The dark side of a fully wired world

Three billion people, about 40 per cent of the world’s population, are connected to the internet. Mobile penetration is even greater, with seven billion subscriptions globally, half of them in Asia and the Pacific.

Real-time, people-to-people connectivity across time, space and even linguistic barriers is only half of this remarkable story.

Connecting machines with machines — the “internet of things” — is about to pass a remarkable threshold. US networking giant Cisco Systems estimates that by the end of this year about 15 billion devices will be connected to each other via the internet (excluding computers and mobiles). This figure is expected to grow to 40 billion by 2020.

For those old enough to remember the pre-digital age, there is no doubt that the world is a richer and better place for the enabling information and communications technology that may soon justify the term the internet of everything. Indeed, it is already difficult to imagine life without the internet and our smartphones.

Unfortunately, this enriching technology has a dark side. Cyberspace is increasingly populated by criminals, terrorists and pedophiles who seek to exploit the net for illicit purposes.

Less well known is a legally and morally grey area where spies and soldiers play out a shadowy high-stakes game of cat and mouse on behalf of competing nation-states intent on gaining commercial and military advantage and cyber dominance, particularly in the case of leading players such as the US, China and Russia.

Navigating and regulating this world to maximise the benefits while minimising the dark and grey side threats presents daunting challenges and dilemmas for all governments, especially in the area of national security, where the opportunities for social disruption, economic loss and strategic shock are greatest.

The recent North Korean hack of Sony Pictures is a sobering and instructive reminder of the damage cyber attacks can inflict on internet-dependent societies and the difficulty of responding to them.

In November last year, as Sony Pictures was preparing to release The Interview , a comedy whose plot features a fictional CIA plot to assassinate North Korean leader Kim Jong-un, cyber-terrorists using the pseudonym Guardians of Peace hacked into the company’s computer network.

The Guardians then deleted large quantities of information and stole a trove of confidential data including, in a deeply ironic twist, the yet-to-be-released next James Bond movie in which 007 battles the evil SPECTRE, an org­anisation that assuredly would have considered cyber theft a core business had author Ian Fleming been writing in this day and age.

Embarrassing details of private emails between Sony executives, as well as client information, were then leaked, accompanied by threats from the hackers invoking the spectre of 9/11 to attack any cinema showing the movie unless The Interview was immediately withdrawn from circulation.

Sony’s capitulation set off a storm of protest from an unlikely coalition of civil libertarians, free-speech advocates and foreign policy hawks, who condemned the company for cowardice, caving in to terrorists and setting a dangerous precedent that would only encourage future cyber terrorism.

Sony’s problem was how to balance the need to limit the financial and reputational damage to its brand against its client responsibilities — in this case, film distributors, cinemas and the viewing public.

What if the Guardians of Peace carried out their threat to target cinemas showing the movie? Would Sony be held legally and morally accountable?

However, if Sony was caught on the horns of a dilemma, the US government faced an even thorn­ier set of choices as the attack quickly morphed into a full-blown national security crisis.

The immediate issue for the Obama administration was the so-called attribution problem — how to identify, with a high degree of confidence, the source of the ­attack.

Without such knowledge it is difficult to calibrate an effective response, running the risk that it could prove counterproductive should the retaliation be seen as disproportionate or, worse, misdirected.

It is generally harder to identify an attacker in cyberspace and be sure of the motive because hackers typically disguise their attacks by routing them through multiple internet addresses and servers to avoid punitive action by the targeted state, or to conceal an intelligence or criminal operation where continued access depends on the victim not being aware of a successful penetration.

This is especially so when the perpetrator has a less powerful military or cyber capability, which is why cyber attacks are becoming the new weapons of choice for weaker states and cyberspace has become such a fertile operating environment for criminals and terrorists.

Even when a government is confident that it knows the source of the attack it may be impossible to prove it in a court of law or, more important, the court of public opinion, because the targeted country is frequently reluctant to disclose the highly sensitive intelligence methods used to establish the real identity of the attacker.

This is exactly what happened in the Sony case. The Obama administration, acutely aware that it could not afford to ignore the hack for fear of encouraging more, decided to name North Korea publicly based on classified CIA analysis tracing the attacks to a ­secretive, elite North Korean cyber team.

Predictably, Pyongyang denied responsibility, a denial given some plausibility by Western cyber experts (without access to classified US intelligence), who publicly doubted Pyongyang’s culpability.

The US response provides a pointer to the way in which future cyber conflicts are likely to play out.

Realising that a military strike against North Korea would be seen by many as provocative and disproportionate, enabling the latter to portray itself as a victim, Washington fired off a digital warning shot.

Only a few hours after Barack Obama declared that the US would launch a “proportional response” to Pyongyang’s “act of cyber vandalism”, North Korea’s internet services and 3G network mysteriously were shut down for several days by an unexplained cyber outage.

Another lesson from the Sony hack is that critical national infrastructure, both government and privately owned, is increasingly vulnerable to cyber sabotage and that the threshold for destructive attacks is falling alarmingly while defences are proving inadequate to the task.

So far, the vast majority of state-sponsored cyber attacks have been aimed at stealing information for intelligence purposes or to gain economic advantage.

This is itself a serious issue, particularly for more developed countries, which are heavily dependent on the internet and have more to lose in the battle for economic sup­remacy as their key comparative advantage is in intellectual property, a composite of knowledge and technology.

Five years ago, former US deputy secretary of defence Bill Lynn quantified the annual loss of IP in the US to cyber theft as many times larger than that contained in the vast Library of Congress.

And in 2011 a senior US intelligence official compared the impact to stealing whole industries, describing it as “the biggest transfer of wealth in a short period of time that the world has ever seen”.

Even allowing for a degree of hyperbole, it is clear that the digital theft of IP is already a substantial problem, with cyber crime in all its dimensions costing the global economy an estimated $US400 billion ($510bn) annually.

China has been particularly adept at exploiting the internet’s vulnerabilities, making industrial espionage an integral part of its economic and strategic policy and officially declaring its intention to become a cyber power.

It has stolen terabytes of IP from other countries, including detailed blueprints for Australia’s next-generation F-35A fighter ­aircraft, a theft confirmed last month by US National Security Agency whistleblower Edward Snowden.

However, of even greater concern than cyber theft is the very real prospect that critical infrastructure, which is the beating heart of the emerging internet of things, will be deliberately targeted for destruction by hostile states using purpose-built malware, mal­icious codes far more sophisticated than those used by North Korea against Sony Pictures.

This is no longer the realm of science fiction or Hollywood films. States are routinely targeting the infrastructure of adversaries in what amounts to an undeclared cyber war.

The US and Israel were almost certainly responsible for the 2010 Stuxnet computer worm that was cleverly designed to disable the centrifuges crucial to Iran’s nuclear enrichment program.

A few years later, Iran demonstrated its emerging capabilities by erasing data from three-quarters of the corporate computers belonging to Aramco, Saudi Arabia’s national oil company.

Russia has been particularly aggressive in its use of cyber weapons, attacking the communications systems of Georgia an Ukraine during its conflicts with both states.

There also are strong indications that a Russian cyber attack was responsible for a mysterious explosion in eastern Turkey near the town of Refahiye, which closed down a competing oil pipeline for three weeks in 2008.

While states are hesitant to unleash their full cyber capabilities for fear of retaliation, the nightmare scenario for security professionals is that terrorists may soon develop the capability to attack critical infrastructure and they will not be deterred from doing so by the threat of retaliation.

Eugene Kaspersky, chief executive of Kaspersky Lab, a prominent cyber security company, warned of such a threat this week. Kaspersky gave voice to the concerns of many experts in the field that governments and the private sector are simply not up to the task of deflecting advanced cyber attacks by terrorist groups deploying specialised hackers to sabotage critical infrastructure such as power grids, banks and air traffic control systems. Given these worrying developments, it is hardly surprising that cyber defence and protection of critical national infrastructure have risen to the top of the Australia’s security agenda, along with combating the intertwined threat posed by trans­national terrorists, who have already demonstrated considerable skill in using the internet to recruit for, and proselytise, their radical political agendas.

Unfortunately, our capacity to defend national cyberspace is hindered by two significant impediments, one structural and the other attitudinal.

There is no overarching national policy for cyber security and no single entity has ownership of what passes for policy, with cyber responsibilities spread among more than a dozen often competing departments, agencies and ­sectors.

On the positive side of the ledger, the seriously out-of-date 2009 cyber security strategy is finally being reviewed, an Australian Cyber Security Centre has been established to centralise operational capabilities, and the 2013 national security strategy recognises “malicious cyber activity” as one of the seven key national security risks confronting Australia.

However, the long-promised cyber security white paper intended to provide a clear policy direction and priorities has yet to appear. Instead, we have a disjointed aggregation of cyber initiatives that, individually and collectively, fall short of what is ­required.

An even greater problem is well-intentioned but misguided opposition to the need for updated and strengthened national security legislation to deal with the growing and rapidly evolving cyber security landscape, exemplified by the contentious and still unresolved debate over the extent and length of time metadata can be retained for exploitation by the police and security agencies.

Of course, Australia is not alone in confronting these policy conundrums. Democracies everywhere are struggling to find the right balance between internet privacy and national security.

So this is a necessary and healthy debate for Australia to have. But there won’t be a good outcome unless two widely held misperceptions are recognised and corrected.

The first is that Australia, along with its Five Eyes intelligence partners — the US, Britain, Canada and New Zealand — has been engaged in unjustifiable mass surveillance of its citizens, using counter-terrorism as an excuse.

Some civil liberties groups and human rights activists have been particularly vocal in opposing attempts to strengthen national security laws, seeing them as unnecessary and detrimental to established civil liberties and human rights conventions.

An associated misperception is the belief that intelligence and law enforcement agencies are prone to go rogue, pursuing their institutional interests at the expense of the broader community and operating outside the rule of law or without political authorisation.

Therefore they need to be subject to more onerous and restrictive legislation, since politicians may not have the incentive or knowledge to rein them in.

These siloed views ignore actual practice and the considerable political and legal constraints on internet and mobile surveillance by the intelligence and law enforcement communities of all Five Eyes democracies.

Mass surveillance by the state would imply that democracies such as Australia were no different from dictatorships or authoritarian regimes, in that all com­munications are routinely and systematically monitored in a way that subverts the right to privacy and allows governments to take action against their own citizens exploiting the information gleaned. Such fears are not grounded in reality.

ASIO, which is responsible for domestic security and is the lead counter-terrorism agency, cannot routinely monitor, let alone access, email or telephone conversations without a legal warrant. The consequences for ASIO of deliberately breaching this protocol would be serious for the organ­isation as well as for the officials ­involved.

How would we know whether ASIO is in breach of its own covenants? In addition to parliamentary and internal oversight, the office of the Inspector-General of Intelligence and Security was established in 1987 to provide an independent review of the intelligence and security agencies. It ensures that “they act legally and with propriety, comply with ministerial guidelines and directives, and respect human rights.”

In May last year, the incumbent Inspector-General, Vivienne Thom, dismissed as fanciful “and quite wrong” the notion that the phone and internet data of Australians was routinely collected and examined by the intelligence and security agencies.

Thom revealed that she could inspect warrant applications before they were approved by the Attorney-General and that she rarely found anything wrong — “other than technical issues” — with agencies’ warrants.

It is true that the Australian Signals Directorate, which is responsible for collecting foreign signals intelligence, does harvest large quantities of data from overseas, including metadata, through its powerful collection systems.

But the information extracted must be relevant to a very specific and narrow set of government-­endorsed intelligence targets.

ASD’s role is akin to looking for the proverbial needle in a digital haystack and it would be disingenuous to characterise the org­anisation as being complicit in the mass surveillance of Australians.

There is no evidence to suggest that Australia’s intelligence and security agencies have been guilty of rogue behaviour, widespread breaches of civil liberties or unsanctioned, systematic communications browsing and exploitation that has resulted in injustice or ­discrimination.

Although mistakes do occur, the existing system of checks and balances and the robust nature of our democracy make it highly unlikely that Australia will become a mass surveillance state.

Reassuring sceptics that this is so must be part of a concerted effort to place cyber security at the forefront of national development.

This task will require effective government leadership, an honest appraisal of the risks Australia faces, and a recognition that the dark and grey sides of the cyber world cannot be wished away, and that cutting-edge cyber skills are now a key measure of national power and economic prosperity.

None of this will be possible without a cyber security white paper.