The chief of the Australian Signals Directorate, Mike Burgess, has issued a blunt warning to Australia’s business community and their boards that mounting private offensive hacking attacks in the name of cyber or corporate security won’t be tolerated by the signals agency.
In a landmark speech to the Australian Strategic Policy Institute in Canberra on Monday night, the cyber tsar put a rare broadside into the business community for contemplating private offensive capabilities, revealing deep concerns within the government over some corporate behaviour.
“Worryingly, I've heard of boardrooms in Australia contemplating the prospect of hacking back to defend themselves against potential attacks,” Burgess told a room full of policy and security officials in Canberra.
“That should not be part of any organisation's cyber security strategy; that would be an illegal act here in Australia,” Burgess said.
“An obligation to protecting corporate assets does not extend to breaking the law. No board or company should spend a dollar on getting advice on hacking back.”
The overt public reprimand over the opaque offensive/defensive tactics used by some companies and their security providers offers a window into rising frustration within government security circles that rogue security practitioners have begun offering offensive activity and advice under the radar of the authorities.
A major concern for ASD, which is part of Defence, and likely the Australian Federal Police and the Australian Security and Intelligence Organisation, is that potential cyberattacks launched by Australian companies, or at their behest, risk misattribution and an escalation in malicious activity.
One real scenario is that a privateer attack could be misinterpreted as state-sanctioned, leading to serious economic and international relations damage as well as potential retribution.
Two sectors understood to be in the frame for contemplating going “freelance” are the resources and mining industry and parts of the financial services industry.
Complicating matters is a widespread belief in the financial services industry that geopolitics is a primary driver of malicious state-sanctioned cyber activity against western institutions, namely fraud, as payback for sanctions being applied to those states.
Burgess offered a helping hand to Australian companies thinking of going rogue to stay on the right course.
“If you are contemplating this, please speak to the Australian Cyber Security Centre, we can either help you focus on what matters, or in the case where your cyber security strategy is world class, we may be able to help you further,” Burgess said.
China still in focus
The ASD chief also articulated the reasoning behind the recent ban on Chinese telco companies Huawei and ZTE from any participation in the 5G rollout across Australia, though, as is the convention, he did not publicly identify the firms by name.
Burgess said that as “strategic and economic power is shifting east”, along with “the centres of expertise for technology, research and development”, ASD had an “important role in advising government how to best navigate major technology and strategic shifts”.
He also sought to elevate ASD’s role well above its technical expertise and to assert the agency’s key role as a strategic advisor in a cyber-enabled world.
“We are no longer an agency which solely provides best practice advice to network administrators,” Burgess quipped, also noting the exclusion of the Chinese suppliers was not done “lightly” or without exploring other options.
“This decision…was supported by technical advice from my agency, all elements of my agency. Our intelligence and offensive cyber experts that led the formation of our cyber security advice. Offence informs defence,” Burgess said.
“Historically, we have protected the sensitive information and functions at the core of our telecommunications networks by confining our high-risk vendors to the edge of our networks.
“But the distinction between core and edge collapses in 5G networks. That means that a potential threat anywhere in the network will be a threat to the whole network,” Burgess continued.
“In consultation with operators and vendors, we worked hard this year to see if there were ways to protect our 5G networks if high-risk vendor equipment was present anywhere in these networks.
“At the end of this process, my advice was to exclude high-risk vendors from the entirety of evolving 5G networks,” Burgess said.
The comments add a new layer of context to the government’s decision to exclude the Chinese suppliers, which came on the last day of Malcolm Turnbull’s prime ministership.
“5G technology will underpin the communications that Australians rely on every day, from our health systems and the potential applications of remote surgery, to self-driving cars and through to the operation of our power and water supply,” Burgess said.
“The stakes could not be higher.”