May 25, 2023
ANDY PARK: Well, joining me from the studio in Parliament House, Canberra is Shadow Cyber Security Minister, Senator James Paterson. Welcome to you.
JAMES PATERSON: Good to be with you.
PARK: Volte Typhoon. Who are they and what kind of attacks have they been carrying out?
PATERSON: They are a Chinese state sponsored cyber hacking unit that has been revealed in this instance to be targeting critical infrastructure, that is civilian infrastructure, by using a very sophisticated method, which is called "living off the land". Now to explain that briefly for your listeners, rather than placing their own malware on someone else's system, which can often be detected, they're effectively using the tools in the software, in this case Microsoft program, to do what they
wanted to do in a way that makes it much harder to identify. So, it's a highly sophisticated attack and it was targeted at critical infrastructure.
PARK: So what kind of threat does that pose if these hacks are successful, what kind of control could they have over what?
PATERSON: Well, there is no innocent reason for a state-sponsored hacking group to be on critical or civilian infrastructure. The only purpose which you would be on there, and particularly in a dormant presence, is to activate it at a future time that suits your national interest. So, for example, if there were to be a regional or global security crisis, that dormant activity could be enabled to damage or disrupt that critical infrastructure. That critical infrastructure could be an electricity network, it could be a payment systems network, it could be a telecommunications network, it could be our gas or our water utilities. And its purpose is to distract us and to make us internally focused at a time when we may need to be externally focused.
PARK: If it's happening on critical US infrastructure could also be happening on critical Australian infrastructure?
PATERSON: Yes, there's no doubt in my mind that if it is occurring on US infrastructure, that it is also occurring on our infrastructure. In fact, testimony by cyber experts before the intelligence committee a couple of years ago assessed that it was likely that there was an existing dormant presence on our networks and that was the major rationale behind the previous government's critical infrastructure reforms and also the REDSPICE program, which was a $10 billion investment in our Signals Directorate over the next ten years, including to boost both their defensive and offensive cyber capabilities.
PARK: I mean, Australia's publicly calling out China at a time when we're also working to repair the relationship. This is a tricky dance to dance. Is this a welcome move to call China out, as the Home Affairs Minister did today?
PATERSON: Yes, it's very important that we call out China for this malign behaviour if we ever hope to deter them from engaging in this behaviour again. One of the things we can do, particularly in conjunction with our like-minded partners in this case the Five Eyes, is call them out for doing so. There are also…
PARK: How do you do that more than just a speech? I mean, you put out a Tweet earlier today calling on the Albanese Government to directly penalise those engaged in attacks on Australian infrastructure. Are you effectively saying that you want to see China sanctioned if that's true?
PATERSON: The previous parliament under the previous government passed the Magnitsky sanctions and the primary purpose of that was to target human rights abusers and corrupt officials internationally. However, it also has a cyber component to it and it allows the Australian Government to sanction individuals who are responsible for perpetrating cyber attacks on our country. That part of the sanctions framework has not yet been used. I really strongly encourage the government to consider using it in this case or other potential use cases, including the Russian-backed attacks on Optus and Medibank and many other unfortunate cases that we have, frequent cases that we have, because what we're trying to do is deter this behaviour and if you don't put a cost on it, then you're really not doing enough to deter it. Calling it out is good. That's the first step. The second step is to act on it.
PARK: It's 5:12 on RN Drive. Shadow Cyber Security Minister Senator James Paterson is in the studio in Parliament House. You were really pushing for a ban on TikTok on government devices. You also said there are risks associated with downloading dating and other social media apps on them. Do you want to see a blanket ban on all social media or dating apps on your government work phones?
PATERSON: Not necessarily. Some apps pose greater risks than others. Ones which are subject to the extrajudicial direction of a foreign authoritarian government like TikTok in the case of the Chinese Government obviously pose a greater risk than Instagram, Facebook or Twitter do. And dating apps pose a risk for a different reason, not necessarily because of the data collection issue, but because the ASIO Director-General Mike Burgess, has warned that foreign intelligence agencies are trying to target clearance holders on dating apps to try and cultivate them and recruit them and ultimately compromise them and the information they have access to. So there doesn't necessarily need to be a broad ban on every sort of app and certainly not even every sort of social media app. But we do need to carefully assess the risks and then remove them.
PARK: Because you'd use Twitter or Instagram on your government phone, I'm assuming. I mean, is it just where these companies, these social media companies are domiciled as to whether they're trustworthy or not?
PATERSON: Well, to be clear, yes, I do use those apps. And no, they are not risk free. They also present risks as well. They're all collecting data on us, but the risk that they present are not as acute as the risk posed by a company that is beholden to a foreign authoritarian government. And in this case, the one which is perpetrating cyber attacks against us and is responsible for foreign interference and espionage in our democracy at record levels. That is an altogether different challenge than apps headquartered in a liberal democracy and an allied country who are trying to monetise the data they collect on us.
PARK: Moving on to some things coming out of Estimates this week, I know your head is firmly in this space. DJI drones are no longer being used by Border Force, Defence have grounded them, pending a six-month security audit. And in Estimates today we heard that the AFP was transitioning away from them as well. This is a move you no doubt welcome. What is the issue with these drones? Is it the geo-location data that the app that you use to control these drones is collecting in the background?
PATERSON: DJI is like many other Chinese technology companies in that it is effectively beholden to the interests of the state and therefore can be directed by the state to do things which are inconsistent with our national interest. In October last year, the Pentagon banned these devices from the US military, and their rationale was that the company was secretly being directed by the People's Liberation Army. But it also followed existing US government sanctions against the company because it was directly involved in the abuse of human rights of the Uyghur people in Xinjiang. So, there's both a moral component here and a security component here. That's why I started asking questions first to the ADF and now subsequently to the Border Force and the AFP. And I'm pleased that they have agreed to get rid of these drones, but really they shouldn't be waiting for an Opposition Senator like me to put questions to them to take this action. The government needs to be much more proactive about this. It's not good enough just to react when someone ask questions. You've got to be on the front foot in assessing these risks and removing them.
PARK: The other Estimates issue was ASIO boss Mike Burgess, he wouldn't confirm if the agency's looking into neo-Nazi groups infiltrating existing political parties. He said neo-Nazi groups are becoming more visible in public, but that doesn't
necessarily indicate an increased security threat. I mean, how should this problem be tackled, do you think?
PATERSON: Well, ASIO's mandate is to look to threats to security, and that includes terrorism, foreign interference, espionage, communal violence, that sort of thing. It's not really the jurisdiction of ASIO to investigate political infiltration of political parties. In fact, historically they were criticised for having an interest in such things during the Cold War and they've significantly changed their approach after a Royal Commission and other scrutiny. So, I think it's not appropriate for them to focus on political parties unless it's a risk of threats of violence. Mike Burgess said that the threat has declined in recent years from these neo-Nazi white supremacist groups. It was previously taking 50 per cent of their counter-terrorism workload. It's now down to 30 per cent. And he said the principal security concern in a terrorism space is from a religiously motivated extremist, in particular Sunni Islamist extremists. Really though, all of these groups are capable of engaging in violence and doing harm and they all need to be taken very seriously.
PARK: Shadow Cyber Security Minister James Paterson, thanks for your time this afternoon.
ENDS
