
PLUS: Trump won't save Microsoft from nation-state cyberattacks
Patrick Gray
Hi, everyone, and welcome to another edition of the Seriously Risky Business podcast. My name is Patrick Gray. In these podcasts, we speak with our colleague Tom Uren about the work that he does with us, which is the Seriously Risky Business newsletter, which goes out every Thursday here in Australia. You can subscribe to that one by heading over to news.risky.biz. And this work that Tom does with us is supported by Lawfare and the William and Flora Hewlett Foundation. So big thanks to them. And we've also got a sponsor for this week's podcast, which is Stairwell. And what Stairwell does is it can go and collect every single sort of executable and script and whatever in your environment. And, you know, once you've got that corpus of files in one place, you can do all sorts of really cool analysis, like figuring out where and when malware was in your environment. You can build timelines, you can find variants. It's extremely cool stuff. You can find them at stairwell.com and, Tom, we're going to be talking about a few things this week, kind of a slow news week, which is to be expected because it's Thanksgiving week in the United States. But we got this story to talk about. We went through it yesterday on the regular Risky Biz podcast. But you've done some additional reporting here. The Australian government is going to pass a new act of legislation just to make sure that evidence collected in the AN0M sting is going to stand up in court. So this was, of course, the joint FBI and AFP operation. I think the Europeans were involved as well, where they were selling crime phones to people and they thought they were getting secure devices, but they happened to carbon copy every message sent over the network onto a server that was controlled by authorities. So that was a, you know, treasure trove of evidence. In Australia, several hundred people have been arrested, 392 offenders have been charged in relation to this operation.
6.6 tonnes of drugs and about 55 million in cash have been seized. So, obviously, you know, this is a bunch of prosecutions the government wants to succeed, but passing an act of Parliament to shut down an avenue of appeal is somewhat controversial. So what you've done is you've gone and spoken to a special counsel and a King's Counsel about this and, you know, tell me what they said, because I, you know, we are. We are but mere cyber nerds. These people are actually lawyers and very good ones. What did they have to say about all of this?
Tom Uren
Yeah, so I spoke to Greg Barnes of the Australian Lawyers Alliance and also Michael Whitten, who's a King's Counsel, and both of them agree this is very unusual. This doesn't happen often. There have been cases in the past, like maybe 20, 30 years ago in Victoria, where something similar has sort of happened. And with these kinds of actions, the concern is that if you're in a totally authoritarian state, or even just, you know, a moderately authoritarian one, parliamentarians can go around changing laws to make people they don't like end up in prison for something that wasn't a crime before. So if it was that, that would be very much on the nose. And that was kind of the perspective that Greg Barnes was taking. You know, governments should not be in the business of passing retrospective legislation that undermines the rights of an accused person.
Patrick Gray
I mean, I just think one thing that's, you know, kind of mitigates that as a concern a little bit is that this is actually. This has bipartisan support. So this isn't just one side of government doing this. Like, everybody agrees that this. Everybody in the Parliament agrees that this should happen.
Tom Uren
Yeah. So in the Parliament, I want to say, even the Greens. So, like, that sounds a bit pejorative, but the Greens senator stood up, I'm not sure if it was a senator, but in the reading of the bill, and said, look, we haven't had much time to look at this, but fine, it is completely.
Patrick Gray
I mean, the reason you say that is, you know, a lot of people watching this wouldn't necessarily know, but the Australian Greens tend to oppose anything related to, you know, surveillance or, you know, this sort of stuff. So for the Greens to support it, it really means that everyone's kind of all aboard the let's convict these guys train.
Tom Uren
Yeah, yeah. And so Michael Whitten, when I spoke to him, he had a different perspective, which was kind of the more big picture perspective, that, yes, we have an independent judiciary and court system and they're meant to interpret the laws, but it is up to the Parliament to make the laws. And what. And so it's their job, in a sense, to make sure that the laws are being interpreted, well, the laws are being changed to make sure that the interpretation is what Parliament wants. So usually what would happen is you would write a law, you know, it works its way through the court system, someone appeals, there's some wrinkle or problem or, from the perspective of the Parliament, misinterpretation that results in decisions that aren't what Parliament intended. So then if it's important enough, Parliament will go back and redraft the law and change it. And amend it or whatever. So in this case, the AN0M sting is such an unprecedented operation. So many potential offenders, or alleged offenders, whatever the correct term is. That to me, at least, it feels like Parliament has gone, oh, this is a bit risky. We don't want all these potential convictions to disappear. Because the way we want the law to be interpreted is not what's happened in the courts.
Patrick Gray
Well, and it is clear that it was looking like that was an avenue of appeal, which his lawyers were going to argue. This surely isn't what the Parliament intended when it passed this act. And, you know, what the Parliament's doing is passing an act saying, yes, it was.
Tom Uren
Yeah, yeah. Basically it's saying, yeah, that was all fine. It's quite extraordinary in that it says these specific warrants issued at this specific time for this specific thing. They're all good.
Patrick Gray
Yeah.
Tom Uren
And everything related to them is good.
Patrick Gray
I mean, essentially what they're saying is, you know, the Parliament intended for warrants like these to be issued. Right. And for these sort of instances. And I. Look, I think it is, yeah. I mean, it's just a very interesting development because what you've got is a set of offenders, right, in these cases who have a lot of money, so they have access to lawyers. So we're talking about, you know, a big organized crime nexus. They can afford the good lawyers. Right. So you can tell that what's happened is they've been shoveling money at lawyers and this is what they've sort of come up with, which could be an avenue of appeal. I mean, quite often they don't even expect to win these appeals, but what they want to do is sort of drag it out for as many years as possible, and this just all shuts it down. I mean, I am sympathetic to the. You know, Greg Barnes, the special counsel who you quoted in your newsletter here, he said that governments should not be in the business of passing retrospective legislation that undermines the rights of an accused person. I don't really know that that's what they're doing here, if I'm in.
Tom Uren
I think it's really important that this has actually been decided within South Australia. So one of the Australian states, it was, I guess, litigated. It went to the Court of Appeal, and in both decisions, they said what the police did was fine. So it's not that there was. So at this point in time, nothing has appeal.
Patrick Gray
Yeah, yeah, exactly.
Tom Uren
And so it's just heading off in Australia. There's another court above that, Australia's High Court. And so it's just heading off the possibility that there might be a successful challenge at that top.
Patrick Gray
And I'm guessing successful challenges in other states are. Well, right.
Tom Uren
So, yeah, and so the decisions are really interesting because it goes into, you know, when exactly is something part of the telecommunication system, like is when you press send and it goes into minutia and each of the decisions is slightly different, so there is the possibility that someone could come along later and make a different decision again. And, you know, one court said, like, the app on a phone is not part of the telecommunications system. And another decision is like, well, how can you separate a phone?
Patrick Gray
I went into this yesterday on the show and it is quite funny, right, because for getting a telecommunications interception warrant, I believe you need to be. There's a whole bunch of criteria. I believe you need to be investigating a specific offence, which in this case they weren't. This started as an intelligence gathering operation, so they didn't know what the messages were going to say and they didn't know which crimes they were going to reveal, which, as far as I know, and I'm not a lawyer, I'm pretty sure that rules out a telecommunications interception warrant right there. And then you have to demonstrate principles like exhaustion, which is there's no other way to collect the evidence, you know, so on and so forth. So what they did is they designed a system that would carbon copy the messages onto a server controlled by the government, and then they essentially got a computer access warrant, which is more akin to a search warrant, to retrieve the information from that server, which is a cute way, I will admit, Tom, is a pretty cute way of arguing that it wasn't a telecommunication. Right. Because it was stored data just sitting on this server that they, you know, they happen to be using a system designed by authorities that would store the data on those systems. But I think, you know, and you and I have talked about this in other cases as well, you know, Australian lawmakers tend to be somewhat pragmatic when it comes to stuff like this and, you know, they don't entertain this sort of nonsense. And, you know, here is a. Here is a great example of that.
Tom Uren
Yeah, I think it is a classic example of something that is just. I think it's really driven by how important that sting operation was. You know, if it was just one person or one crime gang, I think it would, you know, we'll wait for the decision in a way that would be better if the decision was favourable, because then it's settled, everyone could move on. I think this leaves open the possibility that they have. Well, I think they must go back and revisit legislation to sort of eliminate the possibility in the future and make it clear exactly where those boundaries are.
Patrick Gray
Yeah, perhaps. But, yeah, I guess we'll talk about that when that happens. You've got a couple other items in the newsletter this week that are. That are interesting. You've got a Red Team assessment report published by CISA, which I think is really interesting because they have gone after a US critical infrastructure organization. Then they published the report. What was interesting here is they didn't gain access via phishing, which is usually, you know, just ironclad, guaranteed way to get some sort of initial foothold in an organization. So that's great news. But then they managed to access the organization because a previous red team has left behind a web shell on a box somewhere. And that is just so sloppy. Like, I've seen Red Team contracts and they say, you got to clean up. You cannot put your customer. You cannot introduce vulnerabilities like this into a customer environment. So someone really screwed up their job by not tidying up. But, you know, I think the, you know, the moral of what you've written here isn't so much the specifics of this report, it's more that it's good that CISA is doing this sort of thing and publishing these sort of findings and, you know, you're supportive of it.
Tom Uren
Yeah, yeah, that's right. They do a good job. They're comprehensive. They've got a good scope and timeline. So some of these reports I've written about before, they run over a couple of months. So it feels like a very realistic, you know, operation where they can actually say something constructive about what, what you should do.
Patrick Gray
Yep. And another short item we got this week, and I guess we can kind of combine this with some late breaking news. So something that just landed on our desks this morning is the FTC is launching a probe against Microsoft that's going to cover off their licensing practices, their cloud computing business, their cybersecurity offerings and AI products. And, you know, an FTC probe like that, it's going to hurt. Right. Like, even if they come out the other side of it smelling shiny, which I doubt they will, it's going to hurt. So this is actually a phenomenally big deal.
Tom Uren
Yeah. But, you know, primarily the questions that they've been sent run to hundreds of pages. So, yes, that's a lot of stuff.
Patrick Gray
No, an FTC probe is not an enjoyable experience. Right. You talk to anyone who's lived through that and it's just, it's, you know, it's going to drag out for years and be a lot of work. But you've also written about how Brad Smith, who's Microsoft's vice chair and president, told the Financial Times that, you know, he's urging Trump to do more on cyber because of these, you know, these cyber attacks that we're seeing today, state backed attacks, you know, it's totally unacceptable. So he's urging, you know, Trump to do more. There's some irony here, which is perhaps Trump might be inaugurated and tell Brad Smith, hey, we want you to do more given that so many of these major incidents are tied back to security deficiencies in Microsoft's products. So I mean, you can understand why you would have words for an incoming administration. But at the same time, you know, you do read this and roll your eyes a little.
Tom Uren
Many times I've criticized Smith's messages or writing because they seem a bit naive to me about just what states can do, are willing to do and will do and what influence they can have. And I'm not sure if it's naivety or trying to blame shift. It's not our problem, it's not our security that's the problem. It's that other states want to attack our security that's the problem.
Patrick Gray
Honestly, I can't work him out. I don't have a good read on Brad Smith because I just think to a degree maybe he's a bit of a Microsoft cultist and he actually believes everything that he's saying. But there's that part of me as well where I think, well, is this distraction, is this distraction or is he just such a Microsoft cultist that you know, that he believes absolutely everything he's saying here?
Tom Uren
And I don't know, I mean, I try and take people at face value, I think he does believe it. But like the, you know, I'm uncertain about that. That's what I think. But just so the things he talks about are cyber espionage and destructive attacks from states, basically nation state operations. And there's just no way that you can do something, that the US can do something, that will in any way significantly deter these operations. Like they have an internal logic of their own that nothing the US can do will stop them. And if you were to propose something that would stop them, everyone would think that you're crazy. Like the sort of bar for response would be so high that it's just a non starter, which is just a long way of saying that there's nothing you can do, nothing you can practically or realistically do, I should say.
Patrick Gray
Yeah. And I think that your assessment here, you know, here's what you've written. Trump doesn't care about cybersecurity as an independent topic, but instead focuses on bigger issues such as competition with China. And. That's right, you know, as he should, because when it comes to state competition, cyber operations are a means to an end, not an end in themselves. So cyber is secondary in the scheme of real world geopolitics. And I think that those are wise words, Tom, and words that many people in this discipline tend to forget.
Tom Uren
Yeah. I mean, it's natural that we forget it. We care about it as a topic. We think it's underappreciated, which I think it probably is. But at the same time, we've got to have a sense of perspective. I mean, I said it better than I. I wrote it better than I said it. It's a means to an end, not an end in itself.
Patrick Gray
Yeah. All right, Tom. Well, anyone who's interested in reading your terrific newsletter, there's a bunch of other stuff in there as well that people will be able to read through. Just head over to news.risky.biz and subscribe. And you can get Tom's newsletter every week. And also three bulletins from our colleague Mr. Catalin Cimpanu, who covers more news related topics. But, mate, that's it for this edition of the podcast. Thank you so much for joining me and we'll do it all again next week.
Tom Uren
Thanks, mate.
Podcast Information:
In this episode of the Seriously Risky Business podcast, host Patrick Gray discusses with colleague Tom Uren a significant development in Australian surveillance law. The conversation primarily revolves around the Australian government's decision to pass new legislation aimed at ensuring that evidence collected during the AN0M sting operation is admissible in court. This legislative move has attracted criticism from some lawyers and raised questions about retrospective legislation and legislative intent.
a. Overview of the AN0M Sting Operation
The episode begins with Patrick Gray providing context about the AN0M sting operation, a joint effort between the FBI and the Australian Federal Police (AFP), with European agencies also involved. This operation involved selling seemingly secure "crime phones" to criminals, which secretly copied every message sent over the network to a server controlled by authorities. This covert data collection yielded substantial evidence: in Australia, 392 offenders have been charged, and 6.6 tonnes of drugs and about 55 million in cash have been seized.
b. Legislative Response and Its Implications
Patrick Gray highlights that the Australian government is poised to pass a new act of Parliament to solidify the legal standing of the evidence gathered from the AN0M operation. This move is intended to shut down an avenue of appeal in which defendants argue that the warrants used were not what Parliament intended when it passed the underlying legislation.
[00:04] Patrick Gray: "The Australian government is going to pass a new act of legislation just to make sure that evidence collected in the AN0M sting is going to stand up in court."
c. Legal Perspectives and Expert Opinions
Tom Uren shares insights from his conversations with legal experts Greg Barnes of the Australian Lawyers Alliance and Michael Whitten, a King's Counsel. Both agree that the legislation is highly unusual, although they take different views of whether it is appropriate.
[02:29] Tom Uren: "Greg Barnes and Michael Whitten agree this is very unusual. There have been cases in the past, like maybe 20, 30 years ago in Victoria where something similar has sort of happened."
Greg Barnes expresses apprehension about governments passing retrospective legislation that undermines the rights of the accused, noting that in authoritarian states this is how people end up in prison for conduct that was not a crime at the time. However, the bipartisan support for the bill, including backing from the Australian Greens, suggests a unified parliamentary stance.
[03:30] Tom Uren: "Governments should not be in the business of passing retrospective legislation that undermines the rights of an accused person."
Patrick Gray points out the significance of bipartisan support, noting that the Australian Greens typically oppose surveillance-related measures, making their support noteworthy.
[03:46] Patrick Gray: "The Australian Greens tend to oppose anything related to, you know, surveillance or, you know, this sort of stuff. So for the Greens to support it, it really means that everyone's kind of all aboard the let's convict these guys train."
Michael Whitten provides a broader perspective, emphasizing the role of Parliament in shaping laws to reflect their intended interpretation, especially when court rulings may diverge from legislative intent.
[04:07] Tom Uren: "Michael Whitten had a different perspective, which was kind of the more big picture ... it's up to the Parliament to make the laws."
The legislation specifically names the warrants issued during the AN0M operation and affirms their validity, heading off a possible challenge in the High Court. As Tom notes, the warrants have already been upheld by the courts in South Australia, including on appeal, but the judgments differed in their reasoning about what counts as part of the telecommunications system, leaving open the possibility of a different decision later.
[06:11] Patrick Gray: "What the Parliament's doing is passing an act saying, yes, it was." Tom Uren: "Basically it's saying, yeah, that was all fine. It's quite extraordinary in that it says these specific warrants issued at this specific time for this specific thing. They're all good."
Shifting focus, Patrick Gray and Tom Uren discuss a recent Red Team assessment report published by the Cybersecurity and Infrastructure Security Agency (CISA) against a U.S. critical infrastructure organization. Notably, the Red Team did not gain initial access through phishing, but through a web shell left behind by a previous assessment team, a cleanup failure Patrick describes as sloppy, since red team contracts typically require testers not to leave vulnerabilities in a customer environment.
[10:38] Patrick Gray: "They managed to access the organization because a previous red team has left behind a web shell on a box somewhere. And that is just so sloppy."
Tom praises CISA's comprehensive approach to these assessments, noting that their scope and multi-month timelines make them realistic operations with constructive findings.
[11:44] Tom Uren: "They do a good job. They're comprehensive. They've got a good scope and timeline."
The conversation then transitions to breaking news about the Federal Trade Commission (FTC) launching a probe into Microsoft. The investigation covers various aspects of Microsoft's business practices, including licensing, cloud computing services, cybersecurity offerings, and AI products. Such a probe is anticipated to have significant repercussions for Microsoft, regardless of the investigation's outcome.
[12:07] Patrick Gray: "An FTC probe like that ... it's going to hurt. It's a phenomenally big deal."
Tom acknowledges the extensive nature of the inquiry, with questions spanning hundreds of pages, indicating the depth and seriousness of the investigation.
[12:40] Tom Uren: "The questions that they've been sent run to hundreds of pages. So, yes, that's a lot of stuff."
The hosts delve into comments made by Brad Smith, Microsoft's Vice Chair and President, who told the Financial Times that he is urging incoming President Donald Trump to take stronger action against cyberattacks, particularly those backed by nation-states. Patrick notes the irony, given how many major incidents are tied back to security deficiencies in Microsoft's products. Tom criticizes Smith's stance as somewhat naive about what states are willing to do, suggesting that the nature of state-sponsored cyber operations makes them very difficult to deter.
[14:14] Patrick Gray: "Brad Smith ... told the Financial Times that, you know, he's urging Trump to do more on cyber because of these, you know, these cyber attacks that we're seeing today, state backed attacks, you know, it's totally unacceptable."
[14:36] Patrick Gray: "Maybe he's a bit of a Microsoft cultist and he actually believes everything that he's saying."
Tom further elaborates that responses to cyber espionage and destructive attacks by nation-states are inherently limited: the bar for a response that would actually deter them would be so high as to be a non-starter.
[15:41] Tom Uren: "... nation-state operations... there's no way that you can do something that the US can do, something that will in any way significantly deter these operations."
Patrick concurs, emphasizing the importance of maintaining perspective on cybersecurity within the broader context of geopolitical strategies.
[16:10] Patrick Gray: "... cyber is secondary in the scheme of real world geopolitics. And I think that those are wise words, Tom, and words that many people in this discipline tend to forget."
In wrapping up the episode, Patrick Gray encourages listeners to subscribe to the Seriously Risky Business newsletter at news.risky.biz for more detailed insights and updates. He also mentions the three weekly news bulletins from colleague Catalin Cimpanu.
[16:53] Tom Uren: "Thanks, mate."
For more detailed analysis and updates, subscribe to the Seriously Risky Business newsletter at news.risky.biz.