So our GCSB has chimed in, alongside its British, Australian and US allies, with warnings about a “fresh wave” of
Russian cyber attacks, although the warning has been curiously framed:
GCSB director-general Andrew Hampton said in the agency's annual report in November that 122 local incidents, about a
third of the 396 serious incidents recorded by the GCSB's National Cyber Security Centre, had "indicators of connection
to foreign intelligence agencies". He said Russian state-sponsored hackers were behind some of those incidents.
“Fresh” is a curious term. How “fresh” is this fresh wave of Russian activity, given that the only quantification we
have is contained in an annual report released nearly five months ago? “Some” is also an odd term. Did “some” attacks also
originate from China, and “some” from North Korea, and did “some” also come from hackers in Eastern Europe…? Almost
certainly they did. And if so, why single out Russia, and is the ratio of Russian-sourced attacks more prominent than,
say, the Chinese-sourced attacks, and to what extent have the attacks emanating from Russia been on the rise, compared
to those from other countries…etc etc.
Moreover, it is also very hard to tell whether these “fresh” attacks have (a) already been launched, or (b) are about to
be launched. The media reports seem to want to have it both ways. Western governments are under attack and commerce is
being disrupted by attacks Russia has launched, but also hang on, Russia is only “gearing up” to do so. For example:
The United States and Britain today accused Russia of launching [my emphasis] a new wave of internet-based attacks targeting routers, firewalls and other computer networking equipment used by
government agencies, businesses and critical infrastructure operators around the globe.
The U.S. Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and the UK National Cyber
Security Centre (NCSC, which is GCHQ's 'cyber' division) today said that hackers supported by Russia are gearing up for
a series of digital attacks.
Clear as mud. Even if Russia is already, or is only maybe, could be, about to be doing this bad stuff, by how much does
this exceed (if at all) the level of cyber intrusions into foreign countries to which this country has been a party,
alongside our deeply offended British, Australian and US allies?
In other words, we’re all at it. Every developed nation seems to be engaged in cyber attacks and cyber defences, which
is one reason why the US was (famously) able to cripple the Iranian nuclear weapons programme with the Stuxnet worm. No
doubt, some countries do this stuff on an industrial scale. That seems to have been the case during the last US
election, although – if money buys influence – it is also true that the revealed budget of the alleged Russian cyber
farm operations in the US (over the course of the 2016 election) was dwarfed by the advertising budgets of the Clinton and Trump campaigns.
The real problem with our GCSB possibly crying “wolf” with respect to Russia is that it looks opportunistic, coming at a
time of virtual Cold War tensions over the events in Salisbury, and in Syria. If anything, the selective focus on Russia
only obscures the public understanding of the global extent of this sort of online activity.
Commerce, and privacy
For the GCSB, cyber attacks also pose other boundary issues. For decades, the security services have been given an
explicit role (under their legislation) to protect the economic security of this country. This is not a purely reactive
role. There have been reports that the GCSB has been actively engaged in spying on foreign friends and enemies alike, in order to enhance our trade prospects. To the same ‘economic security’ end, New Zealand corporates are now being
urged to modernise their cyber security defences, and there have been indications that the GCSB/SIS can be, should be and are
engaged in helping major NZ firms to shore up their capacity to repel any cyber attacks emanating from foreign
countries.
This engagement with commerce poses some interesting questions for the security services, with regard to accountability.
When it comes to surveillance of private individuals and dissident groups, the security services and relevant Ministers
routinely drop a curtain of silence over their operational methods and capacities. There is little in the way of
meaningful public accountability – allegedly because this could enable the real and potential targets of surveillance to
be alerted about SIS/GCSB expertise, and their modus operandi. Yet when it comes to the engagement with corporate New
Zealand, the coin seems to be flipped – and the security services appear to be actively engaged with business in sharing
and advising on the appropriate levels of counter-espionage expertise.
Where (and how) does this line get drawn? Surely, the taxpayer shouldn’t be bankrolling the security services to assist
the private sector to erect and maintain cyber defences that industry should be paying for itself – and especially when
the public isn’t being entrusted with the same levels of care and consolation about similar intrusions into its own
privacy. At base, how can the GCSB/SIS offer meaningful advice that protects our economic secrets and intellectual
property from cyber attack, without tipping its hand to the businesses in question, about its operational methods and
technical capacities? And if it can manage that tricky balance in its dealings with commerce, why can’t it be more
transparent about its dealings with the public?
This apparent disjunct between what the security services conceal in their ‘surveillance’ role yet seem willing to
reveal when wearing their ‘economic security’ hat must be a nightmare for the guardians that supposedly keep our
security services in check. Chief among those watchdogs is the Inspector-General of Intelligence and Security, currently
Cheryl Gwyn. In the past, this watchdog has been more like a toothless old lapdog - usually a retired judge working from
an office with few resources, and almost entirely reliant on what the security services are prepared to reveal.
By contrast, Gwyn seems to be a far more independent operator. This week, she has set up an eleven-person advisory panel
to be a “sounding board” in the performance of her duties. The full group is:
Ben Creet - Issues Manager, Internet NZ
Professor Rouben Azizian - Director, Centre for Defence and Security Studies, Massey University
Dr Nicole Moreham - Associate Professor, Faculty of Law, Victoria University of Wellington
Dr Paul Buchanan - Director, 36th Parallel Assessments
David Fisher - Journalist, New Zealand Herald
John Ip - Senior Lecturer, Assistant Dean (Academic), Faculty of Law, University of Auckland
Nicky Hager - Journalist, Author
Thomas Beagle - Chairperson, NZ Council for Civil Liberties
Treasa Dunworth - Associate Professor, Public International Law, University of Auckland
Suzanne Snively - Chair, Transparency International
Deborah Manning - Barrister
None of this group will have access to classified information, or to the operational methods and technical expertise of
the SIS/GCSB. Amusingly, some politicians have been upset that a statutorily independent watchdog might choose to engage
with people who do not share the same mindset as the organisations she is being expected to monitor:
National's spy spokesperson Gerry Brownlee said the creation of the reference group raised a number of serious questions
- particularly around the inclusion of the investigative journalist Nicky Hager. "The Inspector-General has said this
group has been brought together to help her stand 'in the shoes of the public'. But several members of her group are far
from objective in their view of our intelligence relationships, or in some cases the existence of intelligence services
at all," Mr Brownlee said. He said Mr Hager had repeatedly questioned the legitimacy of the country's spy agencies.
Heavens to Betsy. Can an independent watchdog really be sharing a cup of tea and a plate of biscuits occasionally with
people who have been critical in the past of the organisations she is supposed to be monitoring? Andrew Little – the
Minister responsible for the Security Services – seems to be equally perturbed that the NZ Herald investigative journalist David Fisher is on the same advisory panel, and Little wonders how Fisher can square this with
his journalistic ethics.
Is Little serious? Surely, we are past the time when we regarded journalists as ideally being political eunuchs, devoid
of values and opinions in any realm of their personal or public lives. That has always been a fallacy, in that it has
been the “objective” journalism that has commonly tucked its half truths, deliberate exclusions and ideological premises
carefully out of sight, before it comes to the table.
Journalists like Hager and Fisher, academics like John Ip (who has written insightfully about the role of special
advocates in security cases), consultants like Paul Buchanan and lawyers like Deborah Manning all have expertise and
opinions and networks that are relevant to the tasks that Gwyn is expected to perform. She should be being congratulated
for casting her net so wide, and so fearlessly.
To suggest, as Brownlee has, that Gwyn shouldn’t dare to engage with someone critical of the SIS/GCSB is an insult to
her abilities. To suggest, as Little does, that Fisher is being unethical by participating in this panel is an insult to
Fisher, and is a quaintly inaccurate view of the evaluative role that good journalism should be encouraged to actively
pursue.
Footnote One: Hate to be a conspiracy theorist, but there is a possibility the latest Russia cyber scare is a by-product of toxic US
domestic politics. The current US warnings on Russian cyber activity have been attributed to the assistant director of
the FBI - whose past director (and the FBI decision to raid the office of the President’s personal lawyer) have both
come under attack of late from a President who has routinely peddled a softer line on Russia, and continues to do so.
Even after the alleged gas attack in Syria, Donald Trump has not supported imposing further sanctions on Russia, as
advocated by Congress and by the Republican Party to which he belongs. The FBI don’t seem to share the President’s
comparatively benign view of Russia.
Footnote Two: Ironically, it is not all bad news. Sport is one area where Russian cyber attacks have arguably been of positive
benefit to the public. The so-called “Fancy Bear” cyber attacks in 2016 – after Russia had been targeted by Western
authorities for its state doping programme - revealed for the first time the surprising extent of ‘therapeutic use exemptions’ (TUEs) granted for permitted drug use, within modern professional
sport.
These revelations have had direct repercussions for public understanding of the potential abuse of TUEs in the Olympics,
football, tennis, baseball, gymnastics and lately in cycling. The past exploits of Bradley Wiggins and Chris Froome have both come under intense scrutiny, as a result. All of which, surely, has to be regarded as welcome.