Australia’s top cyber spy says China’s actions in the hack of Microsoft Exchange email server software were akin to propping open the doors of thousands of homes and leaving them ajar for criminals to get inside.
Rachel Noble, the director general of the Australian Signals Directorate (ASD), drew the analogy as she said the Chinese government’s actions had “crossed a line”, prompting the Australian government to join with the United States and other countries to publicly point the finger at Beijing last week.
Such “reckless actions should not be tolerated”, added the home affairs secretary, Michael Pezzullo.
The pair appeared at a parliamentary inquiry on Thursday as the Morrison government seeks support for proposed legislation to place extra requirements on the critical infrastructure operators to toughen up their cyber defences.
They were asked about the Australian government’s statement declaring that Canberra had “determined that China’s ministry of state security exploited vulnerabilities in the Microsoft Exchange software to affect thousands of computers and networks worldwide, including in Australia”.
“To describe it in plain language, it would be like houses and buildings had faulty locks on the doors,” Noble said.
“When the Chinese government became aware of those faulty locks on the doors, they went in and they propped all those doors open.
“What then happened was that there was opportunity for all sorts of criminals [and] other state actors – you name it – to pour in behind all those propped-open doors and get into your house or your building.
“It’s that action, from a technical point of view, which crossed a line in the judgment of policy agencies in governments around the world.”
Noble said it was estimated that there were about 70,000 businesses and organisations in Australia using a Microsoft Exchange server.
“So it’s an attack at a scale that is extremely large and significant.”
She said it was “certainly our operational experience that state actors along with criminals can look awfully similar in terms of their behaviour in cyberspace”.
Pezzullo said Australia believed states should show restraint in cyberspace, avoiding reckless or malicious actions.
“If you pry open all the doors, if you pry open all the windows, if you in effect disable all of the burglar alarms, we’re all going to be affected,” Pezzullo said.
“Such reckless actions should not be tolerated as a matter of international and global norms, and that’s why the Australian government joined with such a significant coalition of free democratic nations.”
The Chinese embassy in Canberra last week dismissed the Morrison government’s statement on the Microsoft Exchange matter as “groundless”.
The embassy said it was a case of Australia “following the steps and parroting the rhetoric of the US”, while arguing Australia had “a poor record” as “an accomplice for the US’s eavesdropping activities”.
The Australian parliament’s joint committee on intelligence and security is reviewing a government bill that would impose new cyber security obligations on a range of critical sectors.
These sectors include communications, financial services, data storage, defence industry, universities and research, health care, space technology, transport, and water and sewerage.
There will be mandatory reporting of serious cyber security incidents to ASD.
The bill gives government agencies new powers to respond to major attacks, including obtaining information from an affected business or entity. Australian entities under attack could also be directed to “do, or refrain from doing, a specified act or thing”.
Pezzullo played down concerns from industry about the new rules being overly onerous, arguing the government’s first preference was to work cooperatively with businesses and organisations to strengthen their defences.
He said the new measures, while potentially “far reaching”, were needed “as a last resort in a national emergency, should an entity be unwilling or unable to do what is necessary”.
During Thursday’s hearing, officials were also quizzed about the readiness of security agencies to protect Australia’s electoral systems from potential cyber attacks.
“If something were to occur, we would immediately know, as would other intelligence agencies, and then be working in real time to try and address any incident with a view to try and get the system back up and running to keep the election going, and then deal with the issues of ‘whodunnit’ after that,” Noble said.
Pezzullo added: “It helps that we’re still on paper and pencil [with electoral ballots]. This is one of those cases where not being digital helps.”