Four Corners report short on technical detail


opinion Watching Four Corners’ expose last night on claimed Chinese electronic attacks targeting Australian companies was, shall we say, an ‘entertaining’ experience.

Cute graphical effects such as screen-shaking and electronic noise were spliced into the program in between shots of security consultants watching Google Earth zoom into certain global locations. And of course, there were plenty of international experts with doom and gloom quotes describing an epic war between East and West, played out in cyberspace.

The music was a well-mixed blend of frenetic electronica and the sort of ominous overtones most people would associate with Frodo approaching Mordor, the one true ring clutched fearfully in one clenched fist.

However, those who have spent any time at all working as a systems administrator or security expert will know that cyber-security is a much more boring line of work than Four Corners would have you believe.

Regardless of this, the show succeeded in its mission of bringing attention to the issue of cyber-espionage with the troubling news that someone has been targeting major Australian mining giants Rio Tinto, BHP Billiton and Fortescue — during sensitive times in their corporate history. It’s a troubling situation — and after speaking to someone in a position to know, Delimiter has confidence that Four Corners’ contention that the Federal Government is deeply interested in the issue is true.

However, there are a couple of matters that are worth raising as a consequence of this report.

Firstly, it was a recurring theme throughout Four Corners’ report that none of its sources could definitively pin the so-called “cyber attacks” to any one source. The program repeatedly asked its on-the-record sources whether they could in the end identify the source of recent attacks — be they against Australian companies or against other recent targets such as the Dalai Lama.

None could, apart from naming China as the geographical origin of the attacks (which you can do by IP address).

In this context, the unspoken allegation throughout Four Corners’ program that the attacks have been an act of cyber-espionage conducted on a national level, rather than the unrelated actions of a bunch of script-kiddies using cheap Chinese servers, needs further investigation.

As any security expert will admit, it is child’s play to use compromised computer servers in any particular country to attack any point on the globe — no matter where you are personally located. For all the security experts interviewed on the Four Corners report admitted, the attacks could have come from Lithuania.

Secondly, technically adept readers would have cringed repeatedly during the report at Four Corners’ use of the words “cyber-attack”.

There are many kinds of internet security threat, after all. There are distributed denial of service (DDoS) attacks, which aim to disrupt network infrastructure through traffic floods. There are spear-phishing attacks, which attempt to gather sensitive information through installing rogue software on certain individuals’ machines.

And there are even more traditional virus attacks where malware is spread en masse through email, websites, instant messages and … the list goes on.

Although Four Corners had direct access to former senior executives from the Australian mining giants being targeted, it did not go into detail about the nature of the attacks on the companies, as it should have.

There’s an argument to be made that to go into technical detail would have run the risk of alienating the mass audience for Four Corners’ program. However, the difficulty is that several types of “cyber-attack” are not actually aimed at stealing corporate information and therefore cannot truly be judged as espionage.

For example, Four Corners mentioned that all three mining giants targeted by the attacks had upgraded their network security after detecting the “cyber-attacks”.

In this writer’s experience, you would not upgrade your network security after a spear-phishing attack, which would have probably been spread through a trojan attached to an email or something similar. Instead, you would wipe the affected executive’s machine and re-install the standard operating environment, perhaps with stricter security controls on the corporate security suite.

But you would upgrade your network security if you had been the target of a DDoS attack, because your existing routers (particularly in satellite offices such as Rio Tinto’s Singapore office, which was affected) might not be capable of dealing with a flood of traffic.

It is possible that it is this sort of problem that took that Singapore facility offline for several days after the attack. And it would not be surprising for mining companies to come under attack from rogue hackers — after all, it’s often mining companies that are involved in controversial environmental scandals that lead activists of all kinds to target them.

If the “cyber-attacks” were in fact DDoS attacks on the mining companies’ infrastructure (and let’s face it, these are the most likely attacks to have been detected, given their scale), it would be unlikely that it was the Chinese Government who perpetrated them. After all, why would it? A DDoS attack would not help gather any corporate information.

The lack of any technical detail in the Four Corners report leads me to believe that the program’s sources on the mining cyber-attacks were not, in fact, former executives from the companies’ IT departments, who, it is likely, would have been far more specific about the nature of the attacks.

It’s not likely to have been, for example, former BHP Billiton chief information officers Ken Mathews (who left BHP in mid-2009) or Graham Otter (who left Rio in early 2007). Fortescue, by the way, also has a new CIO — Ray Achemedei, who won the role in July 2009. But we’re not sure who his predecessor was.

Instead, it is possible that the sources were in fact lower-order executives from the miners’ mainstream ranks who didn’t work in their IT departments.

The final thing that puzzles us about the Four Corners report is the lack of heavyweight security expertise in the interviews the program conducted. Most of the experts the program interviewed were security experts with a history in government or the military, but few had any real background in IT security.

Instead, the program quoted sources like former ICANN chief Paul Twomey (who has a deep background in the internet but not in security) and University of Sydney Professor Alan Dupont (who has a background in security, but not in technology).

The two sole Australian exceptions to this rule were Logica chief information security officer Ajoy Ghosh, who appeared at pains to dumb down his message for a mainstream audience, and Major Nicholas Chantler, a former counter-intelligence officer with the Australian army who lectures on cyber-security at the Queensland University of Technology.

Chantler was probably Four Corners’ most heavyweight on-the-record source. But even he didn’t get that technical on the program, and we would have liked to have seen some more Australian IT security luminaries weigh in.

None of this suggests that Four Corners’ Chinese Whispers report was inaccurate. But the show was certainly light on technical detail, a fault that this author has previously found with the program’s reporting on IT security matters.

When is Australia’s technology sector going to get the full picture on what went on at BHP, Rio Tinto and Fortescue?

Image credit: Gustavo Molina, royalty free