Cyber Security:
Australian Signals Directorate (ASD) is in the Defensive and Offensive Front-line
ASD’s motto ‘Reveal their secrets, Protect our own’ still applies even though its classic signals intelligence role now has an added focus on new targets which involve not only nation state actors, but also terrorist and special issue groups, as well as criminal organisations.
There are six recognised types of cyber operations:
- Distributed Denial of Service – The intentional paralysing of a computer network by flooding it with data sent simultaneously from many individual computers,
- Espionage – The act of obtaining confidential information without the information holder’s consent,
- Defacement – The unauthorized act of changing the appearance of a website or social media account,
- Data Destruction – The use of malicious software to destroy data on a computer or to render a computer inoperable,
- Sabotage – The use of malware that causes a disruption to a physical process, such as the provision of electricity or normal function of nuclear centrifuges,
- Doxing – The act of searching for and publishing private or identifying information about an individual or group on the internet, typically with malicious intent.
ASD can be expected to have defensive and offensive strategies and capabilities for all of these.
At the end of July 2018, the month in which ASD became a statutory authority, Mike Burgess, Director-General ASD, said in a speech to the Security Innovation Network Conference 61 in Melbourne:
“Our mission runs from providing intimate support to military operations through to countering terrorism, countering transnational crime and identifying and countering cyber threats that challenge the security, prosperity and personal freedoms that underpin our rich and vibrant society.
“ASD’s purpose is to defend Australia from global threats and help advance Australia’s national interests. We do this by mastering technology, and the application of technology to inform, protect and disrupt.
- Informing by covert acquisition of foreign information not publicly available (known in our business as SIGINT, signals intelligence)
- Protecting, by comprehensively understanding the cyber threat, providing proactive advice and assistance to improve the management of cyber risk by government, business and the community, and
- Disrupting, by applying our offensive cyber capabilities offshore, to support military operations, counter-terrorism, counter cyber espionage and serious cyber-enabled crime.
“ASD’s strategic objectives include:
- Delivering strategic advantage for Australia by providing foreign intelligence that protects and advances Australia’s national interest
- Improving cyber security, across Australia
- Supporting military operations, enabling the war fighter, and protecting Defence personnel and assets
- Countering cyber-enabled threats, protecting Australia and Australians by countering cyber-enabled crime and disrupting terrorists’ use of the internet offshore
- Providing trusted timely advice and expertise to government, business and the community.”
OFFENSIVE CYBER WARFARE CAPABILITY
When former Prime Minister Malcolm Turnbull announced in April 2016 that Australia possessed offensive cyber capabilities, not many observers would have been surprised. After all, if the peak body for cyber security, the ASD, knew about the types of cyber-attacks being mounted against Australian governments, critical infrastructure, leading organisations and members of the public, they surely would have understood how to use these tools against legitimate and sanctioned targets.
The former Prime Minister’s announcement emphasised Australia’s compliance with international law: ‘The use of such a capability is subject to stringent legal oversight and is consistent with our support for the international rules-based order and our obligations under international law.’
ASD provides offensive cyber capability for military operations controlled by Defence’s Information Warfare Division, while law enforcement, deterrence of and remediation after civilian cyber-attacks are subject to civilian control, creating dual channels of process and approval. Both channels lead to the National Security Council.
To avoid confusing the general public, announcements on military use of offensive cyber capability are to be expected from the Minister for Defence, while announcements of law enforcement use would be made by the Minister for Home Affairs, the Attorney-General or the Minister for Justice.
Head Land Capability, Major General Kathryn Toohey, whose career after graduating from Duntroon started in RA Sigs and whose early postings included 7th Signals Regiment (Electronic Warfare), has said:
“The modern battlespace is becoming increasingly congested, with a commensurate increase in the risk of collateral damage. This is especially true in urban environments, as recent operations in Iraq have demonstrated. The availability of ‘non-kinetic’ attack options is increasingly important for commanders at all levels – from the tactical to the strategic – because the use of kinetic options requires heightened precision and confidence in an adversary’s location. Electronic attack provides a useful non-kinetic option, where the element of precision is only required in the electromagnetic spectrum. This means electronic attack can commence before the necessary precision is available to strike by other means.”
In practice, military cyber operations are conducted by electronic warfare personnel who ‘may have the opportunity to work in one of the following areas: Signals Analysis – analyse data collected from the tactical EW teams and pass critical information to the commander; Electronic Attack – deny, disrupt and deceive enemy communications; Tactical Cyber Warfare – understand how networks, ICT systems and different operating systems talk to each other when enemy elements are manoeuvring around the battle space’.
TRAINING ADF CYBER WARRIORS
Speaking at LAND FORCES 2018 in Adelaide, Minister for Defence, the Hon Christopher Pyne MP, announced that Elbit Systems of Australia will deliver a Cyber Range training platform including infrastructure, network design and build, train the trainer, training and teaching materials and support.
Managing Director of Elbit Systems of Australia, Dan Webster said:
“The Company is delighted to be providing cyber expertise to the ADF. We will be supporting Defence in training their ‘Cyber Warriors’ who will defend against the real cyber threats we are faced with every day. Trainees will learn to identify, track, investigate, respond to and remediate a cyber-attack.”
The cyber security technology has been developed by global cyber specialist Cyberbit, a subsidiary of Elbit Systems Ltd. Cyber training ranges will be installed at ADF facilities in Melbourne, Sydney, Adelaide and Canberra. The fully self-contained cyber security training network will be capable of training 50 students concurrently.
KEY PROTECTION AGAINST AND REMEDIATION AFTER CYBER ATTACKS
ASD, through its Australian Cyber Security Centre (ACSC) department, has published a list of eight strategies (quoted below) to mitigate cyber security incidents to assist organisations in protecting their systems against a range of cyber threats. The mitigation strategies can be customised based on each organisation’s risk profile and the cyber threats they are most concerned about.
ASD writes:
‘While no single mitigation strategy is guaranteed to prevent cyber security incidents, organisations are recommended to implement eight essential mitigation strategies as a baseline. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems. Furthermore, implementing the Essential Eight proactively can be more cost-effective in terms of time, money and effort than having to respond to a successful large-scale cyber security incident.
‘The first four strategies in priority order are:
- Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers, which will prevent malicious code from executing.
- Patch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications. Security vulnerabilities in applications can be used to execute malicious code on systems.
- Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate. This is because Microsoft Office macros can be used to deliver and execute malicious code on systems.
- User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the Internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers. Flash, ads and Java are popular ways to deliver and execute malicious code on systems.
‘A further three mitigation strategies can limit the extent of cyber security incidents:
- Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing. ASD advise Admin accounts are the ‘keys to the kingdom’. Adversaries use these accounts to gain full access to information and systems.
- Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions. Security vulnerabilities in operating systems can be used to further the compromise of systems.
- Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository. Stronger user authentication makes it harder for adversaries to access sensitive information and systems.
‘Daily backups of important new/changed data, software and configuration settings will help recover data and system availability. These should be stored disconnected and retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.’
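The Essential Eight as quoted above lists controls, not the checks that show whether a host actually has them. The PowerShell below is an added example, not ASD’s or the article’s own material, that audits a Windows 10 workstation for three of the settings named in the list: the Office macro policy (the ‘block macros from the Internet’ and VBA warnings policy values), the effective AppLocker enforcement mode as a stand-in for application whitelisting, and the membership of the local Administrators group. The registry paths assume Office 2016/365 (policy hive version 16.0) with settings delivered through Group Policy under HKCU\Software\Policies, and the two-member threshold for the Administrators group is an assumption to be tuned to the environment.

```powershell
# Added example: audit a Windows 10 host against three Essential Eight settings.
# Assumptions: Office 2016/365 (registry version 16.0), policy under HKCU\Software\Policies,
# PowerShell 5.1 in an elevated session. The AppLocker and LocalAccounts modules ship with Windows.

$results = New-Object System.Collections.Generic.List[object]

function Add-Result($control, $check, $pass, $detail) {
    $status = if ($pass) { 'PASS' } else { 'FAIL' }
    $results.Add([pscustomobject]@{
        Control = $control
        Check   = $check
        Status  = $status
        Detail  = $detail
    })
}

# 1. Configure Microsoft Office macro settings.
#    blockcontentexecutionfrominternet = 1 blocks macros in files carrying the Mark-of-the-Web.
#    VBAWarnings: 2 = disable with notification, 3 = disable all except digitally signed,
#    4 = disable all without notification. ASD's 'only vetted/signed macros' maps to 3 or 4.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $block = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    $vba   = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    Add-Result 'Office macros' "$app blocks macros from the Internet" ($block -eq 1) "blockcontentexecutionfrominternet=$block"
    Add-Result 'Office macros' "$app allows signed macros only (or none)" ($vba -in @(3, 4)) "VBAWarnings=$vba"
}

# 2. Application whitelisting, using the effective AppLocker policy as the indicator.
#    EnforcementMode 'Enabled' blocks; 'AuditOnly' only logs; a missing collection does nothing.
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
foreach ($type in 'Exe', 'Dll', 'Script', 'Msi') {
    $coll = $policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq $type }
    $mode = if ($coll) { $coll.EnforcementMode } else { 'NotConfigured' }
    Add-Result 'Application whitelisting' "AppLocker $type rules enforced" ($mode -eq 'Enabled') "EnforcementMode=$mode"
}

# 3. Restrict administrative privileges: record who holds local admin and flag the group
#    when it exceeds the built-in Administrator plus one break-glass account (assumed threshold).
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
$names  = ($admins | ForEach-Object { $_.Name }) -join ', '
Add-Result 'Admin privileges' 'Local Administrators group limited to two members' ($admins.Count -le 2) "members: $names"

$results | Format-Table -AutoSize
```

Run it before and after applying the relevant Group Policy objects and compare the PASS/FAIL columns; a FAIL on the AppLocker checks with `EnforcementMode=AuditOnly` is the common half-way state where rules exist but nothing is blocked.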
WHAT IS HAPPENING WITH CIVILIAN SYSTEMS?
Sadly, cyber threats are becoming more common, and because of the range of successful attacks on civilian systems it is now a legal requirement for organisations to report eligible data breaches to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches (NDB) scheme, which commenced on 22 February 2018.
As organisations have become familiar with the NDB requirements the notifications have increased month by month. The numbers are February part month (8), March (55), April (65), May (87), and June (90).
The latest analytical report available to APDR covered notifications received between 1 April and 30 June 2018. It recorded 242 notifications, of which 59% resulted from malicious or criminal attacks, 36% were caused by human error, and 5% were system faults.
The kinds of personal information involved in the breaches were contact information (89% of breaches), financial details (42%), identity information (39%), health information (25%), tax file numbers (19%), and other sensitive information (8%).
As Mike Burgess, Director-General ASD, has said:
“The successful identification and management of cyber-security risk across the community, businesses and governments is critically important.
“Thoughtful and sound investment in your future is critical. We all use the innovation word today, but what research does your organisation invest in? And when it comes to identifying and managing cyber risks, know what is important to your business and your customers.
“Do you know the value of your data? Do you know what systems and services you are dependent upon? Do you really know what risks you carry?
“I know this gets complicated quickly. We are all dependent on technology and connectivity and there are few people who actually understand how it all works. However, managing this risk isn’t rocket science.”
THE ‘INTERNET OF THINGS’ (IOT) CHALLENGE
The UK’s National Cyber Security Centre (NCSC), a branch of GCHQ, the UK equivalent of ASD, has been set up to monitor hacking threats and develop cyber security strategy, and is especially concerned about the IoT. It has developed a Code of Practice for all parties associated with IoT devices. No doubt ASD’s ACSC will be examining the Code’s recommendations closely.
News from the UK reports that ‘the NCSC have been developing new rules as the hacking threat to the UK from criminal and state-backed groups mounts. Hundreds of millions of once “dumb” products are being linked to the Internet. But these devices pose a growing security threat because they are increasingly vulnerable to cyber-attacks and hacking. The past year has seen digital flaws found in everything from smart teddy bears that could be turned into spy cameras to robot vacuum cleaners that can be hacked into listening devices.
‘Security researchers have previously warned as many as 15% of off-the-shelf devices can be hacked by a simple Google search to find the default log in details.’
It seems highly probable to APDR that the ACSC, a department of ASD, will develop a similar Code of Practice as many more IoT devices arrive in this country.