Cyber wrap


In news that won’t shock anyone, word came this week that China has established extensive offensive hacking units within its military and civilian government set-ups. But it’s the source of these reports that makes this story interesting: the PLA. In the latest version of the organisation’s The Science of Military Strategy, China has, for the first time, acknowledged the presence of its cyber espionage and net warfare capabilities.

The disclosure is curious given one of the government’s favourite responses to challenges of online malfeasance is often to plead ignorance. As Joe McReynolds explained in the Daily Beast article, ‘it means that the Chinese have discarded their fig leaf of quasi-plausible deniability’. ‘As recently as 2013, official PLA publications have issued blanket denials such as, “The Chinese military has never supported any hacker attack or hacking activities.” They can’t make that claim anymore’.

It will be interesting to see how—if at all—the admission will affect the language China uses in response to claims of international state-based and corporate espionage.

Researchers from the University of Melbourne and University of Michigan uncovered a vulnerability this week in the NSW state election’s online voting system. The researchers discovered the hole when assessing the security of the iVote system’s practice voting site, which is identical to the real website. The pair discovered that whilst the iVote website used a server with a safe SSL configuration, it included JavaScript from an external server that was vulnerable to man-in-the-middle attacks.

The researchers informed CERT Australia of the security flaw and the issue has now been rectified, but not before 66,000 votes were cast. The researchers still hold ongoing fears surrounding the website’s security and have called on the NSW government to ‘back away from voting online at least until there are fundamental advances in computer security’.

The Japanese government is bolstering its impressive cyber engagement program with ASEAN countries. The government is now targeting capacity building and end user education, with a particular focus on boosting mobile cyber hygiene via TV campaigns. The large uptick in mobile-based internet users in ASEAN countries and the broader Asia-Pacific has created a new generation of cyber users – ones that are not necessarily schooled in the finer details of cyber security. Japanese universities and private companies have also agreed to train interns from ASEAN countries, with the aim of building capacity for future generations.

Since January, Washington has seen growing Congressional momentum on cybersecurity legislation. The most promising push is coming from the Senate Intelligence Committee, which has recently passed the Cybersecurity Information Sharing Act. In many ways this bill is a rehash of previous cybersecurity bills that have been stalled by privacy advocates. Democratic leadership in the House Intelligence Committee, set to release its counterpart to the Senate bill, has suggested that both chambers have addressed many of these privacy concerns and expressed optimism over the potential for Congress to take much-needed action on cybersecurity.

In a less controversial space, two congressmen are planning on introducing the Student Digital Privacy and Parental Rights Act, to prohibit companies that operate school services from using or disclosing student data for advertisements. This effort incorporates principles from President Obama’s January push for cyber legislation, suggesting that there is hope for the White House and Congress to work together on cyber issues.

Speaking of the United States, the much-maligned F-35 Lightning program is looking to develop a pod-mounted cyber-attack system. Although it is only in the prototyping phase, this news adds an exciting (airborne) dimension to the ever-present tumult over #cyberwar.

Of course we should be wary of feeding the hype machine, as Alex Grigsby reminds us that unrealistic expectations and fears lead to unreasonable demands on policy makers and law enforcement. Looking into the inconceivably popular CSI: Cyber, Grigsby joins the chorus of experts suggesting that hype hinders intelligent discussion.

On the opposite end of the spectrum, a recent report suggests that poor awareness and a lack of government initiative have left Bangladesh vulnerable to cyberattacks. Pointing at a string of high-profile security breaches in the country, the report recommends enactment of appropriate cyber law to legalise and regulate the country’s internet. The ability to strike the proper balance to spur policy movement and increase awareness—whilst avoiding hype—will continue to be a critical challenge for those pushing for a mature cyber discussion domestically and internationally.

 Jessica Woodall and Klee Aiken are analysts in ASPI’s International Cyber Policy Centre. Image courtesy of Flickr user Luther Bailey.