“Senior sources” in federal government agencies have reportedly confirmed that China is believed to be behind recent cyber attacks targeting all levels of government in Australia, as well as the private sector.
Prime Minister Scott Morrison had avoided blaming China at his press conference on Friday morning.
“I’d simply say this, and that is, the threshold for public attribution on a technical level is extremely high,” he said.
“Australia doesn’t judge lightly in public attributions, and when and if we choose to do so, it is always done in the context of what we believe to be in our strategic national interest.”
It doesn’t take a genius to figure out that China was the likely culprit, however.
Having unnamed sources leak a confirmation means that China has been named, but Morrison has plausible deniability.
“Of course it is China,” tweeted Tom Uren, senior analyst in cybersecurity at the Australian Strategic Policy Institute’s International Cyber Policy Centre.
“There are a few countries that have the capability: Russia, China, US, UK, and perhaps Iran and NK [North Korea], although they may not have the scale.” Uren said.
“Only China in this list will have the appetite for such a broad approach.”
According to Uren, Morrison was sending signals to two audiences, one internal and one external.
“For domestic audiences: Cue the sound of a thousand CISOs knocking to ask for more resources as ‘the PM just said this is important’,” Uren said.
“For the Chinese: We are getting tired of this and it’s escalated to the highest levels. Final warning or we’ll be much more public. MinDef [the Minister for Defence, Linda Reynolds] appearing was interesting and is designed to reinforce seriousness.”
This diplomatic angle also explains why Morrison called a press conference to ring such a loud but content-free cyber warning bell.
Morrison put on his serious voice to tell us they were sophisticated state-based attacks — they’re always sophisticated — and that they’ve been happening “over many months” and “the frequency has been increasing”.
Which is to say, it’s a day with a Y in it.
Reynolds said we need to ensure that “any web or email servers are fully updated with the latest software” and “always use multifactor authentication”.
We should also floss our teeth once a day and visit the dentist twice a year.
Morrison couldn’t help but throw in some political boasting, of course.
He reminded us of his AU$156 million election commitment to build cyber resilience, and that the long-overdue 2020 Cyber Security Strategy will be released “in the coming months”.
But the only concrete announceable was the Australian Cyber Security Centre’s Advisory 2020-008
It’s just another routine warning about the tactics, techniques, and procedures of this particular adversary, and what organisations should do to protect themselves. It’s hardly worth bothering the prime minister for that.
The risk of empty press conferences
Burying coded messages in an otherwise pointless press conference may make sense for diplomacy, but it runs the risk of leaving domestic audiences wondering whether the government knows what it’s talking about.
Morrison didn’t really say anything other than “There are many cybers happening and they are bad”. But we already knew that.
He struggled with journalists’ questions, having to admit that investigations haven’t revealed any large-scale personal data breaches. He was unable to say how many organisations have been hit other than “many”, and couldn’t name any of them.
Vague hand-waving isn’t a good look, especially given the government’s less than stellar performance when it comes to computering.
Remember claims by the Minister for Incompetence, sorry, Minister for Government Services Stuart Robert that the myGov portal had been blown away by a denial of service attack?
Remember that whole robo-debt thing, which was ruled to be illegal?
Shall I go on?
What about the glory that is COVIDSafe?
Crying “Cyber wolf!” without being able to point to concrete facts that people can relate to could easily lead to more urgent messages being ignored.
Remember, as pinboard.in creator Maciej Cegłowski tweeted in another context, “The whole point of ‘The Boy Who Cried Wolf’ was that there was an actual wolf”.
And as Uren noted, “It’s also interesting to think about what triggered this response by [Morrison]. The frog has been boiling for years, so what made us jump?” Indeed. Stay tuned.