Gordon Campbell on the GCSB’s security hang-up with Russia

russia-hacker-imageSo our GCSB has chimed in, alongside its British, Australian and US allies, with warnings about a “fresh wave” of Russian cyber attacks, although the warning has been curiously framed :

GCSB director-general Andrew Hampton said in the agency’s annual report in November that 122 local incidents, about a third of the 396 serious incidents recorded by the GCSB’s National Cyber Security Centre, had “indicators of connection to foreign intelligence agencies”. He said Russian state-sponsored hackers were behind some of those incidents.

“Fresh” is a curious term. How” fresh” is this fresh wave of Russian activity, given that the only quantification we have is contained in annual report released nearly five months ago. “Some” is also an odd term. Did “some” attacks also originate from China, and “some” from North Korea, and did “some” also come from hackers in Eastern Europe…? Almost certainly they did. And if so, why single out Russia, and is the ratio of Russian-sourced attacks more prominent than say, the Chinese- sourced attacks, and to what extent have the attacks emanating from Russia been on the rise, compared to those from other countries…etc etc.

Moreover, it is also very hard to tell whether these “fresh” attacks have (a) already been launched, or (b) are about to be launched. The media reports seem to want to have it both ways. Western government are under attack and commerce is being disrupted by attacks Russia has launched, but also hang on, Russia is only “gearing up” to do so. For example :

The United States and Britain today accused Russia of launching [my emphasis] a new wave of internet-based attacks targeting routers, firewalls and other computer networking equipment used by government agencies, businesses and critical infrastructure operators around the globe.

The U.S. Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), and the UK National Cyber Security Centre (NCSC, which is GCHQ’s ‘cyber’ division) today said that hackers supported by Russia are gearing up for a series of digital attacks.

Clear as mud. Even if Russia is already, or is only maybe, could be, about to be doing this bad stuff, by how much does this exceed (if at all) the level of cyber intrusions into foreign countries to which this country has been a party, alongside our deeply offended British, Australian and US allies ?

In other words, we’re all at it. Every developed nation seems to be engaged in cyber attacks and cyber defences, which is one reason why, the US was (famously) able to cripple the Iranian nuclear weapons programme with the Stuxnet worm. No doubt, some countries do this stuff on an industrial scale. That seems to have been the case during the last US election, although – if money buys influence – it is also true that the revealed budget of the alleged Russian cyber farm operations in the US (over the course of the 2016 election) was dwarfed by the advertising budgets of the Clinton and Trump campaigns.

The real problem with our GCSB possibly crying “wolf” with respect to Russia is that it looks opportunistic, coming at a time of virtual Cold War tensions over the events in Salisbury, and in Syria. If anything, the selective focus on Russia only obscures the public understanding of the global extent of this sort of online activity.

Commerce, and privacy

For the GCSB, cyber attacks also pose other boundary issues. For decades, the security services have been given an explicit role (under their legislation) to protect the economic security of this country. This is not a purely reactive role. There have been reports that the GCSB has been actively engaged in spying on foreign friends and enemies alike, in order to enhance our trade prospects. To the same ‘economic security’ end, New Zealand corporates are now being urged to modernise their cyber security defences, and there have been indications that the GCSB/SIS can, should and are engaged in helping major NZ firms to shore up their capacity to repel any cyber attacks emanating from foreign countries.

This engagement with commerce poses some interesting questions for the security services, with regard to accountability. When it comes to surveillance of private individuals and dissident groups, the security services and relevant Ministers routinely drop a curtain of silence over their operational methods and capacities. There is little in the way of meaningful public accountability – allegedly because this could enable the real and potential targets of surveillance to be alerted about SIS/GCSB expertise, and their modus operandi. Yet when it comes to the engagement with corporate New Zealand, the coin seems to be flipped – and the security services appear to be actively engaged with business in sharing and advising on the appropriate levels of counter-espionage expertise.

Where (and how) does this line get drawn? Surely, the taxpayer shouldn’t be bankrolling the security services to assist the private sector to erect and maintain cyber defences that industry should be paying for itself – and especially when the public isn’t being entrusted with the same levels of care and consolation about similar intrusions into its own privacy. At base, how can the GCSB/SIS offer meaningful advice that protects our economic secrets and intellectual property from cyber attack, without tipping its hand to the businesses in question, about its operational methods and technical capacities? And if it can manage that tricky balance in its dealings with commerce, why can’t it be more transparent about its dealings with the public?

This apparent disjunct between what the security services conceal in their ‘surveillance’ role yet seem willing to reveal when wearing their ‘economic security’ hat must be a nightmare for the guardians that supposedly keep our security services in check. Chief among those watchdogs is the Inspector-General of Intelligence and Security, currently Cheryl Gwyn. In the past, this watchdog has been more like a toothless old lapdog – usually a retired judge working from an office with few resources, and almost entirely reliant on what the security services are prepared to reveal.

By contrast, Glyn seems to be a far more independent operator. This week, she has set up an eleven person advisory panel to be a “sounding board’ in the performance of her duties. The full group is :

Ben Creet – Issues Manager, Internet NZ

Professor Rouben Azizian – Director, Centre for Defence and Security Studies, Massey University

Dr Nicole Moreham – Associate Professor, Faculty of Law, Victoria University of Wellington

Dr Paul Buchanan – Director, 36th Parallel Assessments

David Fisher – Journalist, New Zealand Herald

John Ip – Senior Lecturer, Assistant Dean (Academic), Faculty of Law, University of Auckland

Nicky Hager – Journalist, Author

Thomas Beagle – Chairperson, NZ Council for Civil Liberties

Treasa Dunworth – Associate Professor, Public International Law, University of Auckland

Suzanne Snively – Chair, Transparency International

Deborah Manning – Barrister

None of this group will have access to classified information, or to the operational methods and technical expertise of the SIS/GCSB. Amusingly, some politicians have been upset that a statutorily independent watchdog might choose to engage with people who do not share the same mindset as the organisations she is being expected to monitor :

National’s spy spokesperson Gerry Brownlee said the creation of the reference group raised a number of serious questions – particularly around the inclusion of the investigative journalist Nicky Hager. “The Inspector-General has said this group has been brought together to help her stand ‘in the shoes of the public. But several members of her group are far from objective in their view of our intelligence relationships, or in some cases the existence of intelligence services at all,” Mr Brownlee said. He said Mr Hager had repeatedly questioned the legitimacy of the country’s spy agencies.

Heavens to Betsy. Can an independent watchdog really be sharing a cup of tea and a plate of biscuits occasionally with people who have been critical in the past of the organisations she is supposed to be monitoring? Andrew Little – the Minister responsible for the Security Services – seems to be equally perturbed that the NZ Herald investigative journalist David Fisher is on the same advisory panel, and Little wonders how Fisher can square this with his journalistic ethics.

Is Little serious? Surely, we are past the time when we regarded journalists as ideally being political eunuchs, devoid of values and opinions in any realm of their personal or public lives. That has always been a fallacy, in that it has been the “objective” journalism that has commonly tucked its half truths, deliberate exclusions and ideological premises carefully out of sight, before it comes to the table.

Journalists like Hager and Fisher, academics like John Ip (who has written insightfully about the role of special advocates in security cases) consultants like Paul Buchanan and lawyers like Deborah Manning all have expertise and opinions and networks that are relevant to the tasks that Glyn is expected to perform. She should be being congratulated for casting her net so wide, and so fearlessly.

To suggest, as Brownlee has, that Glyn shouldn’t dare to engage with someone critical of the SIS/GCSB is an insult to her abilities. To suggest, as Little does, that Fisher is being unethical by participating in this panel is an insult to Fisher, and is a quaintly inaccurate view of the evaluative role that good journalism should be encouraged to actively pursue.

Footnote One : Hate to be a conspiracy theorist, but there is a possibility the latest Russia cyber scare is a by-product of toxic US domestic politics. The current US warnings on Russian cyber activity have been attributed to the assistant director of the FBI – whose past director (and the FBI decision to raid the office of the President’s personal lawyer) have both come under attack of late from a President who has routinely peddled a softer line on Russia, and continues to do so. Even after the alleged gas attack in Syria, Donald Trump has not supported imposing further sanctions on Russia, as advocated by Congress and by the Republican Party to which he belongs. The FBI don’t seem to share the President’s comparatively benign view of Russia.

Footnote Two : Ironically, it is not all bad news. Sport is one area where Russian cyber attacks have arguably been of positive benefit to the public. The so called “Fancy Bear” cyber attacks in 2016 – after Russia had been targeted by Western authorities for its state doping programme – revealed for the first time, the surprising extent of ‘therapeutic use exemptions’ (TUEs) granted for permitted drug use, within modern professional sport.

These revelations have had direct repercussions for public understanding of the potential abuse of TUEs in the Olympics, football, tennis, baseball, gymnastics and lately in cycling. The past exploits of Bradley Wiggins and Chris Froome have both come under intense scrutiny, as a result. All of which surely, has to be regarded as welcome.