The Weekly Cybers #32
Australia and New Zealand agree that a cyber attack could trigger the ANZUS Treaty, the government blows $340 million on the abandoned GovERP project, and much more.
Welcome
After the big fat Trust Exchange story last week, things are back to normal. And by normal, I mean discovering that the government blew $340 million on a failed IT project and hardly any of it is usable.
Australia has joined New Zealand in deciding that a cyber attack could count as an armed conflict, triggering the ANZUS Treaty.
And as usual there’s eleventy plenty stories ranging from the regulation of social media to a transformation plan at Home Affairs, plus the usual smattering of AI news.
Cyber attacks could trigger ANZUS Treaty
The prime ministers of Australia and New Zealand have agreed that a cyber attack on either of their nations could constitute an armed attack, potentially triggering a joint response under Article IV of the ANZUS Treaty, the long-standing collective security agreement between the two nations and the US.
In a joint communiqué released last Friday:
Prime Ministers recognised the increasingly important role cyberspace plays in national security and the importance of trans-Tasman cooperation in respect of the threats posed by malicious cyber activity. Prime Ministers affirmed that international law applies in cyberspace. In the event of a cyber-attack that threatened the territorial integrity, political independence or security of either of our nations, Australia and New Zealand would consult together under the ANZUS Treaty to determine appropriate options to address the threat. They also affirmed that a cyber-attack on either nation could constitute an armed attack under Article IV of the ANZUS Treaty. A decision on whether such a cyber-attack would constitute an armed attack would be made on a case-by-case basis through close consultations between Australia and New Zealand.
Prime ministers Anthony Albanese and Christopher Luxon also “expressed concern” at the proliferation of foreign interference, espionage, misinformation and disinformation, and economic coercion, which “pose risks to trust in institutions and social cohesion”.
GovERP project blew $340 million on... nothing
After ten years of work and $340 million spent on building a whole-of-government back office system, almost nothing useful can be salvaged from the abandoned GovERP project.
The language of the expert panel’s assessment is bureaucratically understated, but the message is clear. Take their first key observation, for example:
The shifts in GovERP’s scope, changes in ownership, and limited stakeholder consistency (as evidenced by multiple changes to the entities identified for initial onboarding) have culminated in a program that has not delivered as originally intended. The volatility, and ambiguity in ownership and accountability, has resulted in an under-delivering project. The need for well-functioning ERP capabilities across government has not abated.
Apparently the one thing that is usable is the map of user needs. But rather than building one big system to do everything for everybody, the panel recommends “smaller-scale projects over shorter time limits”.
For the full drama, see the GovERP reuse assessment.
In what may well be related news, the Digital Transformation Agency (DTA) is recruiting a permanent CIO.
FINDING THIS NEWSLETTER USEFUL? It’s currently unfunded, so do please consider throwing in a tip.
Also in the news
- Josh Taylor from the Guardian posts, “I had been chasing the privacy regulator [Office of the Australian Information Commissioner] for a while on how they would ensure Clearview AI wasn’t still using images of Australians in its facial recognition tech. Turns out they're giving up.” Controversially, Clearview AI claims to have scraped 50 billion faces from the internet, and has been caught offering trials to lower-level law enforcement officials, supposedly without their superiors knowing. Anyway, here’s the OAIC’s statement.
- Meanwhile, Australia's long-awaited new privacy legislation has been pushed back to September. InnovationAus* reports that “not all of the 106 recommendations from the Privacy Act Review agreed or agreed in principle by the government are expected to make their way into the final bill”. We’ll definitely take a close look when it eventually appears.
- The Criminal Code Amendment (Deepfake Sexual Material) Bill 2024 was passed, creating criminal penalties for sharing “non-consensual deepfake sexually explicit material”, and an aggravated offence of creating such material.
- Also passed was the Telecommunications Amendment (SMS Sender ID Register) Bill 2024, which will create a register of who is using an alphanumeric sender ID, rather than a phone number, for their text messages.
- Snapchat has rejected the push for social media age limits, saying that any changes to the law should be enforced by companies like Apple and Google.
- “A clumsily crafted bot network posting about the Linda Reynolds and Brittany Higgins defamation trial likely originated from foreign influencers wielding culturally divisive topics to sow discord,” reports ABC News.
- Over at Seriously Risky Business, cybersecurity analyst Tom Uren takes a look at the digital ID Trust Exchange (TEx) proposal announced by Bill Shorten last week. “We expect that the project will be a short-term failure and long-term success,” he writes.
- The Australian Securities and Investments Commission (ASIC) reckons it took down more than 7,300 phishing and investment scam websites last financial year, with investment trading scams being the most common.
- The CSIRO is partnering with Google to develop tools to automatically detect and fix software vulnerabilities in critical infrastructure systems.
- The Department of Home Affairs has published a one-page transformation agenda (PDF). Their vision? “We build our nation and secure our future by fostering an environment where we can all succeed through a culture of excellence, integrity, openness and collaboration,” and the vague hand-waving doesn’t stop there. There’s more background at The Mandarin, Home Affairs collaboration with central agencies and national intelligence community scrutinised.
- Former Coalition government ministers have spent another $1 million in taxpayer-funded legal expenses for robodebt, with Scott Morrison topping the list with $461,445.
- The Australian Cyber Security Centre (ACSC) and its international counterparts have released another guide, Best Practices for Event Logging and Threat Detection.
- Something you might find handy: an updated glossary of abbreviations and acronyms for groups or topics used by the Department of Prime Minister and Cabinet. “IT” stands for Information Technology, apparently, but there are better ones.
- Finally, a piece I missed last week but which is still worth reading, Tom Burton at the AFR on the Trust Exchange (TEx) announced last week: The story behind the click-to-prove revolution ($). “The federal government’s ambitious move to enable an economy wide click-to-prove digital verification system marks a major shift towards giving citizens and consumers power over their own data.”
Data breaches and hacks of note
- Ransomware gang RansomHub has dumped data from its Australian victims, including Hudson Civil Engineering, Kempe Engineering, McDowall Affleck, Pierre Diamonds, and Regent Caravans, according to Cyber Daily. The gang has also been seen using malware to switch off endpoint protection.
Elsewhere
- Medibank’s annual report reveals that the cost of fixing its cybers after their 2022 data breach is expected to reach $126 million by mid-2025, not counting any legal penalties they may face. “We expect by the end of FY25 the vast majority of the work we need to do in that program will be complete, so then looking into FY26 the costs will continue, but the majority of those costs then will be associated with the litigation.”
- “Australians overwhelmingly support regulating social media and censoring harmful content, with six in 10 people polled backing an unproven proposal to ban access to children,” according to ABC/YouGov research. I think they mean access by children.
- A bunch of well-known Australian musicians are part of a campaign demanding the government regulate AI, focusing on its impact on the music industry. It’s based on a report (PDF) from music rights organisation APRA AMCOS which reckons that by 2028 the cumulative impact could be as high as $519 million.
- A training company in Western Australia used an AI chatbot to generate a fictional sexual harassment scenario for “psychosocial workplace training”, except it used a real person’s name and other details from a current court case.
- Over at Pivot to AI — a newsletter well worth subscribing to — there’s the news that Gartner’s AI Hype Cycle says autonomous AI is on the way. The newsletter also notes that “the Hype Cycle has long been known to be trash”.
- China has started testing a national cyber-ID before consultations have even closed. Some 81 apps have already signed up to the “voluntary” program which includes facial recognition and people’s “real” names.
- An interesting essay at The Conversation: “Calls to ban ‘harmful pornography’ are rife. Here’s what teens actually think about porn,” and it’s far more nuanced than the politicians and regulators seem to think. And, I might add, far more intelligent.
Inquiries of note
No new ones relevant to this newsletter, but there’s a lot going on.
What’s next?
Parliament is now on a two-week break until 9 September.
The Weekly Cybers is a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).
If I’ve missed anything, or if there’s any specific items you’d like me to follow, please let me know.
If you find this newsletter useful, please consider throwing a tip into the tip jar.
This is not specifically a cyber security newsletter. For that I recommend Risky Biz News.