On Why Attack Isn’t Our Best Means Of Cyber-Defence
This morning’s news that the SIS engaged in attacks on the Indian High Commission and Embassy of Iran during the late 1980s/early 1990s should come as no surprise. Down the years, there’s been an Orwellian tendency to depict the role of our spy agencies as re-active, and being all about the provision of “defence” and “security” here at home. In reality, that’s not what they’re about. Regularly, our membership of the Five Eyes alliance has seen our spy agencies act as willing guns for hire for whatever contract work that MI6 or the CIA may have in mind.
This is not unusual. After all, is our Defence spending really about protecting New Zealand territory, or mainly about enabling force projection in overseas locations? Certainly, the armed forces do tend to pride themselves on their capacity to project force well beyond our borders, as much as on their ability to “protect” the homeland from foreign aggressors. In fact, as the NZDF has indicated in its own reviews and White Papers for the past decade or more, the actual threat to New Zealand’s borders from foreign powers is vanishingly slim to non-existent. As then Defence Minister Gerry Brownlee said in a major speech delivered in Beijing in 2016:
New Zealand maintains a direct interest in security and prosperity in the South Pacific. We do not expect that the South Pacific will face an external military threat.
The insecurity agencies
Much the same reasoning goes for the role of the “security” services as well. Security projection – as defined and deployed by our Five Eyes partners – tends to be the top order of business, as India and Iran (among others) have found out to their cost. Over the same period, our spy agencies have done a remarkably poor job of detecting and protecting us from major security threats here at home, whether that be the Rainbow Warrior bombing or the attacks on the Christchurch mosques. Encroaching on the civil liberties of citizens and/or spying on our friends, enemies and trading rivals is more their strength. To the point where Parliament has needed to step in and retro-actively legitimise some of their actions.
That’s one reason why the claim by the spy agencies this morning that their actions have always been “authorised” is a hollow assurance. Reportedly, the Prime Ministers at the time of the Iran/India raids – Geoffrey Palmer and Jim Bolger – claim to have been unaware of the raids. David Lange, in the intro to one of Nicky Hager’s books, claimed to have been unaware of the expansion of the international spying apparatus being installed in New Zealand. Regularly, the SIS has been found to have acted unlawfully. In 2013, it was revealed that as many as 85 Kiwis may have been illegally spied upon by the GCSB, including the illegal surveillance operation carried out against Kim Dotcom. In 1999, the courts found the SIS had illegally burgled the home of protester Aziz Choudry, for which compensation was paid. There’s a pattern evident here. Even the bungled attempt to vilify the Algerian refugee Ahmed Zaoui seemed to be driven by the SIS wishing to demonstrate to its Five Eyes partners that it was on the ball when it came to detecting and cracking down on alleged Moslem extremism, wherever it could mistakenly find it.
“Cybersecurity” does sound like a warm and desirable state of existence. No doubt, we all want to keep our computers secure from hackers, scammers and ransomware extortionists. The term “cybersecurity” tends to conjure up images of ninja attacks by elite North Korean hackers and Russian troll farms out to (a) steal the intellectual property of our corporates, and (b) disrupt the strategies of our politicians and diplomats. Not to mention the theft and extortion rackets emanating from criminal gangs like the Lazarus Group and Hidden Cobra, whose names seem torn from the pages of a James Bond novel.
Undoubtedly, some of this does happen. There are some very bad players active out there in cyberspace. Yet cyber-security also seems to be about democratic governments building and deploying platforms for pro-active cyber offensives. Sometimes these attacks are at the behest of allies who want to know if we can help them garner inside information about their trading rivals – even though in other contexts, we regard the targets as being our friends. Cybersecurity, in other words, is not merely about optimising resistance and resilience on the home front. This week, the Australians have been upfront about what they have in mind -
Australia will recruit 500 cyber spies and build on its offensive capabilities to take the online fight overseas in a $1.3 billion funding boost… The Australian Signals Directorate will also share intelligence with government departments and companies in near real time as part of the biggest ever cash injection to Australia's cyber defences. Prime Minister Scott Morrison [announced] the ASD will be given more than $1 billion over the next decade to disrupt foreign cyber criminals and better identify malicious hacks.
For the conspiracy-minded… this announcement came ten days after Aussie PM Scott Morrison announced that the country was under cyberattack from an operation sponsored by a foreign power. Helpfully, Aussie security agencies confirmed to the media that China was the likely point of origin. After an initial flurry of panic, this announcement turned out to be not a fresh onslaught but merely more of the same sort of attacks – yet escalating, right? – that have mounted since 2019 at least, against Australian government and corporate websites. These raids have included a criminal ransomware attack against a hospital in Victoria last October. Also, it seems, a gang of criminal hackers (or criminals in cahoots with hostile foreign powers) may have been trying to steal Australia’s research into a Covid-19 vaccine…
Deliberately or otherwise, the media firestorm about Australia being under cyber-attack has proved to be the curtain-raiser for a billion dollar plus boost to Australia’s capacity for cyber force projection against…who, exactly? Morrison declined to be specific. As mentioned though, the government’s cybersecurity network was – off the record – very helpful in pointing the media in the direction of China.
That figures. Australia’s lead agency and co-ordinating organisation on cyber security matters is the Australian Cyber Security Centre (ACSC) and this unit is based entirely within the Australian Signals Directorate (ASD) which is itself part of the Australian Department of Defence. Not surprisingly then, both the ACSC and ASD have been pointing the finger of blame for the ongoing waves of cyberattacks at China – not at Eastern European criminal cyber gangs, not at North Korea, and not at Russia. China, co-incidentally, was singled out in the 2017 Defence White Paper as the main regional threat to the Asia-Pacific region.
Point being: the cyber-wing of Australia’s defence force projection/containment policy aimed at China has just received a humongous $1.3 billion boost to its funding. Australian taxpayers have been spooked into thinking that at any moment, a twentysomething Chinese hacker might be about to shut down their local hospital and/or the nation’s electricity grid in the midst of a pandemic.
The Kiwi Connection
What is the New Zealand interest in all of this? Right now, NZDF is stretching public tolerance for its expensive wants and needs, given the huge multi-billion sums involved in buying new planes to update (a) our air surveillance and submarine detection capability and (b) our heavy airlift capability, while also paying off (c) a new tanker for the Navy. However, the next big ticket items on the NZDF shopping list are very likely to be in cybersecurity and cyberdefence. As it always does, the Defence establishment will come to Cabinet arguing that we surely need to remain compatible with our allies across the Tasman.
Therefore…and if Australia is anything to go by, the New Zealand public will first be softened up for this mega-investment with stories about the vulnerability of our corporate intellectual property, our national infrastructure and our local hospitals and utilities. Ransomware attacks will be elevated into national emergencies. The SIS and GCSB, which have suffered a loss of public esteem from a series of gaffes and dropped balls in recent years, can be relied on to come asking for the extra technological platforms and extra personnel to do their job in cyberspace so much better.
Again, and as in Australia, those capacities will have more to do with policies of force projection and China containment as defined by our foreign alliances, than with providing anything that’s likely to make New Zealanders safer here at home.
Footnote One: Besides hiring 500 new spies, the breakdown in how the Aussies plan to spend that $1.3 billion funding boost is instructive. Some $31 million will be devoted expressly to pre-emptive attacks on offshore cyber targets. Another $25 million will go into creating a new platform to enable business and government to share intelligence information, and then pre-emptively block any emerging threats identified as a result. The Australian Signals Directorate – which pumped up the threats (and pointed the media towards identifying China as the main culprit) – looks like being a very big winner:
The ASD will be given new capabilities to allow the agency and Australia's major telcos to prevent malicious cyber attacks ever reaching millions of Australians by blocking known malicious websites and computer viruses more quickly. The cyber body - which is part of the Department of Defence - will also be given $118 million to expand its data science and intelligence capabilities to identify emerging cyber threats to Australia over the next 10 years.
Note the emphasis in all of this on cyber-projection and pre-emptive action, but rationalised to taxpayers as cyber-protection.
Footnote Two: Talking of expensive cybersecurity gear… remember the urgent calls a couple of months ago that New Zealand needed to get an app up and running as a vital tool to track and trace Covid-19 infections? Reportedly, six million Australians downloaded their Covidsafe contact tracing app. Evidently, it hasn’t been a raging success in enhancing Australia’s ability to detect contacts not already known:
The Australian government has admitted its Covid-19 contact tracing app has not identified a single contact not already known….
Footnote Three: And here, hot off the presses, is an outline of Australia’s new and expansionist plans for defence force forward projection, in the post-Covid world.