July 30, 2021
China “crossed a line” with its state-sanctioned hacking of Microsoft Exchange email servers, Australia’s top cyber security official said, because it opened the door to criminals to exploit vulnerabilities.
Australian Signals Directorate chief Rachel Noble told a parliamentary inquiry that an estimated 70,000 Australian businesses used Microsoft Exchange servers and had potentially been exposed earlier this year.
Australia joined almost 40 countries last week, including the US, Japan and European Union, to name Beijing as the culprit after western intelligence services concluded China’s Ministry of State Security was behind a large-scale espionage operation.
At least 70 Australian organisations had data stolen or malware installed as part of a global wave of ransomware attacks.
While China has denied responsibility, Ms Noble told the inquiry it was an “extremely large and significant” attack.
“To explain it in plain language, it would be like houses or buildings having faulty locks on the doors,” she said.
“When the Chinese government became aware of the faulty locks on the doors, they went in and they propped all those doors open.
“There was opportunity for all sorts of criminals, other state actors, you name it, to pour in behind those propped-open doors and get into your house or your building. It’s that action from a technical point of view which crossed a line in the judgment of policy agencies and governments around the world.”
Home Affairs Department Secretary Mike Pezzullo said Australia was actively engaged in developing global “cyber norms”.
“Such reckless action should not be tolerated as a matter of international and global norms, and that’s why the Australian government joined with such a significant coalition of free democratic nations,” he said.
Under questioning from Liberal Senator James Paterson, Mr Pezzullo agreed that ransomware attacks are not just the preserve of criminal gangs, and that countries may be involved in facilitating them.
Ms Noble and Mr Pezzullo were appearing before a parliamentary intelligence and security committee into proposed legislation to protect critical infrastructure from cyber attacks.
The new powers include giving government agencies the power to “step in” when a business is under cyber attack, imposes new reporting requirements to inform agencies of cyber attacks and security obligations on staff.
However businesses, unions and technology groups have raised concerns about how the new regime would work, including the compliance burden.
Mr Pezzullo said the legislation would “fill regulatory gaps rather than duplicate existing regulation”.
He said the Home Affairs Minister would only be able to declare a positive service obligation for a critical infrastructure provider to strengthen their cyber defences after consultation with the sector and relevant regulators.
Mr Pezzullo said the minister would only use powers to take charge of a network under attack when they satisfied the infrastructure provider was “unwilling” to protect itself.
