When Prime Minister Scott Morrison announced this week that a “sophisticated state actor” had targeted the big Australian political parties in a major cyber attack, the revelation threw up more questions than answers.
Who did it and how? What data did they get their hands on? How vulnerable is our data – and our democracy?
To make sense of it all, we’re hearing today from Nigel Phair, the director of UNSW Canberra Cyber and an expert on the intersection of crime, technology and society.
He said that while hacks like these should be seen as “the new normal”, there was good reason to be concerned.
“Just merely having a breach is quite a big deal. Secondly, you look at the information that they hold. Political parties have information on donors – who they are and how much they give and what they want for it. They have information on the electorate, they have information on their own party politics and tactics for Senate Estimates for Question Time, those sorts of things,” he said.
“So that’s a lot of rich data that you could then use as a nation state to infiltrate other areas to perhaps change voter outcomes.”
The hackers may have used social engineering techniques such as phishing to gain access to the data, he said.
“They are quite unsophisticated attacks. It’s often spoofing an organisation or a person and getting someone, an end user, to reveal login credentials. And because we share passwords across multiple logins, that’s how you gain access to a trophy asset,” he said, adding that the hack served as a reminder to use a password manager and ensure all passwords are long and strong.
“I think we should be very concerned. We’ve got a great case study from the US. We’re very allied to the US and when you look at how nation states have disrupted that election I think it’s a given that there are many out there that’ll disrupt ours.”
You can read an edited transcript of the interview below.
Additional audio editing by Wes Mountain, production assistance from Bageshri Savyasachi.
Kindergarten by Unkle Ho, from Elefant Traks
ABC news report
AAP (Various)/Shutterstock/The Conversation
SUNANDA CREAGH: And so what’s the main concern? Why was everybody so worried about this, particularly earlier this week?
NIGEL PHAIR: I think when you look at the history with the attack in the US on the DNC (Democratic National Committee), and a lot that’s been reported in the US about nation states trying to infiltrate the election process over there and change people’s voting habits and we’re some weeks/months from an election here – it strikes at the heart of what could be our dear beloved democracy, when you have nation state actors trying to influence voting outcomes.
SUNANDA CREAGH: And what do you think this week’s events tell us about the cyber security weaknesses here in Australia?
NIGEL PHAIR: It tells us that no organisation is immune. It tells us that cyber is another vector for people trying to win the hearts and minds of people.
SUNANDA CREAGH: If I was a sophisticated nation state using this as a strategy to achieve that goal, how might this sort of hack help me achieve that goal? What do you think they were actually trying to do here?
NIGEL PHAIR: There’s a number of things that they’ve achieved. Firstly, is the goal of doing the hack. When we look at parliament house, we look at the political parties, when we think about it, they’re revered from a democratic perspective. Just merely having a breach is quite a big deal.
Secondly, you look at the information that they hold. Political parties have information on donors – who they are and how much they give and what they want for it. They have information on the electorate, they have information on their own party politics and tactics for Senate Estimates for Question Time, those sorts of things. So a lot of rich data that you could then use as a nation state to infiltrate other areas to perhaps change voter outcomes.
SUNANDA CREAGH: China has strongly denied that it was involved but a lot of speculation has focused on that country, as opposed to Russia or another state actor that’s been linked to this kind of behaviour in other contexts. In Australia, why do you think speculation has focused on China as a potential perpetrator?
NIGEL PHAIR: Basically because they’re a near neighbour to ours, they’re in our arc of instability. They’re well known for their theft of intellectual property online. They’re well known for not adhering to the international norms of cyberspace. Add that all up and that’s why people keep pointing the finger at them.
SUNANDA CREAGH: And I believe there’s news reports that China was linked to other previous hacks of universities and parliament and other key pieces of computer infrastructure around Australia. Is that right?
NIGEL PHAIR: That’s right. They’ve been well known to do a range of cyber attacks on a range of different organisations – government, non-government, commercial etc.
SUNANDA CREAGH: So in the context of concerns that Australians have about the government’s capacity to keep our personal information safe – and I’m thinking here about the talk around My Health Record, the census – what does this hack tell us, if anything, about how capable the government and people in power are at guarding our private details?
NIGEL PHAIR: I think we need to go back a couple of steps before we start to think about this. Government, what they haven’t done is take the citizenry of Australia on a journey. They haven’t explained to them what it means to participate in a digital economy. What it means to be a good online citizen and transact with government and social media, commercially, e-commerce. If we had that narrative from the outset then people could understand that the internet is just another public place where they act ethically and lawfully and responsibly to what they do in the real world, then I think we wouldn’t be having this discussion. Because people would be able to have an informed decision about what it means to participate with My Health Record, or participate in an online census or other government instruments. But at the moment we just never had that background and people don’t have the certainty and because of that they make knee-jerk reactions.
SUNANDA CREAGH: Where do you land on this issue, do you think the government is capable of keeping that data safe?
NIGEL PHAIR: I think the government is capable of keeping it safe. The systems around My Health Record for example are really quite secure and there’s a lot of technologies, a lot of process and a lot of policy to ensure. But the reality is if there is going to be a breach of my health record, it’ll probably happen at a doctor’s surgery where there’s an unpatched or unprotected computer, or a user not using a good password, or accidentally emailing the wrong patient records to someone. It will be the end user compromise which we’ll see will be the failure. And that’s what the government isn’t investing in. It’s great to say they have a great secure system themselves but again we need to wind the clock back several years and start telling people this is what it means.
SUNANDA CREAGH: Just on this hack, how might it have been actually perpetrated? Can you just explain that to me in really basic terms?
NIGEL PHAIR: We don’t know yet until the forensic examination is done about how it occurred. Invariably, it was most probably some sort of social engineering attack against someone on the network. Most probably a phishing attack or something similar, where a person is targeted rather than the network itself is targeted. But again, until we know the forensics, we’re just speculating.
SUNANDA CREAGH: And those phishing and social engineering attacks, am I right in thinking they mainly focus on trying to get somebody to reveal their password or their login details to another person who is perhaps impersonating somebody else or impersonating an official password reset type email. Is that the sort of thing you mean there about the social engineering?
NIGEL PHAIR: Invariably, they are quite unsophisticated attacks. It’s spoofing an organisation or a person. Getting someone, an end user, to reveal login credentials and because we share passwords across multiple logins, that’s how you gain access to a trophy asset.
SUNANDA CREAGH: So the lesson there for all of us really is never reuse your password details and get a password manager. Am I right?
NIGEL PHAIR: You are right.
SUNANDA CREAGH: We’ve heard some commentators saying that this is the new normal, that this type of attack really should be expected in this day and age. What do you think about that?
NIGEL PHAIR: It’s been the new normal for quite some time. The reality is, most organisations get hacked just don’t know they’ve been hacked. This is all of a sudden a trophy matter, it’s come at the time where parliament is sitting, so it’s really got some attention in society, which is a great thing. And added to that the government that’s come out and actually said this is what’s happened and that is a completely different policy shift, whereas before it was swept under the carpet.
SUNANDA CREAGH: Do you think that’s a positive policy shift?
NIGEL PHAIR: There’s a great positive. We need to start having a conversation about what it means to be online and what it means to participate. And the fact is there’s countries out there, there’s actors out there trying to do us harm and Australians need to be brought into that confidence.
SUNANDA CREAGH: There was a lot of talk about this at the start of this week, but it really has sort of shifted off the news headlines toward the end of the week and some people are now saying that was a lot of noise over what? And I’ve seen some media commentators saying that this was an announcement that fed into a narrative of fear as election day draws closer. And that is a criticism that’s been directed at the government in the past in their rhetoric around border control and security in more general terms. To what extent do you see this announcement as about safety and awareness and how much of it is politics?
NIGEL PHAIR: I couldn’t put a percentage on either way but I focus purely on the safety and awareness side of it. I just think that’s the value of the message – is the safety and awareness.
SUNANDA CREAGH: It’s an important message to get out to make people aware of those risks. And, as you say, bring them into that conversation around online security and online participation in an active globally networked world, is that right?
NIGEL PHAIR: That’s right.
SUNANDA CREAGH: So what needs to be done? What should governments do to reduce risks and educate people?
NIGEL PHAIR: So the first thing for their internal networks, they need to do a proper risk management exercise. They need to identify the key target assets they hold and work out how sensitive that information is and put appropriate controls around where that data sits. Whether it’s a technology stack, whether it’s internal, cloud-based, those sort of decisions. And secondly, who has access to it, why they have access to it and how they access it. And once you start doing some simple things like that, you’ll find the cyber security posture of parliament house or a political party or anyone else in corporate Australia can really change the way that they’re viewed from a cyber security perspective.
SUNANDA CREAGH: And if, and I know this is speculation, but if the source of the problem was somebody sharing their login credentials or being victim to a phishing scam or victim to some social engineering then it sounds like it’s possible that some education is needed around that issue and what to be aware of and how not to get tricked online.
NIGEL PHAIR: Well, that’s a tough one. There aren’t sufficient technical controls to protect our data and ourselves online. In fact, we should’ve looked for any technical silver bullet. Likewise, we know education doesn’t work either. But education is all we have. So all we can keep doing is reinforce the message, particularly amongst young people as they grow up and participate in the online economy, and hopefully as time goes on we’ll be better protected for it.
SUNANDA CREAGH: In other words, not forgetting to address the capacity for human error in our effort to cover off and protect ourselves from technical error.
NIGEL PHAIR: Human error, but also the use of third parties and outlying people that you might not have specific command and control over.
SUNANDA CREAGH: And going back to this week’s hack, if I am an individual who has given my details as a donor or as a supporter to a political party, what does this hack tell us about what we as individuals might do in future to protect our data?
NIGEL PHAIR: Well, if you think you’ve (experienced) a loss of your data through this process, the first thing to do – contact the party that you’ve made say the donation or whatever it might be to. Secondly would be to start thinking about how that data or information that’s been stolen might be used against you - whether it’s identity theft or takeover, for example. So you need to start monitoring your bank accounts, you need to start thinking about consumer credit that might be done in your name. So you should be probably doing a credit reference check.
SUNANDA CREAGH: What advice do you give to people who want to use best practice in keeping their details safe online?
NIGEL PHAIR: Best thing you can do is use strong and long passwords. More stealthy it is, the harder it will be to guess by anyone else. Second, don’t replay the same password across multiple logins. Thirdly, be really wary when online and navigating around social media and e-commerce and other places. Really think about where you put your personal information in and why you’re placing it into a particular website or a portal.
SUNANDA CREAGH: Now, in the US we’ve heard about state actors really appearing to have an influence on election outcomes. How concerned do you think Australians should be about that happening here?
NIGEL PHAIR: I think we should be very concerned, we’ve got a great case study from the US. We’re very allied to the US and when you look at nation states that have disrupted that election I think it’s a given that there’s many out there that’ll disrupt ours.
SUNANDA CREAGH: So what can we do about that?
NIGEL PHAIR: It’s a tough one. We need to start working with all the players involved. And this is where the social media companies come into it. Your Googles, your Facebooks, your Twitters, your Instagrams etc. Because that’s the place of choice that nation states will use to send out any bespoke messaging.
SUNANDA CREAGH: Should we be changing any progression we’re making in Australia towards electronic voting?
NIGEL PHAIR: We have zero progression towards electronic voting, unfortunately, and I think it’s a great thing. But because we had the census failure, because we had the robo-debt issues, because we had the My Health Record issues, as a population there’s no way in my generation that we will see electronic voting. We just won’t countenance it because of the perceived risks. I’m a pro-online guy. We doom and gloom everything online too much and I’m guilty for doing that. But we want people to participate online. We are great and early adopters of mobile smart devices and we love being online itself, so it makes sense for service delivery to be online, it makes sense to order your food online, to do social media, participate in everything, there’s a lot of good benefit. But because we hear this messaging all the time about the government can’t deal with online issues, there’s already this level of distrust and dissatisfaction out there that voting will just be another one of those things. And the facts just don’t support that.
SUNANDA CREAGH: Would there be anything that you’d change about the way political parties collect or are allowed to collect data on people given that they seem to be a perfect target or a growing target?
NIGEL PHAIR: Oh, there’s lots I’d change. Primary to that is the Privacy Act and adherence to the privacy principles of which political parties don’t need to.
SUNANDA CREAGH: In what way? What change would you make?
NIGEL PHAIR: Well, I’d ensure that political parties have to adhere to the privacy principles when it comes to the collection, the storage, retention and dissemination of personally identifying information.
SUNANDA CREAGH: And what are the privacy principles?
NIGEL PHAIR: Well the privacy principles, there’s 13 of them, inform organisations in Australia where they have a turnover of more than A$3 million about how they should collect data, how they should store that data, how they should disseminate it and how they should destroy it. There’s some simple advice that’s provided by the Australian Office of the Information Commissioner. And they’re quite easy to adhere to, but unfortunately political parties are exempt from that and I see that as being a bad thing.
SUNANDA CREAGH: So we’re at a point where I guess you’d have to assume that basically anybody could be a target for a hack and any organisation could be. So what options are there for organisations like political parties that don’t have My Health Record level of security set ups or government scale security set ups?
NIGEL PHAIR: Well, the first thing they have to do is acknowledge that they’re a target. Then they have to go through a risk-based process to understand what their information assets are, what their technology stack is, and who has access to it and make sound investment decisions around that. We can no longer, as a society, just say “it’s not us that gets hacked, it’s always someone else”. I mean, there is a cost of participating online.
SUNANDA CREAGH: Nigel Phair, thank you so much for talking to us.
NIGEL PHAIR: Pleasure.