More stories

    US charges Russian hackers behind NotPetya, KillDisk, OlympicDestroyer attacks

    The US Department of Justice has unsealed charges today against six Russian nationals believed to be members of one of Russia’s elite hacking and cyberwar units — known as Sandworm.
    In court documents today, US officials said all six suspects are officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency part of the Russian Army.
    As part of this unit, US officials said the six conducted “destructive” cyber-attacks on behalf and under orders of the Russian government with the intent to destabilize other countries, interfere in their internal politics, and cause havoc and monetary losses.
    Their attacks span the last decade and include some of the biggest cyber-attacks known to date: 
    Ukrainian Government & Critical Infrastructure: From December 2015 through December 2016, the group orchestrated destructive malware attacks against Ukraine’s electric power grid, the Ukraine Ministry of Finance, and the Ukraine State Treasury Service, using malware that altered industrial equipment (BlackEnergy in 2015 and Industroyer in 2016) or wiped hard drives (KillDisk).
    French Elections: In April and May 2017, Sandworm orchestrated spearphishing campaigns and related hack-and-leak efforts targeting French President Macron’s “La République En Marche!” (“En Marche!”) political party, French politicians, and local French governments prior to the 2017 French elections.
    The NotPetya Ransomware Outbreak: On June 27, 2017, Sandworm released the NotPetya ransomware. Initially aimed at Ukrainian companies, the ransomware quickly spread and impacted companies all over the world, causing damages of more than $1 billion to its victims.
    PyeongChang Winter Olympics Hosts, Participants, Partners, and Attendees: Between December 2017 through February 2018, Sandworm launched spearphishing campaigns and malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners, and visitors, and International Olympic Committee (“IOC”) officials. The attacks took place after Russian athletes were banned from the sporting event due to a state-sponsored doping scheme.
    PyeongChang Winter Olympics IT Systems (Olympic Destroyer): From December 2017 through February 2018, Sandworm orchestrated intrusions into computers supporting the 2018 PyeongChang Winter Olympic Games, which culminated on February 9, 2018, with the release of Olympic Destroyer, a destructive malware strain that attempted to wipe crucial servers during the opening ceremony.
    Novichok Poisoning Investigations: In April 2018, the Sandworm group orchestrated spearphishing campaigns targeting investigations by the Organisation for the Prohibition of Chemical Weapons (“OPCW”) and the United Kingdom’s Defence Science and Technology Laboratory (“DSTL”) into the nerve agent poisoning of Sergei Skripal, his daughter, and several UK citizens.
    Georgian Companies and Government Entities: In 2018, Sandworm carried out spearphishing campaigns targeting a major media company in the country of Georgia. These attacks were followed in 2019 by efforts to compromise the network of Georgian Parliament, and a mass website defacement campaign in 2019.
    But these are only the attacks documented in the DOJ indictment [PDF] unsealed today. They represent only a fraction of the group’s vast cyber-operations, which go back as far as 2010.
    To read more on the group’s history, reports from the cyber-security industry are also available here, with the group also being referenced as Telebots, BlackEnergy, Voodoo Bear, and under other codenames.
    But above all, the group is universally known as Sandworm. However, the six nationals indicted today are only the Sandworm members who could individually be linked to past Sandworm attacks. The group is believed to be made up of many other GRU officers.
    The six GRU officers charged today, and their respective crimes, are listed below:

    Defendant | Summary of Overt Acts

    Yuriy Sergeyevich Andrienko
      • Developed components of the NotPetya and Olympic Destroyer malware.

    Sergey Vladimirovich Detistov
      • Developed components of the NotPetya malware; and
      • Prepared spearphishing campaigns targeting the 2018 PyeongChang Winter Olympic Games.

    Pavel Valeryevich Frolov
      • Developed components of the KillDisk and NotPetya malware.

    Anatoliy Sergeyevich Kovalev
      • Developed spearphishing techniques and messages used to target:
        – En Marche! officials;
        – employees of the DSTL;
        – members of the IOC and Olympic athletes; and
        – employees of a Georgian media entity.

    Artem Valeryevich Ochichenko
      • Participated in spearphishing campaigns targeting 2018 PyeongChang Winter Olympic Games partners; and
      • Conducted technical reconnaissance of the Parliament of Georgia official domain and attempted to gain unauthorized access to its network.

    Petr Nikolayevich Pliskin
      • Developed components of the NotPetya and Olympic Destroyer malware.

    The six suspects are still at large in Russia. If they are apprehended and tried in the US, each would face a sentence of tens of years in prison.
    Irresponsible use of destructive malware
    But today’s case is also an oddity in the cyber-security industry. International norms exempt cyber-espionage operations from international prosecution, as cyber-espionage is considered an arm of normal intelligence gathering operations.
    But speaking at a press conference today, US officials said Sandworm’s cyber-attacks often relied on the indiscriminate use of malware with destructive capabilities that caused not only financial losses to thousands of companies but also put human life at risk, showing a disregard for regular cyber-norms.
    “As this case shows, no country has weaponized its cyber capabilities as maliciously and irresponsibly as Russia, wantonly causing unprecedented collateral damage to pursue small tactical advantages and to satisfy fits of spite,” said Assistant Attorney General for National Security John C. Demers, referring to attacks like BlackEnergy, NotPetya, and OlympicDestroyer, all of which were not aimed at intelligence gathering but were clear destructive attacks intent on sabotage.
    US Attorney Scott W. Brady, one of the US prosecutors, said the US has been working on a case against Sandworm operators for more than two years, as part of the aftermath of the NotPetya ransomware outbreak.
    “The crimes committed by Russian government officials were against real victims who suffered real harm,” Brady said in a prepared statement. “We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victims.”
    Shortly after the indictments were announced, the UK government also formally accused Russia’s Sandworm group of attempts to disrupt this year’s Tokyo Olympics before the event was moved to next year due to COVID-19. The UK also showed support for the US legal case.

    New Gitjacker tool lets you find .git folders exposed online

    A new tool called Gitjacker can help developers discover when they’ve accidentally uploaded /.git folders online and have left sensitive information exposed to attackers.

    Gitjacker was created by British software engineer Liam Galvin, is written in Go, and was released as a free download last month on GitHub.
    In its simplest form, the tool lets users scan a domain and identify the location of a /.git folder on their production systems.
    /.git folders should never be uploaded online.
    “A .git directory stores all of your [Git] repository data, such as configuration, commit history, and actual content of each file in the repository,” Galvin said in a blog post last month when he launched Gitjacker.
    “If you can retrieve the full contents of a .git directory for a given website, you will be able to access raw source code for that site, and often juicy configuration data like database passwords, password salts, and more,” he added.
    All developers know this; however, accidents happen.
    For example, developers working on a website or a web app can accidentally copy their entire Git repository online, including the /.git folder, and forget to remove it. Furthermore, /.git folders can also be included in automated build chains and added to Docker containers that are later installed as web servers.
    Gitjacker not only finds /.git folders but can also fetch their content
    Attackers can scan the internet for these types of folders, identify accidentally exposed systems, download their content, and gain access to sensitive configuration data or even to an app’s source code.
    “Webservers with directory listings enabled make this kind of attack especially easy, as it’s simply a matter of recursively downloading every file in the .git directory and running the following to pull files from the stored object files: git checkout -- .,” Galvin said.
    “The attack is still possible when directory listings are disabled, but it’s often difficult to retrieve a complete repository in such cases,” Galvin added.
    However, this is where Gitjacker comes in. Galvin said he developed Gitjacker to handle the download and extraction of a git repository for users, even in cases where web directory listings are disabled.
    Galvin said he developed the tool to be used in penetration tests, but due to its capabilities, Gitjacker will most likely be abused by threat actors as well (as threat actors have a long history of abusing open source tools for their operations).
    And why not? Gitjacker’s capabilities allow attackers to retrieve sensitive configuration files with a few keyboard strokes.
    In addition, there’s an incentive for attackers to look for /.git folders. Even after years of warnings [1, 2, 3, 4], /.git exposure is still in high numbers, meaning attackers will have an easy time finding domains with /.git folders left exposed online.
    For example, in 2018, a Czech developer scanned more than 230 million sites and found that 390,000 were exposing /.git folders, but only 150,000 of these were fixed.
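The exposure Galvin describes can be checked and blocked from the developer's side. The block below is an added example, not Gitjacker's code or anything from the article: it classifies what a request for /.git/HEAD on a host you operate returns (distinguishing a real ref file from a soft-404 HTML page), and it shows a request-path filter for a reverse proxy or middleware that denies .git paths including URL-encoded, double-encoded, backslash and dot-segment variants. The hostnames, sample responses and the fetch-based probe are constructed for illustration.

```javascript
// Added example (not Gitjacker's code): audit hosts you operate for an exposed
// .git directory, and deny such request paths at the edge. Sample data is constructed.

// A genuine .git/HEAD is a one-line text file: a symbolic ref or a bare commit id.
const HEAD_RE = /^(ref: refs\/\S+|[0-9a-f]{40}|[0-9a-f]{64})$/;

// Classify the response to GET /.git/HEAD. Servers that answer every unknown
// path with a 200 HTML page (soft 404) must not be reported as exposed.
function classifyGitHead(status, body) {
  if (status !== 200) return 'not-exposed';
  const text = String(body).trim();
  if (HEAD_RE.test(text)) return 'exposed';
  if (/<html|<!doctype/i.test(text)) return 'soft-404';
  return 'unknown';
}

// Request-path filter for a reverse proxy or middleware. Decodes twice (catches
// double-encoded dots), strips the query string, normalises "." and ".." segments
// and backslashes, then denies any path with a ".git" segment. Malformed
// percent-encoding is denied outright rather than guessed at.
function isGitPath(rawPath) {
  let path = String(rawPath).split('?')[0];
  for (let i = 0; i < 2; i++) {
    try { path = decodeURIComponent(path); } catch (_) { return true; }
  }
  const segments = [];
  for (const seg of path.replace(/\\/g, '/').split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { segments.pop(); continue; }
    segments.push(seg.toLowerCase());
  }
  return segments.includes('.git');
}

// Probe one host you operate (uses the global fetch of Node 18+; not exercised by
// the offline samples below). Redirects are not followed: a 30x is "not-exposed".
async function probeGitExposure(baseUrl) {
  const res = await fetch(new URL('/.git/HEAD', baseUrl), { redirect: 'manual' });
  return classifyGitHead(res.status, await res.text());
}

// Constructed responses, as three different hosts might answer the probe.
const SAMPLE_RESPONSES = [
  { host: 'app.example.test', status: 200, body: 'ref: refs/heads/main\n' },
  { host: 'www.example.test', status: 200, body: '<!DOCTYPE html><html><title>Not found</title></html>' },
  { host: 'api.example.test', status: 403, body: 'Forbidden' },
];

function classifySamples(responses = SAMPLE_RESPONSES) {
  return responses.map(r => ({ host: r.host, result: classifyGitHead(r.status, r.body) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(classifySamples());
  console.log(['/.git/HEAD', '/%2Egit/config', '/static/../.git/config', '/blog/git-tips'].map(isGitPath));
}
```

The classifier treats a 200 that serves an HTML page as a soft 404 rather than as exposure, which is the main false positive when checking many hosts. The path filter is the compensating control when a deploy has already copied the directory: deny .git paths before the static file handler sees them, and separately keep build pipelines from shipping repository metadata in the artifact at all.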

    This new malware uses remote overlay attacks to hijack your bank account

    Researchers have uncovered a new form of malware using remote overlay attacks to strike Brazilian bank account holders.

    The new malware variant, dubbed Vizom by IBM, is being utilized in an active campaign across Brazil designed to compromise bank accounts via online financial services. 
    On Tuesday, IBM security researchers Chen Nahman, Ofir Ozer, and Limor Kessem said the malware uses interesting tactics to stay hidden and to compromise user devices in real-time — namely, remote overlay techniques and DLL hijacking. 
    Vizom spreads through spam-based phishing campaigns and disguises itself as popular videoconferencing software, tools that have become crucial to businesses and social events due to the coronavirus pandemic. 
    Once the malware has landed on a vulnerable Windows PC, Vizom will first strike the AppData directory to begin the infection chain. By harnessing DLL hijacking, the malware will attempt to force the loading of malicious DLLs by naming its own Delphi-based variants with names expected by the legitimate software in their directories. 
    By hijacking a system’s “inherent logic,” IBM says the operating system is tricked into loading Vizom malware as a child process of a legitimate videoconferencing file. The DLL is named Cmmlib.dll, a file associated with Zoom. 
    “To make sure that the malicious code is executed from “Cmmlib.dll,” the malware’s author copied the real export list of that legitimate DLL but made sure to modify it and have all the functions direct to the same address — the malicious code’s address space,” the researchers say. 
    A dropper will then launch zTscoder.exe via command prompt and a second payload, a Remote Access Trojan (RAT), is extracted from a remote server — with the same hijacking trick performed on the Vivaldi Internet browser. 
    To establish persistence, browser shortcuts are tampered with and no matter what browser a user attempts to run, the malicious Vivaldi/Vizom code will run in the background. 
    The malware will then quietly wait for any indication that an online banking service is being accessed. If a webpage’s title name matches Vizom’s target list, operators are alerted and can connect remotely to the compromised PC. 
    As Vizom has already deployed RAT capabilities, attackers can take over a compromised session and overlay content to trick victims into submitting access and account credentials for their bank accounts. 
    Remote control capabilities also abuse Windows API functions, such as moving a mouse cursor, initiating keyboard input, and emulating clicks. Vizom can also grab screenshots through Windows print and magnifier functions. 
    In order to create convincing overlays, the malware generates HTML files and then loads them in Vivaldi in application mode. A keylogger is then launched, with input encrypted, packaged, and whisked away to the attacker’s command-and-control (C2) server. 
    “The remote overlay malware class has gained tremendous momentum in the Latin American cybercrime arena through the past decade making it the top offender in the region,” IBM says. “At this time, Vizom focuses on large Brazilian banks, however, the same tactics are known to be used against users across South America and has already been observed targeting banks in Europe as well.”
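IBM's description above (a look-alike DLL dropped under AppData, with a cloned export list whose functions all point at one address) translates into two detection heuristics. The block below is an added example, not IBM's code or anything derived from the malware: it evaluates the heuristics over a constructed module inventory and constructed export tables rather than parsing real PE files, and the paths, signer flags and addresses are made up for illustration.

```javascript
// Added example (not IBM's code): two heuristics for the look-alike-DLL pattern
// described in the article, evaluated over constructed inventory data rather
// than real PE files. Paths, signer flags and addresses are made up.

// Export tables as name -> resolved address. The first has distinct function
// bodies; the second has every export funnelled to one address.
const SAMPLE_EXPORTS = {
  distinct: { Init: 0x1000, Connect: 0x1240, Send: 0x1a80, Close: 0x2100 },
  funnelled: { Init: 0x4000, Connect: 0x4000, Send: 0x4000, Close: 0x4000 },
};

// Heuristic 1: more than one export, all resolving to the same address. A
// cloned export list whose names exist only to satisfy the loader looks like this.
function exportsFunnelToOneAddress(exportTable) {
  const names = Object.keys(exportTable);
  const addresses = new Set(Object.values(exportTable));
  return names.length > 1 && addresses.size === 1;
}

// Heuristic 2: loaded from a user-writable location and/or unsigned.
const USER_WRITABLE = [/\\appdata\\/i, /\\temp\\/i, /\\downloads\\/i, /\\users\\public\\/i];

function flagLoadedModule(mod) {
  // mod: { name, path, signed, exports } as a process-module inventory might report.
  const reasons = [];
  if (USER_WRITABLE.some(re => re.test(mod.path))) reasons.push('user-writable-location');
  if (!mod.signed) reasons.push('unsigned');
  if (mod.exports && exportsFunnelToOneAddress(mod.exports)) reasons.push('exports-funnel-to-one-address');

  // Location alone is weak evidence (per-user installs live under AppData too);
  // the funnelled export table is the strong signal.
  let severity = 'info';
  if (reasons.includes('exports-funnel-to-one-address')) severity = 'high';
  else if (reasons.includes('unsigned') && reasons.includes('user-writable-location')) severity = 'medium';
  return { name: mod.name, path: mod.path, severity, reasons };
}

// Heuristic 3: the same DLL file name present twice in one process inventory.
function duplicateModuleNames(modules) {
  const seen = new Map();
  for (const m of modules) {
    const key = m.name.toLowerCase();
    seen.set(key, (seen.get(key) || 0) + 1);
  }
  return [...seen.entries()].filter(([, n]) => n > 1).map(([name]) => name);
}

// Constructed inventory: a signed module with distinct exports and an unsigned
// look-alike with the same file name, both under a per-user install directory.
const SAMPLE_MODULES = [
  { name: 'Cmmlib.dll', path: 'C:\\Users\\alice\\AppData\\Roaming\\VideoApp\\bin\\Cmmlib.dll', signed: true, exports: SAMPLE_EXPORTS.distinct },
  { name: 'Cmmlib.dll', path: 'C:\\Users\\alice\\AppData\\Roaming\\VideoApp\\Cmmlib.dll', signed: false, exports: SAMPLE_EXPORTS.funnelled },
];

function auditModules(modules = SAMPLE_MODULES) {
  return modules.map(flagLoadedModule);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditModules());
  console.log('duplicate names:', duplicateModuleNames(SAMPLE_MODULES));
}
```

Both sample modules are flagged for location, because legitimate per-user installs sit under AppData as well; only the unsigned module whose exports collapse to a single address reaches high severity. In practice the export-table check would be fed by a PE parser or an EDR's module telemetry, and the signer flag by Authenticode verification.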

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    Albion Online game maker discloses data breach

    A hacker has breached the forum of Albion Online, a popular free medieval fantasy MMORPG, and stolen usernames and password hashes, the game maker disclosed on Saturday.

    “The intruder was able to access forum user profiles, which include the email addresses connected to those forum accounts,” said Sandbox Interactive GmbH, the company behind Albion Online.
    The attacker also harvested encrypted passwords. Sandbox Interactive said the passwords were hashed with the Bcrypt password-hashing function and then salted with random data to make it harder for attackers to reverse and crack the password.
    “These can NOT be used to log in to Albion Online, the website or the forum, nor can they be used to learn the passwords themselves,” the German game maker said.
    “However, there is a small possibility they could be used to identify accounts with particularly weak passwords.”
    Users who reused emails and passwords for both their game and forum account are at particular risk.
    As a result of the unauthorized intrusion, the game maker asked forum users to reset passwords via a forum post on Saturday, and emails delivered to all impacted users.
    The company did not disclose the size of the breach.
    Sandbox Interactive said the intrusion took place on Friday, October 16, and the attacker utilized a vulnerability in its forum platform, known as WoltLab Suite.
    The vulnerability is now patched, the game maker said.

    Our forum has gone down for an emergency maintenance that will last several hours. The game and website will remain online and will not be affected by this maintenance.
    — Albion Online (@albiononline) October 16, 2020

    Sandbox Interactive said it’s compiling a report on the attack to provide to authorities.
    “So far we have prioritized fixing vulnerabilities and informing players about this incident,” it said.
    Albion Online was launched in July 2017 and is available as a free-to-play game for Windows, macOS, Linux, iOS, and Android.
    The game is believed to have more than 2.5 million players, while the Albion Online forum lists 293,602 registered members at the time of publishing.
    On Saturday, a hacker claimed to be in possession of the site’s database, which they began advertising for sale on a well-known hacker forum. The post has now been deleted.

    Threat actor claims he hacked Albion Online, a large MMORPG with over 180,000 daily players. The actor is claiming he has access to the main game’s database, the payment database, and other databases containing sensitive information.
    — Alon Gal (Under the Breach) (@UnderTheBreach) October 17, 2020

    Discord desktop app vulnerability chain triggered remote code execution attacks

    Discord has patched a critical issue in the desktop version of the messaging app which left users vulnerable to remote code execution (RCE) attacks.

    Bug bounty hunter Masato Kinugawa developed an exploit chain leading to RCE several months ago and published a blog post over the weekend describing the technical details of the method, which combines multiple bugs.
    The first security issue was found in Electron, the software framework used by the Discord desktop app. While the desktop app is not open source, the JavaScript code utilized by Electron — an open source project for creating cross-platform apps able to harness JavaScript, HTML, and CSS — was saved locally and could be extracted and examined. 
    One of the settings in Discord’s Electron build, “contextIsolation,” was set to false, which could allow JavaScript code from web content to influence the app’s own internal code, including code that uses Node.js functions. The setting exists to give web-page JavaScript and the app’s own JavaScript separate contexts.
    “This behavior is dangerous because Electron allows the JavaScript code outside web pages to use the Node.js features regardless [of] the nodeIntegration option and by interfering with them from the function overridden in the web page, it could be possible to achieve RCE even if the nodeIntegration is set to false,” Kinugawa explained. 
    Now, the researcher needed a way to execute JavaScript on the application, leading to the discovery of a cross-site scripting (XSS) issue in the iframe embed feature, used to display video in chat when a URL is posted, such as one from YouTube. 
    This led Kinugawa to Sketchfab, a 3D content viewer. Sketchfab is whitelisted in Discord’s content security policy and can be embedded in the iframe — but a DOM-based XSS discovered in the embeds page could be abused. 
    However, this only allowed the bug bounty hunter to execute JavaScript in the iframe, and so it still wasn’t possible to achieve full RCE on the Discord desktop app. At least, not until Kinugawa came across a navigation restriction bypass in Electron’s “will-navigate” event code. 
    Tracked as CVE-2020-15174, this processing error, combined with the other two vulnerabilities, allowed Kinugawa to perform an RCE attack by circumventing navigation restrictions and using the iframe XSS bug to access a web page containing the RCE payload.
    Kinugawa reported his findings via Discord’s Bug Bounty program. After the Discord team triaged the bugs and confirmed their validity, the developers disabled the Sketchfab embeds and added a sandbox attribute to the iframe.
    “After a while, the contextIsolation was enabled,” the bug bounty hunter added. “Now even if I could execute arbitrary JavaScript on the app, RCE does not occur via the overridden JavaScript built-in methods.”
    Kinugawa was awarded $5,000 for his report by Discord, alongside $300 by the Sketchfab team for the disclosure of the XSS flaw, now patched. Electron’s “will-navigate” issue has also been resolved.  
    ZDNet has reached out to Discord and will update when we hear back.


    The encryption war is on again, and this time government has a new strategy

    We could soon be in for a new round of the encryption wars, but this time governments are taking a different approach.
    Seven governments from across the world have started a new campaign to try and persuade big tech companies to reduce the level of security they offer to customers using their services.

    The seven — US, UK, Canada, Australia, New Zealand, India and Japan — are worried that the use of end-to-end encryption makes it impossible for tech companies to identify dangerous content like terrorist propaganda and attack planning, and makes it harder for police to investigate serious crimes and protect national security.
    Their statement starts boldly: “We, the undersigned, support strong encryption”, saying that it plays a crucial role in protecting personal data, privacy, intellectual property, trade secrets and cybersecurity, and in repressive states protects journalists, human rights defenders and other vulnerable people.
    Then, of course, comes the big caveat: “We urge industry to address our serious concerns where encryption is applied in a way that wholly precludes any legal access to content.” The sort of end-to-end encryption that means messages can’t be intercepted, or that a hard drive can never be read without the key, “pose significant challenges to public safety”, the seven governments warn.
    This of course is where things get trickier. These governments want tech companies to make it possible to act against illegal content and activity, but with no reduction to safety — something that tech companies insist is impossible.
    “We challenge the assertion that public safety cannot be protected without compromising privacy or cybersecurity. We strongly believe that approaches protecting each of these important values are possible and strive to work with industry to collaborate on mutually agreeable solutions,” the statement concludes.
    Tech companies argue that end-to-end encryption protects users’ privacy rights, and that weakening it by creating a so-called ‘backdoor’ that would allow the authorities to look at messages would put all sorts of private communications at risk from hackers and force the companies to decide whether to hand over messages to oppressive regimes. End-to-end encryption makes the tech companies’ lives easier, and also allows them to claim the moral high ground when it comes to privacy.
    So is there anything new in this? Governments have been half-heartedly trying to refight the cryptowars for years now, with little success — largely because they know that coming up with a fix for this is hard.
    They know it’s all but impossible to ban the use of end-to-end encryption. Sure, you could pass laws to ban it, and maybe block encrypted apps from local app stores if they used it, or make it illegal to possess them. But that’s insanely hard to justify and even harder to enforce — even for states like Russia, which have tried to ban encrypted services.
    And even if you did go for a ban, organised crime would simply get hold of encryption on the black market or from abroad, and would be just as well-protected as ever. But the average person on the street would be unable to access strong encryption, and would be more at risk of hacking as a result.
    A policy that makes the average person less secure, while doing little to tackle the real problem, seems unlikely to gain much support. Imagine being the politician who has to explain to the country that their data has just been scooped up by a foreign power as a result.
    The UK’s GCHQ has come up with an idea called ‘ghost protocol’, which would add the government as a secret eavesdropper into every call. But although GCHQ’s scheme has technical merit, if tech companies said ‘yes’ to one agency they would struggle to exclude others — that chat with your mates about what to watch on Netflix could quickly become crowded with spies from around the world.
    That’s because governments will inevitably over-reach and use such powers to increase their general surveillance. It’s worth remembering that many of these tech companies introduced end-to-end encryption precisely because governments were cheerfully snooping on everyone’s conversations in the first place. Many would say it’s brazen of governments to now ask us to trust them again.
    A new approach
    So what’s going on here? Adding two new countries — Japan and India — the statement suggests that more governments are getting worried, but the tone is slightly different now. Perhaps governments are trying a less direct approach this time, and hoping to put pressure on tech companies in a different way.
    “I find it interesting that the rhetoric has softened slightly,” says Professor Alan Woodward of the University of Surrey. “They are no longer saying ‘do something or else’.”
    What this note tries to do is put the ball firmly back in the tech companies’ court, Woodward says, by implying that big tech is putting people at risk by not acceding to their demands — a potentially effective tactic in building a public consensus against the tech companies.
    “It seems extraordinary that we’re having this discussion yet again, but I think that the politicians feel they are gathering a head of steam with which to put pressure on the big tech companies,” he says.
    Even if police and intelligence agencies can’t always get encrypted messages from tech companies, they certainly aren’t without other powers. The UK recently passed legislation giving law enforcement wide-ranging powers to hack into computer systems in search of data.
    So will governments find more success with their new softer approach? In the short term, probably not. End-to-end encryption creates real and tragic problems for police and the victims of crime, yet governments have not made a decent case for making us all less secure in response to those problems. Still, governments are increasingly conscious of the impact of big tech companies, and are increasingly willing to take them on. It may only take a few high-profile situations where strong encryption prevents a terrible crime from being stopped or investigated, for governments to think that public opinion can be shifted in their direction.
    ZDNET’S MONDAY MORNING OPENER
    The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.

    Microsoft adds option to disable JScript in Internet Explorer

    As part of the October 2020 Patch Tuesday security updates, Microsoft has added a new option to Windows to let system administrators disable the JScript component inside Internet Explorer.
    The JScript scripting engine is an old component that was initially included with Internet Explorer 3.0 in 1996 and was Microsoft’s own dialect of the ECMAScript standard (the JavaScript language).
    Development on the JScript engine ended, and the component was deprecated with the release of Internet Explorer 8.0 in 2009, but the engine remained in all Windows OS versions as a legacy component inside IE.
    Over the years, threat actors realized they could attack the JScript engine, as Microsoft wasn’t actively developing it and only rarely shipped security updates for it, usually only after it had been exploited.
    CVE-2018-8653, CVE-2019-1367, CVE-2019-1429, and CVE-2020-0674 are some of the recent JScript zero-days that Microsoft had to deal with over the past three years.
    All were bugs exploited by nation-state actors, for which Microsoft had to hurry to ship patches [1, 2]. Once patched, proof-of-concept code was also published on GitHub, and these vulnerabilities also quickly entered the arsenal of exploit kit developers [1, 2].
    Now, 11 years after deprecating the component, Microsoft is finally giving system administrators a way to disable JScript execution by default.
    According to Microsoft, the October 2020 Patch Tuesday introduces new registry keys that system administrators can apply to block the jscript.dll file from executing code.
    Details on how this can be done are available below, as taken from Microsoft’s documentation.
    Click Start, click Run, type regedt32 or regedit, and then click Ok.
    To disable JScript execution in Internet Zone, locate the following registry subkey in Registry Editor: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\140D
    To disable JScript execution in Restricted Sites Zone, locate the following registry subkey in Registry Editor: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\140D
    Right-click the appropriate registry subkey, and then click Modify.
    In the Edit DWORD (32-bit) Value dialog box, type 3.
    Click OK, and then restart Internet Explorer.

    Cyber must be part of all-hazards national resilience: Home Affairs chief

    Cyber resilience needs to be part of a coherent “all vectors and all sectors” approach to national security, according to Mike Pezzullo, Secretary of Australia’s Department of Home Affairs.
    National security itself also needs to be discussed more broadly, he said. Not everything should become a national security problem, but he does believe in a whole-of-society approach to fostering resilience.
    “I am in favour … of emphasising concepts such as ‘self-reliance’ and ‘sovereign capability’ in national policy discourse, which would require the closer integration of security, economic, and social policy,” Pezzullo told the National Security College in Canberra last week.
    “We should logically separate the ‘vector’ — whether it be an invading army, an enemy fleet, terrorists, saboteurs, cyber hackers, violent criminals, extreme weather events, or a global pandemic, and so on — from the ‘sectors’ of society and the economy which are likely to be impacted, and which will need to be defended, mobilised, and/or remediated,” he said.
    “Relatedly, the logic and language of war in security thinking should be reduced to its proper and legitimate place, which is to say the field of armed conflict — where it has enough to do.”
    Pezzullo’s speech cited five centuries of political philosophy, among other things, to outline a conceptual framework for national security.
    “Security is a means to an end. Its effects enable the pursuit of happiness and prosperity, which are the greater ends,” he said.
    “If one were to construct a national risk register, it would be immediately apparent that some are not ‘national security’ issues at all.”
    The speech also extended on Pezzullo’s speech from March 2019, “Seven Gathering Storms — National Security in the 2020s”, by listing an even greater range of potential risks that might arise in the coming century through to 2120.
    Too long to include here, the list included: A Great Power war that might even go nuclear; weapons of mass destruction used outside a nation-state conflict; terrorism and politically-motivated violence; massive economic damage by transnational criminal networks; supply chain risks; a global pandemic; “the adverse consequences of advanced technology, especially artificial intelligence and synthetic biology”; natural disasters; and much more.
    “This is an apocalyptic list to be sure,” he said.
    “Indeed, in relation to ways in which humanity might become extinct you will find arguable cases for the following scenarios, amongst others: A deliberately released, humanity-killing synthetic virus; super volcanic eruptions which block the Sun; the Terminator AI threat; a nuclear apocalypse; and, yes, the killer asteroid.”
    To face these risks, Pezzullo put forward the concept of an “extended state”, which he described as a “networked and dynamic conception of security which comprehends sectors across society and the economy”.
    This extended state would include the “entire apparatus” of the Australian government, not just the core agencies. It would convene and coordinate activities with the state, territory, and local governments, and beyond.
    That includes “the business sector, including finance and banking; food and groceries; health and medical services; transport, freight and logistics; water supply and sanitation; utilities, energy, fuel, telecommunications; the scientific and industrial research establishment; as well as not-for-profit and community organisations, including charities; and households as might be required”.
    It is the extended state that needs to respond to these vectors of risk, according to Pezzullo.
    Such systems were built for counterterrorism (CT), for example, especially after the 9/11 terrorist attacks in 2001.
    “The states and territories and others all had to mobilise around the prospect of mass-casualty attacks. We built a lot of depth and ballast in our CT arrangements, and they’ve been honed over about 20 years,” Pezzullo said.
    “They are fit for purpose for that vector and sector problem. They are not necessarily easily replicated [for other matters].”
    A more recent example is Australia’s response to the COVID-19 pandemic, where coordination between governments was handled differently, through the rapidly established National Cabinet.
    “Let’s not reinvent the wheel in relation, for instance, to cyber resilience,” Pezzullo said.
    “States and territories and indeed municipal governments… hold a lot of data. They manage a lot of sensitive networks, either directly or by way of infrastructure that they license through state utility arrangements and the like,” he said.
    “Don’t just have a [single] sector response to a vector problem.”
    Home Affairs isn’t ‘tyrannical’ or ‘despotic’
    Pezzullo responded to an audience question about authoritarianism and state secrecy by referring to the recent Parliamentary Joint Committee on Intelligence and Security (PJCIS) inquiry into the impact of the exercise of law enforcement and intelligence powers on the freedom of the press.
    “Let’s have a sensible discussion,” he said.
    “Let’s just be open and upfront that the notion that somehow the colleagues that I’ve just identified [in law enforcement and intelligence], myself included, are tyrannical, despotic, you know, plotting behind closed doors to oppress the Australian population were it only for, you know, the altruistic fourth estate [the media], is frankly just an exaggeration, a caricature, and a trope.”
    Agencies are under “Royal Commission-level coercive oversight every day” and that’s “liberating”, according to Pezzullo.
    “You know what the rules are. A royal commissioner could roll into my organisation, into anything we’re doing, at any time, and out whatever they want,” he said.
    “And that’s frankly liberating because you go, ‘Yep’, you’ve got that self-restraining, self-censoring idea of you’ve got to do the right thing anyway and, if you don’t, you’re going to get caught anyway.”
    Pezzullo was speaking off the cuff, so, to be fair, one shouldn’t parse these comments too finely.
    Nevertheless, your correspondent still wonders whether “Don’t do bad things because you might get caught” is the best way to portray an organisational culture.
    It’s also unclear how this squares with the evidence given to Senate Estimates on Monday, where he was asked about the alleged cash-for-visa scheme that is currently being investigated by the NSW Independent Commission Against Corruption (ICAC).
    When asked how the matter being investigated by ICAC sat when compared to the incidents seen within Home Affairs, Pezzullo said that “we see lots of things in the department”.
    “In fact, we see highly organised criminality. We see the loosely organised or casual opportunistic criminality. We see inadvertent either criminality or civilly sanctionable activity,” he said.
    “It’s a constant enforcement and compliance activity.”
    Yet compliance hasn’t always been Home Affairs’ top strength.
    An example of this was seen in February this year, when Home Affairs was savaged by PJCIS for its poor oversight of data retention laws. Also in the Home Affairs portfolio, Australian Federal Police officers were found in 2017 to have not fully appreciated their responsibilities in relation to those laws.