Australia's spy boss: Authoritarian nations can commit 'high-impact sabotage'

The head of Australia’s Security Intelligence Organisation (ASIO) has warned that authoritarian regimes “are growing more willing to disrupt or destroy critical infrastructure”, using cyber-sabotage.

In a speech delivered today, Director-General of Security Mike Burgess referred to recent telecoms outages in Australia, one of which is thought to have contributed to three deaths.

“That’s one phone network not working for less than one day,” he said. “Imagine the implications if a nation state took down all the networks? Or turned off the power during a heatwave? Or polluted our drinking water? Or crippled our financial system?”

Burgess said those scenarios “are not hypotheticals,” adding “foreign governments have elite teams investigating these possibilities right now.” Some of those governments, he said, have previously had an intent “to commit espionage and foreign interference – to steal and meddle.”

He warned some are now “more likely to pull the trigger on the higher-harm activities.”

“We expect sabotage, particularly cyber-enabled sabotage, to pose an increasing threat in the next five years – both in terms of adversary capability and adversary intent,” Burgess said, adding that “advances in technology – including artificial intelligence – and a proliferation of capabilities for sale or hire online are making it easier for regimes to obtain the tools and weapons they need to conduct sabotage.”

The intelligence boss said ASIO therefore “expects a complex, challenging and changing security environment will become more dynamic, more diverse, and more degraded.”

“Dynamic, because Australia has never faced so many threats… at scale… at once. Diverse, because threats are intersecting and boundaries are blurring. Foreign spies are increasingly using criminal cut-outs to do their dirty work.

“And degraded, because of the depths authoritarian regimes are more willing to go to. They are behaving more aggressively, more recklessly, more dangerously. More willing to engage in what we call ‘high harm’ activities.”

Burgess mentioned the Salt Typhoon and Volt Typhoon hacking groups to illustrate his points.

“I know many people are confounded by the silly nicknames – so let me decode these further,” he said. “These groups are hackers working for Chinese Government intelligence and their military.”

The ASIO boss said Salt Typhoon’s intent was espionage, and that the group “have been probing our telecommunication networks here in Australia too.”

“In contrast, Volt Typhoon’s intent was disruptive.

“The hackers compromised American critical infrastructure networks to pre-position for potential sabotage. The penetrations gave China the ability to turn off telecommunications and other critical infrastructure.”

Burgess said ASIO has “seen Chinese hackers probing our critical infrastructure as well. And once access is gained – the network is penetrated – what happens next is a matter of intent not capability.”

“I do not think we – and I mean all of us – truly appreciate how disruptive, how devastating, this could be,” he said.

Business is botching it

Burgess delivered his remarks at the annual conference staged by Australia’s Securities and Investments Commission, the nation’s financial regulator, and therefore discussed how organisations should act given the heightened threats.

“As a rule, an effective defence against potential espionage and sabotage shares a lot of DNA with an effective defence against other foreseeable corporate challenges – like criminal theft, fraud, workplace accidents and equipment failures,” he said, before asking two questions.

“So why are boards and leadership teams surprised when they are faced with an outage or compromise? And why do they struggle?”

Burgess suggested a combination of complacency and poor governance is to blame.

“Almost every security incident involves a known problem with a known fix and/or a manager who is shocked but not surprised,” he told the event.

“If these threats are foreseeable, and our vulnerabilities are knowable, what are we doing to manage this risk – both at the operational and governance level?” he added, before advising “Boards need to be curious and discerning about the information provided to them. You can’t PowerPoint your way out of this risk. Don’t let management do that to you.”

He recommended leaders develop an understanding of the data, systems, services and people that are particularly important to an organization and its customers, plus their at-risk data, systems, services and people.

“Where are things stored? Who has access? How well are they protected?” he asked. “Once you understand all that, manage the risk in a coherent and connected way. Look across your whole enterprise, recognising that good security is a connected web, not silos of excellence with chasms in between.”

Burgess said those efforts are not optional.

“I cannot be clearer, if the risks are foreseeable and the vulnerabilities are knowable, there is no excuse for not taking all reasonable steps,” he said. “Complexity is not an excuse; it must be dealt with.” ®
