The Weekly Cybers #7
An easy ride for Digital ID bills, ASIO warns of cyber sabotage, cybersecurity advice, a new podcast about disinformation, and more.
Welcome
I’m leading with the Australian government’s Digital ID bills this week because they will create the framework for the security of Australia’s online interactions in so many contexts.
Those of you with a technical bent will perhaps be confused that they don’t really talk about technology. Rather they’re about setting up the legal and governance framework.
The technical standards will come later, once the oversight bodies are in place.
Importantly, they don’t create a new “digital identity” but instead create a system through which existing credentials such as driver licenses or Medicare numbers can be verified without creating a new honeypot of data.
This week we also have ASIO’s warning about cyber sabotage, some cybersecurity advice, and a new podcast about political disinformation.
Read on... and if you find this newsletter useful, please forward this email to a friend.
Committee gives Digital ID bills an easy ride, so let’s see what happens in the Senate
We have the final report from the inquiry into the Digital ID Bill 2023 and the Digital ID (Transitional and Consequential Provisions) Bill 2023.
This legislation will create the Australian Government Digital Identity System (AGDIS), which is supposedly going to be ready by 1 July.
While the main report simply recommends passing the laws, there are several dissenting reports that raise important issues.
As you might expect, the Coalition Senators’ Dissenting Report calls for involvement of the private sector in the AGDIS from the start, rather than a government-first approach.
It also recommends that the bills “only be considered once the reforms of the Privacy Act are introduced to the Parliament, to ensure that privacy, data protections and compliance requirements are consistent and coordinated across various related legislation”.
And it asks for amendments to include “further guarantees for consumers and businesses to ensure the AGDIS is fully voluntary”.
This one is important. It’s all well and good to say you don’t have to have a digital ID, but you shouldn’t then make it all but impossible to access government services without one.
Services Australia’s systems are already structured so that people are discouraged from receiving legitimate entitlements. We shouldn’t make things worse.
The Greens Senators' Dissenting Report highlights some of the commentary which seems to have been forgotten, including the messaging in relation to access by law enforcement.
The Department, and many stakeholders, correctly identify that the scheme does not create a “honeypot” of data. Rather the Bill seeks to create what is essentially a linking service. This will allow data that is already contained in state and territory databases (such as drivers’ licences) and federal databases (such as the ATO) to be accessed under strict controls to determine a person’s identity. It does not create a new data set or any federal data “honeypot”.
Getting this message out is significantly undermined by a model which says law enforcement can, and should, have access to the scheme. Put simply, if law enforcement wants access to any of the data that is linked through the proposed new Digital ID scheme, they can already access this information by court issued warrants addressed to the existing data sets. Permitting law enforcement access to the Digital ID scheme creates the impression that there is a large and useful data set that police and security agencies will want to access. This is not true, and retaining this in the Bill will inevitably erode public confidence in the scheme. It is bad messaging and bad policy.
It’s not just about law enforcement, of course. It’s important to understand that the government isn’t creating a “digital identity” but a system for exchanging and verifying a “digital ID”.
My client Steve Wilson explains why this subtle shift in terminology is important.
Digital ID is concrete, specific and familiar. But “digital identity” is abstract and open-ended. It means different things to different people. Invariably, digital identity is interpreted as a new universal means of proving who we are. But there is no such thing.
So instead of imposing new identification standards and novel “digital identity” on Australians, the Digital ID Bill simply creates a governance regime to improve the quality and reliability of existing IDs when converted to digital form.
The Greens also highlight the risk of algorithmic bias.
Concerns about biometrics and bias are also very real and should be addressed before the bill is made law... The primacy of biometric technology needs to be questioned before it is adopted wholesale into the digital identity system. Further, specific studies must be commissioned before its adoption into the digital identity system to interrogate bias, accuracy, and the impact on vulnerable categories of people.
They also repeat the concerns about the “voluntary” nature of the AGDIS, and call for “a meaningful and accessible redress and penalty scheme” for data breaches and for when things go wrong more generally.
The One Nation Senators' Dissenting Report, by which we mean Senator Malcolm Roberts and the voices in his head, repeats the concerns about the Privacy Act and adds the Treasury Laws Amendment (Consumer Data Right) Bill 2022 to the wishlist before the digital ID laws are passed.
Among Roberts’s other recommendations is: “The design of a digital ID must allow for offline use,” which raises some fascinating technical questions.
Australia Post does have a role to play in providing physical identification services, especially as their staff become familiar with regular customers on a personal basis over time, facilitating identification.
Recommendation 6: The provision for alternative identification should include explicitly providing for Australia Post to provide physical identification services through Australia Post outlets, with suitable cost recovery from the accredited service, not the individual.
Putting that aside, it worries me that despite the long list of public submissions, some 395 published at the time of writing, the main report doesn’t recommend any amendments to the tabled legislation whatsoever.
Once again the government seems to see a public consultation as a necessary piece of theatre, but not one which informs any refinements of the legislation.
Perhaps I’ll be proved wrong. When the bills return to the Senate for their third reading, they will doubtless be accompanied by a set of government amendments — and then the real horse-trading starts.
That debate will probably take place in the two sitting weeks later this month, because the laws would need to be in place so that funding can be allocated in the Budget, and that’s on Tuesday 7 May.
ASIO warns of “highly sophisticated” planning for cyber sabotage
ASIO chief Mike Burgess delivered his Director-General's Annual Threat Assessment 2024 this week. While the political news outlets have been salivating over his claim that an Australian MP was working for foreign spies, there are also some things to interest us here.
The big one is that “one nation state [is] conducting multiple attempts to scan critical infrastructure”.
The reconnaissance is highly sophisticated, using top-notch tradecraft to map networks, test for vulnerabilities, knock on digital doors and check the digital locks.
We assess this government is not actively planning sabotage, but is trying to gain persistent undetected access that could allow it to conduct sabotage in the future.
To explain how serious this might be, Burgess recalled last year’s Optus network outage.
The cascading effects were more significant and widespread than most people would have expected. There were social impacts when families could not communicate, medical impacts when the sick could not call triple-0, financial impacts when businesses could not process transactions and transport impacts when a vehicle charging system went down. Services that people take for granted proved uncomfortably fragile.
That’s one phone network not working for one day. Imagine the implications if a nation state took down all the networks? Or turned off the power during a heatwave? I assure you, these are not hypotheticals — foreign governments have crack cyber teams investigating these possibilities right now, although they are only likely to materialise during a conflict or near conflict.
The last 18 months have also seen an “uptick” in nationalist and racist violent extremists advocating sabotage in private conversations, Burgess said, which of course means that ASIO is across those conversations.
It’s particularly pronounced among “accelerationists” — extremists who want to trigger a so-called “race war”.
We have seen them endorsing attacks on power networks, electrical substations and railway networks.
While it is largely big talk, ASIO remains concerned about a lone actor moving from talk to action without warning.
As usual, the full threat assessment is well worth reading.
Some handy cybersecurity advice I’d missed
It’s hard to keep track of everything! I’d missed these three documents first time around.
The Cyber and Infrastructure Security Centre has an Overview of Cyber Security Obligations for Corporate Leaders (PDF).
The Australian Cyber Security Centre (ACSC) has some advice on Engaging with Artificial Intelligence from a cybersecurity perspective.
And the ACSC has also updated its Business Continuity in a Box.
I learned of these via the newsletter of Information Integrity Solutions, a consulting firm founded by Malcolm Crompton, who was Australia’s Privacy Commissioner from 1999 to 2004. Subscribe here.
New podcast on Russian dezinformatsiya in politics
From the producers of the excellent podcast series Motherlode about the early underground hacking scene comes Dark Shining Moment about political disinformation.
Remember the 2016 presidential elections in the US? All that stuff and more.
Executive producer Greg Muller tells me:
[It’s] all about Russian dezinformatsiya, also “Soviet Gardening” (when you cut the flowers and water the weeds). We start (and finish) with two workers in the St Petersburg Troll Farm. Also Wikileaks used to launder disinformation, bots, far right and far left groups infiltrated etc etc.
Yep, Russians invented the word “disinformation”.
I’ve linked to the trailer on YouTube but you should be able to find it in your podcast app of choice.
Also in the news
Australia’s new national cyber security coordinator is Lieutenant General Michelle McGuinness. Her most recent gig was in Washington DC as deputy director for Commonwealth integration in the US Defense Intelligence Agency. According to The Mandarin, “One of McGuinness’ challenges will be persuading major businesses to allow in government cyber defence experts when it’s suspected a crew may be on the move looking for targets to exploit.”
“Facebook owner Meta says it won't renew commercial deals with Australian news media companies worth millions of dollars,” reports ABC News. “In a statement, Facebook said its users were not coming to its platform for news and political content and that it would invest its money elsewhere.”
Tech firms say new Australian standards will make it harder for AI to protect online safety, because of course they do.
Here’s a catchy inquiry name: Inquiry into the failed visa privatisation process and the implementation of other public sector IT procurements and projects. Submissions close 12 April.
Elsewhere
Former crypto director Liang “Allan” Guo has been banned from leaving Australia after Blockchain Global collapsed owing $58 million. “He has been deemed a flight risk and ordered to hand over any passports in his possession,” reports the Guardian.
“The United States is opening an investigation into whether Chinese vehicle imports pose national security risks and could impose restrictions due to concerns about ‘connected’ car technology,” reports iTnews.
Please support my current crowdfunding campaign
My podcast The 9pm Edict and this newsletter are audience-supported. If you have a moment, it’d be great if you clicked through to The 9pm Autumn Series 2024, read the blurb, and maybe even pledged your support.
At the time of writing we’re 30% of the way to Target One, including some off-platform contributions.
You have until Thursday 7 March at 9pm AEDT, which is six days away — but why not do it now before you forget?
What’s next?
Parliament will return on Monday 18 March for two weeks of sittings.
Meanwhile, it’s a big week for public hearings. We can look forward to:
On Tuesday 5 March, the Communications Legislation Amendment (Prominence and Anti-siphoning) Bill 2023 [Provisions] inquiry, although it’s not listed on that page yet. That’s the one about Smart TV menus and broadcast TV sookage more generally.
On the same day, the inquiry into the Murdoch Media Inquiry Bill 2023, although again it isn’t listed on the inquiry’s home page.
On Wednesday, the inquiry into the use of generative artificial intelligence in the Australian education system.
And on Thursday, the inquiry into the Copyright Legislation Amendment (Fair Pay for Radio Play) Bill 2023.
Meanwhile, the report from the Senate’s inquiry into the Optus network outage has been granted an extension until 9 May. Please put your schadenfreude on hold.
And that's it for this week.
Any questions or comments? Just reply to this email. Cheers.
The Weekly Cybers is a personal look at what the Australian government has been saying and doing in the digital and cyber realms, on various adjacent topics, and whatever else interests me, Stilgherrian, published every Friday afternoon (nearly).
If I’ve missed anything, or if there’s any specific items you’d like me to follow, please let me know.
If you find this newsletter useful, please consider throwing a tip into the tip jar.
This is not specifically a cyber *security* newsletter. For that I recommend Risky Biz News and Cyber Daily, among others.