Can govts ever discuss cybersecurity without going over the top?

It was always a safe bet to suggest, as Crikey did last week, that the tide of stupid would keep rising when it came to self-interested reports. As if pre-arranged, US security software giant McAfee stepped forward a few days later with an “online safety survey” to show how terrified Americans were about cybersecurity, including that “90% of Americans do not feel completely safe” online and 25% had been exposed to a data breach. Cue inevitable dramatic headlines.

An actual look at the survey revealed some things that didn’t quite fit — that “90%” figure was based on a scale of 1 to 5, with 8% of Americans saying they felt completely safe (5), and another 33% saying they were relatively sanguine about it (4). Only 8% of Americans said they felt “completely unsafe”. And the “25%” figure was based on the question “have you been notified by any businesses, online service providers or an organization” about a data breach, which raised the amusing possibility that the survey result would be including fake security breach notifications that deliver malware and phishing attacks.

Still, no surprises with any of this. The survey was launched by McAfee in league with a US government-sponsored cybersecurity initiative. Capitalism and government working hand-in-hand to sell more stuff and heighten hysteria. Same old. But it seemed to coincide with a torrent of stupid from elsewhere. In a bizarre US military document acquired by Wired.com this week, the Asymmetric Warfare Group advises “military leaders” that “social networks” and “youth”, among many, many other traits that characterise most of humanity, are “risk factors for radicalisation”.

Then two days ago, the United States’s top cyber defence official boldly claimed that hackers were now moving “from exploitation to disruption to destruction” and that power grids and stockmarkets could be shut down. General Alexander’s solution was information-sharing arrangements between the private sector and government. Alexander had loudly complained in August when a bill to mandate sharing of information relevant to cybersecurity threats was defeated in Congress thanks to an unusual coalition of big business lobbyists and privacy and net freedom advocates.

One of the sponsors of the bill endorsed Alexander’s remarks by issuing the now inevitable warning of a “cyber 9/11”. As Crikey and many others have previously explained, there’s little evidence that large-scale destructive attacks can be achieved by hacking in the way “cyberhawks” maintain. But this is a species on the rise: back in August, Dubya-era NSA and CIA head Michael Hayden repeated his call for a “digital Blackwater”, an unaccountable private cyber army to prosecute America’s interests online.

Here in Oz, of course, we have our very own cyberwar skirmishes going on not online, but in the real world, or “meatspace” as the trolloscenti call it, as a Parliamentary committee doggedly works its way through 44 rather vague proposals for extensions of surveillance and intelligence-gathering laws.

Every once in a while, the committee gives away a signal as to its thinking. Last Thursday, chairman Anthony Byrne asked Telstra’s representatives to comment on why it was that, in addition to police forces, organisations like the RSPCA, the Victorian Taxi Directorate, the NSW Office of Environment and Heritage and Commonwealth departments like Health were able to demand that telecommunications companies hand over user information.

That’s the law, a Telstra representative explained: “[I]f an agency is able to verify that it undertakes investigation of a criminal offence, protects the public revenue or has the ability to impose a pecuniary penalty — one or all three of those — then they have the right to request that information lawfully from the telcos.”

It was a brief but illuminating spotlight on the vast array of entities that can already obtain information about what we’ve been doing online and on a phone.

That was the day after the Australian Securities and Investments Commission had appeared before the committee and demanded the retention of all internet and telephone information, including content records. In another context, Byrne referred the following day to “ambit claims” being made by agencies.

At least some people in government can discuss these issues without succumbing to cyber hysteria.