loophole which allows some state and government authorities to remain exempt from compulsory data breach reporting. As such, we don’t know just how many government data breaches have occurred. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/the-government-wants-to-expand-the-digital-identity-system-that-lets-australians-access-services-there-are-many-potential-pitfalls-170550">The government wants to expand the 'digital identity' system that lets Australians access services. There are many potential pitfalls</a>
</strong>
</em>
</p>
<hr>
<h2>A honey trap for hackers</h2>
<p>Even if the government carries out its end of the bargain securely, the proposed scheme would still only be as secure as your phone. Having a weak password, losing your phone, or having your phone hacked could lead to data being compromised.</p>
<p>Also, streamlining distributed identification systems in this way will create an irresistible target for hackers. In cybersecurity this is called a <a href="https://au.norton.com/blog/iot/what-is-a-honeypot">honeypot</a>, or honey trap. </p>
<p>Just as honey is irresistible to bears, these data lures are irresistible to hackers. Failure to secure the data would make it a one-stop-shop for identity theft and extortion.</p>
<p>Perhaps most concerning is how closely the proposed scheme resembles government surveillance. By linking all our personal identification data across federal and state jurisdictions, as well as private entities, we would be giving the federal government complete oversight of our lives. </p>
<p>Small changes to the law, such as those <a href="https://www.sbs.com.au/news/article/why-human-rights-groups-are-concerned-about-australias-online-surveillance-bill/wiagbhtah">quietly made in</a> the Surveillance Legislation Amendment (Identify and Disrupt) Act in 2021, could mean our locations could be tracked, and all our interactions with public and private organisations recorded.</p>
<h2>What can you do?</h2>
<p>It’s clear the draft bill has a number of issues. That said, all hope is not lost. </p>
<p>The government has committed to genuine consultation on its proposal. However, you don’t have much time to <a href="https://www.digitalidentity.gov.au/have-your-say">have your say</a>: public submissions are being sought until October 10. </p>
<p>This extremely short consultation period doesn’t provide much confidence a fit-for-purpose solution will be created. </p>
<p>While protecting our digital identities is a welcome and well-overdue part of this proposed bill, getting it wrong could lead to harm at an even larger scale. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/australias-national-digital-id-is-here-but-the-governments-not-talking-about-it-130200">Australia's National Digital ID is here, but the government's not talking about it</a>
</strong>
</em>
</p>
<hr>
<p><em>Correction: This article has been updated to clarify state and government authorities are not always exempt from data breach disclosure requirements under the Privacy Act. It also previously said the draft bill explicitly maintained a loophole that allowed these entities to remain exempt. This line has been removed, as it’s unclear from the draft exactly which government agencies and authorities are exempt.</em></p>
<p class="fine-print"><em><span>Erica Mealy is a member of the Australian Computer Society, the Australian Information Security Association, and the International Association for Public Participation (IAP2). Erica is not a member of nor affiliated with any political organisations.</span></em></p>
<p>The draft bill has a number of issues, ranging from an insecure mechanism that leaves people’s data vulnerable to attacks, to a lack of mandatory disclosure of data breaches.</p>
<p>Erica Mealy, Lecturer in Computer Science, University of the Sunshine Coast. Licensed as Creative Commons – attribution, no derivatives.</p>
tag:theconversation.com,2011:article/213685 2023-09-22T12:30:58Z
Spyware can infect your phone or computer via the ads you see online – report
<figure><img src="https://images.theconversation.com/files/549436/original/file-20230920-25-eqmqt5.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C4508%2C3003&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">A new type of spyware means those online ads could go from annoying to menacing.</span> <span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/VirusOutbreakUnemploymentBenefits/b08e140ac8b54973ba793dd93b806b6d/photo">AP Photo/Julio Cortez</a></span></figcaption></figure>
<p>Each day, you leave digital traces of what you did, where you went, who you communicated with, what you bought, what you’re thinking of buying, and much more. This mass of data serves as a library of clues for personalized ads, which are sent to you by a sophisticated network – <a href="https://theconversation.com/why-bad-ads-appear-on-good-websites-a-computer-scientist-explains-178268">an automated marketplace</a> of advertisers, publishers and ad brokers that operates at lightning speed. </p>
<p>The ad networks are designed to shield your identity, but companies and governments are able to combine that information with other data, particularly phone location, <a href="https://www.google.com/books/edition/Ethics_of_Data_and_Analytics/E51kEAAAQBAJ?hl=en&gbpv=1&dq=advertising+privacy&pg=PA161&printsec=frontcover">to identify you and track your movements and online activity</a>. More invasive yet is <a href="https://csrc.nist.gov/glossary/term/spyware">spyware</a> – malicious software that a government agent, private investigator or criminal installs on someone’s phone or computer without their knowledge or consent. Spyware lets the user see the contents of the target’s device, including calls, texts, email and voicemail. Some forms of spyware can take control of a phone, including turning on its microphone and camera.</p>
<p>Now, according to <a href="https://www.haaretz.com/israel-news/2023-09-14/ty-article-magazine/.highlight/revealed-israeli-cyber-firms-developed-an-insane-new-spyware-tool-no-defense-exists/0000018a-93cb-de77-a98f-ffdf2fb60000">an investigative report</a> by the Israeli newspaper Haaretz, an Israeli technology company called Insanet has developed the means of delivering spyware via online ad networks, turning some targeted ads into Trojan horses. According to the report, there’s no defense against the spyware, and the Israeli government has given Insanet approval to sell the technology.</p>
<h2>Sneaking in unseen</h2>
<p>Insanet’s spyware, Sherlock, is not the first spyware that can be installed on a phone without the need to trick the phone’s owner into clicking on a malicious link or downloading a malicious file. <a href="https://www.nsogroup.com/">NSO</a>’s <a href="https://theconversation.com/what-is-pegasus-a-cybersecurity-expert-explains-how-the-spyware-invades-phones-and-what-it-does-when-it-gets-in-165382">iPhone-hacking Pegasus</a>, for instance, is one of the most controversial spyware tools to emerge in the past five years.</p>
<p>Pegasus relies on vulnerabilities in Apple’s iOS, the iPhone operating system, to infiltrate a phone undetected. Apple issued a <a href="https://support.apple.com/en-us/HT213905">security update</a> for <a href="https://www.theverge.com/2023/9/8/23864150/ios-16-6-1-iphone-security-vulnerability-0-day-exploit-patch-update">the latest vulnerability</a> on Sept. 7, 2023.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/457773/original/file-20220412-23-9qtbd2.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="Diagram showing the different entities involved in real time bidding, and the requests and responses" src="https://images.theconversation.com/files/457773/original/file-20220412-23-9qtbd2.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/457773/original/file-20220412-23-9qtbd2.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=348&fit=crop&dpr=1 600w, https://images.theconversation.com/files/457773/original/file-20220412-23-9qtbd2.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=348&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/457773/original/file-20220412-23-9qtbd2.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=348&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/457773/original/file-20220412-23-9qtbd2.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=438&fit=crop&dpr=1 754w, https://images.theconversation.com/files/457773/original/file-20220412-23-9qtbd2.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=438&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/457773/original/file-20220412-23-9qtbd2.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=438&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">When you see an ad on a web page, behind the scenes an ad network has just automatically conducted an auction to decide which advertiser won the right to present their ad to you.</span>
<span class="attribution"><span class="source">Eric Zeng</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>What sets Insanet’s Sherlock apart from Pegasus is its exploitation of ad networks rather than vulnerabilities in phones. A Sherlock user creates an ad campaign that narrowly focuses on the target’s demographic and location, and places a spyware-laden ad with an ad exchange. Once the ad is served to a web page that the target views, the spyware is secretly installed on the target’s phone or computer.</p>
<p>Although it’s too early to determine the full extent of Sherlock’s capabilities and limitations, the Haaretz report found that it can infect Windows-based computers and Android phones as well as iPhones.</p>
<h2>Spyware vs. malware</h2>
<p>Ad networks have been used to deliver malicious software for years, a practice dubbed <a href="https://www.csoonline.com/article/567045/what-is-malvertising-and-how-you-can-protect-against-it.html">malvertising</a>. In most cases, the malware is aimed at computers rather than phones, is indiscriminate, and is designed to lock a user’s data as part of a ransomware attack or steal passwords to access online accounts or organizational networks. The ad networks constantly scan for malvertising and rapidly block it when detected.</p>
<p>Spyware, on the other hand, tends to be aimed at phones, is targeted at specific people or narrow categories of people, and is designed to clandestinely obtain sensitive information and monitor someone’s activities. Once <a href="https://usa.kaspersky.com/resource-center/threats/spyware">spyware infiltrates your system</a>, it can record keystrokes, take screenshots and use various tracking mechanisms before transmitting your stolen data to the spyware’s creator. </p>
<p>While its actual capabilities are still under investigation, the new Sherlock spyware is at least capable of infiltration, monitoring, data capture and data transmission, according to the Haaretz report.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/R0RVI7bghj8?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">The new Sherlock spyware is likely to have the same frightening capabilities as the previously discovered Pegasus.</span></figcaption>
</figure>
<h2>Who’s using spyware</h2>
<p>From 2011 to 2023, at least 74 governments engaged in contracts with commercial companies <a href="https://carnegieendowment.org/2023/03/14/why-does-global-spyware-industry-continue-to-thrive-trends-explanations-and-responses-pub-89229">to acquire spyware or digital forensics technology</a>. National governments might deploy spyware for surveillance and gathering intelligence as well as combating crime and terrorism. Law enforcement agencies might similarly use spyware <a href="https://www.nbcnews.com/tech/security/iphone-spyware-lets-cops-log-suspects-passcodes-when-cracking-doesn-n1209296">as part of investigative efforts</a>, especially in cases involving cybercrime, organized crime or national security threats. </p>
<p>Companies might use spyware <a href="https://www.wsj.com/articles/the-new-ways-your-boss-is-spying-on-you-11563528604">to monitor employees’ computer activities</a>, ostensibly to protect intellectual property, prevent data breaches or ensure compliance with company policies. Private investigators might use spyware to <a href="https://www.hg.org/legal-articles/private-investigator-on-cellphone-spyware-42193">gather information and evidence for clients</a> on legal or personal matters. Hackers and organized crime figures might use spyware to <a href="https://www.cisa.gov/sites/default/files/publications/spywarehome_0905.pdf">steal information to use in fraud or extortion schemes</a>.</p>
<p>On top of the revelation that Israeli cybersecurity firms have developed a defense-proof technology that appropriates online advertising for civilian surveillance, a key concern is that Insanet’s advanced spyware was legally authorized by the Israeli government for sale to a broader audience. This potentially puts virtually everyone at risk. </p>
<p>The silver lining is that Sherlock appears to be expensive to use. According to an internal company document cited in the Haaretz report, a single Sherlock infection costs a client of a company using the technology a hefty US$6.4 million.</p>
<p class="fine-print"><em><span>Claire Seungeun Lee does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>You probably won’t be targeted by spyware, but if you are, odds are you won’t know about it. The latest spyware slips in unseen through online ads as you go about your digital life.</p>
<p>Claire Seungeun Lee, Associate Professor of Criminology and Justice Studies, UMass Lowell. Licensed as Creative Commons – attribution, no derivatives.</p>
tag:theconversation.com,2011:article/211183 2023-08-11T03:30:58Z
Out of the shadows: why making NZ’s security threat assessment public for the first time is the right move
<p>Today’s release of the <a href="https://www.nzsis.govt.nz/assets/NZSIS-Documents/New-Zealands-Security-Threat-Environment-2023.pdf">threat assessment</a> by the New Zealand Security Intelligence Service (SIS) is the final piece in a defence and security puzzle that marks a genuine shift towards more open and public discussion of these crucial policy areas.</p>
<p>Together with July’s <a href="https://www.mfat.govt.nz/en/media-and-resources/release-of-mfats-2023-strategic-foreign-policy-assessment-navigating-a-shifting-world-te-whakatere-i-tetahi-ao-hurihuri/">strategic foreign policy assessment</a> from the Ministry of Foreign Affairs, and the <a href="https://www.dpmc.govt.nz/publications/aotearoas-national-security-strategy-secure-together-tatou-korowai-manaaki">national security strategy</a> released last week, it rounds out the picture of New Zealand’s place in a fast-evolving geopolitical landscape.</p>
<p>From increased strategic competition between countries, to declining social trust within them, as well as rapid technological change, the overall message is clear: business as usual is no longer an option.</p>
<p>By releasing the strategy documents in this way, the government and its various agencies clearly hope to win public consent and support – ultimately, the greatest asset any country possesses to defend itself.</p>
<h2>Low threat of violent extremism</h2>
<p>If there is good news in the SIS assessment, it is that the threat of violent extremism is still considered “low”. That means no change since the threat level was reassessed last year, with a terror attack considered “possible” rather than “probable”.</p>
<p>It’s a welcome development since the threat level was lifted to “high” in the immediate aftermath of the Christchurch terror attack in 2019. This was lowered to “medium” about a month later – where it sat in September 2021, when another extremist attacked people with a knife in an Auckland mall, seriously injuring five.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/nzs-first-national-security-strategy-signals-a-turning-point-and-the-end-of-old-certainties-210885">NZ’s first national security strategy signals a 'turning point' and the end of old certainties</a>
</strong>
</em>
</p>
<hr>
<p>The threat level stayed there during the escalating social tension resulting from the government’s COVID response. This saw New Zealand’s <a href="https://www.rnz.co.nz/news/national/479858/graham-philip-receives-three-year-jail-term-for-acts-of-sabotage">first conviction for sabotage</a> and increasing threats to politicians, with the SIS and police intervening in at least one case to mitigate the risk.</p>
<p>After protesters were cleared from the grounds of parliament in early 2022, it was still feared an act of extremism by a small minority was likely.</p>
<p>These risks now seem to be receding. And while the threat assessment notes that the online world can provide havens for extremism, the vast majority of those expressing vitriolic rhetoric are deemed unlikely to carry through with violence in the real world.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/the-number-8-wire-days-for-nzs-defence-force-are-over-new-priorities-will-demand-bigger-budgets-211182">The 'number 8 wire' days for NZ's defence force are over – new priorities will demand bigger budgets</a>
</strong>
</em>
</p>
<hr>
<h2>Changing patterns of extremism</h2>
<p>Assessments like this are not a crystal ball; threats can emerge quickly and be near-invisible before they do. But right now, at least publicly, the SIS is not aware of any specific or credible attack planning.</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/542256/original/file-20230811-19-g5255y.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/542256/original/file-20230811-19-g5255y.png?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/542256/original/file-20230811-19-g5255y.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=844&fit=crop&dpr=1 600w, https://images.theconversation.com/files/542256/original/file-20230811-19-g5255y.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=844&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/542256/original/file-20230811-19-g5255y.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=844&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/542256/original/file-20230811-19-g5255y.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=1061&fit=crop&dpr=1 754w, https://images.theconversation.com/files/542256/original/file-20230811-19-g5255y.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=1061&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/542256/original/file-20230811-19-g5255y.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=1061&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption"></span>
</figcaption>
</figure>
<p>Many extremists still fit well-defined categories. There are the politically motivated, potentially violent, anti-authority conspiracy theorists, of which there is a “small number”. </p>
<p>And there are those motivated by identity (with white supremacist extremism the dominant strand) or faith (such as support for Islamic State, a decreasing and “very small number”).</p>
<p>However, the SIS describes a noticeable increase in individuals who don’t fit within those traditional boundaries, but who hold mixed, unstable or unclear ideologies they may tailor to fit some other violent or extremist impulse.</p>
<h2>Espionage and cyber-security risks</h2>
<p>There also seems to be a revival of the espionage and spying cultures last seen during the Cold War. There is already the first <a href="https://www.nzherald.co.nz/nz/proceedings-relating-to-new-zealands-first-military-case-of-espionage-to-recommence-in-private/MT76QKKICZAUPJCC5T77LIIO6A/">military case of espionage</a> before the courts, and the SIS is aware of individuals on the margins of government being cultivated and offered financial and other incentives to provide sensitive information.</p>
<p>The SIS says espionage operations by foreign intelligence agencies against New Zealand, both at home and abroad, are persistent, opportunistic and increasingly wide ranging.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/cutting-edge-new-aircraft-have-increased-nzs-surveillance-capacity-but-are-they-enough-in-a-changing-world-209495">Cutting-edge new aircraft have increased NZ’s surveillance capacity – but are they enough in a changing world?</a>
</strong>
</em>
</p>
<hr>
<p>While the government remains the main target, corporations, research institutions and state contractors are now all potential sources of sensitive information. Because non-governmental agencies are often not prepared for such threats, they pose a significant security risk.</p>
<p>Cybersecurity remains a particular concern, although the Government Communications Security Bureau (GCSB) recorded 350 incidents in 2021-22, which was a decline from 404 incidents recorded in the previous 12-month period.</p>
<p>On the other hand, a growing proportion of cyber incidents affecting major New Zealand institutions can be linked to state-sponsored actors. Of the 350 reported major incidents, 118 were connected to foreign states (34% of the total, up from 28% the previous year).</p>
<h2>Russia, Iran and China</h2>
<p>Although the SIS recorded that only a “small number” of foreign states engaged in deceptive, corruptive or coercive attempts to exert political or social influence, the potential for harm is “significant”.</p>
<p>Some of the most insidious examples concern harassment of ethnic communities within New Zealand who speak out against the actions of a foreign government.</p>
<p>The SIS identifies Russia, Iran and China as the three offenders. Iran was recorded as reporting on Iranian communities and dissident groups in New Zealand. In addition, the assessment says:</p>
<blockquote>
<p>Most notable is the continued targeting of New Zealand’s diverse ethnic Chinese communities. We see these activities carried out by groups and individuals linked to the intelligence arm of the People’s Republic of China.</p>
</blockquote>
<p>Overall, the threat assessment makes for welcome – if at times unsettling – reading. Having such conversations in the open, rather than in whispers behind closed doors, demystifies aspects of national security.</p>
<p>Most importantly, it gives greater credibility to those state agencies that must increase their transparency in order to build public trust and support for their unique roles within a working democracy.</p>
<p class="fine-print"><em><span>Alexander Gillespie does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>The Security Intelligence Service needs public support and trust to do its work well. Adding a degree of transparency to its annual threat assessment should help.</p>
<p>Alexander Gillespie, Professor of Law, University of Waikato. Licensed as Creative Commons – attribution, no derivatives.</p>
tag:theconversation.com,2011:article/211081 2023-08-08T13:41:05Z
Internet shutdowns: here’s how governments do it
<figure><img src="https://images.theconversation.com/files/541286/original/file-20230804-17-3ju57z.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><span class="source">BigNazik/GettyImages</span></span></figcaption></figure>
<p>Senegal’s government has shut down internet access in response to <a href="https://www.reuters.com/world/africa/senegal-government-cuts-mobile-internet-access-amid-deadly-rioting-2023-06-04/">protests about the sentencing of opposition leader Ousmane Sonko</a>. This is a <a href="https://www.accessnow.org/campaign/keepiton/">tactic</a> governments are increasingly using during times of political contention, such as elections or social upheaval. The shutdowns can be partial or total, temporary or prolonged. They may target specific platforms, regions, or an entire country.</p>
<p>I’m a researcher who investigates the <a href="https://link.springer.com/article/10.1007/s11558-022-09483-z">causes</a> and <a href="https://journals.sagepub.com/doi/full/10.1177/00223433231168190">consequences</a> of internet access disruptions and censorship in various African countries. This includes understanding how shutdowns work. </p>
<p>It’s important to understand the complex technicalities behind internet shutdowns, for at least two reasons. </p>
<p>First, understanding how an internet shutdown works shows whether or how it can be circumvented. This makes it possible to support affected communities. </p>
<p>Second, the way a shutdown works shows who is responsible for doing it. Then the responsible actors can be held to account, both legally and ethically. </p>
<p>Different forms of shutdowns require different levels of technical sophistication. More sophisticated forms are harder to detect and attribute. </p>
<p>There are two common strategies governments use to disrupt internet access: <a href="https://ieeexplore.ieee.org/document/6678649">routing disruptions and packet filtering</a>.</p>
<h2>How to shut down the internet</h2>
<p><strong>Routing disruptions</strong></p>
<p>Every device connected to the internet, whether it’s your computer, smartphone, or any other device, has an IP (internet protocol) address assigned to it. This allows it to send and receive data across the network. </p>
<p>An autonomous system is a collection of connected IP networks under the control of a single entity, for instance an internet service provider or big company. </p>
<p>These autonomous systems rely on protocols – called border gateway protocols – to coordinate routing between them. Each system uses the protocol to communicate with other systems and exchange information about which internet routes they can use to reach different destinations (websites, servers, services etc). </p>
<p>So, if an autonomous system, like an internet service provider, suddenly withdraws its border gateway protocol routes from the internet, the block of IP addresses they administer disappears from the routing tables. This means they can no longer be reached by other autonomous systems. </p>
<p>As a consequence, customers using IP addresses from that autonomous system can’t connect to the internet.</p>
<p>Essentially this tactic stops information from being transmitted. Information can’t find its destination, and people using the internet will not be able to connect. </p>
<p>The disruption of border gateway protocols can easily be detected from the outside due to changes in the global routing state. They can also be attributed to the internet service provider administering a certain autonomous system. </p>
<p>For instance, data suggests that the infamous <a href="https://policycommons.net/artifacts/1302785/egyptian-government-attacks-egypts-internet/1906077/">internet shutdown in Egypt in 2011</a> – an unprecedented blackout of internet traffic in the entire country – was the result of tampering with border gateway protocols. It could be <a href="https://ieeexplore.ieee.org/document/6678649">traced back to individual autonomous systems</a> and hence internet service providers. </p>
<p>Border gateway protocol disruptions that entirely disconnect customers from the internet are rare. These disruptions can easily be detected by outside observers and traced back to individual organisations or service providers. In addition, shutting down entire networks is the most indiscriminate form of an internet shutdown and can <a href="https://freemyinternet.info/3_about_internet_shutdowns">cause significant collateral damage</a> to a country’s economy.</p>
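<p>The route-withdrawal mechanism described above is what outside observers watch for. The following is an added example, not code from the article or from any of the sources it cites, that replays a constructed and heavily simplified stream of BGP announce/withdraw records and raises an alert when an autonomous system loses most of the prefixes it was originating, while ignoring the ordinary flapping of a single prefix. The AS numbers (64500 and 64501, from the private-use range) and the prefixes (documentation ranges) are placeholders; a real monitor would feed the same logic with MRT data from a route collector such as RouteViews or RIPE RIS.</p>

```python
"""Detect an AS-level route withdrawal from a stream of BGP updates.

Added illustration, not code from the article. Each record is a
simplified BGP UPDATE: an announcement carries the prefix and the
origin AS, a withdrawal carries only the prefix. All AS numbers and
prefixes below are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Update:
    ts: int                          # observation time in seconds (constructed)
    kind: str                        # "A" = announce, "W" = withdraw
    prefix: str                      # e.g. "203.0.113.0/25"
    origin_as: Optional[int] = None  # only present on announcements


class RoutingTable:
    """Minimal view of which AS currently originates which prefix."""

    def __init__(self) -> None:
        self.origin_of: dict[str, int] = {}
        # Every prefix ever announced by an AS: the baseline we compare against.
        self.baseline: dict[int, set[str]] = defaultdict(set)

    def apply(self, u: Update) -> None:
        if u.kind == "A" and u.origin_as is not None:
            self.origin_of[u.prefix] = u.origin_as
            self.baseline[u.origin_as].add(u.prefix)
        elif u.kind == "W":
            # A withdrawal names only the prefix; drop it whoever originated it.
            self.origin_of.pop(u.prefix, None)

    def visible_count(self) -> dict[int, int]:
        counts: dict[int, int] = defaultdict(int)
        for asn in self.origin_of.values():
            counts[asn] += 1
        return counts


def detect_withdrawals(updates, threshold: float = 0.9):
    """Replay updates in time order and return (ts, asn, fraction_lost)
    events, one per episode in which an AS has lost at least `threshold`
    of its baseline prefixes. Ordinary churn (one flapping prefix) stays
    below the default threshold and is not reported."""
    table = RoutingTable()
    alerts: list[tuple[int, int, float]] = []
    alerted: set[int] = set()

    by_ts: dict[int, list[Update]] = defaultdict(list)
    for u in updates:
        by_ts[u.ts].append(u)

    for ts in sorted(by_ts):
        for u in by_ts[ts]:          # judge a burst of withdrawals together
            table.apply(u)
        visible = table.visible_count()
        for asn, prefixes in table.baseline.items():
            lost = 1 - visible.get(asn, 0) / len(prefixes)
            if lost >= threshold and asn not in alerted:
                alerted.add(asn)
                alerts.append((ts, asn, round(lost, 2)))
            elif lost < threshold:
                alerted.discard(asn)  # re-arm once the AS is reachable again
    return alerts


# Constructed sample feed: AS64500 originates three prefixes, AS64501 two.
SAMPLE_UPDATES = [
    Update(0, "A", "203.0.113.0/25", 64500),
    Update(0, "A", "203.0.113.128/25", 64500),
    Update(0, "A", "198.51.100.0/24", 64500),
    Update(0, "A", "192.0.2.0/25", 64501),
    Update(0, "A", "192.0.2.128/25", 64501),
    Update(100, "W", "198.51.100.0/24"),        # ordinary churn: one prefix flaps
    Update(120, "A", "198.51.100.0/24", 64500),
    Update(300, "W", "203.0.113.0/25"),         # blackout: every AS64500 route gone
    Update(300, "W", "203.0.113.128/25"),
    Update(300, "W", "198.51.100.0/24"),
    Update(400, "A", "203.0.113.0/25", 64500),  # partial recovery
]

if __name__ == "__main__":
    for ts, asn, lost in detect_withdrawals(SAMPLE_UPDATES):
        print(f"t={ts}: AS{asn} lost {lost:.0%} of its announced prefixes")
```

<p>The threshold is what separates attribution from noise: with the default of 0.9 only the complete withdrawal at t=300 is reported, and the alert names the originating AS, which is the attribution point the article describes. Lowering the threshold makes the monitor report routine flaps as well.</p>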
<p><strong>Packet filtering</strong></p>
<p>To target specific content, governments often use packet filtering – shutting down only parts of the internet. </p>
<p>Governments can use packet filtering techniques to block or disrupt specific content or services. For instance, internet service providers can block access to specific IP addresses associated with websites or services they wish to restrict, such as 15.197.206.217 associated with the social media platform WhatsApp. </p>
<p>Governments also increasingly use <a href="https://democracyinafrica.org/a-new-anti-democratic-tool-the-deep-packet-inspection-technique/">deep packet inspection</a> technology as a tool to filter and block specific content. It’s commonly used for surveillance. Deep packet inspection infrastructure enables the inspection of data packets and hence the content of communication. It’s a more tailored approach to blocking content and makes circumvention more difficult. </p>
<p>In <a href="https://ooni.org/post/2023-senegal-social-media-blocks/">Senegal</a>, internet service providers likely used deep packet inspection to block access to WhatsApp, Telegram, Facebook, Instagram, Twitter and YouTube. </p>
<p>When internet shutdowns are done through packet filtering, only individuals within the affected network are able to detect the shutdown. Therefore, <a href="https://ensa.fi/active-probing/">active probing</a> is required to detect the shutdown. This is a technique that’s used by cybersecurity researchers and civil society actors to study the extent and methods of internet censorship in different regions.</p>
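<p>Active probing of the kind just described compares what a device inside the filtered network observes against a control measurement taken from an unfiltered vantage point. The following is an added example, not the article's code nor that of any probing project, that classifies constructed per-host measurements layer by layer (DNS, TCP, TLS, HTTP) so that an IP-address block, DNS tampering and a deep-packet-inspection reset of the TLS handshake each get a distinct verdict. The hostnames and addresses are placeholders, and the record layout is an assumption for the illustration, simplified from what tools such as OONI Probe collect.</p>

```python
"""Classify active-probe measurements of possibly filtered hosts.

Added illustration, not the article's or any probing tool's code. For
each host a probe inside the network records what it saw at each layer;
a control measurement from outside records what should have happened.
All hosts and addresses below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Probe:
    host: str
    dns_answers: frozenset            # A records the probe's resolver returned
    tcp_connected: bool               # TCP to port 443 of a returned address succeeded?
    tls_ok: bool                      # TLS handshake with SNI=host completed?
    http_status: Optional[int] = None
    body_matches_control: Optional[bool] = None
    tls_error: Optional[str] = None   # free-text note, kept for the report


@dataclass
class Control:
    host: str
    dns_answers: frozenset
    tcp_connected: bool = True
    tls_ok: bool = True
    http_status: int = 200


def classify(probe: Probe, control: Control) -> str:
    """Return a verdict for one host. Checks run from the lowest layer up,
    so the first layer that diverges from the control names the
    interference; higher layers cannot be judged once a lower one failed."""
    if not probe.dns_answers:
        return "dns_blocking"            # NXDOMAIN or an empty answer
    dns_consistent = not probe.dns_answers.isdisjoint(control.dns_answers)
    if not dns_consistent and not probe.tls_ok:
        # Unknown addresses *and* no valid TLS session: an injected or
        # sinkholed answer. Unknown addresses with a valid handshake are
        # usually just geo-DNS or a CDN, so that case falls through.
        return "dns_tampering"
    if not probe.tcp_connected and control.tcp_connected:
        return "ip_blocking"             # the address itself is filtered
    if not probe.tls_ok and control.tls_ok:
        return "tls_interference"        # handshake reset: SNI-based DPI
    if probe.http_status != control.http_status or probe.body_matches_control is False:
        return "http_blocking"           # block page or altered response
    return "accessible"


def report(probes, controls) -> dict:
    """Map each probed host to its verdict."""
    by_host = {c.host: c for c in controls}
    return {p.host: classify(p, by_host[p.host]) for p in probes}


# Constructed control measurements (unfiltered vantage point).
SAMPLE_CONTROLS = [
    Control("chat.example", frozenset({"198.51.100.10"})),
    Control("video.example", frozenset({"198.51.100.11"})),
    Control("social.example", frozenset({"198.51.100.7"})),
    Control("news.example", frozenset({"198.51.100.20"})),
    Control("forum.example", frozenset({"198.51.100.30"})),
    Control("mail.example", frozenset({"198.51.100.40"})),
]

# Constructed probe measurements (inside the filtered network).
SAMPLE_PROBES = [
    Probe("chat.example", frozenset({"198.51.100.10"}), False, False,
          tls_error="connect timed out"),
    Probe("video.example", frozenset({"198.51.100.11"}), True, False,
          tls_error="connection reset after ClientHello"),
    Probe("social.example", frozenset({"203.0.113.9"}), True, False,
          tls_error="certificate does not match host"),
    Probe("news.example", frozenset({"203.0.113.20"}), True, True, 200, True),
    Probe("forum.example", frozenset(), False, False),
    Probe("mail.example", frozenset({"198.51.100.40"}), True, True, 200, True),
]

if __name__ == "__main__":
    for host, verdict in report(SAMPLE_PROBES, SAMPLE_CONTROLS).items():
        print(f"{host:16} {verdict}")
```

<p>The news.example case is the one worth noting: its addresses differ from the control's, yet the TLS handshake and page content match, so it is reported as accessible rather than tampered with. Treating every DNS difference as censorship would flag ordinary CDN behaviour and undermine the credibility of the finding.</p>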
<h2>Violation of rights</h2>
<p>Though the two most common strategies are <a href="https://ieeexplore.ieee.org/document/6678649">routing disruptions and packet filtering</a>, there are many other tools governments can use. For instance, <a href="https://www.ncr-iran.org/en/news/iran-protests/iran-is-moving-towards-a-complete-internet-shutdown-one-bite-at-a-time/">domain name system manipulation</a>, <a href="https://www.cambridge.org/core/journals/political-science-research-and-methods/article/hot-topics-denialofservice-attacks-on-news-websites-in-autocracies/A50BD0533D1132765F64C2700E5822FC">denial of service attacks</a>, or the blunt sabotage of physical infrastructure. A <a href="https://www.accessnow.org/wp-content/uploads/2022/06/A-taxonomy-of-internet-shutdowns-the-technologies-behind-network-interference.pdf">detailed overview</a> of techniques is provided by Access Now, an NGO defending digital civil rights of people around the world.</p>
<p>There is wide agreement that internet shutdowns are a violation of fundamental rights such as freedom of expression. However, governments are developing increasingly sophisticated means to block or restrict access to the internet. It’s therefore important to closely monitor the ways in which internet shutdowns are being implemented. This will help to provide circumvention strategies and hold the implementers to account.</p>
<p class="fine-print"><em><span>Lisa Garbe does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>There are different tactics that governments can use to block the internet, some more sophisticated than others.</p>
<p>Lisa Garbe, Research Fellow, WZB Berlin Social Science Center. Licensed as Creative Commons – attribution, no derivatives.</p>
tag:theconversation.com,2011:article/209384 2023-07-31T12:21:15Z
Cyber governance in Africa is weak. Taking the Malabo Convention seriously would be a good start
<figure><img src="https://images.theconversation.com/files/538831/original/file-20230723-40270-cicrdz.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">African countries are lagging behind in digital advancements.</span> <span class="attribution"><span class="source">Wikimedia Commons</span></span></figcaption></figure>
<p>Several African countries are pursuing digital transformation ambitions – applying new technologies to enhance the development of society. But concerns exist over the absence of appropriate policies across the continent to create a resilient and secure cyber environment. </p>
<p><em><a href="https://www.bradford.ac.uk/staff/nifeanyiajufo/">Nnenna Ifeanyi-Ajufo</a>, a <a href="https://www.tandfonline.com/doi/full/10.1080/25741292.2023.2199960">technology law expert</a>, explains the current cyber governance situation in Africa.</em></p>
<h2>What is cyber governance and why is it so important?</h2>
<p>Cyber governance is an important aspect of the international cybersecurity strategy for preventing and mitigating cyber threats. It features oversight processes, decision-making hierarchies and international cooperation. It also includes systems for accountability and responsible state behaviour in cyberspace. In recent years, cyber governance has been prominent in diplomatic and political agendas when regions or countries need to work together.</p>
<p>To promote digital transformation, cyberspace must be made secure and stable, using appropriate governance standards. </p>
<p>Digital transformation offers Africa tremendous opportunities. These include the economic empowerment of citizens, transparent governance and less corruption. But digital transformation can only happen on the continent if its digital spaces are trusted, secure and resilient. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/its-time-for-governments-to-help-their-citizens-deal-with-cybersecurity-100771">It's time for governments to help their citizens deal with cybersecurity</a>
</strong>
</em>
</p>
<hr>
<h2>How are African governments doing on this front?</h2>
<p>Not very well. In 2014, the African Union Commission adopted the <a href="https://au.int/sites/default/files/treaties/29560-treaty-0048_-_african_union_convention_on_cyber_security_and_personal_data_protection_e.pdf">African Union Convention on Cybersecurity and Personal Data Protection</a>. It is also known as the Malabo Convention. It is supposed to provide principles and guidelines to ensure cybersecurity and stability in the region. </p>
<p><a href="https://dataprotection.africa/wp-content/uploads/2305121.pdf#page=2">Only 15</a> out of the 55 AU member states have ratified the convention. These include Ghana, Mauritius, Togo and Rwanda. </p>
<p>Cyber governance has political dimensions. African countries are rooted in historical and cultural contexts that have an impact on politics and governance. Governance mechanisms in the region are further affected by political instability and conflicts. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/five-things-south-africa-must-do-to-combat-cybercrime-186089">Five things South Africa must do to combat cybercrime</a>
</strong>
</em>
</p>
<hr>
<p>The borderless nature of cyberspace presents particular challenges. This is especially so for African states that are accustomed to controlling activities in their territory. </p>
<p>The result of this has been a misunderstanding of cyber governance. This has manifested in internet shutdowns and restrictions of online activities for citizens. We have seen recent examples of this in <a href="https://theconversation.com/senegals-internet-shutdowns-are-another-sign-of-a-democracy-in-peril-207443">Senegal</a>, <a href="https://www.mfwa.org/network-disruptions-how-govts-in-west-africa-violated-internet-rights-in-2022/">Burkina Faso</a>, <a href="https://www.amnesty.org/en/latest/news/2023/03/ethiopians-in-social-media-blackout-for-second-month/">Ethiopia</a> and <a href="https://www.mfwa.org/network-disruptions-how-govts-in-west-africa-violated-internet-rights-in-2022/">Nigeria</a>.</p>
<p>African leaders’ views on regulating the digital space vary. This is clear from their reluctance to ratify the Malabo Convention. </p>
<p>Often, international standards collide with the realities of developing states. This is true for states in Africa that are on the wrong side of the digital divide. This means they lack the capacity, skills and infrastructure to govern cyberspace to international standards. Overall, this limited institutional and technical capacity implies that effective cyber governance may not exist in practice for Africa. </p>
<p>There are some good stories, though. Ghana has <a href="https://africacenter.org/spotlight/ghana-multistakeholder-cyber-security/">ratified</a> the Malabo Convention and the <a href="https://www.coe.int/en/web/cybercrime/the-budapest-convention">Convention on Cybercrime</a> of 2001 (the Budapest Convention). It also passed the <a href="http://ir.parliament.gh/bitstream/handle/123456789/1800/CYBERSECURITY%20ACT%2C%202020%20%28ACT%201038%29.pdf?sequence=1">Cybersecurity Act, 2020 (Act 1038)</a> into law and has developed a robust national <a href="https://afyonluoglu.org/PublicWebFiles/strategies/Africa/Ghana%202014%20National%20Cyber%20Security%20Policy%20and%20Strategy-EN.pdf">cybersecurity policy and strategy</a>. </p>
<h2>What needs to happen to bring all countries in line?</h2>
<p>Preserving cyber stability is a collaborative effort. African countries need to find ways to work together to foster appropriate policies or strategies. Adopting the Malabo Convention would show that countries see the importance of cooperation in governing the digital environment. </p>
<p>Greater coordination is also necessary at a regional level. For example, the Southern African Development Community has adopted <a href="https://www.itu.int/en/ITU-D/Cybersecurity/Documents/SADC%20Model%20Law%20Cybercrime.pdf">a model law on cybercrime</a>. The Economic Community of West African States has developed a <a href="https://issafrica.org/ctafrica/uploads/Directive%201:08:11%20on%20Fighting%20Cyber%20Crime%20within%20ECOWAS.pdf">directive on fighting cybercrime</a>. Regional organisations have a key role to play in formulating policies and delivering outcomes. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/senegals-internet-shutdowns-are-another-sign-of-a-democracy-in-peril-207443">Senegal's internet shutdowns are another sign of a democracy in peril</a>
</strong>
</em>
</p>
<hr>
<p>Beyond ratifying the Malabo Convention, African states must also rethink best practices and the value of strategic regional partnerships. These partnerships are important because they create shared responsibility in a borderless space.</p>
<p>Africa must approach diplomacy strategically in this space and seek increased representation at global dialogues. The African Union remains largely absent from the evolving UN processes on cyber governance development. This implies that African interests, realities and domestic capabilities won’t get enough attention in the processes. There is also a need to bridge the institutional and technical gaps that have prevented African states from participating fully. </p>
<p>Committing to the Malabo Convention would provide a framework for united cyber governance norms and standards across the continent. As the international community continues to define these standards, Africa should be included.</p>
<p class="fine-print"><em><span>Nnenna Ifeanyi-Ajufo does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>The borderless nature of cyberspace presents particular challenges for African states used to controlling activities in their territory.</p>
<p>Nnenna Ifeanyi-Ajufo, Professor of Technology Law, University of Bradford. Licensed as Creative Commons – attribution, no derivatives.</p>