News

The attack on the census website highlights concerns over more damaging cyberwarfare, potentially state-sponsored, leading some experts to caution against foreign investment in critical infrastructure. By Mike Seccombe.

Census attacks raise issue of security of foreign investment in infrastructure

Like millions of Australians, Jill Slay found her attempt to fill out her census online on Tuesday night a frustrating experience. Unlike most, however, she immediately guessed the problem when the website was taken down.

“I thought: ‘Oh my goodness, I know what’s happened. There’s been a denial of service attack on their site. How stupid.’

“I was thinking: ‘This is going to have great ramifications for the census. This will be embarrassing for them.’ ”

Right and right again.

But Professor Slay, the director of the Australian Centre for at the University of New South Wales, based at the Australian Defence Force Academy in Canberra, is not to be counted among those who see the Tuesday night attack as evidence of a massive failure by the Australian Bureau of Statistics to guard our personal details.

Sure, it’s a huge political problem for the government and an inconvenience to the Australian citizenry. But compared with other threats to Australia’s security, what happened with the census is not so serious. She accepts the government’s assurances that no data was compromised, and is more concerned by other issues about which the government, the media and the populace appear more sanguine.

The basic details of what happened on Tuesday night are well known by now. Through the day there was a series of apparent attacks on the census site, mostly routed through servers in the United States. Initially, in the morning, the ABS reacted by blocking overseas access and alerted intelligence agencies. Two more attacks were mounted in the afternoon, at 4.58pm and 6.15pm, but blocked by a firewall.

There was another “significant” attack made at 7.30pm. Fifteen minutes after that it was decided the census site should be taken offline. Relevant people in the government were informed, including Prime Minister Malcolm Turnbull.

Early Thursday the government went public with its scant details and lavish reassurances.

The defence department’s intelligence unit, the Australian Signals Directorate, was investigating, Turnbull told a media conference.

“The Australian Signals Directorate are the finest, most professional organisation of their kind anywhere in the world,” he said. “They are extraordinary. They are the experts of the experts.”

And the “unequivocal advice” from the ABS, the Signals Directorate and IBM, which won the $9.6 million contract to host the eCensus in 2014, was that data had not been hacked.

Turnbull emphasised the point: “The site has not been hacked. It has not been interfered with. The data is safe.”

But as to who was behind the attack, no clue.

China responsible?

Such a void encourages speculation: by the punters, by the media, by people Professor Slay dismissively terms “pseudo-technical experts”, and by national security hawks, the most prominent among which is Peter Jennings, executive director of the Australian Strategic Policy Institute.

He immediately pointed the finger of suspicion at China.

“I think we’ve had quite a sophisticated attempt to take down the ABS and maybe also to steal information,” he told the ABC.

“I think this is more than what a handful of angry university students might be able to do.”

China, he noted, had form for data hacking. Last year it stole the records of some 22 million US government employees.

“They have the capacity to do this and the interest to do it,” he said, and recommended against taking “any assurance today that no records have been stolen out of the Bureau of Statistics”.

As to motivation, the Chinese might have been upset by Australia’s disapproval of its expansionism in the South China Sea, or about the outspokenness of Australians at the Olympics in relation to Chinese doping, or to the debate about Chinese investment in Australia.

Jennings, a former senior adviser to the defence minister and later the prime minister in the Howard government, and deputy secretary for strategy within the defence department, is an acknowledged expert in strategic policy.

Denial of Service explained

He is not, however, an expert in the technicalities of cyber attacks. Professor Slay is, and disagrees. She says the evidence suggests nothing particularly sophisticated about this one.

Indeed, there is nothing terribly sophisticated about any denial of service attack. In lay terms, you simply clog up the system.

Slay says what happened with the census site was analogous to a thousand people crowding the door of department store, making it impossible for legitimate customers to get in.

The government’s cybersecurity adviser, Alastair MacGibbon, used another analogy: “It’s equivalent to me parking a truck across your driveway to stop vehicles coming in and out.”

While a denial of service attack can be an indicator of a hacking attack, it is not necessarily so.

“Attacks on websites follow a chain,” Slay says. “Part of that chain can be that you deny service so you can make part of the network not function properly. And once it’s not functioning you as a hacker can get in there and potentially take over.”

To put it in terms of her department store analogy: while the staff are distracted by the melee at the front door, someone else can sneak in the back and rob the place.

Thus, she says, risk management dictated that the bureau should take the site down on Tuesday night. But the circumstances – given the level of disquiet among privacy advocates surrounding the census – suggested the motive was to make a political point rather than to steal data.

“This seems to have been done for the express purpose of embarrassing somebody – either Australia, the Turnbull government or the ABS, or all of them,” she says.

“I doubt that whoever was behind it had any intent to do anything other than crash the system. The alternative – cybercrime, data theft – seems remote to me.

“If it were a real attempt to hack the system it was obviously poorly done. I mean, these people, whoever they were, had several goes before they achieved anything major.”

So, it was most likely done as a protest, by some hacker group, like Anonymous?

Probably not Anonymous, she says. The international hacktivist group, famous for its attacks on government agencies and corporations in the US, Israel and elsewhere, as well as on Daesh and pornographic and racist sites among others, is, she says, “usually much better than this”.

Cyber attack on Ukraine's electricity grid

MacGibbon also plays it down, saying the attack “was no more significant than the types of attacks we would see all the time against Australian government systems. It’s just that there was a confluence of events.”

It is to be hoped the government’s cyber spooks eventually identify the culprit. But the reality is just about anyone who is sufficiently motivated and has a little cash can mount such an attack.

There is software for sale online. A variety of dubious businesses in various countries – notably China and Russia, but also in Eastern Europe and other places – also are only too happy to do the job for you. Some provide 24-hour customer assistance, in a variety of languages. All you have to do is provide the target URL and meet the relatively modest cost of a few hundred dollars.

We have already been told the attack was sourced offshore, and might well have involved China. “But,” says Slay, “we’re not talking the need for a nation state to be involved.”

No doubt this story has some way to run. Already the government is determinedly shifting blame away from itself, to the ABS and IBM. Speaking on commercial radio on Thursday morning, Turnbull said he was “bitterly disappointed” by their lack of preparedness for an “entirely predictable” attack.

In the scheme of things, the Australian census’s problems are relatively small. Elsewhere, cybersecurity issues are much larger and more grave.

Take Ukraine. Two days before Christmas last year someone – possibly the Russian government, possibly non-state cybercriminals, possibly a combination of the two – launched a cyber attack on the Ukrainian electricity grid.

A detailed reconstruction of events published in the authoritative US tech magazine Wired in March began with an anecdote about one controller watching helplessly as the cursor on his computer screen “navigated purposefully toward buttons controlling the circuit breakers at a substation in the region and then clicked on a box to open the breakers and take the substation offline”.

As Wired recounted: “A dialogue window popped up on screen asking to confirm the action, and the operator stared dumbfounded as the cursor glided to the box and clicked to affirm. Somewhere in a region outside the city he knew that thousands of residents had just lost their lights and heaters.”

In total, 230,000 people lost their power. And while the disruption lasted only one to six hours, the hack also rewrote the “firmware” at 16 substations, leaving them useless months later. The power was back on, but workers had to control the breakers manually.

The story is very technical, but the key insight from it is that computerised systems, the so-called Supervisory Control and Data Acquisition (SCADA) networks used to control electricity and other infrastructure networks, are efficient, but also vulnerable.

Morrison blocks Ausgrid sale

Wired concluded there were big lessons to be learnt from the Ukraine incident about security measures and about who gets access to critical infrastructure.

Now, it appears, Treasurer Scott Morrison has learnt them, too. On Thursday afternoon he called a media conference to announce he had ruled two Chinese companies out as potential buyers of the New South Wales electricity distributor Ausgrid.

Ausgrid provides power to 1.6 million consumers. The Baird government is hoping to reap about $10 billion via a 99-year lease of a majority stake. One of the interested Chinese companies is the state-owned State Grid Corporation. The other is Cheung Kong Infrastructure Holdings (CKI), which is registered in Hong Kong and part owned by billionaire Li Ka-shing.

After carefully considering the two bids, Morrison said, his “preliminary view is that the foreign investment proposals put to me for this transaction are contrary to the national interest, in accordance with the required provision on the grounds of national security”.

Morrison said he invited bidders to make submissions to him by the end of next week, so he might make a final decision.

He refused to elaborate on the precise reasoning behind Thursday’s announcement.

Either way, it was a big call.

On one side, Morrison is being pushed by the business community and the pro-privatisation free marketeers who stress the importance of Australia’s economic relationship with China. On the other side are the likes of Jennings and Jill Slay, who shares “100 per cent” Jennings’s concerns.

The chief executive of the Australian Chamber of Commerce and Industry, James Pearson, for one, came out in the media this week calling for “perspective” on the issue.

“Australia and China have economic futures which are inextricably linked and a great deal of the wealth, and therefore the high standard of living that Australians enjoy today is a direct result of our economic relationship with China,” he said.

Pearson also questioned why concern spiked when Chinese investment was concerned. Other countries, particularly the US, had vastly more invested in Australia, he noted.

Foreign investment politicised

Tony Wood, the energy program director at the Grattan Institute, is another who is not much concerned about Chinese ownership.

“A substantial proportion of our network businesses in Australia are already dominated by owners from Singapore, Hong Kong or China,” he points out.

“And they have turned out to be good owners: patient, prepared to look to the long term. I would argue that fundamentally privatisation has been good, and that is true whoever the owners.

“These network businesses are regulated monopolies. The prices are set by an independent regulator, the reliability standards are set by an independent regulator.”

Wood sees a “weird sort of xenophobia” behind some opposition to Chinese investment, and also self-interest on the part of industry workers and others who are simply anti-privatisation.

He acknowledges, though, that the issue of Chinese investment has become “very political” over recent times, and cites a current example from Britain.

A $US2.3 billion deal for a French/Chinese consortium to build a new nuclear power station appeared to be sealed last October. Recently the new British prime minister, Theresa May, announced it was being reviewed.

The concerns seem odd to Wood.

“If I wanted to hack into the system,” he says, “I could think of cheaper ways than by spending billions of dollars buying into the network.”

And if for some reason the Chinese ever decided to crash the system, the Ukrainian example shows they could do it whether they owned it or not.

That’s true to a degree, says Slay. If things became ugly between us and the Chinese “they could potentially develop something to attack our critical infrastructure”.

That could be something such as the Russians used in the Ukraine, or more akin to Stuxnet, the US-Israeli developed worm that was used to disrupt the Iranian nuclear program.

“But that would take a lot of time, energy and money,” she says. “However, if we sell it to them, they can just turn it off.”

It’s much easier to take a system down from the inside. She points to a small, early example of the malicious manipulation of a SCADA system in Australia, although it did not relate to a power grid.

Infrastructure under real threat

Back in March and April 2000, Queensland’s Maroochy Shire experienced a series of baffling failures of its new sewerage system.

Communications sent by radio link to wastewater pumping stations were being lost, pumps were not working properly, and alarms put in place to alert staff to faults were not going off.

Raw sewage found its way into the creek, fish died, the stench for residents was unbearable. Someone was hacking them.

“It actually proved to be a disgruntled insider who had the passwords and was trying get a permanent job. So when he wasn’t at work he would attack the system,” she says. “That was the first attack on Western critical infrastructure.”

Sure it was small, but it has been much studied by cybersecurity experts like Slay. If one hacker could do such damage, it’s not hard to imagine what a state could do.

“I feel very protective of Australian infrastructure,” says Slay, a self-described “technical nerd” who inhabits a “neurotic world” in cybersecurity.

“When we did the deal on the Port of Darwin, selling it to a Chinese government, I worried. I do every time I see government selling bits of critical infrastructure to the Chinese, and whether we were to sell it to the Chinese mainland government or to Cheung Kong, in Hong Kong, we’d have the same potential problem. The fact that we’ve already done a lot of it bothers me a lot.”

China’s State Grid already has substantial holdings in businesses that run critical infrastructure – gas and electricity to millions of consumers in NSW and Victoria. CKI also has large investments.

So why has the issue of the potential sale of Ausgrid provoked national security concerns this time, whereas previous sales did not?

Peter Jennings cites two factors.

“One is the increasing hackability of the grid. Electricity grids around the world are essentially managed by internet-enabled industrial control systems. Five years ago, when the Victorian grid elements were sold, we largely had an infrastructure that was not managed this way.”

The other is the ascension of China’s President Xi Jinping and his nation’s new aggressiveness.

“We’ve seen a switch from peaceful rise through to a more assertive Chinese foreign policy approach,” Jennings says.

“If they’re threatening to shoot our aircraft out of the sky and sink our ships in the South China Sea, should we really be that welcoming of their investment in Australian critical infrastructure?”

Jennings notes that the Chinese government does not permit such foreign investment in its critical infrastructure, for security reasons.

“I think the more assertive Chinese international posture is going to complicate investment not only here but around the world.”

There are tough questions to be answered here. Much tougher than what went wrong with the census. One was answered by Scott Morrison on Thursday.

Here’s another: what about all the critical infrastructure the Chinese already own in Australia?

This article was first published in the print edition of The Saturday Paper on Aug 13, 2016 as "Census violence". Subscribe here.

Mike Seccombe
is The Saturday Paper's national correspondent.