More stories

  • Google open-sources Atheris, a tool for finding security bugs in Python code

    Google’s security experts have open-sourced another automated fuzzing utility in the hopes that developers will use it to find security bugs and patch vulnerabilities before they are exploited.


    Named Atheris, the project is a classic fuzzer.
    A fuzzer (or fuzzing tool) and the technique of fuzzing work by feeding a software application with large quantities of random data and analyzing its output for abnormalities and crashes, which give developers a hint about the presence and location of possible bugs in an app’s code.
    Across the years, Google’s security researchers have been some of the biggest promoters of using fuzzing tools to discover not only mundane bugs but also dangerous vulnerabilities that could be exploited by attackers.
    Since 2013, Google security researchers have created and later open-sourced several fuzzing tools, including the likes of OSS-Fuzz, Syzkaller, ClusterFuzz, Fuzzilli, and BrokenType.
    But all of these tools have been created for discovering bugs in C or C++ applications.
    A fuzzer for the growing Python codebase
    Atheris is Google’s answer to the rising popularity of the Python programming language, currently ranked 3rd in last month’s TIOBE index.

    Developed internally at Google in a hackathon last October, Atheris supports fuzzing Python code written in Python 2.7 and Python 3.3+, but also native extensions created with CPython.
    However, Google says that Atheris works best with code in Python 3.8 and later, where new features added to the Python programming language can help Atheris find even more bugs than in code written for older Python versions.
    Google has open-sourced the Atheris code on GitHub, and the fuzzer is also available on PyPI, the Python package repository.
    Going forward, Google says it also plans to add support for Atheris fuzz tests on OSS-Fuzz, a hosted platform that lets developers fuzz open-source projects for security flaws. Previously, this platform supported only C and C++ fuzzing, and was extremely successful, being used to find thousands of bugs across the years. As of June 2020, OSS-Fuzz has found over 20,000 bugs in 300 open source projects.

  • EU agency in charge of COVID-19 vaccine approval says it was hacked

    The European Medicines Agency (EMA), the EU regulatory body in charge of approving COVID-19 vaccines, said today it was the victim of a cyber-attack.

    In a short two-paragraph statement posted on its website today, the agency disclosed the security breach but said it couldn’t disclose any details about the intrusion due to an ongoing investigation.
    EMA is currently in the process of reviewing applications for two COVID-19 vaccines, one from US pharma giant Moderna, and a second developed in a collaboration between BioNTech and Pfizer.
    An EMA spokesperson did not return a request for comment seeking information if the attack targeted its vaccine approval process or if it was a financially-motivated attack like ransomware.
    Nonetheless, in a follow-up statement released on its own website, BioNTech said that “some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed” during the attack, confirming that COVID-19 research was most likely the target of the attack.
    Over the past months, numerous companies working on COVID-19 research and vaccines have been the targets of hackers, and especially of state-sponsored hacking groups.
    Companies like Johnson & Johnson, Novavax, Genexine, Shin Poong Pharmaceutical, Celltrion, AstraZeneca, Moderna, and Gilead have been targeted by hackers, according to reports from Reuters and the Wall Street Journal.

    In November, OS maker and cyber-security giant Microsoft said it detected three nation-state hacking groups (known as APTs) targeting seven companies working on COVID-19 vaccines, singling out Russia’s Strontium (Fancy Bear) and North Korea’s Zinc (Lazarus Group) and Cerium for the attacks.
    Speaking at the Aspen Cyber Summit last week, Marene Allison, the Chief Information Security Officer at Johnson & Johnson, said companies like her employer are seeing cyber-attacks from nation-state threat actors “every single minute of every single day.”
    IBM also reported last week that hackers were looking to compromise companies working in the “cold chain” of COVID-19 vaccines.
    EMA said it would provide further information on the hack once it learns more.

  • What's the key to tackling cyber attacks? Building a diverse team to think smarter

    Cybersecurity teams must have a diverse mindset to provide the best means of protecting businesses, governments and others from cyber attacks – and collaboration is the key to ensuring different perspectives can come together in the fight against cyber crime.
    It’s this sort of collaborative attitude which is needed to help combat challenges and reduce cyber risk to societies, says Pete Cooper, deputy director of cyber defence for the UK Cabinet Office and lead of the government sector of the National Cyber Security Programme.
    The former RAF fast jet pilot turned cyber operations advisor founded the UK’s first multi-disciplinary cyber strategy competition and believes that better collaboration and diversity is the key to tackling international cybersecurity challenges.
    “We all have diverse perspectives of what our challenges are and we all have our individual horizons and the real value of collaboration comes through seeing the world those diverse perspectives,” Cooper said, speaking during his keynote session at Black Hat Europe 2020.
    “Because by doing that you then start creating shared perspectives, you start pushing out your joint horizons so you can see further and develop a much better joint understanding of everything”.
    Mixing together the different perspectives has the potential to transform how resources can be used and what actions can be taken, he explained – and maybe even find new ways of dealing with known and previously unknown scenarios.

    “It creates a unique collaboration so you can identify those obstacles, opportunities and ideas you wouldn’t have been able to do previously – and that’s what it really means to collaborate,” Cooper said.
    “In collaborating across those diverse teams, the best solutions are those joint solutions and it takes that collaboration”.
    While preventing and responding to cyber attacks and data breaches is a key part of cybersecurity, it’s far from the only part of the job – and the culture of the industry and information security teams within organisations needs to reflect that.
    “Incidents are just the tip of the iceberg and that we’ve got to have a great and engaged culture to see under the surface and understand what the problems are, understand what the events are and understand what the ideas might be to see them are,” Cooper explained.
    And while bringing together those different perspectives does take time and effort, as he noted during the session, collaboration and diversity are valuable for everything that cybersecurity is attempting to achieve.
    “Because if we do that, we then start sharing those shared perspectives and we expand out our horizons,” Cooper said.
    “The more we form those joint horizons by working together, the better it is for everybody as we try to tackle the key risks going forwards,” he added.

  • Hackers hide web skimmer inside a website's CSS files

    Over the past two years, cybercrime groups have used quite an assortment of tricks to hide credit card stealing code (also known as web skimmers or Magecart scripts) inside various locations of an online store to avoid detection.
    Places where web skimmers have been found in the past include inside images such as those used for site logos, favicons, and social media networks; appended to popular JavaScript libraries like jQuery, Modernizr, and Google Tag Manager; or hidden inside site widgets like live chat windows.
    The latest of these odd places is, believe it or not, CSS files.
    Standing for cascading style sheets, CSS files are used inside browsers to load rules for stylizing a web page’s elements with the help of the CSS language.
    These files usually contain code describing the colors of various page elements, the size of the text, padding between various elements, font settings, and more.
    Web skimmer gang experiments with CSS
    However, CSS is not what it was in the early 2000s. Over the past decade, the CSS language has grown into an incredibly powerful utility that web developers are now using to create powerful animations with little to no JavaScript.
    One of the recent additions to the CSS language was a feature that would allow it to load and run JavaScript code from within a CSS rule.

    Willem de Groot, the founder of Dutch security firm Sanguine Security (SanSec), told ZDNet today that this CSS feature is now being abused by web skimmer gangs.

    De Groot says that at least one group is using malicious code added inside CSS files to load skimmers on online stores that record payment card data when users are completing checkout forms.
    “It was […] a fairly standard keystroke logger,” de Groot told ZDNet when we asked him to describe the code he found today.
    “It seems to have been taken offline in the last hour, since our tweet,” he added.

    “We found a handful of victim stores with this injection method,” the SanSec founder also told ZDNet.
    “However, the infrastructure has been in place since September and was previously used for several dozen more traditional attacks. This CSS disguise looks like a recent experiment.”
    Most skimmers are invisible
    But while this technique of loading skimmer code by using CSS rules as proxies is certainly innovative, de Groot says that this is not what shop owners and online shoppers should be worried about.
    “While most research concerns JavaScript skimming attacks, the majority of skimming happens on the server, where it is completely invisible,” de Groot said.
    “About 65% of our forensic investigations this year found a server side skimmer that was hidden in the database, PHP code or a Linux system process.”
    As ZDNet explained in a piece on Monday about another of SanSec’s findings, the simplest way shoppers can protect themselves from web skimmer attacks is to use virtual cards designed for one-time payments.
    Provided by some banks or online payment services, they allow shoppers to place a fixed sum of money inside a virtual debit card that expires after one transaction or a small period of time. In case the card’s details get stolen by attackers, the card data is useless once the virtual card expires.

  • Oblivious DoH: Cloudflare supports new privacy, security-focused DNS standard

    Cloudflare, Apple, and Fastly have co-designed and proposed a new DNS standard to tackle ongoing privacy issues associated with DNS. 

    On Tuesday, Cloudflare’s Tanya Verma and Sudheesh Singanamalla announced support for the new standard, which separates IP addresses from queries, a measure that, it is hoped, will mask requests and make it more difficult for users to be tracked online. 
    The Domain Name System (DNS), which has underpinned online architecture for years, in its basic form still sends queries without encryption. Therefore, anyone lurking on network paths between your device and DNS resolvers can view queries that contain hostnames — or website addresses requested — and IP addresses.
    DNS over HTTPS (DoH) and DNS over TLS (DoT) were engineered to safeguard these paths through Internet Engineering Task Force (IETF) standardized DNS encryption, reducing the risk of queries being intercepted or modified — for example, by preventing attackers from redirecting users from legitimate domains to malicious addresses. Third parties, such as ISPs, also find it more difficult to trace website visits when DoH is enabled.
    DoH deployment is on the cards for many major browser providers, although rollout plans are ongoing. Now, Oblivious DNS over HTTPS (ODoH) has been proposed by Cloudflare — together with partners PCCW Global, Surf, and Equinix — to improve on these models by adding an additional layer of public key encryption and a network proxy. 
    Research conducted by Princeton University and the University of Chicago, “Oblivious DNS: Practical Privacy for DNS Queries,” (.PDF) published in 2019 by Paul Schmitt, Anne Edmundson, Allison Mankin, and Nick Feamster, provided the inspiration for the new standard proposal. 

    The overall aim of ODoH is to decouple client proxies from resolvers. A network proxy is inserted between clients and DoH servers — such as Cloudflare’s 1.1.1.1 public DNS resolver — and the combination of both this and public key encryption “guarantees that only the user has access to both the DNS messages and their own IP address at the same time,” according to Cloudflare.

    “The target decrypts queries encrypted by the client, via a proxy,” Cloudflare explained. “Similarly, the target encrypts responses and returns them to the proxy. The standard says that the target may or may not be the resolver. The proxy does as a proxy is supposed to do, in that it forwards messages between client and target. The client behaves as it does in DNS and DoH, but differs by encrypting queries for the target, and decrypting the target’s responses. Any client that chooses to do so can specify a proxy and target of choice.”
    As a result, ODoH should ensure that only targets can view both a query and the proxy’s IP address, read a query’s content, or produce a response, while the proxy has no visibility into DNS messages.
    Cloudflare says that as long as there is no “collusion” or compromise between proxies and target servers, attackers should not be able to interfere with connections. 
    Cloudflare is currently working with IETF on the standard and plans to add ODoH to existing stub resolvers, including cloudflared. It is important to note that ODoH is still in development, and the companies are currently testing performance across different proxies, targets, and latency levels. 
    An ODoH draft for the IETF has been published.  
    Test clients for the code have been provided to the open source community to encourage experimentation with the proposed standard. It can take years before support is enabled by vendors for new DNS standards, but Eric Rescorla, Firefox’s CTO, has already indicated that Firefox will “experiment” with ODoH.
    “We hope that more operators join us along the way and provide support for the protocol, by running either proxies or targets, and we hope client support will increase as the available infrastructure increases, too,” Cloudflare says. “The ODoH protocol is a practical approach for improving privacy of users, and aims to improve the overall adoption of encrypted DNS protocols without compromising performance and user experience on the internet.”
    In October, Cloudflare debuted API Shield, a free service that uses a “deny-all” setup to refuse incoming connections on API servers unless suitable cryptographic certificates and keys are provided. 

  • Ransomware gangs are getting faster at encrypting networks. That will make them harder to stop

    The cyber-criminal groups behind some of the most notorious and damaging ransomware attacks are using the same tactics and techniques as nation-state-backed hacking operations – and they’re only going to get more sophisticated as they look for even bigger pay days.
    Ransomware has continued to evolve in the past year, with some ransomware crews making off with millions of dollars following each successful attack.


    One of the key reasons why ransomware has become such a common cyberattack is because it’s the easiest way for malicious hackers to make money from a compromised network.
    Previously, cyber criminals might have focused on stealing information that could be used or sold on, but by encrypting the network, they can make a large sum of money from demanding a ransom in a shorter amount of time than it would take to make from exploiting stolen credentials or financial information.
    And now the skills of ransomware gangs are catching up with the Advanced Persistent Threat (APT) groups associated with nation states.
    “Ransomware attackers are essentially just a couple of years behind the tradecraft we’ve seen APT crews adopt. This is still a growing problem, it’s not going to go away,” Mitchell Clarke, principal incident response consultant at security company FireEye Mandiant, told ZDNet.

    Researchers at Mandiant presented analysis of how ransomware – and the cyber-criminal gangs behind it – has evolved and matured in recent times during a presentation at Black Hat Europe 2020, demonstrating how the cyber-criminal groups running these campaigns are increasingly conducting full-scale network intrusions similar to those seen in nation-state attacks.
    Ransomware groups like DoppelPaymer and REvil have been highly prolific this year, encrypting networks and making millions. Part of the reason for the success of these campaigns is because they’re highly targeted.
    Cyber-criminal hackers uncover vulnerabilities on networks then spend months laying the groundwork to compromise the systems with ransomware before finally unleashing the attack and encrypting the network.
    This is similar to how APT groups hide for months or even years without being detected, although their goal is surveillance or stealing sensitive data rather than making money with ransomware.
    “If we look back to older cases of ransomware, it was largely opportunistic. Attackers would land on a corporate environment and advance into a small subset of a wide organisation. The transition from opportunistic crime into APT-like campaigns is just a realisation that it’s more profitable to completely cover an organisation with ransomware,” said Clarke.
    “The attacker has taken their time to step through that APT process, to understand the victim environment and to move across it as quietly as possible and with as much privilege as they’re able to get. Then when it’s time to deploy ransomware, to cover a whole organisation.”
    But that isn’t where the evolution of ransomware campaigns stops; there’s the risk that as these groups gain more experience with successful attacks, the time between initial compromise and an attempted full encryption of the network will become much shorter – meaning there’s even less time to potentially detect suspicious activity before it’s too late.
    “We’re seeing a gap from initial compromise to a ransom event being in the months – it’s in that period before a ransom that organisations can implement changes to be able to detect,” explained Tom Hall, principal incident response consultant at FireEye Mandiant.
    “But as they get more sophisticated, we’re going to see that window dropping from months to weeks and weeks to days. If organisations don’t grasp the problem of being able to catch them when they’ve got months, there’s no hope when we’re down to shorter time periods,” he added.
    However, one of the key reasons why cyber criminals continue to be successful with ransomware attacks is because they’re able to exploit vulnerabilities that are simple to protect against – but organisations have failed to do so.
    Applying the security patches that fix security vulnerabilities shortly after they’re released prevents cyber criminals being able to exploit issues that have been fixed, while applying two-factor authentication and preventing the use of default passwords on the network can also go a long way to protecting against ransomware and other attacks.
    “It’s not like these situations couldn’t have been prevented. It really highlights that a solid patch-management programme would have solved having vulnerabilities exposed that kicked off the entire breach,” said Clarke.

  • Adobe security update squashes critical vulnerabilities in Lightroom, Prelude

    Adobe’s last scheduled security update of the year has resolved critical vulnerabilities in Lightroom, Prelude, and Experience Manager. 

    Released on Tuesday, the tech giant’s patches deal with four vulnerabilities, three of which are deemed critical. 
    The first fix was issued for Adobe Lightroom, image editing software that is popular with professional photographers. Impacting Lightroom Classic version 10.0 and below on Windows and macOS machines, the critical issue — tracked as CVE-2020-24447 — is described as an uncontrolled search path element vulnerability leading to arbitrary code execution. 
    A second critical bug was found in Adobe Prelude for Windows and macOS, version 9.01 and earlier. Tracked as CVE-2020-24440, the severe vulnerability is caused by an uncontrolled search path and, if exploited by attackers, can lead to “arbitrary code execution in the context of the current user,” according to Adobe.
    Adobe’s third security advisory relates to Adobe Experience Manager (AEM) and the AEM Forms add-on package on all platforms. 
    Two vulnerabilities have been patched in these software packages. The first, CVE-2020-24445, is a critical bug in AEM CS, and is also found in AEM 6.5.6.0/6.4.8.2/6.3.3.8 and earlier. 

    CVE-2020-24445 is a stored cross-site scripting (XSS) flaw that can lead to arbitrary JavaScript execution in the browser. 
    The second security flaw, CVE-2020-24444, is an “important” vulnerability found in AEM Forms SP6 add-on for AEM 6.5.6.0 and the AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2). This vulnerability is a blind server-side request forgery issue that can be triggered for the purpose of information disclosure. 
    Adobe thanked Qihoo 360 CERT researcher Hou JingYi, as well as Frank Karlstrøm and Kenny Jansson of Storebrand Group, Norway, for reporting the security issues to the vendor. 
    Adobe’s November security update tackled another handful of vulnerabilities, two of which were found in the Connect remote conferencing software, and one in Reader. Connect’s bugs could be exploited to perform JavaScript execution in a browser, whereas Reader’s lone issue could be used to leak information. 
    In Microsoft’s last patch update of the year, released on Tuesday, the Redmond giant resolved 58 vulnerabilities, 22 of which are remote code execution (RCE) vulnerabilities. 

  • Christchurch terrorist's radicalisation shows the limits of surveillance and censorship

    The official inquiry into the 2019 lone-wolf terrorist attack on mosques in Christchurch, New Zealand, which killed 51 people and injured another 40, has found that YouTube was “a far more significant source of information and inspiration” than extreme right-wing websites.
    The inquiry also highlighted the limitations of counterterrorism efforts when a potential terrorist is just one of many people espousing extremist views.
    The final report of the Royal Commission of Inquiry into the terrorist attack on Christchurch masjidain [mosques] on 15 March 2019, was published on Tuesday.
    In line with common New Zealand media practice and the report itself, your correspondent will not name the perpetrator here, but refer to him simply as “the individual”.
    “The individual claimed that he was not a frequent commenter on extreme right-wing sites,” the report said.
    “Although he did frequent extreme right-wing discussion boards such as those on 4chan and 8chan, the evidence we have seen is indicative of more substantial use of YouTube and is therefore consistent with what he told us.”
    He also followed instructions on YouTube videos to modify his guns and accessories to maximise their effectiveness during his attack.

    “YouTube has been often associated with far right content and radicalisation,” the report said.
    Whether YouTube’s recommendation engine leads users to ever more extreme material, or whether the widespread availability of videos supporting far-right ideas reflects demand, remain unanswered questions.
    “What is clear, however, is that videos supporting far-right ideas have been very common on YouTube,” the report said.
    “YouTube has made changes in response to these criticisms, in particular to their recommendation system, so it is less likely to continue recommending increasingly extreme content and has also made it more difficult to access extreme content.”
    New Zealand’s Prime Minister, Jacinda Ardern, has said she would raise radicalisation directly with YouTube’s leadership.
    The individual was also active in a number of far-right Facebook groups, including those of Australian groups United Patriots Front and The True Blue Crew, and under a pseudonym on pages created by The Lads Society.
    The report said that according to a friend, “the individual had a number of Facebook accounts over the last few years, randomly closing one down and creating a new one”.
    “From time to time he deleted data and removed Facebook friends,” the report said.
    In all of these online forums the individual used known far-right language, posted far-right memes, and expressed strong anti-immigration, anti-Muslim, and anti-Semitic sentiments.
    He included a neo-Nazi reference in his username at New Zealand auction and classifieds site, Trade Me, and bought far-right publications and accessories to send to his family.
    “He reprimanded his mother for using the term ‘neo-Nazi’ in Facebook Messenger when she commented on his shaved hair and rhetoric,” the report said.
    “His mother understood that he was not offended at being called a ‘neo-Nazi’, but rather was worried that her use of the term on a popular messaging platform would be detected.”
    He also expressed concerns to his sister that he was being tracked by the Australian Security Intelligence Organisation, although he told the inquiry that there was an element of play-acting here.
    That said, the individual is known to have used the Tor browser and virtual private networks to help hide his activities.
    ‘No single aspect’ could have alerted authorities to the lone wolf
    Despite all this activity, the inquiry found that New Zealand’s public sector agencies had just one piece of information that directly referred to the terrorist attack.
    Just eight minutes before the attack began, the individual sent an email to the Parliamentary Service, as well as politicians, media outlets, and individual journalists.
    “The critical information about the attack (in terms of the location) was within a 74-page manifesto attached to and linked within the email. It took some minutes for the Parliamentary Service to open the email, read and make sense of the manifesto, and then pass the details on to New Zealand Police,” the report said.
    “By then the terrorist attack had just started.”
    The inquiry found that other information known about the individual was “largely unremarkable”.
    “With the benefit of hindsight, we can see that some did relate to the individual’s planning and preparation. That, however, was not apparent at the time as this information was fragmentary,” it wrote.
    “No single aspect of it could have alerted public sector agencies to an impending terrorist attack.”
    The ‘practical difficulties’ of detecting lone wolves
    The capability and capacity of New Zealand’s counterterrorism efforts are “far less than many believe”, according to the inquiry.
    “The idea that intelligence and security agencies engage in mass surveillance of New Zealanders is a myth.”
    It observed that “intelligence and security agencies have comparatively little social licence”. In 2014, the agencies were in a “fragile state”. A rebuilding program didn’t start until 2016 and was still unfinished in 2019.
    “With limited resources, counter-terrorism agencies have to make tough choices about where to focus their intelligence efforts,” the report said.
    “There are legal, logistical, and technical obstacles to counter-terrorism agencies conducting operations on far right internet sites on the scale necessary to pick up such comments and identify the people who make them.”
    There are also “practical difficulties” in distinguishing between those who are “just talkers” and the “potential doers”, that is, those likely to mobilise to violence.
    The inquiry found that there were perhaps three ways in which the individual could have come to the attention of relevant agencies.
    One could have been a tip-off about his pseudonymous far-right rhetoric. However, counterterrorism professionals described such comments as “not being remarkable”.
    “Concerns were expressed as to whether such inquiry would have been appropriate (or proportionate) given the privacy implications of disclosing private Facebook comments to those who would have been spoken to at the gym.”
    The individual’s training for the terrorist attack had included working out at a gym and taking steroids to bulk up.
    Another could have been a tip-off from the public about his shooting style and comments about large-capacity magazines at his rifle club, or about his use of a drone to reconnoitre his intended targets.
    “As many Muslim individuals have observed to us, an identifiably Muslim person who acted in the same way as the individual would likely be reported to the counter-terrorism agencies,” the report said.
    Indeed, the inquiry noted that the New Zealand Security Intelligence Service had “only a limited understanding” of right-wing extremism in the country.
    “The inappropriate concentration of resources on the threat of Islamist extremist terrorism did not contribute to the individual’s planning and preparation for his terrorist attack not being detected,” the report said.
    The third possibility would have been “a more extensive system of data aggregation, analysis, and reporting”.
    The inquiry noted that put together, the known facts did paint a certain picture: The importation of ballistic ceramic plates and the like; steroid and testosterone use, which was known to health providers; the purchase of large numbers of hypodermic needles, syringes, and alcohol swabs; the individual’s collection of eight firearms, and the purchase of high-capacity magazines and ammunition.
    “Whether the New Zealand public would be prepared to accept data aggregation and analysis on the scale and basis just suggested is uncertain,” the report said.
    “It is worth pointing out that some large-scale data aggregation currently takes place… for example between some public sector agencies to allow people to be detained at the border for unpaid fines or significant and outstanding student loan debts.”
    The report also noted the down side: “The key feature of bulk data collection is that a large proportion of the data gathered relates to people who are not intelligence targets and is of no intelligence value.”
    New Zealand to set up new national intelligence and security agency
    The inquiry has recommended New Zealand set up a new national intelligence and security agency that is “well-resourced and legislatively mandated” to be responsible for strategic intelligence and security leadership functions.
    The agency should create a “public-facing strategy that addresses extremism and preventing, detecting and responding to current and emerging threats of violent extremism and terrorism” which is “developed in collaboration with communities, civil society, local government, and the private sector”, the report said.
    It should also “[set] the purpose and the direction of the strategy, with goals, milestones, and performance measures.”
    All up, there are 44 recommendations. The government has committed in principle to implementing all of them.
    Can Australia learn from New Zealand’s experience?
    For your correspondent, one of the more remarkable paragraphs in the report concerns the matter of trust.
    “Media controversy and generally low levels of public trust and confidence in the intelligence and security agencies and aspects of the work of the law enforcement agencies have meant that politicians have avoided the challenge of public engagement about countering-terrorism.”
    Another is its focus on “social cohesion, inclusion, and embracing diversity [which] are goals that we can all aspire to”.
    “We accept political engagement on these issues will not be easy. But facing up to the hard issues and having open public conversations are critical,” the report said.
    “We hope our report will encourage members of the public, officials and politicians to engage in frank debate so that everyone understands their roles and responsibilities in keeping New Zealand safe, secure and cohesive.”
    In your correspondent’s view, Australia has much to learn here.
    Home Affairs Minister Peter Dutton sees the internet as a sewer and, in general, seems to see the world in terms of “us versus them”. Consultation with communities, civil society, and the like, often seem tokenistic.
    And as noted before, things like the Cyber Security Strategy lack measurable targets or even a timeline.
    There has been a Senate inquiry into nationhood, national identity, and democracy but it is yet to report. Whether it outlines a vision for Australia, or whether it’s merely a collection of gripes, remains to be seen.