AFP Commissioner Andrew Colvin revealed last week that an AFP officer had, in the course of an investigation, accessed the call record metadata of a journalist without a warrant, putting the error down to poor processes within the AFP. While much of the data retained under the scheme can been accessed by Australian law enforcement agencies without a warrant, data on journalists is specifically exempt. The incident comes only two weeks after the controversial legislation came into force, and has added more fuel to the fire for privacy advocates. Guardian Australia journalist Paul Farrell has called the incident a ‘systemic, structural failure of the AFP’s internal policies’, and Electronic Frontiers Australia has renewed its push for a universal warrant requirement for metadata access. While the affected journalist hasn’t been told that their data was inappropriately accessed and no action has been taken against the officer, the Commonwealth Ombudsman will now conduct their own inquiry to the incident. On the same day news broke about the AFP’s bungle, UNESCO released a report Protecting Journalism Sources in the Digital Age, which notes the ‘chilling’ effect of data retention schemes, undermining public access to information, the democratic role of the media and journalistic quality.
Last Thursday marked the 10th anniversary of the 2007 cyber attack on Estonia. The three-week spat, sparked when Estonian authorities moved a Russian war memorial, resulted in a massive and coordinated campaign of cyber operations that severely disrupted the highly-connected Baltic state. In the decade since, Estonia has championed norms of responsible behavior in cyberspace, including the Tallinn Manual, and it hosts NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCoE). To mark the anniversary, CCDCoE hosted NATO’s annual cyber exercise, Exercise Locked Shields, where 25 countries fought to defend themselves from a major cyber attack on military assets. Australia’s foreign minister Julie Bishop observed part of the exercise, and has indicated that Australia may join future iterations.
The 2007 attacks on Estonia have been widely attributed to Russia, and Russians remained a key issue for cyber security across Europe this week. In France evidence has emerged that Russian hacking group APT28 (aka Fuzzy Bear), also responsible for hacking the DNC last year, have been targeting centrist candidate and current frontrunner Emmanuel Macron’s campaign team since January, trying to steal email credentials. It’s also been revealed that GCHQ has been placed at a higher state of readiness to respond to cyber threats to the forthcoming general election, forming surge teams to respond to potential cyber incidents affecting the election.
Denmark’s Centre for Cyber Security has released a report into hacking incidents that targeted the Danish defence and foreign ministries in 2015 and 2016. While the report doesn’t attribute the activities to a country, it does brand APT28 as the likely culprit. The Danish defence minister later told a national newspaper that Russia was behind the incident. And the International Olympic Committee has announced a new Digital and Technology Commission charged with strengthening the organisations cyber security. The new commission comes several months after the World Anti-Doping Agency claimed it was hacked by APT28.
While the weekend marked President Trump’s first 100 days in office, concerns remain about the role of fake news in the 2016 US election. Facebook has released a report into information operations conducted through the social network to spread misinformation, noting that they will increase their monitoring of suspicious activity in order to reduce the spread of fake news.
Also in the US, CSIS hosted a panel last week on the effects of significant cyber security breaches in the US. The panelists, including former Cyber Czar Michael Daniel and CrowdStrike’s Dmitri Alperovitch, discussed the apparent futility of existing defences, the link between foreign policy and cyber security, and the need to be more forthcoming when attributing cyber incidents.
And in brief news this week, South Australia has followed NSW’s lead by appointing its first state government Chief Information Security Officer. David Goodman, currently the SA government’s cyber risk director has been appointed to develop and deliver a new government cyber security strategy. British police have charged a man who allegedly provided information to Islamic State on the use of encryption and ToR to hide their activities, including producing instructional videos. And Rwanda has passed a law to establish a National Cyber Security Authority—hats off to them!