‘Catastrophic is the right word. On the scale of 1 to 10, this is an 11’, says Bruce Schneier of the Heartbleed bug that emerged since our last cyberwrap. Heartbleed (CVE-2014-0160) is a flaw in OpenSSL, the open-source library that encrypts and protects a large share of Internet traffic: a missing bounds check in its handling of the TLS heartbeat extension lets an attacker read up to 64 KB of a server’s memory per request, memory that can hold usernames, passwords, session cookies, credit card numbers and the private keys behind the server’s digital certificates. The faulty code has shipped in OpenSSL since March 2012 and affects a huge swathe of the Internet, including big names like Facebook, Google, Instagram, YouTube, Dropbox and Twitter. The bottom line for users seems to be to change your passwords now and then again once the websites you use have patched the flaw and reissued their certificates; a new password sent to a still-vulnerable site can be read just like the old one, so the second change is the one that counts. Mashable have put together a list of popular sites where password changes might be necessary. You can do your own searches here.
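To make the bug concrete, here is an added example (not code from the original post, and not OpenSSL’s own source) that models the heartbeat handling in miniature: the same function runs either with the vulnerable logic, which trusts the length field in the request, or with the bounds check that the OpenSSL fix introduced. The function names, the simulated memory layout and the ‘secret’ string are all constructed for the example.

```c
/*
 * Added example, not code from the original post or from OpenSSL: a minimal
 * model of the TLS heartbeat handling behind Heartbleed (CVE-2014-0160).
 * check=0 mirrors the vulnerable logic (trust the length field in the request);
 * check=1 adds the bounds check the OpenSSL fix introduced. Names, the
 * in-memory layout and the "secret" data are constructed for this example.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16     /* a heartbeat message carries at least 16 bytes of padding */
#define MEM_SIZE     256    /* simulated server memory */
#define RESP_CAP     256    /* fixed reply buffer (OpenSSL allocated one per request) */

/* Constructed stand-in for the keys, cookies or passwords that sit in server memory. */
static const char SECRET[] = "session=abc123; user=alice";

/*
 * Process one heartbeat record.
 *   rec, rec_len : the record's bytes as received (type, 2-byte length, payload, padding)
 *   resp         : reply buffer of RESP_CAP bytes
 *   check        : 0 = vulnerable behaviour, 1 = bounds-checked behaviour
 * Returns the reply length, or -1 when the record is rejected.
 */
static int handle_heartbeat(const uint8_t *rec, size_t rec_len, uint8_t *resp, int check)
{
    if (check && (size_t)(1 + 2 + HB_PADDING) > rec_len)
        return -1;                               /* too short to be a heartbeat at all */

    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* attacker-controlled length */
    p += 2;

    /* The fix: the claimed payload must fit inside the record actually received. */
    if (check && 1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return -1;

    if (hbtype != HB_REQUEST)
        return -1;

    size_t out_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (out_len > RESP_CAP)
        return -1;

    uint8_t *bp = resp;
    *bp++ = HB_RESPONSE;
    *bp++ = (uint8_t)(payload >> 8);
    *bp++ = (uint8_t)(payload & 0xff);
    /* Without the check, `payload` may exceed the bytes sent: the copy then runs
       past the record into whatever memory lies next to it. */
    memcpy(bp, p, payload);
    bp += payload;
    memset(bp, 0, HB_PADDING);                   /* padding (random in real TLS) */
    return (int)out_len;
}

/*
 * Drive handle_heartbeat on simulated server memory: a request with one real
 * payload byte but a claimed length of `claimed`, immediately followed by SECRET.
 * Returns the reply length (or -1) and sets *leaked if SECRET appears in the reply.
 */
static int run_request(int check, uint16_t claimed, int *leaked)
{
    uint8_t mem[MEM_SIZE] = {0};
    uint8_t resp[RESP_CAP] = {0};
    size_t rec_len = 1 + 2 + 1 + HB_PADDING;     /* 20 bytes actually on the wire */

    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    mem[3] = 'A';                                /* the single real payload byte */
    memcpy(mem + rec_len, SECRET, sizeof SECRET);/* adjacent "secret" memory */

    int n = handle_heartbeat(mem, rec_len, resp, check);
    *leaked = 0;
    size_t slen = strlen(SECRET);
    for (size_t i = 0; n > 0 && i + slen <= (size_t)n; i++)
        if (memcmp(resp + i, SECRET, slen) == 0) { *leaked = 1; break; }
    return n;
}

int heartbeat_reply_len(int check, uint16_t claimed)
{
    int leaked;
    return run_request(check, claimed, &leaked);
}

int heartbeat_leaks_secret(int check, uint16_t claimed)
{
    int leaked;
    run_request(check, claimed, &leaked);
    return leaked;
}

int main(void)
{
    printf("vulnerable, claimed 64: len=%d leaked=%d\n",
           heartbeat_reply_len(0, 64), heartbeat_leaks_secret(0, 64));
    printf("fixed,      claimed 64: len=%d leaked=%d\n",
           heartbeat_reply_len(1, 64), heartbeat_leaks_secret(1, 64));
    printf("fixed,      claimed 1:  len=%d leaked=%d\n",
           heartbeat_reply_len(1, 1), heartbeat_leaks_secret(1, 1));
    return 0;
}
```

With the check off, a 20-byte request that claims a 64-byte payload gets an 83-byte reply containing the ‘secret’ that sat next to the record in memory; with the check on, the same request is rejected, while an honest request (claimed length 1) is answered normally either way. Real attacks repeated this against live servers with claimed lengths up to 64 KB, which is why the leaked material included far more than one neighbouring string.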
While Heartbleed has been kicking around for over two years, the fallout is as yet unknown, and could remain so: a successful read leaves no trace in server logs. Aside from spurring fear and a flurry of password changes, the discovery shines a light on areas of the web that aren’t usually given much thought. OpenSSL isn’t maintained by an esoteric tech business in Silicon Valley, but rather by a handful of volunteers scattered across the globe. Recriminations have started over the Australian government’s response to Heartbleed, with finger-pointing directed at the Attorney-General’s Department for not equipping CERT Australia with a solid public response.
Over to the US, and the Pulitzer Prize for Public Service was awarded last week to The Guardian and The Washington Post for their stories on NSA surveillance. Peter W. Singer of Brookings believes that the accolade amounts to the first ‘cyber Pulitzer’, recognising that all issues are ‘being reshaped by the cyber realm, whether it’s communications, commerce, critical infrastructure, or conflict…’. As the scandal du jour, the NSA revelations have provided a backdrop for seemingly any public conversation on intelligence or surveillance since June 2013. On Heartbleed, for example, it wasn’t long before some outlets were reporting that the NSA knew about, and exploited, the vulnerability for intelligence collection purposes. While the NSA and the White House both issued denials, it may be difficult for some to accept the official line in a post-Snowden era.
On the Aussie cyber front, the Defence Science and Technology Organisation (DSTO) has released a consultation paper, the responses from which will inform the development of a national security science and technology (S&T) policy. The program will focus on ‘aiding, enhancing and future-proofing the Australian Cyber Security Centre (ACSC) capability; advanced tools and techniques particularly for ACSC transition of technology and processes to national networks; and establishing national S&T workforce and skills that are relevant and responsive to operational cyber security needs’. Consultations will conclude 1 May. Take a look at the paper here (PDF).
There’s been some interesting research out in the past week. The prowess of the Syrian Electronic Army, Iran’s role as an increasingly potent cyber player and China’s expansive data theft campaigns were all key elements of the evolving cyber threat landscape identified in Mandiant’s M-Trends report. Pew Research Center polling shows that 18% of American adults have had important personal information stolen online, up from 11% in July 2013. While we can look to increasing technical sophistication or malware proliferation to explain that jump, the only way to turn the tide is to replace inaction with ownership when it comes to personal cyber security.
Finally, Minister for Communications Malcolm Turnbull was on hand last Tuesday to help ASPI’s International Cyber Policy Centre launch its inaugural Cyber Maturity in the Asia-Pacific 2014 report and interactive map. The report looks beyond the rhetoric of cyberwar and cybercrime, using the rubric of maturity to study the presence, implementation and operation of cyber-related structures, policies, legislation and organisations. It covers a spectrum of issue areas to build a more comprehensive understanding of the field and to spur discussion and debate around how the region can constructively engage in cyberspace.
With the hope that the report will be ‘suitably controversial’, the International Cyber Policy Centre team welcomes your input, comments, and criticisms. Join the discussion @ASPI_ICPC using #cybermaturity.
David Lang is an intern in ASPI’s International Cyber Policy Centre.