Cyber wrap
2 Mar 2016

Russell Offices

Last Thursday’s release of the Defence White Paper heralded more money and manpower for cyber security in Defence. Head of ASPI’s International Cyber Policy Centre, Tobias Feakin, analysed the cyber elements of the White Paper and its associated Investment Plan on The Strategist last week, covering the key developments for cyber policy in the DWP. The biggest takeaway is that cyber threats were included as one of the six key drivers that will shape Australia’s security environment over the next two decades. To counter this, Defence’s Integrated Investment Plan has allocated $300 million to be spent on cybersecurity from a total of $195 billion to be spent in the intelligence, surveillance and reconnaissance, space, electronic warfare and cyber security capability stream, plus a further $5 billion to update Defence’s ICT systems, out to 2025.

An additional 1,700 positions—consisting of 900 ADF and 800 APS personnel—will be dedicated to intelligence, space and cyber positions, although it’s unclear how many are specifically committed to cybersecurity. While there’s a good amount of cyber threat-related language throughout the White Paper, both Feakin and Richard Chirgwin from the Register were critical of the comparatively small spend on cybersecurity and the vagueness of the language on cyber policy, threats and personnel numbers.

The US Department of Defense released its budget request for cybersecurity in the 2017 budget last Friday. The Pentagon has asked for a 15% increase on the 2016 budget, bringing the total spend on defensive and offensive cyber capabilities to US$6.7 billion in 2017 and US$34.6 billion out to 2021. During his testimony at the House Appropriations defense subcommittee hearing, US Secretary of Defense Ash Carter discussed the future of US Cyber Command, saying the current arrangement—where Cyber Command is a sub-unified command of Strategic Command—was ‘not necessarily optimal’ and options to raise it as a full combatant command were still being examined.

Also from the Pentagon this week was the news of a new campaign targeting Daesh’s ability to use social media and conduct financial and logistical arrangements online.

Also across the Pacific, the dispute between the US government and Apple took another turn this week as a Federal judge in New York ruled in Apple’s favour in another case regarding access to encrypted data on an iPhone. Ellen Nakashima from the Washington Post notes that as the two cases involve different iPhone operating systems, the technical assistance requested is also different to that requested to unlock the phone of one of the San Bernardino gunmen, but both cases rely on the application of 1789’s All Writs Act. The US Justice Department’s response was that they’ve asked for the decision to be reviewed, and further added that Apple had agreed to assist until the government’s request for assistance was made public through the court proceedings. Apple is now also reportedly considering full-disc encryption of iCloud data to further protect the privacy of its customers. This data, backed up from customers’ iOS devices, isn’t currently encrypted when stored by Apple. Such a change would make it impossible for Apple to access the data backups it keeps in iCloud—but would also mean that anyone who forgets their password can forget ever recovering their data as Apple would be unable to reset subscriber passwords.

In a report from Swedish cybersecurity company Unleash Research Labs, the Myanmar Army has been named as the source of the cyber attacks that targeted pro-democracy news outlets before last November’s elections. Talking with The Diplomat, one of the report’s authors linked several hacktivist groups in Myanmar to the Myanmar Defence Service Computer Directorate’s network, which they used to target media outlets that opposed the military junta, and also targeted Thai police websites in retaliation for the death sentences imposed on two Myanmar men for killing two British tourists in southern Thailand. The Myanmar government denied the allegations.

And finally, the long-running transition of the Internet Assigned Numbers Authority to a multi-stakeholder model is approaching its end, as the final plan for the transition comes up for agreement at a meeting in Morocco next week. The proposed plan, released in October 2015, will attempt to better balance the influence of governments and the broader internet community, and transfer the domain names and intellectual property currently held by the Internet Corporation for Assigned Names and Numbers to an Internet Engineering Task Force-sponsored trust.