March 7, 2023
TOM CONNELL: Cyber security experts are warning Australian universities may be unknowingly arming our adversaries with hacking skills. They say partnerships with Chinese institutions are undermining efforts to bolster cybersecurity and leading Australian banks and other infrastructure vulnerable to attacks. Joining me live, James Paterson's Shadow Cyber Security and Countering Foreign Interference, thanks for your time. What do we know about what the universities are actually teaching here and to whom?
JAMES PATERSON: So, it appears that a number of Australian universities have partner relationships with equivalent Chinese institutions where they are teaching Chinese students some offensive cyber hacking techniques and tactics. And this is pretty alarming given the national security and cyber environment that we're operating in. Australia struggles enough as it is with the challenges of cyber security. But we shouldn't be teaching potential adversaries how to attack our civil and civilian infrastructure.
CONNELL: So hacking teams are pretty well resourced already in China. How much of this is new? Is it a big concern or is it more about the collaboration and PhD level stuff versus some of the mass available online courses, which a few experts have said, look, this stuff's sought everywhere. High-level collaboration and stuff where you'd find out a bit more about Australian systems would be more of a worry?
PATERSON: Both are of concern to me. I am concerned about this, even if it is able to be taught elsewhere because I don't think Australian taxpayers’ money, or the money of student fees paid by Australian students here in Australia should be going to subsidise the upskilling at scale of our potential adversaries who might then go work for a Chinese intelligence agency or the PLA’s cyber unit.
CONNELL: So, is this scale the problem that might be so-called netizens who just sort of get a bit more knowledge in a certain area and might be convinced in future years to do the so-called patriotic thing?
PATERSON: Well, cyber agencies in China are major employers of cybersecurity graduates. That's not a kind of surprising thing, and I don't want any Australian trained students going to work for them to then turn around, days after they were trained by an Australian academic or researcher, to then look for vulnerabilities in our critical infrastructure or our government networks. But you're also right to raise the kind of sensitive onshore research that happens. It's often the case in other areas, for example, defence research that's funded at universities that PhD students or researchers working on those projects must be Australian citizens or must be Five Eyes citizens. And if there is sensitive cyber research going on, I think we do have to think very carefully about whether that should be restricted.
CONNELL: And well, this is the interesting thing because there's been a lot of urging over recent years around collaboration. But is it at the point where you just need laws on these things?
PATERSON: Well, we now have a number of laws and a number of systems of government that are supposed to capture those things. So, we have the Foreign Arrangements Act, which should be capturing these bilateral relationships between Australian universities and Chinese universities because they lack institutional autonomy. They're effectively arms of the Chinese government. So that could be scrutinised under the Foreign Arrangements Scheme. We also have the Universities Foreign Interference Taskforce and the whole point of this is to prevent things like this from happening not just in research but in teaching as well. And it appears to me that it's not on UFIT's radar at all and that's really concerning. That's why...
CONNELL: So, they should be looking at this?
PATERSON: Absolutely. And that's why I've called for the government to do an investigation into this and get to the bottom of it. How many students are being taught? Exactly what is the course content? Should this be permitted, should it be allowed?
CONNELL: I mean, when you're talking about course content, surely, it's not like, look, here's how you hack a bank in Australia. Here's the standard firewall. Here's how, you know, I don't know how to do stuff, but on the Dark Web turn left here, turn right here?
PATERSON: On the contrary, Tom, it does appear to be, from what we've seen from these leaked whistle-blowers within universities, very specific instructions on particular types of successful attacks against critical infrastructure and civilian infrastructure.
CONNELL: It seems extraordinary. I mean, why would any university even teach that? Wouldn't that sort of be a restricted government agency?
PATERSON: There is a need if you are training someone to protect those systems, for them to understand they are vulnerable...
CONNELL: They know how it gets hacked...
PATERSON: You have to understand what your adversary can do if you want to be able to defend against it. So, it's not inappropriate for it to be taught. But it doesn't seem very smart to me to be teaching it to people who are potentially going to use it against us.
CONNELL: Series beginning in Nine newspapers today being a warning of preparing for war. Look, these are pretty standard headlines at the moment, but this threat, and it's all about deterrence, is the biggest need in the short-term for us, a lot of long-term projects, missiles?
PATERSON: Look, that's certainly one of them. I would say our ability to project power at distance and to keep our adversaries thinking twice and put their platforms at risk is a really important capability. Now, whether that's delivered by a long-range
missile, a submarine, a B-52 bomber, the platform is not so important. It's the effect that is really important. And I really hope to see in the government's imminent AUKUS announcement, some real acceleration of those plans. And I hope that the DSR feeds into that.
CONNELL: And the other thing the government has been big on is a counter offensive or an offensive cyber team. That might be something we can actually compete in a bit better compared to the hardware stuff, right? And that's almost a bigger threat and one you're more willing to use versus the weapons.
PATERSON: That is exactly the rationale for the REDSPICE program that our government did in our final budget. A $9.9 billion upgrade to the Australian Signals Directorate to effectively double in size, including their offensive cyber capabilities. And there's a reason why we were so public about that, because we do want to signal to our potential adversaries who are contemplating doing harm to us online that we can hit them back too. And the great thing about cyber is it's asymmetric. A much smaller country can hold a much larger country's assets at risk because we've got really exquisite cyber capabilities at ASD.
CONNELL: For all this talk about spending and the former PM says we need to increase spending as well. Does it mean we have to focus on sustainability of the budget? The conversation about everything, about spending in other areas and tax concessions. Even if we get bogged down in promises and I'm not saying they're not important, but Labor's conversation around the budget matters when you get to defence stuff.
PATERSON: It's all about priorities, Tom. What I've observed with this government so far is they haven't said no to any of their core constituencies, they're increasing funding on childcare, on disability, on aged care, on health care, on so many areas at a time when interest rates are rising and the debt on interest is rising. They're going to have to spend more on defence too, and they going to have to make some difficult choices. And so far, they've shown no ability at all to exercise any restraint on the spending front. And that's why they're coming after people's retirement savings, that's why...
CONNELL: So, if they were doing a bit of both to be more sympathetic? If they're showing spending restraint and perhaps looking at concessions, you'd say, well, they're doing everything they can?
PATERSON: Well, there's certainly no evidence they're interested in spending restraint so far...
CONNELL: Right. But if they were, that would be something you'd give them a little bit more credit for?
PATERSON: Certainly, I'll give them credit for if they're able to identify some savings, if they're able to hold in spending. But there's no evidence of that yet.
CONNELL: James Paterson, thank you.
ENDS
