Tuesday, January 24, 2017

You've Been Hacked - how far should governments go to protect against the influence of foreign states?

Like most people with a broad digital footprint I've been hacked multiple times, usually in fairly minor ways.

Around ten years ago I had my PayPal account hacked through malware in the Amazon site, costing me $300.

PayPal staff insisted this was a legitimate payment for goods (which I hadn't ordered) being delivered to my legitimate address in Norway (despite having provably never visited the country). I've been very cautious & limited in my PayPal use since, and never recommend them.

Over Christmas last year my Social Media Planner site was hacked and seeded with malware. Fortunately my IT team was able to identify, isolate and address the matter, without affecting visitors, but costing me financially (two weeks downtime). It's fine now BTW, with extra protections in place.

I've had a Skype account taken over by someone in Eastern Europe, who used it for phishing before I could reclaim it, had basic account details stolen in Yahoo, LinkedInDropBox and a range of other large-scale hacks of commercial services over the last five years - excluding the Ashley Madison hack (I've never been a member).

I'm not the only one affected by any means, well over 10 billion accounts were hacked in 2016 alone, with Australian politicians, police and judges outed as affected in at least one of these hacks (and a few in this one too).

Much of this widespread hacking results in the theft of limited personal information. On the surface it may appear to pose little risk to individuals or organisations. 

However the individual reuse of passwords and usernames can turn these hacks into a jackpot. This allows hackers, and clients they sell hacked data to, to access a wider range of accounts for individuals, potentially uncovering richer information that is useful for identity theft, economic theft, intelligence gathering or for influencing decisions and behaviour.

Despite all the reports of hacking, it seems many people still treat this lightly - the world's most popular password remains '123456'.

Most governments, however, do not. Securing their networks is a major challenge and a significant expense item. The data agencies hold has enormous political and economic value that could be easily misused to the detriment of the state if it falls into the wrong hands, or into the right hands at the wrong time.

It's not simply about troop movements or secret deals - early access to economic or employment data, access to the 'negotiables' and 'non-negotiables' for a trade deal, or even to the locations and movements of senior political figures (to know who they meet and for how long) can be used for the financial and political advantage of foreign interests at the expense of a state's own interests.

For the most part, Australia's government is decent at managing its own network security. This isn't perfect by any means, but there's a good awareness of the importance of security across senior bureaucrats and largely effective ongoing efforts by agencies to protect the secure data they hold.

However in today's connected world national interest goes far beyond the networks directly controlled and managed by governments. As we've seen from the US (and now Germany), political parties and individual politicians have also become hacking targets for foreign interests,

This isn't surprising. Politicians, potential politicians and even academics have long been targets for funding assistance and free or subsidised study trips to nations hoping to cultivate influence in various ways. In fact these approaches provide some positive benefits as well - by creating personal relationships between powerful people that can lead to improved national relationships, trade deals and even avert wars.

Hacking, however, has few of these positives, as we saw in the release of Democratic National Congress emails by Wikileaks, which were most likely obtained through Russian state-sponsored hacking and likely was designed to influence the US's election outcome.

Whether you believe the cumulative findings of the US intelligence community or not, it is certain that foreign states, and potentially large multi-nationals corporations, will continue to target political parties, and individual politicians, seeking insights into how they think and levers of overt and covert influence for economic and political gain.

Hacking will continue to grow as one of the major tools in this work.

The Australian Government is taking this seriously - and kudos to them for this.

However even this focus on political parties neglects a wide range of channels for influencing current and potential future politicians. What about their other memberships and personal accounts?

Politicians and potential politician are well-advised to position themselves in various community and business groups to improve their networks, build relationships and future support. They are also just as likely as other Australians to use the internet - for work and personal reasons.

This means they're likely to have numerous online accounts with both domestic and foreign-owned services, with varying levels of security and access control. 

On top of this, it's not simply politicians who may be the targets of influence. Political advisors and activists often shape and write party policy positions, despite never being publicly elected. Influence an advisor and you can influence policy, as the many registered lobbyists know only too well.

Equally bureaucrats across government often are exposed to material that could, if shared with foreign interests, cause some form of harm to a state. We've seen this in insider trading by an ABS staff member, where the economic gain to the individual public servant outweighed his good judgement and public duty.

While bureaucrats are security assessed to a significant degree (unlike our politician) and selection processes are in place, backed by rules and penalties, to screen out the 'bad eggs', the potential for public servants to be influenced through hacking their personal accounts has risen along with their internet use.

Right now we're in an environment where the number of attack vectors on a politician, an advisor and on individual public servants, is much higher than at any past time in history - while our tools for protecting against foreign influences have not kept up.

Of course this goes both ways - our government also has the capacity, and often the desire, to influence decisions or negotiations by other states. We've seen ample evidence of this, although it isn't really a topic our government wants to discuss.

The question for me, and I don't have a solid answer yet, is how far technically should a government go to limit the influence of foreign states.

Should governments merely advise political parties on how to secure themselves better?

Or should governments materially support parties with trained personnel, funding or even take over the operation of their networks (with appropriate Chinese walls in place)?

What type of advice, training or support should agencies provide to their staff and Ministerial advisors to help them keep their entire footprint secure, not just their use of work networks, but all their digital endeavours?

And what can be done to protect future politicians, advisors and bureaucrats, from wide sweeps of commercial services collecting data that could be useful for decades to come?

We need to have a more robust debate in this country about how foreign states and commercial interests may be seeking to influence our policies, and decide as citizens the level of risk we're prepared to accept.

Until this occurs, in a mature and informed fashion, Australia is hurtling forward into an unknown future. A future where our political system may be under constant siege from those who seek to influence it, in ways that are invisible to citizens but more wide-reaching and dangerous to our national interest than any expense scandal.

If this isn't the future that we want, then it is up to us to define what we want, and work across government and the community to achieve it.

No comments:

Post a Comment