Two enormous cyberattacks convince Australia to ‘hack the hackers’


Welcome to The Cybersecurity 202! I’m with these guys. “The Gang Cracks the Liberty Bell” is one of the best episodes.

Below: Industry weighs in on proposed rules for how critical infrastructure organizations should report hacks to the government, and state attorneys general reach a settlement with Google over location tracking. First:  

Australia has had enough. But going on offense against cyberspace tormentors has some downsides.

Australia’s Cybersecurity Minister Clare O’Neil vowed this weekend to “hack the hackers” after two monumental, back-to-back cyberattacks against Australian telecommunications giant Optus and insurance titan Medibank affected swaths of people.

The fallout has included the public exposure of sensitive health data and the theft of information about millions of customers. 

The stretch of high-profile hacks is comparable to what the United States experienced from late 2020 to mid-2021, when Russian hackers infiltrated federal agencies and tech companies after breaching IT firm SolarWinds, and when the Colonial Pipeline ransomware attack triggered a fuel panic on the East Coast. The combination of those hacks, among others, prompted more drastic action from the U.S. government, both in the Biden administration and Congress, Glenn Gerstell, former general counsel of the National Security Agency, told me.

“In some ways, this is a repeat of the kind of shock that the United States went through,” said Gerstell, now a senior adviser at the Center for Strategic and International Studies think tank. “I think it also reflects maybe a bit of frustration with traditional tools, law enforcement tools and even diplomatic tools, that are going to be limited — because most of these hackers are located offshore, probably in Russia — against attacks that are nation-state-condoned, or state-tolerated at best.”

But going on the offensive and trying to strike back in cyberspace against one’s attackers has its own risks, with rewards that might not prove lasting.

On the plus side of offensive action, the U.S. has proven capable at times of clawing back stolen cryptocurrency, for instance, and has successfully targeted the servers of a ransomware gang, as my colleague Ellen Nakashima reported last year.

“You’re going to make a statement, obviously, if it takes some infrastructure down,” Tim Kosiba, the former chief of the NSA special liaison office in Canberra, Australia, and now CEO of cyber firm Redacted’s Bracket f subsidiary, told me. And it might send more of a message than filing charges against hackers unlikely to ever see the inside of a courtroom, he said.

  • “That sort of gives away your ability to track down and attest where the attack came from,” Kosiba said.
  • It requires complete confidence about who’s responsible for the attack to make sure an innocent target isn’t victimized, he said. And it can potentially cause trouble for allies, given the distributed global nature of the internet and the need to sometimes route attacks through the infrastructure of other nations.
  • The known, reported cases of U.S. hacking operations against cyber adversaries include operations like the 2018 disruption of the Russian troll farm the Internet Research Agency, which doesn’t seem to have done permanent harm. “I don’t see that as anything that amounted to much more than a momentary annoyance, in the grand scheme of things,” Gavin Wilde, who has served at the National Security Council and NSA and is now a senior fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace, told me.

Notably, the ransomware gang that Australia reportedly believes is responsible for the Medibank hack is REvil, the target of the operation that Ellen reported on last year. At the time, a pair of operations by U.S. Cyber Command and a foreign government at least temporarily “left its leaders too frightened of identification and arrest to stay in business, according to several U.S. officials familiar with the matter,” Ellen reported. Ransomware gangs in general have shown the ability to rapidly regenerate.

The first hacking operation the U.S. government ever acknowledged came against the Islamic State terrorist group in 2016. NSA and Cyber Command Chief Gen. Paul Nakasone, reflecting on the operation in 2019, said that while the group may have still been online, it had to change its operations and was no longer as strong in cyberspace as before.

  • “We were seeing an adversary that was able to leverage cyber to raise a tremendous amount of money to proselytize,” he told NPR. “We were seeing a series of videos and posts and media products that were high-end. We haven’t seen that recently. … As ISIS shows their head or shows that ability to act, we’re going to be right there.”

That still means even U.S. Cyber Command is in its “relative infancy as far as offensively capable units,” Wilde said, and any nation should be “pretty circumspect” about sending the signal that retaliatory attacks are capable of being effective against cybercriminals. (Attacks on fellow nation states might be a different story.)

Australia’s experiences

With a population of just under 26 million people, Australia is far smaller than the United States (332 million). So the attacks, which affected 9.7 million Medibank customers and 9.8 million Optus customers, had a massive impact on the country, Kosiba said.

“I’m pretty familiar with their capabilities, and they have great capabilities,” he said. Australia has also benefited from working closely with the United States as part of the “Five Eyes” intelligence partnership, he said. And a recent study ranked Australia as No. 5 in cyber power, with the United States at the top of the list.

That said, Australia is going up against the same adversaries in cyberspace that the United States has struggled to contend with, but with a far smaller cyber force, Gerstell said. That means going on offense is “just part of the solution,” he said, and must be paired with law enforcement partnerships and improved defense, something Australia seems to realize.

Both Australia and the United States also appear to recognize that they need to do more, Kosiba said.

“The big question is, are we at the stage where you should impose greater costs to the adversary?” he asked. “Obviously, it sounds like the Australians believe that … there needs to be more cost imposed on these types of ransomware gangs.”

Industry groups weigh in on rules to report hacks to government

The groups weighed in ahead of a Monday deadline to comment on how the Cybersecurity and Infrastructure Security Agency should require critical infrastructure organizations to report hacks to the government. President Biden signed into law legislation outlining those rules in March.

Many industry groups and firms that commented said they didn’t want the rules to overburden themselves or complicate their interactions with other regulators, some of whom have already imposed reporting requirements of their own. 

The U.S. Chamber of Commerce, a major corporate lobby, said the list of covered entities should be “tightly construed” to only cover the most consequential critical infrastructure entities. BlackBerry argued against narrow rule-writing, saying that the company “would encourage CISA to resist calls to overly narrow the law’s application within these critical sectors.” CISA has until 2024 to formally propose its rules.

Google reaches record $392 million settlement with state AGs over location tracking

Connecticut Attorney General William Tong (D) called the 40-state settlement a “historic win for consumers,” the Associated Press’s Dave Collins and Marcy Gordon report. The state investigation of Google came after a 2018 AP story that found that Google still tracked users’ locations even after they turned off Google’s “location history” feature.

“The attorneys general said Google misled users about its location tracking practices since at least 2014, violating state consumer protection laws,” Collins and Gordon write. “As part of the settlement, Google also agreed to make those practices more transparent to users. That includes showing them more information when they turn location account settings on and off and keeping a webpage that gives users information about the data Google collects.”

Google says it had updated the policies at the center of the case. “Consistent with improvements we’ve made in recent years, we have settled this investigation, which was based on outdated product policies that we changed years ago,” company spokesperson Jose Castaneda said, per the AP.

Italy bans many uses of facial recognition technology, allows use in criminal investigations

The ban by the country’s privacy watchdog comes as two municipalities said they would begin using the technology, Reuters’s Elvira Pollina and Federico Maccioni report. The technology will still be allowed when the technologies “play a role in judicial investigations or the fight against crime,” they write.

“Under European Union and Italian law, the processing of personal data by public bodies using video devices is generally allowed on public interest grounds and when linked to the activity of public authorities,” they write, citing the privacy watchdog. The technology is controversial in regions including Europe, where lawmakers have been working on legislation to ban sweeping, real-time use of the technology.

Medibank faces new headaches as it finds staff data has also been hacked (Sydney Morning Herald)

Google agrees to $391.5 million privacy settlement with 40 states (CNET)

Facebook $90 million privacy settlement approved over antitrust lawyers’ objection (Reuters)

K-12 cyber maturity improving, but still lags behind other sectors (StateScoop)

Twitter’s SMS two-factor authentication is melting down (WIRED)

A fake tweet sparked panic at Eli Lilly and may have cost Twitter millions (The Washington Post)

Elon Musk keeps taking Twitter advice from right-wing trolls (Rolling Stone)

  • Rep. John Katko (R-N.Y.) and officials from the Cybersecurity and Infrastructure Security Agency, Environmental Protection Agency, Energy Department and FBI speak at the WaterISAC’s H2OSecCon security conference from today through Thursday.
  • DHS Secretary Alejandro Mayorkas, FBI Director Christopher A. Wray and National Counterterrorism Center Director Christine Abizaid testify at a House Homeland Security Committee hearing on worldwide threats today at 9:30 a.m.
  • The Election Assistance Commission holds a public hearing today at 10 a.m.
  • Top U.S. cybersecurity officials speak at the Aspen Institute’s annual Aspen Cyber Summit on Wednesday.
  • The Senate Judiciary Committee holds a hearing on oversight of the Department of Homeland Security on Wednesday at 10 a.m.
  • The Center for Democracy and Technology hosts an event on online harassment and targeted disinformation aimed at women of color candidates in U.S. elections on Wednesday at 11 a.m. 
  • The Senate Homeland Security Committee holds its hearing on worldwide threats on Thursday at 10:15 a.m.
  • Google Cloud chief information security officer Phil Venables and Elliptic founder and chief scientist Tom Robinson speak at a Washington Post Live event on Thursday at 10:30 a.m.
  • Rep. Jim Himes (D-Conn.) discusses spyware at a Center for a New American Security event on Thursday at noon.

Thanks for reading. See you tomorrow.