Cyber defender Brandis is proving unfit for purpose

Summary: The minister responsible for leading cabinet discussions about Australia's cybersecurity can't even explain a web address. May God have mercy on our souls.


I used to think that cybergeddon, the much-hyped digital Pearl Harbor, was just hawkish scaremongering. Now I'm not so sure. The evidence that we're in the midst of a cyber cold war is mounting daily — as is the evidence that one of Australia's key defenders isn't fit for purpose.

As industrial control system (ICS) hackers told me two years ago, while the SCADA systems that control everything from power stations and oil refineries to chocolate factories and hotel air conditioning have shockingly bad security, you need to know how the systems are set up. Knowing how to hack controller number 75454 is useless, unless you know what controller 75454 actually does, and how it interacts with the rest of the system.

But since then we've learned a lot about the scale and scope of cyber espionage and weapons development. Stuxnet and Flame, the worms that got so much attention back then, just hint at what must be a massive stockpile of cyber weapons.

Last November, when Kaspersky Lab founder Eugene Kaspersky was on his global cyber scare tour, his comments about the scale of espionage led me to believe that the operating manual for controller 75454 was probably scooped up long ago — along with the address of the kindergarten where the operator's children spend their days, oh so vulnerable.

And just days ago, we learned that a Russian crime gang has stockpiled 1.2 billion usernames and passwords. "The group includes fewer than a dozen men in their 20s," reported The New York Times. So given that, plus what we know via Mr Snowden's work, imagine what a few thousand well-funded military or defence-contractor hackers could get up to. Or rather, have already gotten up to.

I'm guessing that a variety of nation-states have already gathered plenty of SCADA plans and logins, have already conducted plenty of drills, have already calculated how well it'd work given certain levels of failure, and have already turned it all into operating procedures. On a planet whose ape-creatures set up systems for launching thousands of thermonuclear warheads at each other on a few minutes' notice, what's turning off a few power stations or crashing a few oil trains into each other? SCADAgeddon will have been automated.

When the siren sounds, gentlemen, insert your keys and select "Shut down Belgium".

In brief, we're screwed.

Which brings me to the glory that was Wednesday evening's television appearance by Australia's favourite Attorney-General, Senator George Brandis QC. Watch it. His brandisplaining of metadata collection in the context of the proposed mandatory data retention regime is hilarious — web surfing, the "electronic address" of a website, "computer terminals", it's all there.

As ZDNet reported, the interview was such a train wreck that today Brandis ditched keynoting a conference on freedom of speech, one of his favourite subjects, to instead attend a memorial service for the victims of the MH17 attack.

Brandis' quarter-baked explanation of data retention would be a passing amusement, up there with a series of tubes and the spams or scams that come through the portal, except for two things.

One, Brandis is clearly clueless about the basic concepts underlying an important government policy. As I said on ABC Radio's AM this morning, this is about the operation of our intelligence services — something that we do need to get right for our nation's security, yet something that's riddled with subtle human rights and privacy implications.

No-one's asking Brandis to be a systems administrator. But even non-technical internet users of middling intelligence can learn to understand the difference between a URL and an IP address in just a few minutes. Brandis either hasn't bothered or isn't equipped to understand.

If the nation's chief law officer still isn't across the basics of what data would and wouldn't be collected, this many months into the discussions, that's a real cause for concern.

It's also concerning that he doesn't seem to be reading the talking notes being passed around the Liberal party this week. Not only has Brandis taken a different approach to copyright infringement than his Cabinet counterpart, Minister for Communications Malcolm Turnbull, but yesterday saw the attorney-general talking from a different page than his Prime Minister.

Two, Brandis is, as attorney-general, the minister responsible for CERT Australia, the agency which acts as the government's contact point for cyber security issues affecting our critical infrastructure and major Australian businesses. Brandis is therefore responsible for relaying CERT Australia's briefings into federal cabinet, and explaining their policy and political implications to his colleagues.

Given yesterday's TV performance, imagine how well that works.

Back in March, I wrote that when it comes to explaining metadata retention, Brandis is clearly either ignorant or wilfully disingenuous. I think we now know which it is. Despite his stated aim to make national security his focus, Brandis is proving incompetent for that job.

Should SCADAgeddon come, may God have mercy on our souls.



Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.



  • He just doesn't understand ...

    # What he is trying to control through legislation ... effectively he wants the ISP's logs, but from what he was saying the other night he wants much more than this
    # The relative ease with which his major targets could nearly completely avoid and/or obfuscate his data collection methods ... for less than $20 per annum. Tunnelled VPN packets through a remote proxy would tend to be pretty bland offerings from a metadata analysis perspective.
    # The construction of an IP data packet ... into header and data blocks
    # How IP data transmission tends to be a pretty randomly routed affair anyway, and determined by the packets from packet to packet.
    # What metadata (i.e. IP packet header data) is going to be collected, analysed and the like ... and how the collection of said metadata and the intimations that may be drawn from same accord with the Rules of Evidence.
    # The fact that IP number allocations tend to be pretty damn dynamic and ever moving ... even within a single ISP's network.
    # The magic of NAT and all the complications that entails from a traffic analysis perspective
    # ... and a host of other (TCP/IP) networking niceties.

    Sad really ... but as you say - he's out of his depth.

    Maybe he should stack that $15,000 politician's (AKA "Lifter's") bookcase with a few networking and TCP/IP tomes.
    Frank O'Connor
  • He sounds a lot like some IT executives in the US

    From similar backgrounds (it's not what you know, it's who you know), he and a lot of US IT executives got where they are by remaining willfully ignorant of all things technical, avoiding any form of direct responsibility, and being very good friends with other, non-IT executives in the same organization. Unfortunately, I have seen first-hand what this results in, and it is not good.
  • I get what he's saying, you don't?

    I watched the interview. The distinction he's making is between content & address. The reporter kept saying "If you have the web address, that's the web site", but he was making the distinction that, though content of the site may change, they're recording what addresses are being accessed. Any good carrier logs their traffic for forensics of both technical issues as well as malicious attacks. I found his ability to explain the difference with more clarity a bit weak and he bumbled and stumbled through the interview, but this didn't actually demonstrate a lack of knowledge or understanding so much as poor presence in front of a camera.
    • Generally...

      ...George does fine in front of a camera, even when "grilled" by someone like Sarah Ferguson. For him to have fallen apart in a soft interview on Sky is really telling...
  • The thing that offends me

    Brandis on bigotry and Scott Morrison on immigration, Brandis doesn't sound very Australian, why was he allowed into the country? Abbott on abortion, why was Abbott allowed into the country? Abetz! He doesn't sound very Australian, what's going on?

    Seriously, Brandis is not the best and brightest, he is just a politician, why would anybody actually listen to these people?
    David Boyd
    • You're eager to exile all sorts of people, aren't you?

      There are people like that here in the USA as well, but it's hard to have a democracy if there are restrictions on what people are allowed to believe.
      John L. Ries
  • Perhaps it is a cunning plan

    Perhaps he never wanted 18C to get through, and is applying lessons learned from that success to metadata collection.
  • Actually I thought Brandis did OK there too

    Although I don't much like the guy, I thought his explanation seemed eminently reasonable - it struck me they each knew what they were talking about; they each wanted to battle over what words they would each use to describe it. In particular the interviewer was desperate to be able to say "they'll track the websites you've been to" as a generic statement and invite misunderstanding and outrage amongst his audience.
    Although politicians are known for skirting issues by overgeneralisation it struck me Brandis was genuinely trying to explain and the media were doing their old trick of trying to 'get a controversial story' - whether there is one or not. The fact is the truth is worthy of debate so let's make it clear what the truth is instead of farting around arguing when 75% of people misunderstand the facts.