Government’s secrecy war makes us less safe

Originally published on Green Agenda.

When the Australian government announced in April last year that they would be developing and deploying a smartphone application to assist contract tracing efforts as the coronavirus pandemic started to impact Australia, there was immediate and vocal public scepticism. It came from privacy advocates and the technology sector, but also human rights advocates and the broader public.

The trickle of information and the several contradictions from the government during the period between announcement and deployment did little to assuage concerns. A leak revealing that the Department of Home Affairs home security had attempted to obtain ongoing access to data gathered by the proposed app proved the sceptics right. The stubborn refusal to embrace the more effective, secure and privacy-respecting data model offered by Apple and Google was the final straw.

This stood in stark contrast to the state government controlled check-in apps. From the outset, Premiers and Health Department spokespeople were clear about the use case for the tool, how it would work, what small amount of information was to be collected, and crucially, when that information would be discarded.

Commonwealth governments have spent 20 years inverting the essential relationship between people and their government regarding transparency and privacy, and it has left us more vulnerable. The national security powers granted to government agencies and law enforcement work to surveil the populace, strip away rights to privacy, make reasoned scrutiny of the national security apparatus itself all but impossible, and undermine technologies that enable privacy and security.

Widespread public resistance to the “covidsafe” app was inevitable. It was yet another intrusion with nothing more than a repeat of the empty call to “trust us” after years of government digital illiteracy, overreach, incompetence and malice. We saw the spectacular failure of the first national census conducted on a digital platform. Hundreds of thousands of people’s lives were impacted by the fundamentally broken and needlessly cruel robodebt scheme. The National Broadband Network was weakened and delayed for what many believed were purely political reasons. And in the years since the attacks of September 11, 2001, successive Australian governments have introduced nearly a hundred pieces of increasingly invasive and draconian national security legislation. Public trust in Commonwealth Government digital initiatives is virtually non-existent.

That government fear-mongering and a bit of Hollywood fantasy has distorted public understanding of the dangers of digital security threats and cybercrime. Digital literacy within the community lags behind both technological change and the dangers those changes bring. There is some understanding of the financial costs of cybercrimes like identity theft and fraud, yet even “digital natives” often fall victim to those threats. Cybercrime costs the national economy almost $30 billion each and every year. Announcements of multimillion dollar investments in efforts to counter this are becoming more common.

But the greatest risk we face in the digital space is a government captured by fossil fuel interests consolidating their own power and control, and leaving the tech giants they partner with for that surveillance unchecked. The leaks from Edward Snowden gave us the first real insight into how the Australian government, along with its “Five Eyes” alliance partners, exercises some of the secret powers its given itself.

While those revelations produced widespread public debate and push-back elsewhere, the government and opposition in Australia shut down attempts at scrutiny and continued amassing still more covert powers. The ‘Assistance and Access’ anti-encryption bill rushed through on the final parliamentary sitting day of 2018 is the most recent example. The powers contained in the legislation can force a ‘designated communications provider’ — that can be any digital platform operating in Australia that allows people to communicate — to give the applicable agency access to any communications. This is all done without any oversight, warrant or appeal process. The agencies that can access these powers include ASIO and the Australian Signals Directorate (ASD, effectively Australia’s NSA), the Federal Police, and state police forces with AFP approval. Notably the government excluded anti-corruption bodies from this list at the time of the passage of the Bill.

It puts software developers in a no-win situation where they’d be compelled to engineer vulnerabilities into their programs or platforms and be unable to tell anyone, even their colleagues and bosses. If this hasn’t had a direct impact on the public yet it is only a matter of time until it does. And of course access to a vulnerability can not be limited to the supposedly good guys.

The anti-encryption powers can be used in the pursuit of a prosecution for any crime “punishable by a maximum term of imprisonment of 3 years or more”. Everything from civil disobedience and direct action to whistleblowing and subsequent reporting is in greater jeopardy.

After the series of bills undermining speech and journalism, the anti-encryption bill was covered by mainstream news outlets all over the world. Journalists increasingly rely on encrypted communications to conduct investigations, and connect with sources and whistleblowers. These powers simply make it dangerous to do reporting in the public interest.

Media scrutiny is how we understand and impose limits on what is being done in our names by our government. That reporting is the launching point for debate about what is best for our future, including what danger lies ahead and how to navigate it. The dozens of national security powers the government has granted itself over two decades — with bipartisan support each and every time — gives them the ability to both more effectively hide information from public view and punish people attempting to bring it to light.

In 2019, the Australian Federal Police raided the home of News Corporation journalist Annika Smethhurst in response to a leak that led to her story a year earlier about plans to expand the powers of the Australian Signals Directorate. A day later the AFP raided the ABC offices in Ultimo in pursuit of a leak about the ‘Afghan files’, a series of stories published in 2017 about potential war crimes committed by Australians. The AFP warrants gave the officers power to “add, copy, delete or alter” material on ABC devices, with no oversight.

The overwhelming public outcry to the heavy-handedness shown by law enforcement about stories so clearly in the public interest forced the government and AFP to cancel a third raid planned for the offices of News Corporation itself.

Australia is alone amongst democracies in that we have no bill or charter of rights. We have no recourse to this conduct. The Liberal government has effectively criminalised public interest reporting on national security matters. In the midst of a climate crisis and escalating tensions thanks to growing inequality, they have decided that national security is whatever they tell us it is.

Government activities in the digital space in pursuit of this nebulous national security are not limited to surveillance and defence. Like every other government in the world, ours also goes on the attack in the digital world. Even less is understood about the nature of this work, and accountability and oversight is non-existent.

Just over a decade ago, the world was introduced to a new method of warfare. The digital space has been a theatre for surveillance and intelligence gathering for as long as it has existed, but conflict was still contained within software itself. That changed when an Israeli-American software worm code-named Project Olympic Games triggered the destruction of centrifuges in Iran’s Natanz nuclear reprocessing facility. The program started as a pinpoint-targeted cyberweapon but spilled out into the wider world, where it became known as stuxnet. It did hundreds of millions of dollars worth of damage to businesses all over the world, provoked substantial retaliation and a new arms race.

Iran’s nuclear program did not stop. After recovering from the setback they redoubled their efforts and were back on the same timeline within months. The Iranian government rapidly expanding their own cyberwarfare capability, which in turn resulted in attacks on Sands Corp and Saudi Aramco, doing millions of dollars worth of damage to the US gambling and Saudi mining giants. There is some argument that the use of stuxnet created an environment of greater ‘permissiveness’ in the use of these weapons, though it’s impossible to say if Kim Jong Un was emboldened by stuxnet when he chose a damaging cyberattack on Sony as his retaliation for the 2014 movie The Interview that ridiculed him.

Offensive cyberweapons are unique in that they emerged from the world of espionage, not the regular military. This is partly why everything about them is so secret. That secrecy prevents understanding, accountability and debate around their use. The destructive power is why they are the only other weapon in the US arsenal besides atomic bombs to require specific Presidential approval before an attack is launched.

But unlike nuclear weapons, cyberweapons and warfare have not been the subject of major inquiries, public debate or community antiwar efforts.

There are no treaties governing their use, though Russia has led efforts for more than 10 years (while conducting attacks of their own) to establish such a treaty, and there are no behavioural norms for governments beyond ‘whatever you can get away with’. Capabilities in this space are a carefully guarded secret.

For years, long before the most recent rise in tensions with China, Australian institutions have received hundreds of hacking attempts a day originating from the Asian mainland. No doubt the reverse is also true. But we do not know what is being done in our name in the world of cyberwarfare. Our government or our allies could be destabilising entire countries, attacking infrastructure and doing huge damage to anyone caught in the crossfire. We frequently hear about the dangers of terrorists communicating on encrypted message networks, but nothing about what this kind of escalation is doing or could do, or what these acts and capabilities even are.

The mere existence of cyberweapons also means that they will inevitably fall into the wrong hands, where they can be duplicated, reverse-engineered, adapted and enhanced. Independent groups build on that expertise to develop their own weapons. In May of this year a the largest petroleum pipeline between Texas and New York was shut down. Millions of people were impacted in the chaos that ensued, as panicked buyers hoarded petrol, companies inflated prices and tensions flared in hours-long queues. Service was restored when the operators, Colonial Pipeline, paid a ransom equivalent to about US $5 million to the Russian cybercriminals responsible.

Aside from the stuxnet-style attacks on physical infrastructure — an act of war any way you slice it — we’ve seen attacks on the financial sector, commercial giants, and attempts at mass disruption of information and elections. Then there are the efforts undertaken by law enforcement and spy agencies, which also provoke damaging offensive responses from adversaries.

All covert operations require extensive support to maintain secrecy. A carefully leaked article in Newsweek recently revealed just what lengths the US government — and almost certainly their favourite fawning Five Eyes friend Australia — are going to in efforts to maintain surveillance networks at home and abroad.

Such surveillance is not passive either. Agencies in the US have coerced and entrapped disaffected, depressed and isolated young men into taking extremist positions and actions that they would never otherwise have taken. The FBI has almost certainly lost control of such an operation at least once resulting in the loss of innocent lives. The Australian government’s war on secrecy has made it very unlikely that we will learn much of similar programs here.

Whether it is foreign powers, or alienated people on the precipice of extremism at home, the Australian government and our allies are using the digital space not to ease tensions, but to provoke hostilities. They have created an environment that casts the people scrutinising those activities and holding them to account as a threat. They’ve granted themselves the power to marginalise and silence the fourth estate. They’re doing this with the support and encouragement of the fossil industries that are driving the biggest threat of all. It is the very opposite of national security.

Society functions best when individuals are afforded privacy, and governments are open, transparent and accountable. It’s the opposite of what we have now. There are an imposing number of battles ahead if we are to reverse course in time. There is little chance of success in the ones to follow if we do not win the first; the secrecy war.