<p>Cyber Security Centre – The Conversation (feed updated 2023-05-26T05:04:02Z)</p>
<h1>The highly secretive Five Eyes alliance has disrupted a China-backed hacker group – in an unusually public manner</h1>
<p>Published 2023-05-26T05:04:02Z.</p>
<figure><img src="https://images.theconversation.com/files/528460/original/file-20230526-17-odlsck.jpg?ixlib=rb-1.1.0&rect=69%2C59%2C3233%2C2092&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><span class="source">Dennis Desmond</span>, <span class="license">Author provided</span></span></figcaption></figure>
<p>This week the Five Eyes alliance – an intelligence alliance between Australia, the United Kingdom, Canada, New Zealand and the United States – <a href="https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF">announced its investigation</a> into a China-backed threat targeting US infrastructure.</p>
<p>Using stealth techniques, the attacker – referred to as “Volt Typhoon” – exploited existing resources in compromised networks in a technique called “<a href="https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3406058/nsa-and-partners-identify-china-state-sponsored-cyber-actor-using-built-in-netw/">living off the land</a>”.</p>
<p>Microsoft made a concurrent <a href="https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/">announcement</a>, stating the attackers’ targeting of Guam was telling of China’s plans to potentially disrupt critical communications infrastructure between the US and Asia region in the future.</p>
<p>This comes hot on the heels <a href="https://www.nknews.org/pro/how-new-us-cybersecurity-task-force-can-effectively-target-north-korean-hackers/">of news</a> in April of a North Korean supply chain attack on Asia-Pacific telecommunications provider 3CX. In this case, hackers gained access to an employee’s computer using a compromised desktop app for Windows and a compromised signed software installation package.</p>
<p>The Volt Typhoon announcement has led to a rare admission by the US National Security Agency that Australia and other Five Eyes partners are engaged in a targeted search and detection scheme to uncover China’s clandestine cyber operations.</p>
<p>Such public admissions from the Five Eyes alliance are few and far between. Behind the curtain, however, this network is persistently engaged in trying to take down foreign adversaries. And it’s no easy feat. </p>
<p>Let’s take a look at the events leading up to Volt Typhoon – and more broadly at how this secretive transnational alliance operates.</p>
<h2>Uncovering Volt Typhoon</h2>
<p>Volt Typhoon is an “advanced persistent threat group” that has been active since at least mid-2021. It’s believed to be sponsored by the Chinese government and is targeting critical infrastructure organisations in the US. </p>
<p>The group has focused much of its efforts on Guam. Located in the Western Pacific, this US island territory is home to a significant and growing US military presence, including the air force, a contingent of the marines, and the US navy’s nuclear-capable submarines. </p>
<p>It’s likely the Volt Typhoon attackers intended to gain access to networks connected to US critical infrastructure to disrupt communications, command and control systems, and maintain a persistent presence on the networks. The latter tactic would allow China to influence operations during a potential conflict in the South China Sea. </p>
<p>Australia wasn’t directly impacted by Volt Typhoon, according to official statements. Nevertheless, it would be a primary target for similar operations in the event of conflict.</p>
<p>As for how Volt Typhoon was caught, this hasn’t been disclosed. But Microsoft documents highlight previous observations of the threat actor attempting to dump credentials and stolen data from the victim organisation. It’s likely this led to the discovery of compromised networks and devices.</p>
<h2>Living-off-the-land</h2>
<p>The hackers initially gained access to networks through internet-facing Fortinet FortiGuard devices, such as routers. Once inside, they employed a technique called “living-off-the-land”. </p>
<p>This is when attackers rely on using the resources already contained within the exploited system, rather than bringing in external tools. For example, they will typically use applications such as PowerShell (a Microsoft management program) and Windows Management Instrumentation <a href="https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/">to access</a> data and network functions.</p>
<p>By using internal resources, attackers can bypass safeguards that alert organisations to unauthorised access to their networks. Since no malicious software is used, they appear as a legitimate user. As such, living-off-the-land allows for lateral movement within the network, and provides opportunity for a persistent, long-term attack.</p>
<p>The simultaneous announcements from the Five Eyes partners point to the seriousness of the Volt Typhoon compromise. It will likely serve as a warning to other nations in the Asia-Pacific region.</p>
<h2>Who are the Five Eyes?</h2>
<p><a href="https://www.theguardian.com/world/2013/dec/02/history-of-5-eyes-explainer">Formed in 1955</a>, the Five Eyes alliance is an intelligence-sharing partnership comprising Australia, Canada, New Zealand, the UK and the US. </p>
<p>The alliance was formed after World War II to counter the potential influence of the Soviet Union. It has a specific focus on signals intelligence. This involves intercepting and analysing signals such as radio, satellite and internet communications. </p>
<p>The members share information and access to their respective signals intelligence agencies, and collaborate to collect and analyse vast amounts of global communications data. A Five Eyes operation might also include intelligence provided by non-member nations and the private sector.</p>
<p>Recently, the member countries expressed concern about China’s de facto military control <a href="https://theconversation.com/explainer-why-is-the-south-china-sea-such-a-hotly-contested-region-143435">over the South China Sea</a>, its suppression of <a href="https://theconversation.com/china-is-taking-a-risk-by-getting-tough-on-hong-kong-now-the-us-must-decide-how-to-respond-139294">democracy in Hong Kong</a>, and its threatening moves towards Taiwan. The latest public announcement of China’s cyber operations no doubt serves as a warning that Western nations are paying strict attention to their critical infrastructure – and can respond to China’s digital aggression.</p>
<p>In 2019, Australia was <a href="https://theconversation.com/a-state-actor-has-targeted-australian-political-parties-but-that-shouldnt-surprise-us-111997">targeted</a> by Chinese state-backed threat actors gaining unauthorised access to Parliament House’s computer network. Indeed, there is evidence that China is engaged in a concerted <a href="https://theconversation.com/australia-is-under-sustained-cyber-attack-warns-the-government-whats-going-on-and-what-should-businesses-do-141119">effort to target</a> Australia’s public and private networks.</p>
<p>The Five Eyes alliance may well be one of the only deterrents we have against long-term, persistent attacks against our critical infrastructure.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/deterring-china-isnt-all-about-submarines-australias-cyber-offence-might-be-its-most-potent-weapon-204749">Deterring China isn't all about submarines. Australia's 'cyber offence' might be its most potent weapon</a>
</strong>
</em>
</p>
<hr>
<p class="fine-print"><em><span>Dr Desmond previously received funding through an ARC Linkage Grant and has worked with the US intelligence community and Five Eyes partners in the past.</span></em></p>
<p><em>Summary: The Five Eyes alliance is critical to hunting and detecting foreign cyber actors, but tends to work in secret.</em></p>
<p>Dennis B. Desmond, Lecturer, Cyberintelligence and Cybercrime Investigations, University of the Sunshine Coast. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>This New Year, why not resolve to ditch your dodgy old passwords?</h1>
<p>Published 2022-01-02T18:46:27Z.</p>
<figure><img src="https://images.theconversation.com/files/437494/original/file-20211214-17-eck9dj.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C4937%2C3316&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><span class="source">Elise Amendola/AP</span></span></figcaption></figure>
<p>Most of the classic New Year resolutions revolve around improving your health and lifestyle. But this year, why not consider cleaning up your passwords too?</p>
<p>We all know the habits to avoid, yet so many of us do them anyway: using predictable passwords, never changing them, or writing them on sticky notes on our monitor. We routinely ignore the <a href="https://theconversation.com/choose-better-passwords-with-the-help-of-science-82361">recommendations for good passwords</a> in the name of convenience.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/0SkdP36wiAU?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">What’s wrong with your pa$$w0rd?</span></figcaption>
</figure>
<p>Choosing short passwords containing common names or words is likely to lead to trouble. Hackers can often guess a person’s passwords simply by using a computer to work through a long list of commonly used words.</p>
<p>The <a href="https://nordpass.com/most-common-passwords-list/">most popular choices</a> have changed very little over time, and include numerical combinations such as “123456” (the most common password for five years in a row), “love”, keyboard patterns such as “qwerty” and, perhaps most ludicrously, “password” (or its Portuguese translation, “senha”). </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/434393/original/file-20211129-21-1x6v2sn.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/434393/original/file-20211129-21-1x6v2sn.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=210&fit=crop&dpr=1 600w, https://images.theconversation.com/files/434393/original/file-20211129-21-1x6v2sn.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=210&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/434393/original/file-20211129-21-1x6v2sn.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=210&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/434393/original/file-20211129-21-1x6v2sn.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=264&fit=crop&dpr=1 754w, https://images.theconversation.com/files/434393/original/file-20211129-21-1x6v2sn.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=264&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/434393/original/file-20211129-21-1x6v2sn.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=264&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">2017-2019* list of common passwords from SplashData, 2020-2021# from NordPass.</span>
</figcaption>
</figure>
<p>Experts have long advised against using words, places or names in passwords, although you can strengthen this type of password by jumbling the components into sequences with a mixture of upper- and lowercase characters, as long as you do it thoroughly.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/a-computer-can-guess-more-than-100-000-000-000-passwords-per-second-still-think-yours-is-secure-144418">A computer can guess more than 100,000,000,000 passwords per second. Still think yours is secure?</a>
</strong>
</em>
</p>
<hr>
<p>Complex rules often lead users to choose a word or phrase and then substitute letters with numbers and symbols (such as “Pa33w9rd!”), or add digits to a familiar password (“password12”). But so many people do this that these techniques don’t actually make passwords stronger. </p>
<p>It’s better to start with a word or two that isn’t so common, and make sure you mix things up with symbols and special characters in the middle. For example, “wincing giraffe” could be adapted to “W1nc1ng_!G1raff3”.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/choose-better-passwords-with-the-help-of-science-82361">Choose better passwords with the help of science</a>
</strong>
</em>
</p>
<hr>
<p>These secure passwords can be harder to remember, to the extent you might end up having to write them down. That’s OK, as long as you keep the note somewhere secure (and definitely not stuck to your monitor).</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/434395/original/file-20211129-13-eorqcu.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/434395/original/file-20211129-13-eorqcu.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=348&fit=crop&dpr=1 600w, https://images.theconversation.com/files/434395/original/file-20211129-13-eorqcu.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=348&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/434395/original/file-20211129-13-eorqcu.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=348&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/434395/original/file-20211129-13-eorqcu.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=437&fit=crop&dpr=1 754w, https://images.theconversation.com/files/434395/original/file-20211129-13-eorqcu.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=437&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/434395/original/file-20211129-13-eorqcu.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=437&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Passwords on a sticky note are still a bad idea in the workplace.</span>
</figcaption>
</figure>
<p>Reusing passwords is another common error – and one of the biggest. Past data leaks, such as that suffered by <a href="https://www.ncsc.gov.uk/blog-post/linkedin-2012-hack-what-you-need-know">LinkedIn in 2012</a>, mean billions of old passwords are now circulating among cyber criminals. </p>
<p>This has given rise to a practice called “<a href="https://www.wired.com/story/what-is-credential-stuffing/">credential stuffing</a>” – taking a leaked password from one source and trying it on other sites. If you’re still using the same old password for multiple email, social media or financial accounts, you’re at risk of being compromised.</p>
<h2>Pro tip: use a password manager</h2>
<p>The simplest and most effective route to good password hygiene is to use a <a href="https://www.choice.com.au/electronics-and-technology/internet/internet-privacy-and-safety/buying-guides/password-managers">password manager</a>. This lets you use unique strong passwords for all your various logins, without having to remember them yourself.</p>
<p>Password managers allow you to store all of your passwords in one place and to “lock” them away with a strong level of protection. This can be a single (strong) password, but can also include face or fingerprint recognition, depending on the device you are using. Although there is some risk associated with storing your passwords in one place, experts consider this much less risky than using the same password for multiple accounts.</p>
<p>The password manager can automatically create strong, randomised passwords for each different service you use. This means your LinkedIn, Gmail and eBay accounts can no longer be accessed by someone who happens to guess the name of your childhood pet dog. </p>
<p>If one password is leaked, you only have to change that one – none of the others are compromised.</p>
<p>There are <a href="https://en.wikipedia.org/wiki/List_of_password_managers">many password managers</a> to choose from. Some are free (such as Keepass) or “freemium” (offering the option to upgrade for more functionality like Nordpass), while others charge a one-off fee or recurring subscription (such as 1Password). Most allow you to securely sync your passwords across all your devices, and some let you safely share passwords between family members or work groups.</p>
<p>You can also use the password managers built into most web browsers or operating systems (with many phones offering this functionality in the browser or natively). These tend to have fewer features and may pose compatibility issues if you want to access your password from different browsers or platforms.</p>
<p>Password managers take a bit of getting used to, but don’t be too daunted. When creating a new account on a website, you let the password manager create a unique (complex) password and store it straight away – there’s no need to think of one yourself!</p>
<p>Later, when you want to access that account again, the password manager fills it in automatically. This is either through direct integration with the browser (typically on computers) or through a separate application on your mobile device. Most password managers will automatically “lock” after a period of time, prompting for the master password (or face/finger verification) before allowing access again.</p>
<h2>Protect your most important passwords</h2>
<p>If you don’t like the sound of a password manager, at the very least change your “critical” account passwords so each one is strong and unique. Financial services, email accounts, government services, and work systems should each have a separate, strong password. </p>
<p>Even if you write them down in a book (kept safely locked away) you will significantly reduce your risk in the event of a data breach on any of those platforms.</p>
<p>Remember, however, that some sites provide delegated access to others. Many e-commerce websites, for example, give you the option of logging in with your Facebook, Google or Apple account. This doesn’t expose your password to greater risk, because the password itself is not shared. But if the password is compromised, using it would grant access to those delegated sites. It is usually best to create unique accounts – and use your password manager to keep them safe.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/facebook-hack-reveals-the-perils-of-using-a-single-account-to-log-in-to-other-services-104227">Facebook hack reveals the perils of using a single account to log in to other services</a>
</strong>
</em>
</p>
<hr>
<p>Adopting a better approach to passwords is a simple way to reduce your cyber-security risks. Ideally that means using a password manager, but if you’re not quite ready for that yet, at least make 2022 the year you ditch the sticky notes and pets’ names.</p>
<p class="fine-print"><em><span>Lorrie Cranor receives funding from Bosch, Carnegie Corporation of New York, Carnegie Mellon CyLab, DARPA, DuckDuckGo, Facebook, an endowed professorship established by the founders of FORE Systems, Google, Highmark Health, Innovators Network Foundation, NSA, and NSF. She is affiliated with the Computing Research Association, the Future of Privacy Forum, the Aspen Institute Cybersecurity Group, the Center for Cybersecurity Policy and Law, and the Consumer Reports Digital Lab Advisory Council.</span></em></p>
<p class="fine-print"><em><span>Paul Haskell-Dowland does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p><em>Summary: Start 2022 by improving your password hygiene. Ideally you can use a password manager, but at the very least make sure your financial, social and work accounts each have their own strong, unique login.</em></p>
<p>Paul Haskell-Dowland, Professor of Cyber Security Practice, Edith Cowan University; Lorrie Cranor, Professor of Computer Science and of Engineering &amp; Public Policy, Carnegie Mellon University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>The government wants to expand the ‘digital identity’ system that lets Australians access services. There are many potential pitfalls</h1>
<p>Published 2021-10-26T06:01:31Z.</p>
<figure><img src="https://images.theconversation.com/files/428176/original/file-20211025-15-1hznum5.jpg?ixlib=rb-1.1.0&rect=53%2C0%2C6000%2C3997&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><span class="source">Rodion Kutsaev/Unsplash</span>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span></figcaption></figure>
<p>The federal government has been asking the public for <a href="https://www.digitalidentity.gov.au/have-your-say/phase-3">feedback on proposed legislation</a> to create a “trusted digital identity” system. The aim is for Australians to use it to prove their identity when accessing public services.</p>
<p>I first found out about the draft Trusted Digital Identity Bill not through my research at the intersection of society and technology, but through my mother-in-law. She found out about it in private social media channels, and her local women’s group was seeking support to craft their feedback, which emphasises concern for privacy and civil liberties in Australia. </p>
<p>After asking around among major stakeholders, it seems this piece of legislation has largely slipped under the radar since it was unveiled on October 1.</p>
<p>But what will a national digital identity system actually involve, who will it serve, and if we need it, how should it be implemented?</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/australias-national-digital-id-is-here-but-the-governments-not-talking-about-it-130200">Australia's National Digital ID is here, but the government's not talking about it</a>
</strong>
</em>
</p>
<hr>
<h2>What does ‘digital identity’ mean?</h2>
<p>The government’s proposed <a href="https://www.digitalidentity.gov.au/about-digital-identity">Digital Identity</a> system promises a “safe, secure and convenient way to prove who you are online every time you access government services”. In other words, it aims to streamline your experience by avoiding the need to repeatedly identify yourself when accessing a range of government services. </p>
<p>Currently, you can create a digital identity using a “myGovID” to access 80 government services. This allows you to link your data across services such as Medicare, Centrelink and the Australian Tax Office. The new legislation proposes an expansion of powers to outsource the process of identity verification to approved Australian businesses. Presumably, this could lead to an expansion of acceptance of the digital ID system so it can be used more widely than just to access government services.</p>
<p>This would be done by linking your myGov account via the myGovID smartphone app, and providing an existing identity document (such as a passport, driver’s licence or birth certificate), to an identity provider. Under the proposal, any Australian business can apply to join the “Trusted Digital Identity Framework” to become an identity accreditor. The legislation would establish an agency to oversee these accreditations, and to govern how data will be handled in the scheme. The technical standards of the proposed scheme have not yet been published.</p>
<p>But this goes against all the standard advice about not linking all of your personal information, such as tax history and medical history, as it can lead to mass analytics, behaviour profiling, targeted advertising, and more (as we saw in the Cambridge Analytica scandal). </p>
<p>The proposal also comes amid the ongoing “datafication” of the population, which has been turbocharged by the COVID pandemic. Digital rights advocacy groups have already <a href="https://theconversation.com/the-covidsafe-app-was-just-one-contact-tracing-option-these-alternatives-guarantee-more-privacy-137400">voiced alarm</a> at the mass collection, collation and storage of personal data, often on a mandatory basis, using hastily implemented platforms such as contact-tracing apps.</p>
<p>Without a careful and measured approach, the digital identity proposal risks repeating the same mistakes.</p>
<p>The government says the proposed digital identity system will be entirely voluntary, and that the system is not designed to replace identification documents such as your birth certificate, visa, driver’s licence or passport. </p>
<p>It also says the system will not be used to access or record COVID vaccinations, and that the information collected will not be used for purposes such as consumer profiling or marketing.</p>
<p>Of course, Australians who opt to use the system are being asked to put their trust in the government to share their data with “verified” identity providers. </p>
<p>Ironically enough, there are quite a few issues that still need to be resolved before Australians can place their trust in the government’s plan to issue them with a “trusted digital identity”.</p>
<h2>Potential pitfalls</h2>
<p>I have several concerns about the government’s digital identity legislation in its current form.</p>
<ul>
<li><p>It is opaque on details, particularly with regard to the proposed use of new technologies such as biometric matching (using biological characteristics to identify an individual) and automated decision-making.</p></li>
<li><p>It potentially creates a “honeypot” of personal data stored in a centralised database that would offer a tempting target for cyber criminals or hostile nations. The government has promised the data will be “private and secure and protected by strict security protocols”. But government databases have <a href="https://www.webberinsurance.com.au/data-breaches-list">suffered numerous previous hacks</a>, such as the “cybersecurity incident” last year that led to the Australian Defence Force’s <a href="https://ia.acs.org.au/article/2020/australian-defence-force-database-hacked.html">recruitment records</a> being offline for ten days.</p></li>
<li><p>It’s not clear how the trustworthiness of third-party identity verification providers who store these data will be verified and guaranteed, or what recourse would be available in the event of a breach.</p></li>
<li><p>There is a potential lack of accountability for third-party access, onselling, and monetisation of data – precisely the problem that has blighted our relationship with Big Tech over the past few years. </p></li>
<li><p>The establishment of a centralised “oversight authority” is an archaic approach that disempowers individuals from owning their personal information. </p></li>
</ul>
<p>Australians can’t simply disengage from digitisation. But rather than blithely hand over our data, we should think carefully and collectively about the long-term effects of creating national, centralised databases of sensitive personal information.</p>
<p>The digital infrastructure to own and control access to our own digital identity already exists. Blockchain communities have <a href="https://www.brightid.org/">built it</a>; it’s time we used it.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/the-covidsafe-app-was-just-one-contact-tracing-option-these-alternatives-guarantee-more-privacy-137400">The COVIDSafe app was just one contact tracing option. These alternatives guarantee more privacy</a>
</strong>
</em>
</p>
<hr>
<h2>Hope for alternatives</h2>
<p>Senator Andrew Bragg last week tabled the <a href="https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Financial_Technology_and_Regulatory_Technology/AusTechFinCentre/Final_report">final report</a> of the Senate Select Committee on Australia as a Technology and Financial Centre. It recommends Australia embrace technologies such as <a href="https://www.industry.gov.au/about-us/national-blockchain-roadmap-steering-committee">blockchain</a> and decentralised computing, in a bid to become an international hub for financial technology. </p>
<p>Despite this, there is still no apparent appetite to use this technology to encrypt the data stored by our domestic public services. Contrast that with Estonia, an international leader in digitisation, which maintains an <a href="https://e-estonia.com/blockchain-healthcare-estonian-experience/">immutable blockchain-based record</a> of who in government has accessed medical health records.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/what-australia-can-learn-about-e-government-from-estonia-35091">What Australia can learn about e-government from Estonia</a>
</strong>
</em>
</p>
<hr>
<p>Leaving aside the question of whether a digital identity system is even necessary or desirable, perhaps the biggest disappointment about the current legislation is the lack of creativity about data governance to determine how the system could be more safely implemented.</p>
<p>I’m not saying “don’t trust the government with your data”. What I am saying is that the digital identity data should be regarded as critical national infrastructure, and protected as such by giving people the ability to own their identity. </p>
<p>The broader context here is not one of legislation or technological architecture. It is a social question of collectively defining what a digital Australia should look like in the long term, and making it one that serves the public interest. Citizens should be able to own and govern their personal information with confidence, both now and into the future.</p>
<hr>
<p><em>The opportunity for individuals and organisations to <a href="https://www.digitalidentity.gov.au/have-your-say/phase-3">respond to the Digital Identity Bill</a> closes on October 27.</em></p>
<p class="fine-print"><em><span>Kelsie Nabben receives funding from RMIT University as a PhD student. She is a Board member of industry association Blockchain Australia.</span></em></p>
<p><em>Summary: Without careful planning and implementation, the government risks making many of the same mistakes ushered in by the hasty ‘datafication’ of society, which has been turbocharged by the pandemic.</em></p>
<p>Kelsie Nabben, Researcher / PhD Candidate, RMIT Blockchain Innovation Hub / Digital Ethnography Research Centre, RMIT University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Huawei’s ability to eavesdrop on Dutch mobile users is a wake-up call for the telecoms industry</h1>
<p>Published 2021-05-10T13:40:51Z.</p>
<figure><img src="https://images.theconversation.com/files/399429/original/file-20210507-21-1xvdf6c.jpeg?ixlib=rb-1.1.0&rect=0%2C0%2C3994%2C2000&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/young-woman-mobile-phone-headphones-walks-1289685550">viewimage/Shutterstock</a></span></figcaption></figure>
<p>Chinese technology provider Huawei was <a href="https://www.theguardian.com/technology/2021/apr/19/huawei-may-have-eavesdropped-on-dutch-mobile-networks-calls">recently accused</a> of being able to monitor all calls made using Dutch mobile operator KPN. The revelations are from a <a href="https://www.silicon.co.uk/5g/dutch-report-huawei-kpn-monitoring-393727">secret 2010 report</a> made by consultancy firm Capgemini, which KPN commissioned to evaluate the risks of working with Huawei infrastructure.</p>
<p>While the full report on the issue has not been made public, <a href="https://nltimes.nl/2021/04/17/huawei-able-eavesdrop-dutch-mobile-network-kpn-report">journalists reporting on the story</a> have outlined specific concerns that Huawei personnel in the Netherlands and China had access to security-essential parts of KPN’s network – including the call data of millions of Dutch citizens – and that a lack of records meant KPN couldn’t establish how often this happened.</p>
<p>Both KPN and Huawei have denied any impropriety, though in the years since the 2010 report, Huawei has increasingly found itself labelled a <a href="https://theconversation.com/can-huawei-survive-the-us-sanctions-144810">high-risk vendor</a> for telecoms companies to work with, including by the UK’s <a href="https://www.ncsc.gov.uk/files/Advice-on-use-equipment-from-high-risk-vendors-in-UK-telecoms.pdf">National Cyber Security Centre</a>.</p>
<p>To better understand this story, and to consider whether other telecoms networks may have had similar security vulnerabilities to KPN’s, we need to look at how complex mobile networks are run. KPN essentially granted Huawei “<a href="https://www.telecomtv.com/content/security/kpn-shaken-to-the-core-by-huawei-espionage-allegations-41287/">administrator rights</a>” to its mobile network by outsourcing work to the Chinese firm. Legislation is only now catching up to prevent similar vulnerabilities in telecoms security.</p>
<h2>Commercial pressures</h2>
<p>Huawei is one of the <a href="https://cntechpost.com/2021/03/09/huaweis-share-of-global-telecoms-equipment-market-increases-to-31/">three dominant radio equipment providers</a> in the world, alongside Ericsson and Nokia. These giant technology companies provide the base stations and equipment that deliver mobile phone signals. Operators like KPN increasingly pay these companies not only to buy the equipment, but also for them to support and maintain it.</p>
<p>The telecoms market in which KPN operates is one of the most price-competitive in the world. European mobile operators saw average revenues per user in 2019 of €14.90 (£12.85) a month, compared with €36.90 a month in the USA. European spending on telecoms services is also <a href="https://technews.tmcnet.com/channels/mobile-voip/articles/230239-european-mobile-service-providers-face-arpu-issues.htm">falling</a> <a href="https://www.ofcom.org.uk/__data/assets/pdf_file/0017/105074/cmr-2017-uk.pdf">year-on-year</a> as operators compete to offer the best deals to consumers.</p>
<p>Lower revenues force operators to manage costs carefully. This means operators have been keen to outsource parts of their businesses to third parties, especially since the late 2000s.</p>
<p>Large numbers of highly skilled engineers are an expensive liability to have on the balance sheet, and can often appear underused when things are running smoothly. Such jobs are often outsourced, with <a href="https://www.mobileworldlive.com/asia/asia-news/optus-to-cut-jobs-after-outsourcing-to-nokia">personnel transferring</a> to the outsourced provider, to help operators to cut their payroll costs.</p>
<h2>Outsourcing gone too far</h2>
<p>When everything is working, very few people notice outsourcing. But when things go wrong, outsourcing can often significantly complicate recovery, or create a large “single point of failure” or security issue. </p>
<p>In the UK, for instance, mobile operator O2 has seen <a href="https://www.theregister.com/2012/07/13/o2_outage_cause/">at least one outage</a> which has been linked to the use of outsourced functions. Where large numbers of operators <a href="https://telecoms.com/491082/inside-ericsson/">rely on the same outsourcing partner</a>, any issue or security breach affecting the outsourced provider can have a widespread impact.</p>
<p>Still, outsourcing by mobile operators is widespread. And firms in the UK and across Europe have often turned to Huawei to provide <a href="https://www.mobileeurope.co.uk/press-wire/9588-three-uk-joins-telefonica-by-outsourcing-core-management-to-huawei">IT services</a> and to help build <a href="https://www.information-age.com/o2-outsources-core-network-management-to-huawei-2103318/">core networks</a>. In 2010, Huawei was managing security-critical functions of KPN’s core network.</p>
<h2>Administrator access</h2>
<p>At the same time, equipment suppliers like Huawei are trying to move away from merely selling equipment and towards providing a <a href="https://www.thefastmode.com/expert-opinion/18162-the-ultimate-guide-to-open-ran-openran-integration-part-2-integration-stages-and-models">managed service</a>, including installation, maintenance and support. This helps them create recurring revenue in an industry that has generally been dominated by large five-year or ten-year purchasing cycles.</p>
<p>But as these vendors add services to their repertoire, they gain wider access to the mobile networks they work with. This could include <a href="https://www.ncsc.gov.uk/files/Advice-on-use-equipment-from-high-risk-vendors-in-UK-telecoms.pdf">certain security-critical parts</a> of telecoms networks, which are often designed to work in trusted, secure environments. </p>
<p>In the scenario where a vendor like Huawei also provides a managed service, they find themselves sitting in a uniquely privileged position, with inside knowledge of their own equipment, and with direct access to trusted management interfaces.</p>
<p>This creates the high-tech equivalent of putting all your eggs in one basket. It’s akin to giving the combinations of the bank vault to the same security guard in charge of the CCTV camera footage. It’s difficult to reliably monitor operations carried out by the vendor without relying on that vendor’s own software.</p>
<p>In cases where a vendor has been designated as high-risk as a result of its <a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/923309/Huawei_Cyber_Security_Evaluation_Centre__HCSEC__Oversight_Board-_annual_report_2020.pdf">own product security practices</a>, it is very difficult to establish that the vendor has done nothing untoward. This is the situation KPN apparently found itself in with Huawei back in 2010.</p>
<figure class="align-center ">
<img alt="A man on the phone walking in front of a Huawei store" src="https://images.theconversation.com/files/399428/original/file-20210507-13-ze5g4u.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip">
<figcaption>
<span class="caption">Huawei’s privileged access to KPN’s network could have allowed the Chinese firm to listen to calls made by Dutch citizens.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/man-talking-on-mobile-phone-he-1208284561">viewimage/Shutterstock</a></span>
</figcaption>
</figure>
<h2>Are changes needed?</h2>
<p>With at least one operator aiming to reduce European operating expenditure by <a href="https://www.ft.com/content/8d2287ad-d0a3-4972-9b0d-9e32846f3164">€1.2 billion</a>, and 5G deployments bringing new opportunities for managed services and software-based solutions to be used in networks, decisions around outsourcing will continue to play an important role for mobile operators going forwards. </p>
<p>But legislation is rapidly catching up. The UK has proposed a <a href="https://www.gov.uk/government/collections/telecommunications-security-bill">telecoms security bill</a>, and associated <a href="https://www.gov.uk/government/publications/draft-electronic-communications-security-measures-regulations">draft secondary legislation</a> includes requirements for network operators to monitor all activity carried out by third party providers, to identify and manage the risks of using them, and to have a plan in place to maintain normal network operations if their supplier’s service is disrupted. </p>
<p>For some operators, it’s conceivable this might mean bringing key skills back in-house to ensure there’s someone watching the (outsourced) watchmen. In the case of KPN, these measures would likely have prevented Huawei from having seemingly unchecked and privileged access to its customers’ mobile data.</p>
<p class="fine-print"><em><span>Greig is a member of the UK 5G security group, depute chair of the UK Telecoms Data Taskforce, and is involved in the delivery of 5G Testbeds & Trials projects, funded by DCMS.</span></em></p>
<p>Dutch mobile operator KPN was warned in 2010 that Huawei could snoop on millions of its customers’ calls.</p>
<p>Greig Paul, Lead Mobile Networks and Security Engineer, University of Strathclyde</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<hr>
<p>theconversation.com article 58208, published 2016-04-21T04:32:58Z</p>
<h1>The Cyber Security Strategy is only a small step in the right direction</h1>
<figure><img src="https://images.theconversation.com/files/119580/original/image-20160421-8026-149i5q7.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Cyber crime costs the Australian economy millions of dollars a year.</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure>
<p>Prime Minister Malcolm Turnbull today released the government’s <a href="https://cybersecuritystrategy.dpmc.gov.au/assets/img/PMC-Cyber-Strategy.pdf">Cyber Security Strategy</a>. A total of A$230 million will be spent over the next four years to “enhance Australia’s cyber security capability and deliver new initiatives”.</p>
<p>The initiatives generally involve improving Australia’s general awareness and capabilities to defend against cybersecurity attacks, and potentially launch its own cyberattacks.</p>
<p>More specifically, they involve partnering with the private sector in setting the “strategic agenda through annual Cyber Security meetings”. </p>
<p>This partnership will extend to participation in the <a href="https://www.acsc.gov.au/">Australian Cyber Security Centre</a>, which will be moved to a new facility. It will also involve sharing more information between security agencies and the private sector.</p>
<p>There will be increased funding of research into the economic costs of cyberattacks in order to allow organisations to manage investment in cybersecurity defences. </p>
<p>The Computer Emergency Response Team (<a href="https://www.cert.gov.au/">CERT</a>) will be bolstered, along with extra funding for the Australian Signals Directorate (<a href="http://www.asd.gov.au/">ASD</a>), Australian Crime Commission (<a href="https://crimecommission.gov.au/">ACC</a>) and Australian Federal Police (<a href="http://www.afp.gov.au/">AFP</a>) for increased expertise and improved ability to detect and defend against cybersecurity vulnerabilities. </p>
<p>Another element of the strategy is to expand Australia’s ability to grow its own cybersecurity industry through increased funding for research and development in this area. A <a href="http://www.innovation.gov.au/page/cyber-security-growth-centre">Cyber Security Growth Centre</a> will be established to add to the existing <a href="http://www.business.gov.au/advice-and-support/IndustryGrowthCentres/Pages/default.aspx">Industry Growth Centres</a>.</p>
<p><a href="http://www.csiro.au/en/Research/D61">Data61</a> will receive more funding to focus on cybersecurity innovation, and universities will also receive funding for training, research and education of undergraduate and postgraduates in the area of cybersecurity. </p>
<h2>Reading between the lines</h2>
<p>Although this new investment in cybersecurity will be generally welcomed, there are <a href="http://www.itnews.com.au/news/revealed-australias-new-cyber-security-strategy-418000">already</a> questions about whether it is going to be enough to do the job. </p>
<p>The US this year announced a <a href="http://www.reuters.com/article/us-obama-budget-cyber-idUSKCN0VI0R1">US$5 billion increase in funding for cybersecurity</a> to US$19 billion, and the UK last year pledged <a href="https://www.gov.uk/government/speeches/chancellors-speech-to-gchq-on-cyber-security">£1.9 billion</a> to the same cause.</p>
<p>Another question in response to the strategy is what exactly is meant by championing an “open, free and secure internet”. The definition of “open and free” likely depends on your particular point of view. </p>
<p>The government’s strategy calls for an “Australian Cyber Ambassador” to lead national efforts to ensure the internet is free from censorship, but also to support privacy and the rule of law. </p>
<p>But would upholding privacy extend to stopping the government from surveillance activities on its own citizens? Clearly, this would be at odds with the government’s <a href="https://www.ag.gov.au/dataretention">metadata retention legislation</a>. </p>
<p>“Open and free” may also not extend to any radical changes in the application of shutting down access to pirate sites distributing <a href="https://theconversation.com/from-convicts-to-pirates-australias-dubious-legacy-of-illegal-downloading-39912">illegal or pirated content</a>. </p>
<h2>Safe havens</h2>
<p>Another interesting question is what’s meant by the desire to shut down cyber criminal “safe havens”. </p>
<p>The report mentions that attacks often originate from overseas, but it is not clear how a country would go about shutting down attacks originating from China, for example. </p>
<p>One intriguing possibility is that an anonymised network like <a href="https://www.torproject.org/">Tor</a> could potentially be shut down. Tor has long been recognised as a haven for cybercriminals and, increasingly, the starting point for <a href="https://blog.cloudflare.com/the-trouble-with-tor/">cyberattacks</a>. </p>
<p>Security researchers have already <a href="http://www.itnews.com.au/news/close-door-on-tor-or-face-liability-for-threats-researchers-408435">stepped</a> up calls for businesses to block Tor traffic as a protective measure. </p>
<p>The cybersecurity strategy also hints at the fact that Australia has, or is in the process of developing, a cyber offensive capability. This is the first time this capability has been publicly alluded to. </p>
<p>The increased focus on cybersecurity is a much needed initiative. The threat of cyberattacks affects individuals and organisations alike. And, like other threats to our environment, if left unchecked, they could significantly hinder society’s ability to function normally and to continue growing. </p>
<p>Our reliance on technology is now a given and cybersecurity is as important a consideration as protecting our health, food and water sources and general environment. From that perspective, the cybersecurity strategy is a welcome but very small step in the right direction.</p>
<p class="fine-print"><em><span>David Glance does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Cyber security is now a priority for the government, with $230 million committed to its new Cyber Security Strategy. But is it enough?</p>
<p>David Glance, Director of UWA Centre for Software Practice, The University of Western Australia</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>