More stories


    Cyber attacks on COVID-19 vaccine production are not quite a war crime

    As the fight against the coronavirus pandemic has progressed through the research phases to the production of working vaccines against COVID-19, the cyber attacks have followed.
    These attacks are nothing new, but they’ve changed focus.
    In March and April there were attacks on the US Department of Health and Human Services, attacks on one of Czechia’s biggest COVID-19 testing laboratories, and attacks on the World Health Organization and, it seems, Chinese government agencies too.
    The Vietnamese government-linked hacking group Ocean Lotus targeted officials in Wuhan, where the virus was first recorded, and the Chinese Ministry of Emergency Management.
    Australia and the US, as well as other nations, spoke out against such attacks.
    “As Australians and the international community band together to respond to COVID-19, we are concerned that malicious cyber actors are seeking to exploit the pandemic for their own gain,” Australia’s Ambassador for Cyber Affairs, Dr Tobias Feakin, told ZDNet in April.
    “History will judge harshly those exploiting this crisis for their own objectives.”

    But more recently we’ve seen phishing attacks on the vaccine cold chain, the temperature-controlled environment needed to transport and store the vaccine, as well as tax and customs officials, and the manufacturers of cold chain equipment.
    All in all, companies in Germany, Italy, South Korea, Czechia, greater Europe, and Taiwan were targeted in that one campaign.
    Three state-sponsored hacker groups from Russia and North Korea have targeted seven COVID-19 vaccine makers. China and Iran have also been accused of attacks.
    Johnson & Johnson’s CISO said healthcare organisations are seeing cyber attacks from nation-state threat actors “every single minute of every single day”.
    Shouldn’t all this be illegal? Well yes, of course the hacking is illegal. But shouldn’t this disruption of medical supplies during a pandemic be a more serious crime? Yes, and in some circumstances, it would be. But not all.
    ‘It’s against the Geneva Convention!’
    The Fourth Geneva Convention, or in full the “Convention (IV) relative to the Protection of Civilian Persons in Time of War, Geneva, 12 August 1949”, is very clear on this sort of thing.
    “Civilian hospitals organized to give care to the wounded and sick, the infirm and maternity cases, may in no circumstances be the object of attack, but shall at all times be respected and protected by the Parties to the conflict,” it says in Article 18.
    “States which are Parties to a conflict shall provide all civilian hospitals with certificates showing that they are civilian hospitals and that the buildings which they occupy are not used for any purpose which would deprive these hospitals of protection.”
    Article 20 goes on to say that “personnel engaged in the search for, removal and transporting of and caring for wounded and sick civilians, the infirm and maternity cases, shall be respected and protected”.
    Skipping ahead to Article 23 — the ones in between are about transporting the wounded and sick by land, sea, and air — we get to the protection of medical supply lines.
    “Each High Contracting Party [state which is a party to the convention] shall allow the free passage of all consignments of medical and hospital stores and objects necessary for religious worship intended only for civilians of another High Contracting Party, even if the latter is its adversary,” it says.
    “It shall likewise permit the free passage of all consignments of essential foodstuffs, clothing and tonics intended for children under fifteen, expectant mothers and maternity cases.”
    There are some limits to all of these rules, of course.
    One example is that a nation at war can’t just import medical supplies via its enemy to avoid producing them itself, thereby releasing some of its own production capacity for the war effort.
    Another is that things like hospitals have to be used solely as hospitals, not “to commit, outside their humanitarian duties, acts harmful to the enemy”. That’s in Article 19.
    Minor additions have also been made since 1949, to extend and clarify the protections.
    The overall message is therefore clear: Civilian hospitals and medical facilities, their staff, and their medical supply lines, are all off-limits.
    The first and second Geneva Conventions relate to the treatment of wounded and sick combatants on land and sea, respectively. The third relates to the treatment of prisoners of war. Again the message is clear: Once combatants are injured or sick or captured, and out of the game, their medical care is not fair game.
    For fans of Hogan’s Heroes, “the Geneva Convention” they refer to in that WW2 sitcom is the predecessor of the 1949 convention, the much less-comprehensive “Convention relative to the Treatment of Prisoners of War” of 1929.
    Need more convincing? Check out the Customary International Humanitarian Law Database. It lists not just the international treaties but also the relevant national laws and military operations manuals.
    ‘But we’re not at war!’
    The thing is, though, the Geneva Conventions and all these other rules only apply during armed conflict. No war? No Geneva Conventions.
    So what about in peacetime?
    In a 2015 report [PDF], the snappily-named United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE) agreed to 11 norms of responsible state behaviour in cyberspace.
    One norm requires states to “guarantee full respect for human rights”, but with a tag that says this includes “the right to freedom of expression”, it’s clear that this is about interfering with the use of the internet itself.
    Another norm bans states from conducting or supporting any act which “intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public”.
    But do medical research facilities count as critical infrastructure? Australia certainly thinks so.
    In an official commentary [PDF] on current UN negotiations dated April 16, 2020, Australia noted “with concern” the reports of cyber attacks on critical infrastructure “including healthcare/medical services, facilities and systems, and crisis response organisations”.
    “During a pandemic, it is hard to think of an infrastructure more critical than hospitals and health services,” Australia’s cyber negotiator at the UN Johanna Weaver told ZDNet.
    Australia’s Critical Infrastructure Centre, part of the Department of Home Affairs, also classifies the health system as critical infrastructure.
    Indeed, in March this year a parallel organisation to the GGE, the equally snappily-named UN Open Ended Working Group in the field of information and telecommunications in the context of international security (OEWG), indicated that this belief would be made more formal.
    The initial “pre-draft” of its report [PDF] says that “states should not conduct ICT operations intended to disrupt the infrastructure essential to political processes or harm medical facilities”.
    A joint proposal [.docx] from Australia, Czechia, Estonia, Japan, Kazakhstan, and the US aims to sharpen that, adding the words: “the OEWG underscored that all states considered medical services and medical facilities to be critical infrastructure for the purposes of [the] norms”.
    More broadly, an analysis in March this year by legal advisers from the International Committee of the Red Cross noted that “international law prohibits all states from intervening in the internal affairs of other states”.
    “The UK, for example, has expressly stated that this prohibition may also cover acts such as the ‘targeting of essential medical services’,” they wrote.
    They also noted that attacks on computer systems essential for the maintenance of public health and safety are banned by the 2001 Budapest Cybercrime Convention, to which 65 nations are signatories.
    In the view of most nations, therefore, this latest round of cyber attacks is, or at the very least should be, against international law.
    But so what?
    If we were at war, charges of committing war crimes could eventually end up being prosecuted in The Hague. But we’re not at war. And in peacetime, the 11 norms are constantly being breached.
    Some states don’t just permit the misuse of networks in their territories, they actively encourage it. Some states suppress free speech online. Some states actively disrupt the critical infrastructure of others.
    And of course, these cyber attacks on vaccine logistics are happening right now.
    So far all we’ve seen happen with such illegal conduct is coordinated diplomatic action. Perhaps during a pandemic, it’s time to put a bit of stick about.



    Kazakhstan government is intercepting HTTPS traffic in its capital

    Under the guise of a “cybersecurity exercise,” the Kazakhstan government is forcing citizens in its capital of Nur-Sultan (formerly Astana) to install a digital certificate on their devices if they want to access foreign internet services.
    Once installed and trusted by the device, the certificate would allow the government to issue its own certificates for any website and so decrypt and inspect all HTTPS traffic from users’ devices, a technique known as a man-in-the-middle (MitM) attack.
    Starting today, December 6, 2020, Kazakh internet service providers (ISPs) such as Beeline, Tele2, and Kcell are redirecting Nur-Sultan-based users to web pages showing instructions on how to install the government’s certificate. Earlier this morning, Nur-Sultan residents also received SMS messages informing them of the new rules.

    Currently, Kazakhstan users are reporting issues accessing sites like Twitter, YouTube, and Netflix unless they install the government’s root certificate.
    This is the Kazakh government’s third attempt at forcing citizens to install root certificates on their devices after a first attempt in December 2015 and a second attempt in July 2019.
    Both previous attempts failed after browser makers blacklisted the government’s certificates.
    Government calls it a cybersecurity training exercise
    In a statement published on Friday, Kazakh officials described their efforts to intercept HTTPS traffic as a cybersecurity training exercise for government agencies, telecoms, and private companies.

    They cited the fact that cyberattacks targeting “Kazakhstan’s segment of the internet” grew 2.7 times during the current COVID-19 pandemic as the primary reason for launching the exercise.
    Officials did not say how long the training exercise will last.
    The Kazakh government used a similarly vague statement last year, in 2019, describing its actions as a “security measure to protect citizens.”
    2019 interception efforts targeted social media sites
    The government’s 2019 HTTPS interception effort targeted 37 domains, all social media and communications websites, such as domains for Facebook, Google, Twitter, Instagram, YouTube, and VK, along with a few smaller sites.
    The 2015 attempt targeted all internet traffic for interception, which immediately drew the ire of foreign governments, financial institutions, and telecoms — all of which threatened the Kazakh government with lawsuits for having sensitive traffic and private information intercepted.
    Representatives for major browser makers, pivotal in blocking the Kazakh government’s first two attempts to backdoor HTTPS traffic, couldn’t be immediately reached for comment over the weekend, but, as before, they’re expected to block this certificate as well.


    Ransomware hits helicopter maker Kopter

    Helicopter maker Kopter has fallen victim to a ransomware attack after hackers breached its internal network and encrypted the company’s files.
    After Kopter refused to engage with the hackers, the ransomware gang published some of the company’s files on the internet on Friday.
    Many ransomware groups upload and share victim data on special “leak sites” as part of their tactics to put pressure on the hacked companies to either have them come to the negotiation table or force them into paying huge ransom demands.
    LockBit ransomware gang takes credit
    The Kopter data has been published on a blog hosted on the dark web and operated by the LockBit ransomware gang. Files shared on this site include business documents, internal projects, and various aerospace and defense industry standards.
    In an email, the operators of the LockBit ransomware told ZDNet that they breached Kopter’s network last week by exploiting a VPN appliance that used a weak password and did not have two-factor authentication (2FA) enabled.
    The LockBit gang also said they operate a web portal on the dark web where they show details to hacked companies about the attack, including a ransom demand. LockBit operators said someone from Kopter accessed the ransom page, but the company did not engage with them in a chat window provided to hacked companies.
    Kopter has not publicly disclosed a security breach on its website or via business wires.

    A Kopter spokesperson did not return an email seeking comment on the ransomware attack. Phone calls made on Friday also remained unanswered.
    The Switzerland-based company was founded in 2007 and is known for its line of small and medium-class civilian helicopters.
    In January 2020, Italian aerospace and defense company Leonardo acquired Kopter for an undisclosed sum.


    Ransomware gangs are now cold-calling victims if they restore from backups without paying

    In attempts to put pressure on victims, some ransomware gangs are now cold-calling victims on their phones if they suspect that a hacked company might try to restore from backups and avoid paying ransom demands.

    “We’ve seen this trend since at least August-September,” Evgueni Erchov, Director of IR & Cyber Threat Intelligence at Arete Incident Response, told ZDNet on Friday.
    Ransomware groups that have been seen calling victims in the past include Sekhmet (now defunct), Maze (now defunct), Conti, and Ryuk, a spokesperson for cyber-security firm Emsisoft told ZDNet on Thursday.
    “We think it’s the same outsourced call center group that is working for all the [ransomware gangs] as the templates and scripts are basically the same across the variants,” Bill Siegel, CEO and co-founder of cyber-security firm Coveware, told ZDNet in an email.
    Arete IR and Emsisoft said they’ve also seen scripted templates in phone calls received by their customers.
    According to a recorded call made on behalf of the Maze ransomware gang, and shared with ZDNet, the callers had a heavy accent, suggesting they were not native English speakers.
    Below is a redacted transcript of a call, provided by one of the security firms as an example, with victim names removed:

    “We are aware of a 3rd party IT company working on your network. We continue to monitor and know that you are installing SentinelOne antivirus on all your computers. But you should know that it will not help. If you want to stop wasting your time and recover your data this week, we recommend that you discuss this situation with us in the chat or the problems with your network will never end.”
    Another escalation in ransomware extortion tactics
    The use of phone calls is another escalation in the tactics used by ransomware gangs to put pressure on victims to pay ransom demands after they’ve encrypted corporate networks.
    Previous tactics included the use of ransom demands that double in value if victims don’t pay during an allotted time, threats to notify journalists about the victim company’s breach, or threats to leak sensitive documents on so-called “leak sites” if companies don’t pay.
    However, while this is the first time ransomware gangs have called victims to harass them into paying, this isn’t the first time that ransomware gangs have called victims.
    In April 2017, the UK’s Action Fraud group warned schools and universities that ransomware gangs were calling their offices, pretending to be government workers, and trying to trick school employees into opening malicious files that led to ransomware infections.


    Johnson & Johnson CISO: Healthcare orgs are seeing nation-state attacks every single minute of every single day

    Marene Allison, the Chief Information Security Officer at Johnson & Johnson, one of the companies involved in the research and development of a COVID-19 vaccine, said this week that healthcare organizations like her employer are seeing cyber-attacks from nation-state threat actors “every single minute of every single day.”

    Allison’s comments come after the Wall Street Journal reported on Wednesday that Johnson & Johnson was one of six COVID-19 research companies targeted by North Korean hackers seeking vaccine information.
    “Healthcare companies literally have seen an onslaught [of cyberattacks] since March 2010,” Allison said on Thursday in an online panel at the Aspen Cyber Summit.
    “That is the day that the Chinese actually started a hard knock of most of the healthcare in the United States.”
    “Meredith and I, and in all CISOs and healthcare [organizations], are seeing attempted penetrations by nation-state actors, not just North Korea, every single minute of every single day,” Allison said, referring to Meredith Harper, CISO at Eli Lilly, another pharmaceutical company involved in the COVID-19 response, also present on the online panel.
    The Johnson & Johnson CISO said that “with the vaccine in development,” her company is now “on a grander stage.”
    Allison also said that her company doesn’t “have the resources to know where [an attack] came from,” or what attackers are actually going after, but instead has been working and relying on H-ISAC and CISA to identify and classify cyber-attacks.

    All in all, Allison said Johnson & Johnson saw a 30% uptick in cyber-attacks targeting the company, but that they couldn’t tell how much was COVID-19-related.
    “There’s only going to be so many people who could get information and turn it into a vaccine,” she said. “Then we’re going to have the group of people who just decide that ‘well I don’t want the world to have a vaccine’.
    “For us, inside, it’s really not much of a difference,” Allison said.


    Scammers stole millions last Christmas. These six tips could keep you safe online this time around

    The National Cyber Security Centre (NCSC) is urging people to be careful when shopping online in the run up to Christmas as cyber criminals step up campaigns to steal money, credit card information and more during the busiest time of year for retailers.
    Last year’s Christmas shopping period, from November 2019 to January 2020, saw cyber criminals make off with a total of £13.5 million as a result of online shopping fraud – averaging out at £775 per incident across 17,405 cases reported by the National Fraud Intelligence Bureau.
    And with even more people expected to be doing their Christmas shopping online this year because of ongoing coronavirus restrictions, the NCSC, alongside the Home Office, the Cabinet Office and the Department for Digital, Culture, Media and Sport (DCMS), has launched a ‘Cyber Aware’ campaign.
    The campaign lists six things to help protect shoppers against phishing emails, malware and other malicious cyber activity – and provides information on how to set up these additional protections: 
    Use a strong and separate password for your email
    Create strong passwords using three random words
    Save your passwords in your browser
    Turn on two-factor authentication (2FA)
    Update your devices and apps
    Back up your data
    By following this advice, people not only better protect themselves from cyberattacks; the additional security on their devices also makes it harder for cyber criminals to exploit the phones and laptops people use while working from home as a way into a corporate network.
    Organisations can also play a role in helping their employees stay safe online by providing services including two-factor authentication and cloud-based backups.

    “Technology will play an essential role over the festive period, with more people shopping online than ever before. Scammers stole millions from internet shoppers last Christmas – but by following our advice, you can protect yourself from the majority of their crimes,” said Lindy Cameron, chief executive of the NCSC.
    The Cyber Aware campaign is being supported by organisations including Microsoft, Vodafone, BT, ASOS, Barclays and Citizens Advice.
    “If you are shopping online this year, spend the time you would have spent wrapping up warm to head out to the shops on checking your online security. If it feels suspicious or unusual it may well be,” said Sian John, chief security adviser at Microsoft UK.


    Ransomware attack cripples Vancouver public transportation agency

    A ransomware attack has crippled the operations of TransLink, the public transportation agency for the city of Vancouver, Canada.
    The attack took place this week, on December 1, and has left Vancouver residents unable to use their Compass metro cards or pay for new tickets via the agency’s Compass ticketing kiosks.
    TransLink initially passed the incident off as a prolonged technical issue, before reporters from local news outlet CITY NEWS 1130 learned of the true nature of the incident and forced the agency to come clean.

    Working with my colleague @pjimmyradio, we can confirm for @NEWS1130 that @TransLink has been hacked. Our information comes from multiple sources within the transit authority, who have shared the ransom letter with us. Listen in for more details throughout the afternoon.
    — Martin MacMahon (@martinmacmahon) December 3, 2020

    “We are now in a position to confirm that TransLink was the target of a ransomware attack on some of our IT infrastructure,” TransLink CEO Kevin Desmond said in a statement released last night, after the CITY NEWS 1130 report.

    While Desmond did not reveal the name of the ransomware strain/gang that breached TransLink’s network, he confirmed that the attackers had sent the ransom note to be printed by the agency’s printers.
    A copy of this ransom note was published online by another local reporter.

    Based on the ransom note, TransLink had its systems infected with a version of the Egregor ransomware.

    At least one affiliate of the Egregor Ransomware-as-a-Service operation is known to employ the tactic of sending a copy of the ransom note to local printers.
    A previous case was reported in South America, where the same Egregor affiliate group hit Cencosud, a major retail store chain, and had the retailer’s printers spew its ransom note in full view of store employees and customers.

    In the meantime, TransLink says it has restored access to its Compass kiosks so customers can resume using its Tap to Pay feature to pass through fare gates.
    TransLink said the incident did not affect any of its transit routes.
    The Egregor gang is also known for stealing data from hacked networks before encrypting their files. Desmond said TransLink is still in the middle of a forensic investigation, so they can’t confirm what was taken. Nonetheless, the CEO said payment details were not in danger as the company doesn’t store this type of data to begin with.


    Intelligence review recommends new electronic surveillance Act for Australia

    A review into Australia’s intelligence community has recommended comprehensive reform of electronic surveillance laws, one that would repeal existing powers and combine them to avoid duplication, contradictory definitions, and any further ad hoc amendments to the existing three Acts.
    Electronic surveillance powers enable agencies to use electronic or technical means, which would otherwise be unlawful, to covertly listen to a person’s conversations, access a person’s electronic data, observe certain aspects of a person’s behaviour, and track a person’s movements. Currently, these powers are contained within the Telecommunications (Interception and Access) Act 1979 (TIA Act), the Surveillance Devices Act 2004 (SD Act), and the Australian Security Intelligence Organisation Act 1979 (ASIO Act).
    Parts of the Telecommunications Act 1997 and the Criminal Code Act 1995 are also directly relevant when considering these powers.
    Each Act requires agencies to meet thresholds before accessing these powers and requires external authorities, such as judges, Administrative Appeals Tribunal (AAT) members, or the Attorney-General as is the case of ASIO, to approve the use of powers.
    In 2017-18, Commonwealth, state, and territory law enforcement agencies obtained 3,524 interception warrants, 828 stored communications warrants, 802 surveillance device warrants, 23,947 prospective data authorisations, and 301,113 historic data authorisations. ASIO likewise obtained interception, surveillance device, and computer access warrants.
    “In short, we conclude that the legislative framework governing electronic surveillance in Australia is no longer fit for purpose,” the review said. “The SD Act was enacted 15 years ago; the ASIO Act and TIA Act are 40 years old; and the foundations of the surveillance framework date back to decisions made by Prime Minister Chifley in 1949.”
    It said that after 40 years of continued amendments, problems with the framework have accumulated.

    “The framework contains a range of highly intrusive powers that are functionally equivalent, but controls and regulates their use in a highly inconsistent fashion. It is based on outdated technological assumptions that cause challenges for agencies applying the framework to modern technologies,” the review said. 
    There are more than 35 different warrants and authorisations for electronic surveillance activities. These warrants have different tests, thresholds, safeguards, and administrative requirements.
    Similarly, the review said, there are significant differences between the limits and controls that apply to agencies’ use of their electronic surveillance powers in respect of third parties who are not, themselves, under investigation. Additionally, the ASIO Act, SD Act, and TIA Act contain 10 different arrangements for “emergency authorisations” to exercise their electronic surveillance powers in various urgent circumstances.
    It also said ad hoc amendments often introduce as many problems as they solve and many of the core definitions in the Acts date back to the 1970s and 1980s and do not reflect the current telecommunications environment.
    The review labelled the TIA Act as a “case study of complexity”, saying the complexity was both unnecessary and harmful.
    The review considered the following fixes: Continuing to progress ad hoc amendments to deal with problems as they arise; repealing and rewriting the TIA Act alone; comprehensively reforming the entire electronic surveillance framework — repealing and rewriting the TIA Act, SD Act, and relevant parts of the ASIO Act; or developing a common legislative framework, which would be a broader consolidation of core legislation governing the National Intelligence Community (NIC).
    “We recommend that the SD Act and TIA Act, and relevant parts of the ASIO Act governing the use of computer access and surveillance devices powers should be repealed and replaced with a new Act,” it declared.
    Under a new Act, it said, agencies should continue to be required to obtain separate warrants to authorise covert access to communications, computer access, or the use of a listening or optical surveillance device. It added that the Act should not introduce a “single warrant” capable of authorising all electronic surveillance powers.
    As part of the development of a new electronic surveillance Act, the review said, the Australian Transaction Reports and Analysis Centre (Austrac) should be able to access telecommunications data in its own right under arrangements consistent with other Commonwealth, state, and territory law enforcement agencies presently authorised to access telecommunications data.
    It also recommended that corrective services authorities be granted the power to access telecommunications data if the relevant state or territory government considered it to be necessary.
    A further recommendation is that as part of the development of a new Act, electronic surveillance powers should be vested in the Australian Border Force (ABF), not the Department of Home Affairs, and the ABF should also be granted the power to use tracking devices under warrant and authorisation for the purpose of serious criminal investigations.
    The new Act would amalgamate provisions from the existing Acts and unify them. As one example, the Attorney-General would be permitted to issue warrants authorising ASIO to intercept telecommunications, access stored communications, access computers, and use optical and listening devices under the new Act if they were satisfied that a person was engaged in, or was reasonably suspected of being engaged in or of being likely to engage in, activities relevant to security, and that the exercise of powers under the warrant in respect of the person was likely to substantially assist ASIO in obtaining intelligence in respect of a matter that is important in relation to security.
    Under a new electronic surveillance Act, the review added that surveillance device powers should continue to be available for the purposes of integrity operations. But the use of tracking devices should be regulated separately from other electronic surveillance powers in a new electronic surveillance Act, it noted.
    Under a new Act, ASIO’s tracking device warrants should be subject to the same test as ASIO’s other electronic surveillance warrants. The review also asked for another review once 5G rollouts are complete to determine whether access to network data has become functionally equivalent to using a tracking device.
    A new electronic surveillance Act would require an issuing authority to issue law enforcement warrants in writing wherever possible, and record keeping was highlighted as a must by the review.
    Under its plan, the Attorney-General can approve variations to warrants while agencies themselves would be granted authority to make minor modifications to warrants.
    The review said the development and testing framework that is presently contained in Part 2-4 of the TIA Act should be extended to enable the Attorney-General to authorise the testing and development of electronic surveillance and cyber capabilities, as part of a new electronic surveillance Act.
    To summarise, the core definitions in a new electronic surveillance Act should: Provide clarity to agencies, oversight bodies, and the public about the scope of agencies’ powers; ensure that there are no gaps in the types of information that agencies may intercept, access, or obtain under warrants and authorisations; and be capable of applying to new technologies over time.
    A new electronic surveillance Act should not require carriers, carriage service providers, or other regulated companies to develop and maintain attribute-based interception capabilities, the review said, noting these companies should continue to be required to develop and maintain the capability to intercept communications sent and received by specified services and devices.
    Under a new electronic surveillance Act, the Attorney-General should be given the power to require a company to develop and maintain a specified attribute-based interception capability. If such a capability has been developed, agencies should be able to obtain attribute-based interception warrants in cases where it will be practicable for the warrant to be executed.
    ASIO and law enforcement agencies should be permitted to use their own attribute-based interception capabilities, in conjunction with service providers, under warrant, the review said. 
    Interception warrants issued under a new electronic surveillance Act should be capable of authorising the interception of communications by reference to one or more services or devices that the person — or group — who is the subject of the warrant uses, or is likely to use.
    The new Act would ideally also retain specific secrecy offences for the use and disclosure of, and other dealings with, information obtained by, and relating to, electronic surveillance, and continue to prohibit the use and disclosure of, and other dealings with, information obtained as a result of unlawful surveillance activities.
    Existing use and disclosure provisions in the SD Act and the TIA Act should be replaced with simple, principles-based rules that “maintain strict limitations on the use and disclosure of information obtained by electronic surveillance”. It should also permit the use and disclosure of, and other dealings with, surveillance information for the purpose for which the information was originally and lawfully obtained.
    The review added the new electronic surveillance Act should permit agencies to use, disclose, and otherwise deal with surveillance information for a defined range of secondary purposes, and require ASIO, law enforcement agencies, and Commonwealth, state, and territory agencies to destroy records of information obtained by electronic surveillance, as soon as reasonably practicable.
    The review recommended that ASIO's conduct under a new electronic surveillance Act should continue to be overseen by the IGIS, and that the Commonwealth Ombudsman should have oversight responsibility for the use of Commonwealth electronic surveillance powers by all agencies other than ASIO. The Ombudsman should also oversee the compliance of all agencies other than ASIO with a new electronic surveillance Act.
    LOCAL POWERS FOR ASIO
    The review’s report was broken down into four volumes totalling 1,317 pages, making 203 recommendations that affect the nation’s intelligence community and its operations.
    Among the recommendations was giving ASIO the ability to seek a warrant for the collection of intelligence on an Australian, providing they’re acting on behalf of a foreign power.
    If the recommended repeal and replacement of the existing Acts is not adopted, this would require amendments to the TIA Act and the ASIO Act to enable the Director-General of Security, on a request from the Foreign Minister or Defence Minister, to seek a warrant from the Attorney-General for the collection of foreign intelligence on an Australian person who is acting for, or on behalf of, a foreign power.
    Currently, the ASIO Act does not apply an Australian/non-Australian distinction for ASIO’s security intelligence activities. It does, however, restrict ASIO’s ability to obtain foreign intelligence on Australians.
    “Preventing some forms of collection when the Australian target is onshore, but enabling it when the target is offshore, seems a disproportionate restriction that costs Australia a significant intelligence dividend,” the review noted.
    Those preparing the review claimed this restriction has cost Australia valuable intelligence where an Australian is acting for, or on behalf of, a foreign power, and that it would continue to do so unless the rules are changed.
    Delivered earlier this week was the Advisory Report on the Australian Security Intelligence Organisation Amendment Bill 2020, which was prepared by the Parliamentary Joint Committee on Intelligence and Security (PJCIS).
    The PJCIS report [PDF] made eight recommendations, with the last being for the Bill to be passed by Parliament, following the implementation of the previous seven requests it made, which included prohibiting ASIO from using a tracking device without an internal authorisation.