The Weekly Cybers #59
Ransomware payment reporting is now mandatory, concerns over election misinformation and corporate “cyberwashing”, and why the 1980s D&D panic informs social media policy.
Apologies for this week’s edition being a little late. Our bulk mailing platform Buttondown was, to use the technical term, having a bit of a sook.
The Weekly Cybers #59 | 14 March 2025
Welcome
The federal election is mere weeks away, and people are starting to worry about disinformation and election security.
Home Affairs has published new mandatory rules for cybersecurity and the protection of critical infrastructure — which aligns nicely with emerging concerns about “cyberwashing”, when companies spout lovely cyber-related words but provide little detail about their “state-of-the-art cybersecurity”.
And there’s a lovely story about how a US judge didn’t become a Satanist even though he played Dungeons & Dragons.
Ransomware payment reporting now mandatory
The Department of Home Affairs has published the new Cyber Security Rules 2025 and Security of Critical Infrastructure Rules, which are now law.
The former includes cybersecurity standards for smart devices, reporting rules for ransomware payments, and the operational rules for the new Cyber Incident Review Board.
Businesses with a turnover of more than $3 million a year, or which are responsible for a critical infrastructure asset under Part 2B of the Security of Critical Infrastructure Act 2018, must now report all ransomware payments, along with details of the ransomware demand itself and the impact on customers and the business entity’s infrastructure.
The catchy document Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 sets out requirements for those risk management programs, including personnel and background checks, physical security, and other compliance matters.
All the cyber threats to the federal election
With Australia’s federal election due by 17 May, all manner of news stories are reflecting the worries about security and election disinformation. Here are just a few of this week’s.
The Australian Electoral Commission (AEC) is now on TikTok. Fergus Ryan from the Australian Strategic Policy Institute (ASPI) argues that TikTok’s real threat isn’t that it might steal our data but that there’s a “deeper risk of algorithmic manipulation and covert political interference”.
The AEC being on the platform “legitimises a social media ecosystem that is ultimately subject to the influence of an authoritarian government,” he writes.
Meanwhile the AEC is planning to use Starlink as a backup for transmitting election results back to head office.
I’m sure there will be some fuss about “critical infrastructure” and “sensitive information”. But just as with using any other piece of the internet, it’s just one of several backup options, the data is encrypted in transit, and it really doesn’t matter if the data is delayed a day or two anyway.
Staying with Elon Musk for a moment, the crew at Risky Business News argues that just like TikTok, X is now a foreign influence threat, at least outside the US. Within the US it’s a domestic influence threat, of course.
Meanwhile, CSIRO research has revealed “major vulnerabilities” in deepfake detectors, and I reckon we’ll see plenty of such material in the coming weeks.
“Cyberwashing” is a growing problem: report
Cyberwashing is when organisations exaggerate or misrepresent their cybersecurity credentials to appear more secure than they actually are, and according to a new report from Monash University it’s a growing problem.
“Over the past few years, we have seen several high-profile data breaches in Australia, including those affecting Optus, Medibank, and Latitude Financial Services. In each case, these organisations faced significant criticism and legal action after suffering data breaches despite claiming to have robust cybersecurity practices in place,” said Professor Nigel Phair, lead author of Cyberwashing: The disconnect between cyber security claims and real practices (PDF).
He’s talking about things like “state-of-the-art security”, a phrase which is meaningless without giving details of the processes that back it up.
The report includes a five-point plan for mitigating cyberwashing in your organisation.
IF YOU’VE FOUND THIS NEWSLETTER HELPFUL, PLEASE SUPPORT IT: The Weekly Cybers is currently unfunded. It’d be lovely if you threw a few dollars into the tip jar at stilgherrian.com/tip.
Also in the news
From National Indigenous Times, Adobe has been slammed for using AI-generated images of Indigenous people and artworks. There’s further commentary at The Conversation.
News Corp has introduced its own AI model, NewsGPT. As Crikey reports, the internal memo says NewsGPT would be “supporting the creative process” and “streamlining daily tasks”. Amusingly, there’s another AI-powered NewsGPT, completely unrelated, whose tagline is “The Unhuman Truth”.
The National Library of Australia (NLA) is throttling access to its archives, blocking legitimate researchers from downloading entire documents. Apparently it’s about stopping bots from trawling the archives to feed their generative AI models, but it does seem to be getting in the way.
CSIRO has a new report on digital health in aged care. “The report notes that despite the aged care and health care sectors having similar data requirements, data exchange between them is limited by the lack of system interoperability.”
The Digital Transformation Agency (DTA) has released this year’s Major Digital Projects Report. As InnovationAus reports ($), nine major projects are off track and will require significant changes if they are to meet their targets.
The Australian Public Service faces a skills shortage as older tech workers are due to retire just as systems will need rebuilding. Maybe it’s a good time to learn COBOL?
Elsewhere
An American judge is pushing back against the moral panic about kids and social media by pointing to a previous moral panic about Dungeons & Dragons, the role-playing game. He played D&D and he didn’t become a Satanist, and comic books didn’t destroy society, and what’s so magical about turning 16 years old anyway?
Inquiries of note
Nothing new for us this week.
What’s next?
Parliament is currently on a break. Both houses return for three days of sittings on Tuesday 25 March, which will be Budget Night. Then the House of Representatives only returns for two weeks starting Monday 7 April, unless the election is called.
The current theory is that the election will be called soon after the Budget is delivered, and the election itself will be held on one of the first three Saturdays in May.
DOES SOMETHING IN THE EMAIL LOOK WRONG? If there’s ever a factual error, editing mistake, or confusing typo, it’ll be corrected in the web archives.
The Weekly Cybers is a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).
If I’ve missed anything, or if there are any specific items you’d like me to follow, please let me know.
This is not specifically a cyber security newsletter. For that I recommend Risky Biz News and Cyber Daily, among others.