“We are in discussion with the telcos that provide your services … under the Telecommunications Act, section 313, there might be a possibility for the telcos to act as an authorised blocking agent – that is to say, it’s unwanted, I don’t want this to come to my computer, I don’t want this to come to my phone. It’s malicious,” Home Affairs secretary Mike Pezzullo told Senate Estimates on Monday evening.
Pezzullo noted that more work needed to be done in this area, however, as it is currently unclear whether the Telecommunications Act deems providing a link to be an offence or whether the offence is actually the subsequent action taken by a criminal actor of taking advantage of a victim after they’ve clicked on a malicious link.
“There are some complexities here because it has to be a nexus to an offence. So scamming, click this link, may itself not be an offence, in which case, our advice to government in due course might well be that legislative changes are required. But the act of clicking might create a nexus to an offence, that offence might be identity, theft, fraud, etc,” Pezzullo said.
Marc Ablong, Home Affairs deputy secretary of National Resilience and Cybersecurity, analogised this “complexity” to how a mail service provider such as Australia Post would not be responsible for disposing the contents of a letter if it were dangerous.
“If there was something criminal in [a letter], you wouldn’t go after Australia Post … nor would you ask Australia Post to block the letter. And so, the nature of the conversations that we’re having with the telco sector at the moment is: Do they have sufficient information at scale to be able to block the whole class of these spam messages? Or would they need to report each and every one that came in?” Ablong explained.
Ablong added that part of Home Affair’s discussions with telcos about blocking malicious SMS messages have been focused on how best to define the attributes of an SMS message in a way that only blocks malicious messages, while still allowing normal SMS messages to be passed through.
The explanation of the potential expanded blocking measures followed the theme of yesterday’s Senate Estimates, at least for the Department of Home Affairs and federal law enforcement authorities, with Pezzullo saying they would all be “more aggressive” in addressing cyber threats moving forward.
“We’re going hunting. We’re using offensive capabilities,” he said.
“The AFP is very actively engaged with international colleagues to go after the gangs that, don’t only engage in ransomware – time’s up for them – but also other forms of identity theft, phishing, and so on and so forth.”
In Pezzullo’s opening statement at Senate Estimates, he said Home Affairs was becoming increasingly concerned about the potential for adversaries to preposition malicious code in critical infrastructure, particularly in areas such as telecommunications and energy.
“Such cyber-enabled activities could be used to damage critical networks in the future. The increasingly interconnected nature of Australia’s critical infrastructure exposes vulnerabilities which, if targeted, could result in significant consequences for our economy, security, and sovereignty,” he said.
Earlier on Monday, AFP commissioner Reece Kershaw share a similar sentiment at Senate Estimates, saying the federal police has been implementing a new cyber offensive arm, which has entailed talking with the Five Eyes alliance about the growth of cyberthreats.
“At the moment, we’re actually going through an internal review of how we can be more aggressive in cyber, and it may mean a mini restructure internally for us to really have what we would call a cyber offensive operation of the AFP, which would actually conduct disruption operations on these individuals,” he said.
Throughout his testimony at Senate Estimates, Kershaw explained that the powers given to the AFP through the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021, which passed earlier this year, would allow its cyber offensive capabilities to increase across various fronts, from countering child abuse, to spam, to terrorism.
Pezzullo’s declaration follows his department launching a national ransomware action plan earlier this month. The major focus for that plan is to create new laws and tougher penalties for people who use ransomware to conduct cyber extortion.
The federal government last week also amended the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which is currently under consideration in Parliament, as part of efforts to expedite the process for it to become law. That Bill is seeking to create mandatory reporting requirements for organisations that suffer a cyber attack and provide government with “last resort” powers that allow it to direct an entity to gather information, undertake an action, or authorise the ASD to intervene against cyber attacks.
When asked by Senator and Shadow Minister for Home Affairs Kristina Keneally how the development of these capabilities have progressed, he said he expected the policy work to be completed by “this side of Christmas”.
Kenneally and Shadow Assistant Minister Tim Watts the next morning said the lack of concrete details meant the federal government was “all announcement, no action”.
“Three months after Home Affairs Minister Karen Andrews declared that ‘Time’s Up’ for ransomware gangs, Senate Estimates has confirmed the government has committed no new funding, has initiated no new law enforcement action, and will pass no new legislation in the Parliament before Christmas,” the Labor politicians said in a statement.
Related Coverage
Home Affairs believes technological capability not there yet for cryptocurrency travel ruleHome Affairs asks for a rush on Critical Infrastructure Bill to allow ASD to act lawfullyCritical Infrastructure Bill should be split to swiftly give government step-in powers: PJCISAFP is looking to be ‘more aggressive’ with new cyber offensive armHome Affairs asks for a rush on Critical Infrastructure Bill to allow ASD to act lawfullyAustralia’s new ransomware plan to create ransomware offences and reporting regime