Home Affairs Secretary Mike Pezzullo compared a hacked organisation that refuses assistance from the Australian Signals Directorate (ASD) to someone refusing to cooperate with an aviation accident investigation.
One such example was described in evidence to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on Friday.
“It was a nationally famous incident involving a nationally renowned company,” said ASD director-general Rachel Noble, “and I refuse to give it a name at this point.”
According to Noble, ASD first learned of the attack from media reports.
“We try to contact the company to find out if the media coverage is true, and they don’t want to talk to us, so we keep pushing,” Noble said.
“Sometimes we need to use our own very high-level contacts through the people in this building [Parliament], a person who may know a member of the board or the chair of the board, to establish trust and build a willingness to cooperate.”
When hacked companies cooperate, ASD can usually map the network and identify the criminal activity involved on the first day.
For example, when the Victorian healthcare system was hit by a ransomware attack in 2019, the malware was quickly identified, and the network was restored and up and running within four days.
“What we left them with was tools, training, and identification capabilities to protect themselves from similar attacks, and we quickly identified what was happening again,” Noble said.
However, in the case of the unnamed company, which had brought in lawyers, it took a week for ASD to obtain even basic network information.
“Five days later, we’re still working very slowly to help provide data and deploy tools so we can see what’s happening on the network. This lasted 13 days,” Noble said.
“This incident had a national impact on our country. On the 14th day, we could only provide general protection advice, and the network was still down. Three months later, they were reinfected and had to restart.”
Noble says this is why ASD needs the powers granted by the legislation currently under consideration, the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
“This law, in fact, only gives us more leverage through Home Affairs to expect these critical infrastructure providers to actually have better cybersecurity standards in the first place,” she said.
“From my point of view, the best part of this law is that when they take care of themselves, my people don’t have to do that work for them, and if their defences are much higher, they keep out low-level crime, so it may be possible to focus on much more sophisticated and highly organised criminal organisations and state actors.”
Unregulated libertarian cyberplanes endanger the Commons
Pezzullo says Parliament has an obligation to “think about cyberspace regulation as much as we think about other commons regulations.”
“Of course, every time one of the planes goes down, we work with investigators to examine all the bodies and the debris and parts, and assist in safety investigations,” he said.
He said that not only were lessons learned from each crash, but the movement of aircraft through the sky was also regulated.
“The development of the Internet was organic, driven by a somewhat unusual combination of libertarian impulses on the one hand and profit-driven motives on the other,” Pezzullo said.
“Every time you connect, you are not flying safely in the airspace. We do not tolerate our airspace not being governed or regulated by the country.”
Noble touted the benefits of working with ASD.
“Our people at ASD engage in hand-to-hand combat with criminals and state-based actors every day. [They have] not only the unique intelligence we can collect, but also the benefit of top-secret intelligence from around the world, [and] a 75-year investment in the technical ability to analyse and unpack it, with an incredible attitude and ability to understand what is happening on the Australian internet through our cyber defences.”
Why do companies refuse help? Apart from possible philosophical objections, Noble offered several theories.
First, there is what she called “the arrogance of ICT professionals.” The organisation wants to believe it has the technical skills, so no help is needed.
“We understand that people feel that way, usually before they really fully understand what they’re dealing with,” Noble said.
Second, the scenario in which Noble believes a lawyer gets brought into the room is when the organisation does not have an incident response plan. They don’t know how to manage public communications, supplier and customer relationships, potential brand damage, and other commercial interests.
Third, there are liability issues, from directors’ duties and negligence to acting on ASD’s advice having a negative impact on the company.
As PJCIS chair James Paterson pointed out, some submitters to the inquiry said that the protection from liability provided by the bill may not be sufficient.
Pezzullo said the review of this critical infrastructure law should not be seen as a stand-alone action. “There is work being done as part of the 2020 cybersecurity strategy. This is the Corporations Act, the duties of directors, [and] better regulatory practices in this area.”
“Actuarial cost and risk pricing, reinsurance pool depth, case law, etc. are not particularly well-formed to ensure fairness to management working on this,” Pezzullo said.
“We’re really in the early stages of flight. The enemy just learned how to fly and got a better plane than most companies at the moment.”
Confuse the Caribbean Cyber Pirates
Pezzullo said the government needed to keep pressing on a wide range of questions about dealing with malicious actors online.
Police and intelligence agencies, sometimes with the help of military cyber forces, are going after these attackers in their “safe havens,” but some are out of reach.
“Unfortunately, some states either turn a blind eye or actively enable and sponsor their activities. Unfortunately, state protection makes these malicious actors bold,” he said.
One model for tackling this challenge might be the global counter-terrorism model introduced after 9/11 to address al-Qaeda, but Pezzullo suggested something quite different.
“Another model worth considering by the Committee when considering this bill and writing its report is the campaigns that took place in the 17th, 18th, and early 19th centuries against the lawless seas of pirates around the world, including the Caribbean pirates, who were defeated by His Majesty’s Royal Navy warships working in cooperation to bring them in.”
“This is a problem we can address, just as the UK overcame piracy, but we need the tools to do so, including the legal authority we need.”
A nationally renowned Australian company brought in lawyers to resist the help of ASD