More stories

  • What's the key to tackling cyber attacks? Building a diverse team to think smarter

    Cybersecurity teams need a diverse mindset to protect businesses, governments and others from cyber attacks, and collaboration is what lets those different perspectives come together in the fight against cyber crime.
    It's this sort of collaborative attitude that is needed to combat challenges and reduce cyber risk to societies, says Pete Cooper, deputy director of cyber defence for the UK Cabinet Office and lead of the government sector of the National Cyber Security Programme.
    The former RAF fast jet pilot turned cyber operations advisor founded the UK's first multi-disciplinary cyber strategy competition and believes that better collaboration and diversity are the key to tackling international cybersecurity challenges.
    “We all have diverse perspectives of what our challenges are and we all have our individual horizons and the real value of collaboration comes through seeing the world through those diverse perspectives,” Cooper said, speaking during his keynote session at Black Hat Europe 2020.
    “Because by doing that you then start creating shared perspectives, you start pushing out your joint horizons so you can see further and develop a much better joint understanding of everything”.
    Mixing together the different perspectives has the potential to transform how resources can be used and what actions can be taken, he explained – and maybe even find new ways of dealing with known and previously unknown scenarios.

    “It creates a unique collaboration so you can identify those obstacles, opportunities and ideas you wouldn’t have been able to do previously – and that’s what it really means to collaborate,” Cooper said.
    “In collaborating across those diverse teams, the best solutions are those joint solutions and it takes that collaboration”.
    While preventing and responding to cyber attacks and data breaches is a key part of cybersecurity, it's far from the only part of the job, and the culture of the industry and of information security teams within organisations needs to reflect that.
    “Incidents are just the tip of the iceberg and we’ve got to have a great and engaged culture to see under the surface and understand what the problems are, understand what the events are and understand what the ideas might be to see them are,” Cooper explained.
    And while bringing together those different perspectives does take time and effort, as he noted during the session, collaboration and diversity are valuable for everything that cybersecurity is attempting to achieve.
    “Because if we do that, we then start sharing those shared perspectives and we expand out our horizons,” Cooper said.
    “The more we form those joint horizons by working together, the better it is for everybody as we try to tackle the key risks going forwards,” he added.

  • Hackers hide web skimmer inside a website's CSS files

    Over the past two years, cybercrime groups have used quite an assortment of tricks to hide credit card stealing code (also known as web skimmers or Magecart scripts) in various locations of an online store in order to avoid detection.
    Places where web skimmers have been found in the past include inside images such as site logos, favicons and social media icons; appended to popular JavaScript libraries like jQuery and Modernizr or to Google Tag Manager code; or hidden inside site widgets like live chat windows.
    The latest of these odd places is, believe it or not, CSS files.
    Standing for cascading style sheets, CSS files carry the rules a browser applies to style a web page's elements, written in the CSS language.
    These files usually contain declarations describing the colours of page elements, text sizes, padding between elements, font settings, and so on.
    Web skimmer gang experiments with CSS
    However, CSS is not what it was in the early 2000s. Over the past decade the language has grown far more capable, and web developers now use it to build complex animations with little or no JavaScript.
    CSS still cannot execute JavaScript on its own, and that is not what the attackers relied on. What a style sheet can do is carry arbitrary strings, for example in a custom property (a CSS variable), and a small script already on the page can read such a value back through the browser's style APIs and execute it. That indirection is what lets a CSS file act as the carrier for a skimmer's loader while the style sheet itself looks inert to anyone scanning only JavaScript.

    Willem de Groot, the founder of Dutch security firm Sanguine Security (SanSec), told ZDNet today that this CSS feature is now being abused by web skimmer gangs.

    De Groot says that at least one group is using malicious code added inside CSS files to load skimmers on online stores that record payment card data when users are completing checkout forms.
    “It was […] a fairly standard keystroke logger,” de Groot told ZDNet when we asked him to describe the code he found today.
    “It seems to have been taken offline in the last hour, since our tweet,” he added.

    “We found a handful of victim stores with this injection method,” the SanSec founder also told ZDNet.
    “However, the infrastructure has been in place since September and was previously used for several dozen more traditional attacks. This CSS disguise looks like a recent experiment.”
    Most skimmers are invisible
    But while this technique of loading skimmer code by using CSS rules as proxies is certainly innovative, de Groot says that this is not what shop owners and online shoppers should be worried about.
    “While most research concerns JavaScript skimming attacks, the majority of skimming happens on the server, where it is completely invisible,” de Groot said.
    “About 65% of our forensic investigations this year found a server side skimmer that was hidden in the database, PHP code or a Linux system process.”
    As ZDNet explained in a piece on Monday about another of SanSec’s findings, the simplest way shoppers can protect themselves from web skimmer attacks is to use virtual cards designed for one-time payments.
    Provided by some banks and online payment services, they let shoppers load a fixed sum onto a virtual debit card that expires after one transaction or a short period of time. If the card details are stolen by attackers, they are useless once the virtual card expires.

  • Oblivious DoH: Cloudflare supports new privacy, security-focused DNS standard

    Cloudflare, Apple, and Fastly have co-designed and proposed a new DNS standard to tackle ongoing privacy issues associated with DNS. 

    On Tuesday, Cloudflare’s Tanya Verma and Sudheesh Singanamalla announced support for the new standard, which separates IP addresses from queries so that no single party sees both who is asking and what is being asked, a measure intended to make users harder to track online. 
    The Domain Name System (DNS), which has underpinned the internet for decades, in its basic form still sends queries in cleartext, so anyone on the network path between a device and its resolver can read the hostnames being looked up and the IP addresses involved. 
    DNS over HTTPS (DoH) and DNS over TLS (DoT) were engineered to protect that path with Internet Engineering Task Force (IETF) standardised encryption, reducing the risk of queries being intercepted or modified, for example by an attacker redirecting users from a legitimate domain to a malicious address. Third parties such as ISPs also find it harder to trace website visits when DoH is enabled. What neither protocol hides is the query from the resolver itself, which still sees every name a client asks for alongside that client's IP address. 
    Major browsers have shipped DoH or are rolling it out. Now, Oblivious DNS over HTTPS (ODoH) has been proposed by Cloudflare, together with partners PCCW Global, Surf, and Equinix, to improve on these models by adding a layer of public key encryption and a network proxy between client and resolver. 
    Research conducted at Princeton University and the University of Chicago, “Oblivious DNS: Practical Privacy for DNS Queries,” published in 2019 by Paul Schmitt, Anne Edmundson, Allison Mankin, and Nick Feamster, provided the inspiration for the new standard proposal. 

    The overall aim of ODoH is to separate who is asking from what is being asked. A network proxy is inserted between clients and DoH servers, such as Cloudflare’s 1.1.1.1 public resolver, and the combination of the proxy and public key encryption “guarantees that only the user has access to both the DNS messages and their own IP address at the same time,” according to Cloudflare. 

    “The target decrypts queries encrypted by the client, via a proxy,” Cloudflare explained. “Similarly, the target encrypts responses and returns them to the proxy. The standard says that the target may or may not be the resolver. The proxy does as a proxy is supposed to do, in that it forwards messages between client and target. The client behaves as it does in DNS and DoH, but differs by encrypting queries for the target, and decrypting the target’s responses. Any client that chooses to do so can specify a proxy and target of choice.”
    As a result, the target is the only party that can read a query or produce a response, and it sees the proxy’s IP address rather than the client’s; the proxy sees the client’s IP address but has no visibility into the DNS messages. 
    Cloudflare stresses that this guarantee holds only as long as the proxy and target do not “collude” and neither is compromised: a proxy that shares what it sees with the target, or an attacker who controls both, can once again link clients to their queries. 
    Cloudflare is currently working with IETF on the standard and plans to add ODoH to existing stub resolvers, including cloudflared. It is important to note that ODoH is still in development, and the companies are currently testing performance across different proxies, targets, and latency levels. 
    An ODoH draft has been submitted to the IETF.
    Test clients have been released to the open source community to encourage experimentation with the proposed standard. It can take years before vendors enable support for new DNS standards, but Eric Rescorla, Firefox’s CTO, has already indicated that Firefox will “experiment” with ODoH.
    “We hope that more operators join us along the way and provide support for the protocol, by running either proxies or targets, and we hope client support will increase as the available infrastructure increases, too,” Cloudflare says. “The ODoH protocol is a practical approach for improving privacy of users, and aims to improve the overall adoption of encrypted DNS protocols without compromising performance and user experience on the internet.”
    In October, Cloudflare debuted API Shield, a free service that uses a “deny-all” setup to refuse requests to API servers unless the client presents a suitable cryptographic certificate and key (mutual TLS). 
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Ransomware gangs are getting faster at encrypting networks. That will make them harder to stop

    The cyber-criminal groups behind some of the most notorious and damaging ransomware attacks are using the same tactics and techniques as nation-state-backed hacking operations, and they’re only going to get more sophisticated as they look for even bigger paydays.
    Ransomware has continued to evolve in the past year, with some ransomware crews making off with millions of dollars following each successful attack.


    One of the key reasons why ransomware has become such a common cyberattack is because it’s the easiest way for malicious hackers to make money from a compromised network.
    Previously, cyber criminals might have focused on stealing information that could be used or sold on, but by encrypting the network, they can make a large sum of money from demanding a ransom in a shorter amount of time than it would take to make from exploiting stolen credentials or financial information.
    And now the skills of ransomware gangs are catching up with the Advanced Persistent Threat (APT) groups associated with nation states.
    “Ransomware attackers are essentially just a couple of years behind the tradecraft we’ve seen APT crews adopt. This is still a growing problem, it’s not going to go away,” Mitchell Clarke, principal incident response consultant at security company FireEye Mandiant, told ZDNet.

    Researchers at Mandiant presented analysis of how ransomware – and the cyber-criminal gangs behind it – has evolved and matured in recent times during a presentation at Black Hat Europe 2020, demonstrating how the cyber-criminal groups running these campaigns are increasingly conducting full-scale network intrusions similar to those seen in nation-state attacks.
    Ransomware groups like DoppelPaymer and REvil have been highly prolific this year, encrypting networks and making millions. Part of the reason for the success of these campaigns is because they’re highly targeted.
    Cyber-criminal hackers uncover vulnerabilities on networks, then spend months laying the groundwork to compromise the systems before finally unleashing the attack and encrypting the network.
    This is similar to how APT groups hide for months or even years without being detected, although their goal is surveillance or stealing sensitive data rather than making money with ransomware.
    “If we look back to older cases of ransomware, it was largely opportunistic. Attackers would land on a corporate environment and advance into a small subset of a wide organisation. The transition from opportunistic crime into APT-like campaigns is just a realisation that it’s more profitable to completely cover an organisation with ransomware,” said Clarke.
    “The attacker has taken their time to step through that APT process, to understand the victim environment and to move across it as quietly as possible and with as much privilege as they’re able to get. Then when it’s time to deploy ransomware, to cover a whole organisation.”
    But that isn’t where the evolution of ransomware campaigns stops. As these groups gain experience from successful attacks, the window between initial compromise and an attempted full encryption of the network is likely to shrink, leaving defenders even less time to detect suspicious activity before it’s too late.
    “We’re seeing a gap from initial compromise to a ransom event being in the months – it’s in that period before a ransom that organisations can implement changes to be able to detect,” explained Tom Hall, principal incident response consultant at FireEye Mandiant.
    “But as they get more sophisticated, we’re going to see that window dropping from months to weeks and weeks to days. If organisations don’t grasp the problem of being able to catch them when they’ve got months, there’s no hope when we’re down to shorter time periods,” he added.
    However, one of the key reasons why cyber criminals continue to be successful with ransomware attacks is because they’re able to exploit vulnerabilities that are simple to protect against – but organisations have failed to do so.
    Applying security patches promptly after release removes the known vulnerabilities these groups rely on for initial access, while enforcing multi-factor authentication and eliminating default passwords on the network close off the other common entry points for ransomware and other attacks.
    “It’s not like these situations couldn’t have been prevented. It really highlights that a solid patch-management programme would have solved having vulnerabilities exposed that kicked off the entire breach,” said Clarke.

  • Adobe security update squashes critical vulnerabilities in Lightroom, Prelude

    Adobe’s last scheduled security update of the year has resolved critical vulnerabilities in Lightroom, Prelude, and Experience Manager. 

    Released on Tuesday, the tech giant’s patches deal with four vulnerabilities, three of which are deemed critical. 
    The first fix was issued for Adobe Lightroom, image-editing software popular with professional photographers. Affecting Lightroom Classic version 10.0 and earlier on Windows and macOS, the critical issue, tracked as CVE-2020-24447, is an uncontrolled search path element vulnerability leading to arbitrary code execution. Bugs of this class typically mean the application loads a library from a directory an attacker can write to, so exploitation requires the attacker to first plant a file on the machine. 
    A second critical bug was found in Adobe Prelude for Windows and macOS, version 9.01 and earlier. Tracked as CVE-2020-24440, the severe vulnerability is caused by an uncontrolled search path and, if exploited, can lead to “arbitrary code execution in the context of the current user,” according to Adobe. 
    Adobe’s third security advisory relates to Adobe Experience Manager (AEM) and the AEM Forms add-on package on all platforms. 
    Two vulnerabilities have been patched in these software packages. The first, CVE-2020-24445, is a critical bug in AEM CS, and is also found in AEM 6.5.6.0/6.4.8.2/6.3.3.8 and earlier. 

    CVE-2020-24445 is a stored cross-site scripting (XSS) flaw that can lead to arbitrary JavaScript execution in the browser. 
    The second security flaw, CVE-2020-24444, is an “important” vulnerability found in AEM Forms SP6 add-on for AEM 6.5.6.0 and the AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2). This vulnerability is a blind server-side request forgery issue that can be triggered for the purpose of information disclosure. 
    Adobe thanked Qihoo 360 CERT researcher Hou JingYi, as well as Frank Karlstrøm and Kenny Jansson of Storebrand Group, Norway, for reporting the security issues to the vendor. 
    Adobe’s November security update tackled another handful of vulnerabilities, two of which were found in the Connect remote conferencing software, and one in Reader. Connect’s bugs could be exploited to perform JavaScript execution in a browser, whereas Reader’s lone issue could be used to leak information. 
    In Microsoft’s last patch update of the year, released on Tuesday, the Redmond giant resolved 58 vulnerabilities, 22 of which are remote code execution (RCE) vulnerabilities. 

  • Christchurch terrorist's radicalisation shows the limits of surveillance and censorship

    The official inquiry into the 2019 lone-wolf terrorist attack on mosques in Christchurch, New Zealand, which killed 51 people and injured another 40, has found that YouTube was “a far more significant source of information and inspiration” than extreme right-wing websites.
    The inquiry also highlighted the limitations of counterterrorism efforts when a potential terrorist is just one of many people espousing extremist views.
    The final report of the Royal Commission of Inquiry into the terrorist attack on Christchurch masjidain [mosques] on 15 March 2019, was published on Tuesday.
    In line with common New Zealand media practice and the report itself, your correspondent will not name the perpetrator here, but refer to him simply as “the individual”.
    “The individual claimed that he was not a frequent commenter on extreme right-wing sites,” the report said.
    “Although he did frequent extreme right-wing discussion boards such as those on 4chan and 8chan, the evidence we have seen is indicative of more substantial use of YouTube and is therefore consistent with what he told us.”
    He also followed instructions on YouTube videos to modify his guns and accessories to maximise their effectiveness during his attack.

    “YouTube has been often associated with far right content and radicalisation,” the report said.
    Whether YouTube’s recommendation engine leads users to ever more extreme material, or whether the widespread availability of videos supporting far-right ideas reflects demand, remain unanswered questions.
    “What is clear, however, is that videos supporting far-right ideas have been very common on YouTube,” the report said.
    “YouTube has made changes in response to these criticisms, in particular to their recommendation system, so it is less likely to continue recommending increasingly extreme content and has also made it more difficult to access extreme content.”
    New Zealand’s Prime Minister, Jacinda Ardern, has said she would raise radicalisation directly with YouTube’s leadership.
    The individual was also active in a number of far-right Facebook groups, including those of Australian groups United Patriots Front and The True Blue Crew, and under a pseudonym on pages created by The Lads Society.
    The report said that according to a friend, “the individual had a number of Facebook accounts over the last few years, randomly closing one down and creating a new one”.
    “From time to time he deleted data and removed Facebook friends,” the report said.
    In all of these online forums the individual used known far-right language, posted far-right memes, and expressed strong anti-immigration, anti-Muslim, and anti-Semitic sentiments.
    He included a neo-Nazi reference in his username at New Zealand auction and classifieds site, Trade Me, and bought far-right publications and accessories to send to his family.
    “He reprimanded his mother for using the term ‘neo-Nazi’ in Facebook Messenger when she commented on his shaved hair and rhetoric,” the report said.
    “His mother understood that he was not offended at being called a ‘neo-Nazi’, but rather was worried that her use of the term on a popular messaging platform would be detected.”
    He also expressed concerns to his sister that he was being tracked by the Australian Security Intelligence Organisation, although he told the inquiry that there was an element of play-acting here.
    That said, the individual is known to have used the Tor Browser and virtual private networks to help hide his activities.
    ‘No single aspect’ could have alerted authorities to the lone wolf
    Despite all this activity, the inquiry found that New Zealand’s public sector agencies had just one piece of information that directly referred to the terrorist attack.
    Just eight minutes before the attack began, the individual sent an email to the Parliamentary Service, as well as politicians, media outlets, and individual journalists.
    “The critical information about the attack (in terms of the location) was within a 74-page manifesto attached to and linked within the email. It took some minutes for the Parliamentary Service to open the email, read and make sense of the manifesto, and then pass the details on to New Zealand Police,” the report said.
    “By then the terrorist attack had just started.”
    The inquiry found that other information known about the individual was “largely unremarkable”.
    “With the benefit of hindsight, we can see that some did relate to the individual’s planning and preparation. That, however, was not apparent at the time as this information was fragmentary,” it wrote.
    “No single aspect of it could have alerted public sector agencies to an impending terrorist attack.”
    The ‘practical difficulties’ of detecting lone wolves
    The capability and capacity of New Zealand’s counterterrorism efforts are “far less than many believe”, according to the inquiry.
    “The idea that intelligence and security agencies engage in mass surveillance of New Zealanders is a myth.”
    It observed that “intelligence and security agencies have comparatively little social licence”. In 2014, the agencies were in a “fragile state”. A rebuilding program didn’t start until 2016 and was still unfinished in 2019.
    “With limited resources, counter-terrorism agencies have to make tough choices about where to focus their intelligence efforts,” the report said.
    “There are legal, logistical, and technical obstacles to counter-terrorism agencies conducting operations on far right internet sites on the scale necessary to pick up such comments and identify the people who make them.”
    There are also “practical difficulties” in distinguishing between those who are “just talkers” and the “potential doers”, that is, those likely to mobilise to violence.
    The inquiry found that there were perhaps three ways in which the individual could have come to the attention of relevant agencies.
    One could have been a tip-off about his pseudonymous far-right rhetoric. However, counterterrorism professionals described such comments as “not being remarkable”.
    “Concerns were expressed as to whether such inquiry would have been appropriate (or proportionate) given the privacy implications of disclosing private Facebook comments to those who would have been spoken to at the gym.”
    The individual’s training for the terrorist attack had included working out at a gym and taking steroids to bulk up.
    Another could have been a tip-off from the public about his shooting style and comments about large-capacity magazines at his rifle club, or about his use of a drone to reconnoitre his intended targets.
    “As many Muslim individuals have observed to us, an identifiably Muslim person who acted in the same way as the individual would likely be reported to the counter-terrorism agencies,” the report said.
    Indeed, the inquiry noted that the New Zealand Security Intelligence Service had “only a limited understanding” of right-wing extremism in the country.
    “The inappropriate concentration of resources on the threat of Islamist extremist terrorism did not contribute to the individual’s planning and preparation for his terrorist attack not being detected,” the report said.
    The third possibility would have been “a more extensive system of data aggregation, analysis, and reporting”.
    The inquiry noted that, put together, the known facts did paint a certain picture: the importation of ballistic ceramic plates and the like; steroid and testosterone use, which was known to health providers; the purchase of large numbers of hypodermic needles, syringes, and alcohol swabs; the individual’s collection of eight firearms; and the purchase of high-capacity magazines and ammunition.
    “Whether the New Zealand public would be prepared to accept data aggregation and analysis on the scale and basis just suggested is uncertain,” the report said.
    “It is worth pointing out that some large-scale data aggregation currently takes place… for example between some public sector agencies to allow people to be detained at the border for unpaid fines or significant and outstanding student loan debts.”
    The report also noted the down side: “The key feature of bulk data collection is that a large proportion of the data gathered relates to people who are not intelligence targets and is of no intelligence value.”
    New Zealand to set up new national intelligence and security agency
    The inquiry has recommended New Zealand set up a new national intelligence and security agency that is “well-resourced and legislatively mandated” to be responsible for strategic intelligence and security leadership functions.
    The agency should create a “public-facing strategy that addresses extremism and preventing, detecting and responding to current and emerging threats of violent extremism and terrorism” which is “developed in collaboration with communities, civil society, local government, and the private sector”, the report said.
    It should also “[set] the purpose and the direction of the strategy, with goals, milestones, and performance measures.”
    All up, there are 44 recommendations. The government has committed in principle to implementing all of them.
    Can Australia learn from New Zealand’s experience?
    For your correspondent, one of the more remarkable paragraphs in the report concerns the matter of trust.
    “Media controversy and generally low levels of public trust and confidence in the intelligence and security agencies and aspects of the work of the law enforcement agencies have meant that politicians have avoided the challenge of public engagement about countering-terrorism.”
    Another is its focus on “social cohesion, inclusion, and embracing diversity [which] are goals that we can all aspire to”.
    “We accept political engagement on these issues will not be easy. But facing up to the hard issues and having open public conversations are critical,” the report said.
    “We hope our report will encourage members of the public, officials and politicians to engage in frank debate so that everyone understands their roles and responsibilities in keeping New Zealand safe, secure and cohesive.”
    In your correspondent’s view, Australia has much to learn here.
    Home Affairs Minister Peter Dutton sees the internet as a sewer and, in general, seems to see the world in terms of “us versus them”. Consultation with communities, civil society, and the like, often seem tokenistic.
    And as noted before, things like the Cyber Security Strategy lack measurable targets or even a timeline.
    There has been a Senate inquiry into nationhood, national identity, and democracy but it is yet to report. Whether it outlines a vision for Australia, or whether it’s merely a collection of gripes, remains to be seen.

  • Optus wants clarification of TSSR regime, citing its significant effect on the telco

    Optus is looking for a cleaner delineation on when it needs to send a notice under Australia’s Telecommunications Sector Security Reforms (TSSR) after noting it accounted for half the notices sent so far under the regime.
    Under the TSSR, carriers need to “do their best” to protect their networks from unauthorised access or interference for the purpose of security, with carriers to notify the government of any changes to their services, systems, or equipment that could have a “material adverse effect” on their ability to comply with this duty.
    In a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS), which is reviewing the TSSR, Optus noted that over the two-year period to June 30 the Critical Infrastructure Centre received 66 notifications in total, meaning Optus accounted for more than half of them.
    “Optus has reviewed the TSSR status of well over 150 projects and proposed changes over the last two years and submitted formal TSSR notifications for 36 of them,” it said.
    “The time for the resolution of these notifications has varied between 30 days to eight months.”
    The telco said this meant the regime was not operating as intended due to telcos each coming up with their own notification thresholds and interpretations. Consequently, the TSSR is simultaneously at risk of under-notification and over-notification.
    “This uncertainty means that it is highly unlikely that providers are implementing the rules in the same way within their organisations, creating an unequal playing field for providers,” it said.

    “Due to the confidential nature of the TSSR notifications, it is difficult for providers to engage in detailed industry discussions on this topic to ensure a consistent application of the rules.
    “If the TSSR notification provisions are retained, Optus recommends that a clearer notification threshold be developed and adopted to remove ambiguity, limit compliance risk, and create an easy ‘bright line’ to guide decision-making for providers.”
    Optus said the TSSR has created “substantial uncertainty and regulatory risk” for its investments over the past two years, as well as adding time, cost, and complexity. This is despite the telco shifting notification to different points in the lifecycle of projects, which merely exchanged one type of risk for another instead of resolving it.
    “It is unclear if security outcomes have been improved commensurately,” the telco said.
    The telco added that the government’s recent critical infrastructure Bill (new legislation that introduces a positive security obligation and cybersecurity requirements such as mandatory incident reporting and vulnerability testing for operators of critical infrastructure) could overlap with TSSR obligations, and it has asked for companies deemed to be critical telco infrastructure operators to be exempt from TSSR notifications.
    The main result of the TSSR thus far has been the banning of Huawei from 5G deployments in Australia. It was a decision that Optus said changed its market position, investment strategy, customer outcomes, and network design and capability.
    “Decisions made by government and the Critical Infrastructure Centre under the regime have had a significant effect on Optus,” it said.
    Also providing a submission to the PJCIS was the subject of the ban, Huawei, which repeated many of the arguments the vendor has previously made.
    “The politicisation of the TSSR legislation has isolated Australia from the world’s best technology and innovation, it will delay the rollout of future networks and curb competition forcing price hikes of 20-40% for operators and Australian consumers,” Huawei said.
    “This extra 5G deployment cost has already been confirmed by comments from executives at TPG, Vodafone and Optus.
    “One Australian carrier has advised Huawei it now costs 50% more to build out a mobile base station site, forcing them to scale back their 5G targets.”
    Much of the submission questioned why Huawei was banned due to being a Chinese vendor, while Ericsson and Nokia were left untouched despite having manufacturing capacity in the Middle Kingdom.
    “If the ‘risk’ is China, then how is it that Ericsson and Nokia can still manufacture, compile software, and work in partnership with the Chinese government for building 5G technology and then deliver those products into the Australian 5G networks with no independent testing?” it said.
    “In fact the TSSR legislation permits Telstra and Optus to install 5G equipment made in China by the Ericsson/Panda Electronics joint venture, while the US Department of Defense has listed Panda Electronics as a company that is either owned by or controlled by the People’s Liberation Army.”
    Huawei said the Australian government either did not know its competitors were manufacturing in China, or it did not believe they were subject to requests from Beijing, even though the communist government ran the factories.
    “Nokia co-owns its Chinese subsidiary, Nokia Shanghai Bell, together with a Chinese state-owned enterprise, China Huaxin, which holds just over 49% of the venture and has the right to nominate its CEO,” Huawei said.
    “From 2002 to 2017, the unit’s chairman also acted as the Secretary of the Chinese Communist Party committee within the company (every company of a certain size that does business in China is required to have a Party committee).”
    Huawei did not mention its own party committee secretary.
    The company also said the Australian ban on it has led to 900 direct job losses, over 1500 subcontractor job losses, and the forgoing of AU$100 million in research.
    Elsewhere on Wednesday, China continued its crackdown on Australian trade, this time extending bans to local timber and meat. Beijing previously clamped down on Australian wine by spiking tariffs and put import bans on lobsters.
    On Tuesday, The Washington Post reported Huawei was testing automated “Uyghur alarms” that send alerts to Chinese authorities when Uyghurs are detected via its camera systems.
    The Washington Post said a document it saw from Huawei’s website was removed by the company after comment was sought. Huawei reportedly said it was “simply a test” and not a product.
    Last week, The Wall Street Journal reported the US was discussing a deal with Huawei to allow its CFO Meng Wanzhou to leave Canada and return to China if she admitted to wrongdoing.
    The Canadian ambassador to China reportedly said on Tuesday that two Canadians imprisoned by Beijing soon after Meng was detained in Vancouver were showing resilience.
    Last week, Huawei continued winding down its sponsorship of Australasian sporting teams, parting ways with the Wellington Phoenix.

    Four sentenced to prison for planting malware on 20 million Gionee smartphones

    Four Chinese nationals were sentenced to prison last week for participating in a scheme that planted malware on devices sold by Chinese smartphone maker Gionee.
    The scheme involved Xu Li, the legal representative of Shenzhen Zhipu Technology, a Gionee subsidiary tasked with selling the company’s phones, and the trio of Zhu Ying, Jia Zhengqiang, and Pan Qi, respectively the deputy general manager and two software engineers at software firm Beijing Baice Technology.
    According to court documents published last week by Chinese authorities, the two companies entered into a hidden agreement in late 2018 to create a powerful software development kit (SDK) that would allow the two parties to take control of Gionee smartphones after they were sold to customers.
    The SDK was inserted on Gionee smartphones by Shenzhen Zhipu Technology in the form of an update to Story Lock Screen, a screen-locker app that came preinstalled with Gionee devices.
    But Chinese officials said the SDK acted like a trojan horse and converted infected devices into bots, allowing the two companies to control customers’ phones.
    The two companies used the SDK to deliver ads through a so-called “live pulling” function.
    The two companies made $4.26 million from ads
    Court documents say that between December 2018 and October 2019, more than 20 million Gionee devices across the world received more than 2.88 billion “pull functions” (ads), generating more than 27.85 million Chinese yuan ($4.26 million) in profit for the two companies.

    The entire scheme appears to have come crashing down after a suspected bug started blocking access to some Gionee phone screens. That prompted the parent company’s support staff to open an investigation, which in turn led to an official complaint to Chinese authorities.
    The four suspects were arrested in November 2019. According to reports from local media, the four didn’t dispute the investigators’ findings and pleaded guilty in exchange for reduced sentences.
    The quartet received prison sentences ranging from 3 to 3.5 years and fines of 200,000 Chinese yuan ($30,500) each.
    Shenzhen Zhipu Technology also received a separate fine of 400,000 Chinese yuan ($61,000).
    A Gionee spokesperson did not return emails or phone calls seeking comment on the countries where the malware-laced smartphones were sold.