11 December 2015
In the deep silence of the internet, cyber warfare is raging on, but official responses seem to come at all different volumes. Some high-profile hacks – such as those against Ashley Madison, Sony Pictures and US Defence Department personnel – will dominate the news cycle for months on end. They’ll raise questions of national security, diplomacy, infidelity; prompt international truces and shiny new NBN security centres. Other hacks, however concerning, have a strange habit of vanishing overnight.
Crikey looked back on some of the more uncomfortable security breaches authorities might sooner have us forget.
The BoM compromised
Last week, the news broke across the ABC that Australia’s Bureau of Meteorology had come under attack from hackers. According to political editor Chris Uhlmann, anonymous officials confirmed there had been a serious cyber security breach inside the Bureau, thought to have originated from China, and expected to cost “hundreds of millions of dollars” to fix.
“It’s China,” one source was quoted as saying.
A classified brief, seen by the ABC, revealed that the breach began before the leadership change in September and was still an ongoing problem. It urgently recommended a complete overhaul of the BoM’s IT systems – which include one of Australia’s largest supercomputers as well as a direct link to the Department of Defence.
But, while the Australian government acknowledged the ABC report, it refused to comment on the situation for “security reasons”. A similarly tight-lipped response came from the Australian Federal Police and then the BoM itself, which announced it was still fully operational.
China, meanwhile, was quick to deny any involvement.
“The Chinese government is opposed to all forms of cyber-attacks,” said spokesperson for the foreign ministry Hua Chunying. “We believe it is not constructive to make groundless accusations.”
And, with that, all official comment on this large and costly security breach seemed to evaporate.
Former AFP cyber expert Nigel Phair, who criticised the secrecy surrounding the hack on 3AW, said Australia’s “poor response” to the BoM breach was a symptom of outdated cyber security laws.
Unlike countries such as the US, Australia has no legislation in place requiring that data breaches be publicly disclosed.
“That doesn’t mean the US have more attacks than we do, although realistically I’d say they do, it means no one talks about the ones happening here,” Phair told Crikey. “Of course, if you’re not going to confirm or deny that something happened, then logically, something happened. The BoM is one of the most trusted brands in Australia and cyber security is all about trust. It would have been better for the government to immediately admit the hack and then assure the public it was being taken care of.”
Instead, a day after the attack, coincidence had it that the federal government opened up consultation on a proposed Serious Data Breach Notification Bill, running until March 2016.
US nuclear regulator hack
In August last year, online security site Nextgov reported that the US Nuclear Regulatory Commission (NRC) had suffered at least three major cyber-attacks between 2011 and 2014, two of which were carried out by “foreign agents”.
The exclusive came from an Inspector General’s report the site had obtained through an open-information request and was not acknowledged publicly at the time of the attacks’ discovery – even with those handy disclosure laws.
Two of the incidents targeted NRC email accounts using “spear-phishing techniques”, one hack luring staff into a “cloud-based Google spreadsheet” to enter official data.
The NRC, which regulates America’s entire nuclear industry, keeps records of reactor conditions and plants with weapons-grade material.
All information that could be highly valuable to a foreign nation, according to cyber-security firms such as FireEye.
Speaking to Nextgov about the incident, director of the digital and cyberspace policy program at the Council on Foreign Relations Adam Segal said that spear-phishing was a technique “we’ve seen the Chinese and the Russians use before”.
“A nation state is going to be more interested in the NRC than you would imagine common criminals would be,” Mr Segal said.
NRC spokesperson David Macintyre said the commission had since cleared its systems, but exactly what information had been entered into the Google spreadsheet remained unknown.
The Pentagon’s email blackout
While it could be assumed that a cyber-attack on America’s centre for defence would dominate national attention for weeks, especially one reported to be from Russia, the story of a breach which shut down the Pentagon’s email network for more than a fortnight vanished surprisingly quickly.
In August 2014, in another spear-phishing attack, the emails of more than 4,000 military and civilian staff working for the Joint Chiefs of Staff were compromised.
The system was taken offline soon after the hack was detected and no classified networks were affected, but officials admitted the hack did penetrate the server through an entry point previously thought secure.
Of course, it wasn’t the first time Russian hackers were suspected of accessing US government networks, as Defence Secretary Ashton Carter revealed publicly in June.
In 2014, another email attack compromised unclassified White House correspondence. This year, it was revealed that the breach even reached as far up as the Oval Office, with evidence of cyberespionage found within the inbox of President Barack Obama himself.
By contrast, the personal email account used so controversially by Democratic presidential candidate Hillary Clinton during her time as Secretary of State was considered secure, according to Correct the Record executive director Isaac Wright.
Canadian hack disclosed too late
Up in the Great White North, the Canadian National Research Council was the victim of a “highly sophisticated” cyber attack last year.
Disclosing the attack on July 29, the Canadian Treasury Board said the hack was the work of a “Chinese state-sponsored actor”.
While not the first cyber-attack on a Canadian government body, it was the first time Canada had officially levelled the blame at China.
But, in March 2015, internal government emails leaked to the media revealed that officials were aware of the hack well over a week before it was admitted publicly.
Experts said the delay in disclosure might have prevented other departments from protecting themselves in time, and a security officer at Environment Canada complained of being “caught off guard” by the attack.
After the public statement by the Treasury Board, officials were directed to “clamp down communications” and cite “national security reasons” when deflecting the media.
The hack prompted a $32 million overhaul of council IT systems.
Virtually every attack on the Department of Veterans Affairs
But one of the most popular targets of online hackers is still the US Department of Veterans Affairs. The last decade has seen it hacked by at least eight foreign-sponsored agents.
In 2013, the extent of the problem became clear when former VA security chief Jerry Adams testified in Congress that the department had been aware of the attacks since March 2010 and that they continued “to this very day”.
That includes here in 2015 – when VA employees were even caught up in the Ashley Madison hack and named as the most frequent users of the site among non-military government department staff.
The VA staff email appeared 104 times on the Ashley Madison registry.
Here at home, with the Turnbull government’s “nimble” new innovation push being rolled out around Australia, that $30 million set aside to combat online hacking can’t come soon enough.
By Sherryn Groch