News this week that companies bidding to build Australia’s next generation of submarines could be targets of Russian and Chinese hackers hasn’t surprised anyone. But it remains to be seen if Defence will adopt the suggestion of former Army Chief Peter Leahy and Senator Nick Xenophon to return to typewriters and couriers to transmit classified information.
What was surprising was the revelation that contractors to the US Defense Information Systems Agency (DISA) outsourced work on classified US military networks to uncleared Russian programmers. The two firms involved, NetCracker and Computer Sciences Corporation, have both denied any liability, but have agreed to pay a combined US$12.75 million in civil penalties to close the investigation by the US Justice Department. The original whistleblower complaint, made in 2011 but withheld until now, stated that numerous viruses had been loaded onto the DISA network by the Russian programmers.
This experience hasn’t caused the US to reconsider outsourcing offensive cyber capabilities to private industry partners. Defense One reports that a US$460 million contract will be offered to provide services to US Cyber Command, including planning ‘cyber fires’ and ‘cyberspace joint munition’ assessments. The US is increasingly open about its plans for offensive cyber capabilities; other countries, however, generally remain reticent to discuss their plans for this sensitive capability development area.
The hack of Sony last year unearthed long-standing questions about what constitutes the use of force in cyberspace, and what a proportionate response to a cyber incident may be. Last week members of the US House Intelligence Committee’s NSA and Cybersecurity Subcommittee requested that the US Government pursue the development of binding international rules for cyberspace, stating that it’s in the ‘best interests of all nations’ to have normative behaviour in cyberspace laid out in a cyber treaty, including answering questions regarding use of force in cyberspace.
While not legally binding, the next edition of the Tallinn Manual will seek to address those same questions. As the successor to the 2013 manual, which focused on the application of international law to cyberspace during war, the 2016 edition will reportedly focus on legal issues regarding cyber incidents below the threshold of cyber warfare. Those incidents are more common between states but harder to respond to in accordance with international law, and without escalating conflict unnecessarily.
Last week saw the release of the full text of the Trans-Pacific Partnership (TPP), which as part of its broad trade growth and liberalisation agenda seeks to create the conditions for the growth of digital trade in the Pacific. The TPP mandates the use and acceptance of electronic signatures, paperless trading and specifically restricts data sovereignty and the ability of governments to demand software source code as a condition of sale. David Fidler from the Council on Foreign Relations has provided a good summary of the e-commerce chapter of the agreement. He notes that the TPP provides a possible model for future agreements that preserves an open and global internet, and possibly counterbalances Chinese influence.
The struggle to balance privacy concerns, government data collection requirements and commercial interests continues this week. In the UK, the Government has released a bill to update its existing surveillance and oversight legislation, within which the requirement for ISPs and telcos to retain two years of records on individuals’ internet activity has garnered the most attention. Australia’s own metadata retention scheme may be delayed due to the inability of most providers to actually collect and store the information, but our intelligence watchdog, the Inspector General of Intelligence and Security, has reportedly begun to recruit analysts to oversee intelligence agency compliance with the scheme. On the other side of the scales, in Belgium Facebook has been ordered to stop tracking the internet use of non-Facebook account holders who visit Facebook, or be hit with a daily fine of €250,000.