Menu

Cyber spy powers

Jul 30, 2019 • 14m43s

Home Affairs is pushing for new powers to allow the Australian Signals Directorate to embed in corporate computer systems – transforming the body into one that disrupts crime and other attacks onshore.

play

 

Cyber spy powers

46 • Jul 30, 2019

Cyber spy powers

[Theme music]

ELIZABETH:

From Schwartz Media, I’m Elizabeth Kulas. This is 7am.

The Department of Home Affairs is pushing for new powers to allow the Australian Signals Directorate to embed in corporate computer systems. The changes are part of a transformation of the directorate – from a surveillance body to one that disrupts crime and other attacks onshore. Karen Middleton on the changing face of cyber war.

Archival tape — Unidentified man 1:

“Global hunt is underway for those responsible for an unprecedented cyber hack of Australia's major political parties as they prepare for the upcoming federal election…”

Archival tape — Unidentified woman 1:

“Governments and citizens around the world are still just beginning to understand the full impact of cyber warfare...”

Archival tape — Unidentified woman 2:

“This is the first time we’ve seen malware that can actually disrupt power systems and the electric grid. It’s only the second known malware that can disrupt industrial control system”

Archival tape — Unidentified man 2:

“From our cars on the road, to drones in the sky, to literally the pacemakers inside our heart are all digitally connected.”

Archival tape — Unidentified woman 3:

“So we’re vulnerable?”

Archival tape — Unidentified man 2:

“We’re vulnerable and it’s going to have life and death consequences if we don’t get on top of this...”

ELIZABETH:

Karen, in Australia what would a cyber attack look like?

KAREN:

Potentially it could be a disaster. If you think about, say, our electricity grid if there was an attack on the power grid and all the power went out we can imagine what the impact of that would be on our entire daily lives.

ELIZABETH:

Karen Middleton is chief political correspondent at The Saturday Paper.

KAREN:

You know, if the health system was attacked and say, you know, all the intensive care units in hospitals couldn't function, or if our water supply was turned off. All these things are controlled to some degree by computers and this is what these agencies are now worrying about. That this is the new frontier, really, of warfare.

ELIZABETH:

And so the core agency concerned with cyber security in Australia is the Australian Signals Directorate. What is it that they actually do?

KAREN:

Up until last year their main mandate was surveillance. The ASD, which was previously known as the Defence Signals Directorate, is based on the defence portfolio so its mandate really was focused on the defence of Australia.

What changed last year was the government set it up as a statutory authority so it can now disrupt activities offshore. That's different to just monitoring. It can actually get inside computer systems now legally and stop things from happening or even attack back if necessary.

ELIZABETH:

So Karen those are changes that have already happened. These are new powers that allow the ASD to intervene overseas and attack back, as you say. Were those controversial when they were granted last year?

KAREN:

Well no, it really happened fairly quietly and because it was still focused offshore it was, I suppose, an incremental advance. So the change to disruption was a significant one, to be able to actively stop things from happening rather than just watching what's happening and passing information to law enforcement agencies and ASIO and ASUS which are our domestic and foreign spy agencies. So they've got increased power.

ELIZABETH:

And now there is a renewed push to further expand the powers of the ASD. What's the call this time?

KAREN:

Well the idea that's coming from the Home Affairs Department but has, as I understand it, the backing of some other departments is to set up a potential system where the ASD could work very closely with the corporate sector. So currently they are liaising with the corporate sector. They are particularly focused on the electricity sector and telecommunications. And they're in discussions with the companies that run those systems to make sure that they are well protected and to offer assistance if there is an attack on their systems to make sure that they can withstand that attack.

But it's a voluntary arrangement, those companies can accept or reject that offer of help. And there's also often a delay and sometimes time is of the essence when you're dealing with computer viruses or malware that can spread very, very rapidly. So this proposal means that they would, at the extreme I guess, be in some cases embedded inside computer systems of private companies.

As it's been put to me, they wouldn't be right in the core and there would be protections for privacy and that's where some of that controversy has come in. Does this mean they're going to be able to see all of our banking details, all of our health details all of our phone records, that kind of thing? The people I've been talking to are insisting that that is not the case but they're the sort of questions that people will be asking.

ELIZABETH:

You've mentioned that Home Affairs is sort of leading this call, but who else is involved in pushing for these expanded powers for the ASD?

KAREN:

The Home Affairs Department has been the key one because it's the overarching policy driver in national security now. But I'm told that a proposal like this would have to involve departments like Defence and communications and the Attorney-General's department that is the chief lawmaking law advisory department.

So there are a range of portfolios it would affect.

ELIZABETH:

The department secretary for Home Affairs is Mike Pezzullo. He's also been involved in calling for these powers to be expanded. What is the case that he's making?

KAREN:

Well he is the chief advocate, I guess, in public for these expanded powers. In fact, it's been put to me that it's not the ASD asking for the powers, that it is very much Mike Pezzullo and Home Affairs proposing that they need them.

I'm being told there's a bit of agitation within ASD that they've been portrayed as some kind of power hungry organisation that wants to expand its remit and that that that's not the case, but that Home Affairs believes that it needs the powers to combat things like a terrorist attack or perhaps child sex exploitation.

And that's the example that both Mike Pezzullo and his Minister Peter Dutton give very often; an offence being committed offshore, some kind of act of exploitation of a child that was being say, live streamed, and that coming into Australian servers and being viewed within Australia, that they wouldn't necessarily be able to see where it was originating but if they could identify the servers here in Australia they could shut them down and they could shut down, you know, the people who are viewing them.

ELIZABETH:

And this new proposal for expanded ASD powers is linked to Annika Smethurst’s reporting for The Sunday Telegraph from last year. Can you explain that connection?

[Music starts]

KAREN:

Yes. So that is what this is about. The story that Anika Smethurst has published was based on top secret classified departmental note to the Defence Minister that was alerting her to the proposals and some correspondence between Mike Pezzullo and the head of ASD Mike Burgess about whether these powers could be extended to include disruption onshore, and to include the kind of embedding inside private sector agencies that we've been talking about. So not just surveillance but disruption of systems within Australia.

Now I'm being told that that's at the extreme end that it wouldn't always have to involve that kind of thing, that it would be sometimes potentially just close cooperation. But that story got Mike Pezzullo certainly very angry. He spoke to a Senate estimates committee about it afterwards and said it wasn't accurate and that there were personal data protections. He was being cagey about whether or not this idea was going forward. So it's sort of been sitting off to the side since then.

But that story was what brought the issue to light. It's now come back and it's being put forward again with Prime Minister Morrison at the helm, with the objective of trying to better protect Australians, is the argument.

ELIZABETH:

We’ll be right back.

[Music ends]

[Advertisement]

ELIZABETH:

New powers are being sought for the Australian Signals Directorate which would see that agency essentially allowed to embed within private computer systems that control some of the critical infrastructure in this country. How would that arrangement actually work?

KAREN:

Well the way it was explained to me is if you think of the core computer system of, say, the transport network as a locked room then that it wouldn't be suggesting that ASD would put its technology inside that room where it could access all the information from the way we swipe on and off trams, trains, buses, etc., but that it would be in a kind of Ante-room. There would be a kind of connected but separate room where this capability would sit with an access door that was normally locked until there was an emergency. That way, the ASD offices that have skills to combat very sophisticated attacks from outside or hacking could access the system immediately. It would obviously be with the cooperation of the organisations.

There is concern that's been put to me that some companies haven't been willing to accept help. So it's not clear whether there would be any kind of compulsion involved but they would be sitting very close to the core of that computer system protected from accessing data until there was an emergency and then going in to fix a problem. But they'd have to be protocols around what data could be seen and what could be done with it.

ELIZABETH:

So they're saying: if there's a need, if we satisfy the kind of conditions around our need to access it, in those cases we have increased speed and access. We wouldn't be delayed in the way that we currently are. Certainly that kind of a setup, though, must be raising concerns about these powers. What is the discussion around what those checks and balances would be or is that part of the discussion not as developed as the rest of the proposal?

KAREN:

Oh no I think that those discussions would have to be very highly developed. I mean these agencies, they're not cowboys. They are very conscious of their legal obligations and that they need to be operating within the law, and the people that raised questions about the expanding powers of agencies say we just need to make sure that the accountability measures are keeping up with the pace of the of the offensive and defensive actions that they are being allowed to take.

ELIZABETH:

Karen, you spoke to John Blaxland who's the former head of the Australian Strategic and Defence Studies Centre at the ANU. What was the case that he put forward for expanding these powers, with the necessary measures to check those powers?

KAREN:

If you look at the key countries that are engaging in cyber warfare that we know of, China and Russia in particular, are taking a whole of government approach to these exercises. So there isn't the delineation between the private and public sectors in those countries. And when they are taking a whole of government approach, it's difficult for Western countries that carefully separate their systems under a democracy to make sure that the privacy is protected.

It's difficult for countries like ours to then combat such comprehensive attacks. So that's the challenge, he says, facing Democratic governments now, to work out how we can maintain democratic principles but be well enough equipped to combat such attacks when they come. He likens it to kind of a new Cold War frontier.

And we have the added complication that when you see traditional warfare, kinetic warfare as the military types like to call it, you can much more easily find out who's responsible for it, who dropped the bomb, who fired the missile. But when the whole objective online is to keep these things secret and hidden and the sophistication of technology means that it's sometimes just about impossible to work out the origin of a of a piece of malware, that makes this whole operation much more difficult. And it really challenges some of the principles and values that we've held dear in our Australian democracy.

ELIZABETH:

And Karen, to be clear, the threat here is immense?

KAREN:

Yes. The scale of this threat is huge. Mike Pezzullo, the head of Home Affairs himself, gave a speech in Perth late last year. He said that a significant cyber attack would could be as damaging both to our systems and physically damaging, harming people, as nuclear attack.

ELIZABETH:

And was that the same speech where Pezzullo said in his mind, this is the virtual equivalent of a Luftwaffe bombing raid?

KAREN:

He was using the metaphor of that kind of a bombing raid from World War Two and saying the first indication, you know, of the virtual equivalent of that could come in a kind of information war room where they would have both the private and public sector technologies working together, say, a bank or an energy supplier, and then they would, and he used very colourful language, he said then they would cue the cyber spitfires and hurricanes of the Australian Signals Directorate.

But he made the point in the same comment that they had to have the relevant legal and constitutional issues resolved first and that it would require diligent and creative policymaking and strategic planning.

And the officials here in Australia argue that it's a matter of time before we see a major attack that could disable our systems and they're trying to get ahead of it.

[Music starts]

ELIZABETH:

And Karen, where is the proposal now?

KAREN:

Well my understanding is that a proposal will shortly go up to the National Security Committee of Cabinet. It may well take a while, but the best information I can get about the timetable is that it will be coming soon.

ELIZABETH:

Karen thank you so much.

KAREN:

Thanks Elizabeth.

[Music ends]

[Advertisement]

[Music starts]

ELIZABETH:

Elsewhere in the news:

Barnaby Joyce has stepped back from an interview he gave the Courier-Mail, in which he complained of the financial hardship he experienced, despite a salary of more than $200,000 a year. In the article, he said he’d taken to butchering his own sheep to save money. Joyce says the point he was making was that he struggles on a good salary, which is evidence of the need to raise Newstart.

And former Western Sydney Labor MP Emma Husar has reached an out-of-court settlement in her defamation case against the news website Buzzfeed. Husar was suing Buzzfeed over an article she says painted her as "sexually perverted" and contributed to her decision not to re-contest her seat. The details of the settlement are not known.

This is 7am. I’m Elizabeth Kulas. See you Wednesday.

[Theme ends]

The Department of Home Affairs is pushing for new powers to allow the Australian Signals Directorate to embed in corporate computer systems. The changes are part of a transformation of the directorate – from a surveillance body to one that disrupts crime and other attacks onshore. Karen Middleton on the changing face of cyber war.

Guest: Chief political correspondent for The Saturday Paper Karen Middleton.

Background reading:

Home Affairs pushes for cyber spy powers in The Saturday Paper
The Saturday Paper
The Monthly

Listen and subscribe in your favourite podcast app (it's free).

Apple podcasts Google podcasts Listen on Spotify

Share:

7am is hosted by Elizabeth Kulas. The show is produced by Emile Klein, Ruby Schwartz and Atticus Bastow with Michelle Macklem. Our editor is Erik Jensen. Our theme music is by Ned Beckley and Josh Hogan of Envelope Audio.

Tags

security cyberwar asd homeaffairs defence pezzullo




Subscribe to hear every episode in your favourite podcast app:
Apple PodcastsGoogle PodcastsSpotify

00:00
14:43
46: Cyber spy powers