Special Feature
Part of a ZDNet Special Feature: Coronavirus: Business and technology in a pandemic

Australia and US call out cyber attacks on hospitals during COVID-19 pandemic

As China pushes Huawei-inspired supply chain freedoms at the United Nations, Australia reminds the world that a cyber legal framework already exists and attacking hospitals is not on.

feakin-australia-cyber.jpg

Director of cyber policy Johanna Weaver and Australia's Ambassador for Cyber Affairs, Dr Tobias Feakin

(Image: Australian Department of Foreign Affairs and Trade)

Australia's cyber diplomats have called for an end to attacks on medical facilities, such as the recent cyber attack on one of the Czech Republic's biggest COVID-19 testing laboratories.

"As Australians and the international community band together to respond to COVID-19, we are concerned that malicious cyber actors are seeking to exploit the pandemic for their own gain," said Australia's Ambassador for Cyber Affairs, Dr Tobias Feakin told ZDNet on Friday.

"We call on all countries to cease immediately any cyber activity inconsistent with their international commitments. We also urge countries to exercise increased vigilance to ensure their territory is not a safe haven for cybercriminals.

"History will judge harshly those exploiting this crisis for their own objectives."

The US also notes with concern the threat to the Czech healthcare sector, saying it has "zero tolerance" for malicious cyber activity against its partners in the fight against the pandemic.

China pushes to end tech bans on 'national security' grounds

It's now been a year since the United Nations (UN) restarted its stalled process for setting rules on "responsible state behaviour in cyberspace" -- this time in two separate forums.

One is the Open Ended Working Group (OEWG), based on a Russian proposal and open to all UN members. It will report back to the General Assembly later this year.

The other is the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE), now in its sixth incarnation. It's due to report in 2021.

GGE meetings are closed to non-members -- including technical experts -- which is why the OEWG was formed. However, it has been responsible for setting up the current international cyber legal and normative framework, including the 11 international norms for nation-state behaviour.

ebook

Coronavirus and its impact on the enterprise

This TechRepublic Premium ebook compiles the latest on cancelled conferences, cybersecurity attacks, remote work tips, and the impact this pandemic is having on the tech industry.

Read More

Australia played a key role in developing those norms, and since the release of its International Cyber Engagement Strategy in 2017, has been increasingly confident in its calls to enforce them.

The OEWG is currently working through a huge number of proposals for modifications and clarifications to the norms, with one of the more significant ones coming from from China.

China's specific language proposals [PDF] on what is delightfully called the initial pre-draft [PDF] of the OEWG report includes a section on supply chain security that is obviously about the whole 5G issue -- although that isn't mentioned explicitly, of course.

"States should be committed to upholding a fair, just, and non-discriminatory business environment," China wrote.

Their wording echoes the phrase "fair, reasonable, and non-discriminatory" (FRAND) that is used by technology standards organisations in relation to the licensing of patents for the purposes of implementing a certain standard.

FRAND disputes were previously at the core of the long-running battle between Samsung and Apple over patents related to 3G technology.

With the discussions around cybersecurity norms, China has given FRAND a new spin.

"States should not use national security as a pretext for restricting development and cooperation of ICTs [information and communications technologies] and limiting the market access for ICT products and the export of high-tech products," China wrote.

Nations "should not exploit their dominant position" in resources, critical infrastructures, or core technologies, to "undermine other states' right to independent control of ICT goods and services as well as their security".

Given the trade war and other tensions between China and the West, this is clearly a hot topic for the UN to resolve.

No backdoors or cyber espionage, China says

"States should prohibit ICT goods and services providers from illegal obtainment of users' data, control and manipulation of users' devices and systems by installing backdoors in goods," China wrote.

"States should also prohibit ICT goods and services providers from seeking illegitimate interests by taking advantage of users' dependence to their products, or forcing users to upgrade their systems or devices."

China also says that nations should not "interfere in internal affairs of other states and undermine their political, economic and social stability" nor "conduct or support ICT-enabled espionage against other states, including mass surveillance and theft of important data and personal information".

"States should prohibit terrorist organisations from using the internet to set up websites, online forums and blogs to conduct terrorist activities, including manufacturing, publication, storage, and broadcasting of terrorist audio and video documents, disseminating violent terrorist rhetoric and ideology, fund-raising, recruiting, inciting terrorist activities etc," wrote China.

"States should request internet service providers to cut off the online dissemination channel of terrorist content by closing propaganda websites and accounts and deleting terrorist and violent extremist content."

While this sounds similar to schemes to block graphic violent content and other terrorism-related material, such as Australia's content blocking scheme that were introduced after the Christchurch terrorist attack of 2019, in China's eyes, "terrorist" includes dissident groups inside its own territory.

COVID-19 pushes backroom cyber diplomacy into the open

Whether China's proposals are agreed to, or even discussed, is still unknown, however. The COVID-19 pandemic has disrupted what are usually face-to-face discussions.

In attempt to overcome this hurdle, the OEWG has taken the highly unusual step of posting its working documents online, with titles like "initial pre-draft" and "non-paper", while asking member nations to do the same with their responses.

While Australia's cyber negotiator at the UN, Johanna Weaver, has been "pretty optimistic about what we would be able to achieve through these processes", she acknowledged that there's only so much that can be done via video conferences and exchanging documents in the public eye.

"The way that you get agreement on those is by having in-person conversations, and that will be difficult in the current environment," Weaver told ZDNet.

"It's really a question for the chair in terms of the level of ambition that they will have for the report going forward."

Some of "those more ambitious proposals" may have to wait for the future iterations of the OEWG and GGE. Or they may "buckle down" to find some agreement despite the COVID-19 restrictions.

In its own response [PDF], Australia noted "with concern" the reports of cyber disruption of critical infrastructure, including those for healthcare and medical functions and crisis response organisations, during the pandemic.

"Countries have agreed international law applies in cyberspace, and have agreed specific norms, including to cooperate to prevent cybercrime," Weaver said.

"Australia also considers that the existing norm 'states should not intentionally damage critical infrastructure using ICTs' encompasses medical services and facilities.

"During a pandemic, it is hard to think of an infrastructure more critical than hospitals and health services."

Australia's Department of Foreign Affairs and Trade (DFAT) is running an ongoing consultation on responsible state behaviour in cyberspace, including a video conference this Wednesday, April 29 at 3pm AEST.