Wednesday, 28 October 2020
We're just one week away from the US presidential election, and the eyes of the world are on the democratic processes of the United States. Unfortunately, the attention of groups of state backed hackers from around the world has also been trained on the US election as the US's adversaries seek to interfere in that great nation's democratic process. Last week the FBI, the Director of National Intelligence and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency publicly attributed another cyberattack on the 2020 election to Iranian backed hackers. A campaign of emails using the threat of violence to coerce voter behaviour began arriving in the inboxes of Democrat registered voters in Alaska, Arizona and Florida, purportedly coming from the far right Proud Boys group. Iranian hackers spoofed the Proud Boys email domain to enable these threatening emails to look like legitimate emails from the organisation. The source of the voter data used to build email target lists is still unknown, but there does not appear to be evidence that they came from hacks of government voter data registration. These attacks follow the successful hack-and-leak campaign undertaken by Russian backed hackers in the 2016 US presidential election.
These attacks are a salutary warning for Australia. They're part of an accelerating trend in which nation-state hackers target IT systems of non-government democratic institutions in an effort to interfere in another country's democratic process. These so-called hack-and-leak campaigns have emerged as a high-impact and increasingly common threat to sovereignty in democratic nations. This form of foreign interference involves a foreign adversary stealing data from the IT systems of a democratic institution and then publicly releasing it, often with fake data mixed into the release. The 2016 US presidential election is just one of these examples. We've seen similar attacks on the UK, French, German and many other democratic elections in recent times. Indeed, the Australian Strategic Policy Institute has identified at least 20 elections that have been targeted by these operations.
More often than not the targets of these hacks are not government or parliamentary IT systems but the IT systems of other democratic institutions such as political parties, media outlets, think tanks, NGOs and research institutes. Indeed, a recent report from Microsoft found that NGOs were the most common targets for nation-state cyberoperations, constituting 32 per cent of all nation-state attacks. Australia is currently unprepared for cyberattacks on democratic institutions outside of government. There are currently no institutional frameworks to build resilience against foreign interference through cyberattacks on non-governmental democratic institutions. An Iranian Proud-Boys-style attack would be easily replicable in Australia via attacks on the IT infrastructure of Australia's political parties.
After the February 2019 cyberattacks on the networks of this chamber and the major political parties, the Prime Minister told this House that our democratic process was 'our most critical piece of national infrastructure'. But today, while the government does consider the IT systems of this Parliament House and the AEC to be critical infrastructure, the IT systems of other organisations targeted in this attack, like our political parties, are not treated as critical infrastructure. In 2017 the four major parties received one-off grants to assist the organisations to implement the Australian Signals Directorate Top Four mitigations on their IT systems, and in 2019 MYEFO provided a further $2.7 million over four years for the four major parties. But Australia lacks an ongoing institutional framework to build resilience against cyberattacks on non-governmental democratic institutions.
While government security agencies provide robust cybersecurity protections for their parliamentary email systems, these protections stop when MPs use private email systems, social media accounts, CRMs, privately hosted websites and smartphone apps. The cyber-resilience of these non-governmental democratic institutions falls through the cracks of our current arrangements. While each of Home Affairs, ASIO, ASD and the Department of Parliamentary Services have some indirect responsibility, none take ownership of the issue. While I'm sure there would be a significant incident response in the wake of a successful attack, there's little done to prevent these attacks in the first place or to build resilience through our information system to mitigate the impact of such attacks once they occur. There's no capacity-building program for our democratic institutions, no targeted cyberhygiene training, no real-time sharing of threat intelligence and no assistance with vulnerability assessments. Nor are there any public awareness campaigns on the nature of this threat to our sovereignty or any clear institutional responsibility for identifying and informing the public about cyberenabled foreign interference. The government is currently undertaking a consultation paper on Australia's current arrangements for protecting critical infrastructure and systems of national significance, and it reframes critical infrastructure as 'infrastructure supporting systems crucial to Australia's economy, security and sovereignty'. But despite the demonstrable threat that cyberattacks on non-government democratic institutions pose to our sovereignty, the paper fails to address this challenge. When the vector of this threat is a hack-and-leak campaign against these targets the government is blind to the threat. As a result, these non-government democratic institutions are left to face advanced persistent threats from sophisticated state backed hackers largely on their own. It's not a fair fight, and the stakes couldn't be higher.