Cyber wrap
5 Oct 2016

The inaugural Australia-US Cyber Security Dialogue was held in Washington D.C. by CSIS and ASPI the week before last. The event, announced by Prime Minister Turnbull and President Obama in January, brought together senior representatives from government, the private sector and academia to discuss common challenges and opportunities in cyberspace. The dialogue covered cyber developments in the Asia–Pacific, the fight against cybercrime and practical methods of advancing an innovative and secure digital economy for both countries. At the close of the dialogue, Prime Minister Turnbull delivered a keynote address followed by remarks from the US Secretary of Homeland Security Jeh Johnson. Check out the full speeches here and stand by for upcoming blog pieces that will offer an insight into the dialogue discussions.

ICPC also launched its new report Cyber Maturity in the Asia-Pacific 2016 at New America in Washington DC last week. Peter W. Singer moderated an expert panel, including ICPC’s Dr Tobias Feakin, Denise Zheng of CSIS and Ryan Gillis from Palo Alto Networks, to discuss the findings of the report and broader themes of regional cyber policy development. Check out the full video here.

While we were away, it was revealed that Yahoo! suffered a cybersecurity breach dating back to 2014. The breach exposed the names, emails, phone numbers, birthdays and encrypted passwords of at least 500 million customers—making it ‘the biggest hack the world has ever seen’. Apparently, the organisation’s lazy approach to security in favour of more convenient user-friendly methods is what led to this headline-grabbing cyber incident. Such negligence has prompted several lawsuits, as well as a critical open letter from six US senators, demanding that Yahoo! answer specific questions on how the breach came about and was subsequently handled by the organisation. Meanwhile, rumours are circulating over the true scale of the incident, with a former company insider putting the figure at between one and three billion compromised accounts. In terms of attribution, the act was originally cast as being state-sponsored; however, a recent cybersecurity firm report points the finger at an eastern European crime gang thought to be selling the data on to third parties. While at first glance the breach looks like a simple case of corporate incompetence, the latest reports suggest the incident may have had something to do with an intelligence sharing arrangement the company had with the US government, involving the routine scanning of millions of customer emails. Well, now that’s awkward for everyone.

Staying stateside, the first of three presidential debates took place last week featuring White House hopefuls Hillary Clinton and Donald Trump, with ‘the cyber’ briefly taking centre stage. Sadly, the candidates’ cybersecurity debate was content-light to put it mildly, mostly circling around the attribution of the DNC hack, with Clinton pointing the finger squarely at Moscow and Trump putting forward the ‘400-pound hacker’ as his best guess. Critics were left listing cyber issues that deserved serious attention at the debate, such as encryption, data-breach disclosures and protection of critical national infrastructure. Nevertheless, other experts were simply pleased cybersecurity made it onto the agenda. You can watch all seven enlightening minutes of the cybersecurity segment here.

At midnight on 30 September, after years of planning and discussion, the Internet Assigned Numbers Authority (IANA) function of the US National Telecommunications and Information Administration (NTIA) was handed over to the Internet Corporation for Assigned Names and Numbers (ICANN). The IANA functions underpin the operation of the global internet, allowing users to search names rather than numeric addresses to find information (e.g. aspistrategist.org.au instead of 104.20.14.180). NTIA, part of the Department of Commerce, previously contracted ICANN to manage its IANA responsibilities. The move to hand over these functions to ICANN is the culmination of a policy announced in 1998 by the US government to transition management of the Internet’s domain name system to the international multistakeholder community. The process was met with opposition, including a failed eleventh-hour injunction filed by Ted Cruz and three other Republican state attorneys general to stop the process. The injunction was a last-minute effort by Cruz after his attempt to convince Congress to include a rider to its continuing resolution preventing the transfer also failed.

Closer to home, it’s been reported that the Australian government has experienced another data-breach incident overnight. The information of more than 96,000 public servants has been compromised from the APS internal staff census, with confirmation that the data-set was downloaded almost 60 times before the information was taken down. The news comes less than a week after an embarrassing leak of patients’ health records in a Medicare data breach by the Health Department, which is now being investigated by the Australian Privacy Commissioner Timothy Pilgrim.