The Weekly Cybers #64
eSafety’s international fines slammed as “vibes-based virtue signalling”, warnings on election disinformation, US defunds CVE cybersecurity research database, and more.
The Weekly Cybers #64 | 17 April 2025
Welcome
It’s a short work week before Good Friday tomorrow and we’re in an election campaign — have you noticed? — so there’s not much Australian digital policy news this week. But what there is, is big.
The government admits that fines issued by the eSafety Commissioner against overseas companies can’t be enforced, so what even is the point?
There are warnings of election misinformation but few solid examples. And in the US, government cutbacks are an own goal for cybersecurity.
Plus, of course, there’s yet more depressing news about AI.
Are eSafety’s international “fines” a sham?
The news back in February was that the eSafety Commission had hit encrypted chat app Telegram with a $1 million fine for failing to respond to a reporting deadline.
Friend of the newsletter Mark Newton wondered, as many people might wonder, how exactly this was going to work. After all, previous legal actions by eSafety against X, another overseas entity, have foundered, although an appeal is in progress.
Telegram is run by Russian oligarchs out of Dubai — although co-founder Pavel Durov is currently experiencing difficulties in France. Why would they care what Australia says?
Good question. So Mark asked the communications minister.
“Does the Government of Australia genuinely believe that an enterprise run by Russian oligarchs in Dubai is going to bow to the wishes of an Australian petty bureaucrat? This is an entirely pointless waste of time,” he wrote.
We now have the government’s reply, from the department rather than the minister because we’re in pre-election caretaker mode.
“Telegram is not obliged by law to pay the penalty contained in the infringement notice, and failure to pay does not create a debt that the Commissioner can enforce. Rather, payment of the infringement notice would allow Telegram to discharge its liability for the alleged non-compliance with the transparency reporting notice. This is consistent with the way other Australian regulators work. Telegram decided not to pay the infringement notice.”
So Telegram doesn’t have to pay, and didn’t pay.
“As Telegram did not pay the infringement notice, the Commissioner may take other action, including initiating civil penalty proceedings in the Federal Court of Australia for alleged non-compliance with the transparency reporting notice. Enforcement decisions are a matter for the independent regulator.”
The reply noted that there has been an independent statutory review of the Online Safety Act 2021, which “acknowledged that there can be challenges enforcing Australia’s laws extra-territorially and recommended exploring a number of options,” and that Mark might like to write again “after the outcome of the election is known”.
eSafety’s “vibes-based virtue signalling”
For his part, Mark is not surprised. “It’s just vibes-based virtue signalling from [eSafety Commissioner] Julie Inman Grant,” he posted.
“So that’s how eSafety fines work: Big headlines informed by eSafety press releases about record fines, which are never collected, and that’s completely okay. All eSafety needs to do is make shit up, that’s how the Government of Australia keeps everyone safe online.”
Your writer looks forward to Australia’s next government inventing ways to force foreign organisations to pay attention to Australian finger-wagging.
How’s all that election misinformation going?
Your writer had been expecting things to be worse, but that said there’s still some news of election-related digital naughtiness.
- The Liberal Party sent out emails containing an unsubscribe link that actually went to a data harvesting operation.
- From The Conversation, a discussion of whether embracing influencers is smart, risky or both. Monique Ryan, the independent Member for Kooyong, has no opinion on this yet, perhaps because another teal independent, Allegra Spender, has been caught paying for influencer posts without putting an authorisation line on them.
- SBS News warns that certain voters can be disproportionately targeted by misinformation, especially migrant communities. Apparently disinformation is swirling on Chinese social media.
- ASPI’s The Strategist has an explainer on how to spot AI influence in the election campaign.
If you find a particularly brazen bit of election information, you can let me know by replying to this email.
US defunds CVE, the world’s database of software cybersecurity flaws
In a truly brilliant (cough) move, the US government cut funding for MITRE, the organisation which runs the world’s central database of software product security flaws.
CVE, the Common Vulnerabilities and Exposures database, was founded 25 years ago to provide security researchers with a standardised way to refer to the vulnerabilities they find, to rate their severity, and to inform network engineers at large of the things they need to fix.
As Luta Security founder and CEO Katie Moussouris told The Register, “All industries worldwide depend on the CVE program to keep their heads above water when it comes to managing threats, so an abrupt halt like this would be like depriving the cybersecurity industry of oxygen and expecting it to spontaneously sprout gills”.
The latest news is that MITRE has been given an 11-month reprieve, but really, what a clumsy move.
It came as the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) was hit with massive staff cuts as part of the Trump regime’s DOGE cutbacks.
The cutbacks come as former CISA chief Chris Krebs loses his security clearances.
Krebs had been fired by Trump in 2020 after allegations that CISA had “suppressed conservative viewpoints under the guise of combatting purported misinformation, and recruited and coerced major social media platforms to further its partisan mission.”
Now that Krebs has no security clearances, he has resigned from his position as chief intelligence and public policy officer of private cybersecurity firm SentinelOne, vowing to “fight ... for the rule of law”.
Also in the news
- The recent superannuation data breach was worse than we first thought. AAP reports that 10 customers of AustralianSuper had a combined $750,000 transferred out of their accounts.
TIP: Michael West Media has a feed of AAP news stories for the browsing thereof. Worth bookmarking.
- According to research from Cyber Wardens, a government-funded program to assist small businesses with their cybers, small businesses are more worried about cybersecurity than rising electricity prices. “We encourage small business owners and employees to download the research report,” writes Cyber Wardens, who then hide the report behind a regwall.
- Aussie Broadband has a new technology strategy with three years and six pillars.
- The Royal Australian Corps of Signals is 100 years old and to mark that milestone we now have a commemorative coin. Some 50,000 coins will be minted but they won’t be circulated. It’s a collectors’ thing.
IF YOU’VE FOUND THIS NEWSLETTER HELPFUL, PLEASE SUPPORT IT: The Weekly Cybers is currently unfunded. It’d be lovely if you threw a few dollars into the tip jar at stilgherrian.com/tip.
Elsewhere
- Depressing news from 404 Media, “I tested the AI that calls your elderly parents if you can't be bothered”. It’s behind a regwall but worth checking out, if only to hear how truly appalling these calls are.
- A new study finds no evidence that technology causes “digital dementia” in older people.
- And since it’s a long weekend ahead, a change of pace: “Why do AI company logos look like buttholes?”
AND NOW FOR SOMETHING COMPLETELY DIFFERENT: My good friend Snarky Platypus and I have produced the pilot episode of a new podcast, Another Untitled Music Podcast. Look for it under that title in your podcast app of choice. Yes, it’s about music.
Inquiries of note
- Not government, but important. auDA, the organisation which administers Australian internet domain names, has published a consultation paper (PDF) for its strategy 2026–2030. There’s a webinar scheduled for 5 May. Submissions close 16 May.
What’s next?
The Australian government is currently in caretaker mode before the federal election on Saturday 3 May, so there will be policy pitches but few real actions before then.
Next week Friday 25 April is Anzac Day, so the next edition of this newsletter will appear on Thursday afternoon.
DOES SOMETHING IN THE EMAIL LOOK WRONG? If there’s ever a factual error, editing mistake, or confusing typo, it’ll be corrected in the web archives.
The Weekly Cybers is a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).
If I’ve missed anything, or if there are any specific items you’d like me to follow, please let me know.
If you find this newsletter useful, please consider throwing a tip into the tip jar.
This is not specifically a cyber security newsletter. For that I recommend Risky Biz News and Cyber Daily, among others.