Cyber wrap
8 Jun 2016|

The ghosts of social media accounts past have come back to haunt millions of people this week, with the release of user credentials for 360 million MySpace users being released for sale online. Selling stolen credentials can be a lucrative business, and reseller has reportedly added 1 billion records to its database in the past month. One high profile victim was Facebook founder and CEO Mark Zuckerberg, who has been caught red handed breaking the cardinal rule of password security and reusing the same password for multiple sites (yeah I know…we all do it). Zuckerberg’s Twitter and Pinterest accounts were hacked using the password ‘dadada’, which also appeared as one of 100 million LinkedIn credentials leaked last month. If you want to check if any of your old accounts have been compromised, click here.

The annual Shangri-La Dialogue devoted a dedicated special session to cyber issues for the first time over the weekend. William Saito, special adviser on cybersecurity to the Japanese Cabinet noted that Japan was focussed on defending infrastructure critical to the 2020 Tokyo Olympic games from cyber threats, while the head of Singapore’s Cyber Security Agency David Koh highlighted the ability of malicious cyber actors to take advantage of the seams in regulation between countries to avoid punishment. One of the largest barriers to greater cooperation on cybersecurity is the different objectives of major international states for the future of the internet, which former US National Intelligence Officer for Cybersecurity Sean Kanuck noted means that ‘it probably isn’t a surprise that the accomplishments to date have been modest’.

US Defense Secretary Ash Carter also noted the growing anxiety in the Asia–Pacific about China’s actions in cyberspace at Shangri-La. These comments echoed Carter’s speech to the US Naval Academy on 27 May, which moved beyond the usual calling out of Chinese cyber espionage and linked China’s behaviour in cyberspace to its actions in the South China Sea. His criticism at the Academy also had a heavy trade focus, saying that Chinese regulation of digital trade undercuts the principles of the global system from which China has benefitted. It’s likely Carter’s message was also intended to hit home before the Sino-US Strategic and Economic Dialogue in Beijing this week, where cyber issues were also high on the agenda. The Wall Street Journal has a good summary of new Chinese cyber regulations here and there’s a more in-depth discussion of Chinese cyber laws from The Diplomat here.

The NATO conference in Warsaw next month will focus on the alliance’s cyber capabilities and threats. German Major General Ludwig Leinhos, head of the Bundeswehr’s fledgling Cyber Command, told reporters that he expects that NATO will officially designate cyberspace as an operational domain of warfare. NATO’s refocus on Russia has brought with it attention on Russia’s asymmetric capabilities including cyber capabilities. However, despite warnings of a new arms race by figures such as Mikko Hypponen, a US Defense spokesperson told Russian news outlet Sputnik this week that due to Russian actions in Ukraine, the US has no plans to discuss cyberspace with the Russian military.

There have been renewed calls in India to stand up a Cyber Command, first promised in 2013 after a cyber espionage campaign targeting Indian government officials was reported by FireEye. The group, suspected to be a Pakistani APT previously observed by FireEye, used spear phishing tactics to dupe officials into opening a Microsoft Word document that dropped a malicious payload called BreachRAT, opening a backdoor to the users information. ASPI has previously commented on the slowness of India’s implementation of its 2013 National Cyber Policy in the 2015 Cyber Maturity in the Asia–Pacific report.

On a final note, make sure to check out ASPI’s latest publication, Agenda for Change 2016: Strategic choices for the next government released yesterday. The International Cyber Policy Centre has summed up the key cyber issues facing the next government and made five key recommendations them to quickly address critical  cyber policy challenges, and to take a leading role—regionally and globally—in overcoming cyber threats:

  1. Effectively implement the recently announced Australian Cyber Security Strategy.
  2. Deliver an international cyber strategy. Appoint an ambassador who will be able to hit the ground running and quickly engage internationally. Increase the budget for capacity building in line with regional aspirations outlined in the international strategy.
  3. Devise a strategy to fill IT skills shortages in the immediate short-term (<2years).
  4. Ensure that the government’s threat information sharing centres are accessible, productive and effective. Removing red tape around security classifications and access to information will be crucial, as will providing threat information that’s timely, relevant and actionable.
  5. Release a publicly accessible Defence Department policy on how cyber operations, both offensive and defensive, are governed and integrated into broader Defence activities. This will support the coherent development of those capabilities, assist efforts to shape international cyber policy in line with the whole-of-government strategy and maintain a rules-based global order as outlined in the 2016 DWP.

Late news just in, New Zealand has announced that it has an offensive cyber capability in its new Defence White Paper, released today. Defence Minister Gerry Brownlee told media that New Zealand has developed the capability to deter cyber interference in critical defence networks. In case you missed it, Jim Lewis has explained the rationale for such capabilities for ASPI here, and on The Strategist earlier today.