Digital campaigning on sites like Facebook is unlikely to swing the election



Voters are active on social media platforms, such as Facebook and Instagram, so that’s where the parties need to be.
Shutterstock

Glenn Kefford, Macquarie University

With the federal election now officially underway, commentators have begun to consider not only the techniques parties and candidates will use to persuade voters, but also any potential threats we are facing to the integrity of the election.

Invariably, this discussion leads straight to digital.

In the aftermath of the 2016 United States presidential election, the coverage of digital campaigning has been unparalleled. But this coverage has done very little to improve understanding of the key issues confronting our democracies as a result of the continued rise of digital modes of campaigning.

Some degree of confusion is understandable since digital campaigning is opaque – especially in Australia. We have very little information on what political parties or third-party campaigners are spending their money on, some of which comes from taxpayers. But the hysteria around digital is, for the most part, unfounded.






Why parties use digital media

In any attempt to better understand digital, it’s useful to consider why political parties and other campaigners are using it as part of their election strategies. The reasons are relatively straightforward.

The media landscape is fragmented. Voters are active on social media platforms, such as Facebook and Instagram, so that’s where the parties need to be.

Compared to the cost of advertising on television, radio or in print, digital advertising is very affordable.

Platforms like Facebook offer services that give campaigners a relatively straightforward way to segment voters. Campaigners can use these tools to micro-target them with tailored messaging.

Voting, persuasion and mobilisation

While there is certainly more research required into digital campaigning, there is no scholarly study I know of that suggests advertising online – including micro-targeted messaging – has the effect that it is often claimed to have.

What we know is that digital messaging can have a small but significant effect on mobilisation, that there are concerns about how it could be used to demobilise voters, and that it is an effective way to fundraise and organise. But its ability to independently persuade voters to change their votes is estimated to be close to zero.






The exaggeration and lack of clarity around digital is problematic because there is almost no evidence to support many of the claims made. This type of technology fetishism also implies that voters are easily manipulated, when there is little evidence of this.

While it might help some commentators to rationalise unexpected election results, a more fruitful endeavour than blaming technology would be to try to understand why voters are attracted to various parties or candidates, such as Trump in the US.

Digital campaigning is not a magic bullet, so commentators need to stop treating it as if it is. Parties hope it helps them in their persuasion efforts, but this is through layering their messages across as many mediums as possible, and using the network effect that social media provides.

Data privacy and foreign interference

The two clear and obvious dangers related to digital are about data privacy and foreign meddling. We should not accept that our data is shared widely as a result of some box we ticked online. And we should have greater control over how our data are used, and who they are sold to.

An obvious starting point in Australia is questioning whether parties should continue to be exempt from privacy legislation. Research suggests that a majority of voters see a distinction between commercial entities advertising to us online compared to parties and other campaigners.

We also need to take some personal responsibility, since many of us do not always take our digital footprint as seriously as we should. It matters, and we need to educate ourselves on this.

The more vexing issue is that of foreign interference. One of the first things we need to recognise is that it is unlikely this type of meddling online would independently turn an election.

This does not mean we should accept this behaviour, but changing election results is just one of the goals these actors have. Increasing polarisation and contributing to long-term social divisions is part of the broader strategy.






The digital battleground

As the 2019 campaign unfolds, we should remember that, while digital matters, there is no evidence it has an independent election-changing effect.

Australians should be most concerned with how our data are being used and sold, and about any attempts to meddle in our elections by state and non-state actors.

The current regulatory environment fails to meet community standards. More can and should be done to protect us and our democracy.


This article has been co-published with The Lighthouse, Macquarie University’s multimedia news platform.

Glenn Kefford, Senior Lecturer, Department of Modern History, Politics and International Relations, Macquarie University

This article is republished from The Conversation under a Creative Commons license. Read the original article.


As responsible digital citizens, here’s how we can all reduce racism online



No matter how innocent you think it is, what you type into search engines can shape how the internet behaves.
Hannah Wei / unsplash, CC BY

Ariadna Matamoros-Fernández, Queensland University of Technology

Have you ever considered that what you type into Google, or the ironic memes you laugh at on Facebook, might be building a more dangerous online environment?

Regulation of online spaces is starting to gather momentum, with governments, consumer groups, and even digital companies themselves calling for more control over what is posted and shared online.

Yet we often fail to recognise the role that you, me and all of us as ordinary citizens play in shaping the digital world.

The privilege of being online comes with rights and responsibilities, and we need to actively ask what kind of digital citizenship we want to encourage in Australia and beyond.






Beyond the knee-jerk

The Christchurch terror attack prompted policy change by governments in both New Zealand and Australia.

Australia recently passed a new law that will enforce penalties for social media platforms if they don’t remove violent content after it becomes available online.

Platforms may well be lagging behind in their content moderation responsibilities, and still need to do better in this regard. But this kind of “kneejerk” policy response won’t solve the spread of problematic content on social media.

Addressing hate online requires coordinated efforts. Platforms must improve the enforcement of their rules (not just announce tougher measures) to guarantee users’ safety. They may also reconsider a serious redesign, because the way they currently organise, select, and recommend information often amplifies systemic problems in society like racism.






Discrimination is entrenched

Of course, biased beliefs and content don’t just live online.

In Australia, racial discrimination has been perpetuated in public policy, and the country has an unreconciled history of Indigenous dispossession and oppression.

Today, Australia’s political mainstream is still lenient with bigots, and the media often contributes to fearmongering about immigration.

However, we can all play a part in reducing harm online.

There are three aspects we might reconsider when interacting online so as to deny oxygen to racist ideologies:

  • a better understanding of how platforms work
  • the development of empathy to identify differences in interpretation when engaging with media (rather than focusing on intent)
  • working towards a more productive anti-racism online.

Online lurkers and the amplification of harm

White supremacists and other reactionary pundits seek attention on mainstream and social media. New Zealand Prime Minister Jacinda Ardern refused to name the Christchurch gunman to prevent fuelling his desired notoriety, and so did some media outlets.

The rest of us might draw comfort from not having contributed to amplifying the Christchurch attacker’s desired fame. It’s likely we didn’t watch his video or read his manifesto, let alone upload or share this content on social media.

But what about apparently less harmful practices, such as searching on Google and social media sites for keywords related to the gunman’s manifesto or his live video?

It’s not the intent behind these practices that should be the focus of this debate, but the consequences of it. Our everyday interactions on platforms influence search autocomplete algorithms and the hierarchical organisation and recommendation of information.

In the Christchurch tragedy, even if we didn’t share or upload the manifesto or the video, the zeal to access this information drove traffic to problematic content and amplified harm for the Muslim community.

Normalisation of hate through seemingly lighthearted humour

Reactionary groups know how to capitalise on memes and other jokey content that degrades and dehumanises.

By using irony to deny the racism in these jokes, these far-right groups connect and immerse new members in an online culture that deliberately uses memetic media to have fun at the expense of others.

The Christchurch terrorist attack showed this connection between online irony and the radicalisation of white men.

However, humour, irony and play – which are protected on platform policies – serve to cloak racism in more mundane and everyday contexts.






Just as everyday racism shares discourses and vocabularies with white supremacy, lighthearted racist and sexist jokes are as harmful as online fascist irony.

Humour and satire should not be hiding places for ignorance and bigotry. As digital citizens we should be more careful about what kind of jokes we engage with and laugh at on social media.

What’s harmful and what’s a joke might not be apparent when interpreting content from a limited worldview. The development of empathy to others’ interpretations of the same content is a useful skill to minimise the amplification of racist ideologies online.

As scholar danah boyd argues:

The goal is to understand the multiple ways of making sense of the world and use that to interpret media.

Effective anti-racism on social media

A common practice in challenging racism on social media is to publicly call it out, and show support for those who are victims of it. But critics of social media’s callout culture and solidarity maintain that these tactics often do not work as an effective anti-racism tool, as they are performative rather than having an advocacy effect.

An alternative is to channel outrage into more productive forms of anti-racism. For example, you can report hateful online content either individually or through organisations that are already working on these issues, such as The Online Hate Prevention Institute and the Islamophobia Register Australia.

Most major social media platforms struggle to understand how hate articulates in non-US contexts. Reporting content can help platforms understand culturally specific coded words, expressions, and jokes (most of which are mediated through visual media) that moderators might not understand and algorithms can’t identify.

As digital citizens we can work together to deny attention to those that seek to discriminate and inflict harm online.

We can also learn how our everyday interactions might have unintended consequences and actually amplify hate.

However, these ideas do not diminish the responsibility of platforms to protect users, nor do they negate the role of governments to find effective ways to regulate platforms in collaboration and consultation with civil society and industry.

Ariadna Matamoros-Fernández, Lecturer in Digital Media at the School of Communication, Queensland University of Technology

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Labor will prioritise an NBN ‘digital inclusion drive’ – here’s what it should focus on


People with poor broadband services spend more time in queues at the bank and for other services that should easily be accessible online.
from www.shutterstock.com

Julian Thomas, RMIT University

The national broadband network (NBN) has been a major issue in federal election campaigns for close to a decade.

And the 2019 version of the NBN bears little resemblance to the futuristic, egalitarian earlier editions.

Despite years of controversy, cost over-runs, and delays, the coalition government says our $50 billion national network is finally nearing completion.

But Labor’s Shadow Communications Minister Michelle Rowland has set out some different priorities should her party achieve government in the coming election. One of these is a “digital inclusion drive”, aimed at improving access to the internet for older Australians and low-income households.






In addition, Labor is making no immediate commitment to replacing copper connections with fibre.

Instead, if elected, it will fund service and reliability fixes for those on the copper NBN, and impose service guarantees for small businesses and consumers. It will examine what has happened to the economics of the network, looking at its cash flow, pricing, capital structure, and future options for network upgrades.

Labor’s policy will disappoint those hoping for a fast-tracked return to that party’s original (2009) vision of high-speed fibre for (almost) everyone. But its 2019 plan is an important acknowledgement that network infrastructure is only one part of the NBN story.

Affordability and digital inclusion

The Australian Digital Inclusion Index (ADII) provides data on the affordability of internet services for Australians since 2014. It shows that recent, modest improvements seen by some households have been matched by declines in affordability for a number of Australia’s more digitally excluded groups.

The results for low-income households, single parents, people outside the labour force, Indigenous Australians, and people with a disability remain poor.

The good news for Australian consumers is that the pricing of mobile services has improved, reflecting competitive pressures and the reduced cost of delivery as a consequence of investment by network owners.

But when we look at fixed broadband services — the kinds of connections used by most households — recent price increases by NBN have led to a decline in the number of low-cost plans on the market. This change post-dates the most recent ADII report (2018), and the effects are beginning to work their way into the market.






Communications costs matter

Communications services have a knock-on effect in many other areas of life and work.

Access to high-speed broadband can reduce the costs of using other services considerably. This makes critical activities like banking, seeking government information, looking for work, or studying much easier.

But when we speak of the cost savings linked with online services, we need also to bear in mind the flip-side of those savings: the much higher costs borne by those, often less well-off, citizens who must access services offline.

If an individual on a low income lacks electronic access to banking or government information, the cost of commuting to do these things in person can be prohibitive — and especially so for Australians living in remote or regional areas.

For children at school and adults in education or training, a lack of access to the internet means many will fall behind their peers, as access to educational materials and online content becomes a core part of the modern education experience. This has implications for Australia’s ability to take advantage of the next wave of digital transformation.






Expensive for everyone

The costs of inequitable internet access are directly felt by many families, but the broader costs are borne by society.

And so digital exclusion now has the potential to be a drag on Australia’s economic growth and productive potential for decades to come.

For individuals, conducting activities offline may be time-consuming and expensive. But that’s also true for the government. It’s estimated that even taking half of government services online would save around A$20 billion.

Aside from the costs of lower productivity, economic growth and tax receipts, inequitable access means that the material savings from automated services may never be realised.

Affordable access to broadband also supports the cost effective delivery of core government and other services – such as health – to regional and remote locations.

Although addressing inequitable access will involve costs in the short term, effective policy measures to improve affordability are likely to generate considerable national benefits.






How to improve affordability

At this stage Labor is not saying what it might do to improve internet affordability for low-income households.

The idea of writing down the NBN has been widely discussed. It does, however, have serious implications: it will be very costly to taxpayers.

It will also limit the ability of the NBN to invest in future network upgrades and threaten the economics of uniform national pricing, the NBN’s key promise of equity for regional and remote Australia.

That could mean a return to the pre-NBN communications landscape, with regional and remote Australia relying on increasingly obsolete communications infrastructure while metropolitan Australia moves ahead.






A direct increase in cash payments is likely to improve living standards materially for those in poverty, but more money for low income households doesn’t necessarily mean that broadband will be within their reach.

The creation of a concession at a retail level would make the telecommunications companies responsible for selling products at a cheaper rate, which in an era of reduced margins appears unlikely to occur.

Also, a series of retail concessions can lead to consumer confusion, as the scope of each scheme and the discounts on offer vary wildly. We’ve seen these problems in the energy sector.

Another option is to create a wholesale concession, a measure that has been promoted by consumer advocates. This would involve the government paying NBN to put a wholesale product into the market that retailers could purchase and retail to low income households.

A nationally uniform concessional service would allow retailers to compete in offering affordable services to low-income households, boost NBN take-up and consequently its revenue and financial viability.






Focus on inclusion

While the introduction of a concessional arrangement would involve government picking up a part of the tab for service delivery, it offers sizeable benefits.

By ensuring NBN access for low-income households, the government avoids forgoing a large proportion of the savings that should accrue from the digital transformation of government services (and the benefits to be gained from improving services).

It would also prevent a lower take-up of NBN services and revenues. Without such an arrangement, questions will continue to be raised about the financial viability of NBN, its repayment of outstanding debt to government and whether there needs to be a write-down.

The take-up of broadband has historically seen improvements in average household income, productivity, and the creation of new kinds of work and services.

In order to maximise the benefits of the current wave of digital change, we’ll need a broader public debate, that goes beyond the relative merits of fibre and 5G.

Policy will need to address the challenge of affordability, invest in digital literacy, and ensure that all Australians can access the services that they need.

While there are many improvements that can and should be made to our national network infrastructure, a focus on the larger problem of digital inclusion is both welcome, and overdue.

Julian Thomas, Professor of Media and Communications; Director, Social Change Enabling Capability Platform, RMIT University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Australia is vulnerable to a catastrophic cyber attack, but the Coalition has a poor cyber security track record


Greg Austin, UNSW

This article is part of a series examining the Coalition government’s record on key issues while in power and what Labor is promising if it wins the 2019 federal election.


The government’s chief cyber security coordinator, Alastair McGibbon, told an audience of specialists in November 2018 that the prospect of a catastrophic cyber incident is:

the greatest existential threat we face as a society today.

Using a nautical metaphor, he said such an event was not far off on the horizon, but could be on the next wave. He cited what one technology expert called the most devastating cyber attack in history, the NotPetya attack in 2017. NotPetya was a random attack on a single day that cost one Danish global company more than A$400 million.

The latest dire warning from the government is appropriate, yet its policy responses have not quite matched the challenge – or their own commitments.






Cyber security is everyone’s business

The government is 16 months into a departmental reorganisation in order to deliver better cyber security responses, especially through the new Home Affairs Department. That department has been very busy with everyday skirmishes in the escalating confrontations of cyberspace – from Huawei and 5G policy, to foreign cyber attacks on Australian members of parliament.

But Home Affairs is not the only department with a broad responsibility in cyber security policy. On the military side, the Defence Organisation has moved decisively and with discipline. In 2017, it announced the creation of a 1,000-strong joint cyber unit to be in place within a decade. It also announced increased funding to expand the number of people working in civilian defence roles on cyber operations.

Another department with potentially heavy responsibilities is the Department of Education, working with universities, the TAFE sector and schools. Unfortunately, it appears to be missing in action when it comes to cyber security.

Key plans have stalled

In April 2016, Prime Minister Turnbull released a National Cyber Security Strategy. It included commitments to grow the cyber workforce (especially for women), expand the cyber security industry and undertake annual reviews of the strategy itself.

But in key places the ambitious plans appear to have stalled or fallen short. As a result of the Turnbull overthrow, the post of Minister for Cyber Security – which was only created two years previously – disappeared. The 2018 annual review of the strategy was not released, if it took place at all. The annual threat report of the Australian Centre for Cyber Security (ACSC) did not appear in 2018 either.

In November 2018, AustCyber, an industry growth centre that is one good outcome of the 2016 strategy, published its second Sector Competitiveness Plan. Typical of government funded agencies, it reports much good news. Australia is indeed an international powerhouse of cyber security capability. What is unclear from the report is whether the government’s 2016 strategy has much to do with that.






Where we’re falling short

One indicator that we’re off-track is the fact the AustCyber report of 2018 has no data on the participation of women in the sector after 2016. Reports from the decade prior to 2016 showed a decline from 22% down to 19%, but the government does not appear to be tracking this important commitment after it was made.

In other bad news, the AustCyber report concludes that the education and workforce goals remain unfulfilled. It is hard to estimate how badly, since the initial strategy of April 2016 set no baselines or metrics. AustCyber now assesses that:

the skills shortage in Australia’s cyber security sector is more severe than initially estimated and is already producing real economic costs.

On the government’s commitment to increase the cyber workforce, AustCyber reports growth over the previous two years of 7% – roughly 3.5% per year. But it probably needs to be of the order of 10% per year for a full ten years if the gap identified by the report is to be met:

The latest assessment indicates Australia may need up to 17,600 additional cyber security workers by 2026 …

The government has provided $1.9 million over four years to promote university cyber security education in two Australian universities. That amount is so small it might not even be called a drop in the ocean. As AustCyber suggests, though in muted language, Australia does have huge resourcing holes in our cyber security education capability.

The most important gap in my view is the near total lack of university degree programs or professional education in advanced cyber operations, the near total lack of technical education facilities to support such programs, such as advanced cyber ranges, and a weakly developed national capability for complex cyber exercises.

What we should be doing

In 2018, I argued at a national conference sponsored by the government that Australia needs a national cyber war college, and a cyber civil reserve force, to drive our human capital development. I suggested at the time the college should be set up with a budget of A$100 million per year. Based on a recent international research workshop at UNSW Canberra, I have changed my estimate of cost and process.

Australia needs a cyber security education fund with an initial investment of around A$1 billion to support a new national cyber college. It should be networked around the entire country, and independent of control by any existing education institutions, but drawing on their expertise and that of the private sector.

It would serve as the battery of the nation for cyber security education of the future.






Labor isn’t offering a better alternative

The Labor Party, through its cyber spokesperson Gai Brodtmann, has been critical of the government’s failure to fill the gaps. But she is retiring from the House of Representatives at the next election.

Labor has no well developed policies, and no budget commitments, that can address the gaps. There is even reason to believe the party doesn’t have a front bench that is engaged with the scope of the challenge. None of them seem to be as technologically oriented as Turnbull, the last cyber champion the Australian parliament may see for a while.

Greg Austin, Professor UNSW Canberra Cyber, UNSW

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Australians want to support government use and sharing of data, but don’t trust their data will be safe



A new survey reveals community attitudes towards the use of personal data by government and researchers.
Shutterstock

Nicholas Biddle, Australian National University and Matthew Gray, Australian National University

Never has more data been held about us by government or companies that we interact with. Never has this data been so useful for analytical purposes.

But with such opportunities come risks and challenges. If personal data is going to be used for research and policy purposes, we need effective data governance arrangements in place, and community support (social licence) for this data to be used.

The ANU Centre for Social Research and Methods has recently undertaken a survey of a representative sample of Australians to learn their views about how personal data is used, stored and shared.

While Australians report a high level of support for the government to use and share data, there is less confidence that the government has the right safeguards in place or can be trusted with people’s data.






What government should do with data

In the ANUPoll survey of more than 2,000 Australian adults (available for download at the Australian Data Archive) we asked:

On the whole, do you think the Commonwealth Government should or should not be able to do the following?

Six potential data uses were given.

Do you think the Commonwealth Government should or should not be able to … ?
ANU Centre for Social Research and Methods Working Paper

Overall, Australians are supportive of the Australian government using data for purposes such as allocating resources to those who need it the most, and ensuring people are not claiming benefits to which they are not entitled.

They were slightly less supportive about providing data to researchers, though most still agreed or strongly agreed that it was worthwhile.

Perceptions of government data use

Community attitudes to the use of data by government are tied to perceptions about whether the government can keep personal data secure, and whether it’s behaving in a transparent and trustworthy manner.

To measure views of the Australian population on these issues, respondents were told:

Following are a number of statements about the Australian government and the data it holds about Australian residents.

They were then asked to what extent they agreed or disagreed that the Australian government:

  • could respond quickly and effectively to a data breach
  • has the ability to prevent data being hacked or leaked
  • can be trusted to use data responsibly
  • is open and honest about how data are collected, used and shared.

Respondents did not express strong support for the view that the Australian government is able to protect people’s data, or is using data in an appropriate way.

To what extent do you agree or disagree that the Australian Government … ?
ANU Centre for Social Research and Methods Working Paper





We also asked respondents to:

[think] about the data about you that the Australian Government might currently hold, such as your income tax data, social security records, or use of health services.

We then asked for their level of concern about five specific forms of data breaches or misuse of their own personal data.

We found that there are considerable concerns about different forms of data breaches or misuse.

More than 70% of respondents were concerned or very concerned about the accidental release of personal information, deliberate hacking of government systems, and data being provided to consultants or private sector organisations who may misuse the data.

Level of concern about specific forms of data breaches or misuse of a person’s own data …
ANU Centre for Social Research and Methods Working Paper

More than 60% were concerned or very concerned about their data being used by the Australian government to make unfair decisions. And more than half were concerned or very concerned about their data being provided to academic researchers who may misuse their information.






Trust in government to manage data

The data environment in Australia is changing rapidly. More digital information about us is being created, captured, stored and shared than ever before, and there is a greater capacity to link information across multiple sources of data, and across multiple time periods.

While this creates opportunities, it also creates the risk that the data will be used in a way that is not in our best interests.

There is policy debate at the moment about how data should be used and shared. If we don’t make use of the data available, that has costs in terms of worse service delivery and less effective government. So, locking data up is not a cost-free option.

But sharing data or making data available in a way that breaches people’s privacy can be harmful to individuals, and may generate a significant (and legitimate) public backlash. This would reduce the chance of data being made available in any form, and mean that the potential benefits of improving the wellbeing of Australians are lost.

If government, researchers and private companies want to be able to make use of the richness of the new data age, there is an urgent and continuing need to build up trust across the population, and to put policies in place that reassure consumers and users of government services.

Nicholas Biddle, Associate Professor, ANU College of Arts and Social Sciences, Australian National University and Matthew Gray, Director, ANU Centre for Social Research and Methods, Australian National University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Seven ways the government can make Australians safer – without compromising online privacy



We need a cyber safety equivalent to the Slip! Slop! Slap! campaign to nudge behavioural change in the community.
Shutterstock

Damien Manuel, Deakin University

This is part of a major series called Advancing Australia, in which leading academics examine the key issues facing Australia in the lead-up to the 2019 federal election and beyond.

When it comes to data security, there is an inherent tension between safety and privacy. The government’s job is to balance these priorities with laws that will keep Australians safe, improve the economy and protect personal data from unwarranted surveillance.

This is a delicate line to walk. Recent debate has revolved around whether technology companies should be required to help law enforcement agencies gain access to the encrypted messages of suspected criminals.

While this is undoubtedly an important issue, the enacted legislation – the Telecommunications and Other Legislation Amendment (Assistance and Access) Act – fails on both fronts. Not only is it unlikely to stop criminals, it could make personal communications between everyday people less secure.

Rather than focus on the passage of high-profile legislation that clearly portrays a misunderstanding of the technology in question, the government would do better to invest in a comprehensive cyber security strategy that will actually have an impact.

Achieving the goals set out in the strategy we already have would be a good place to start.






Poor progress on cyber security

The Turnbull government launched Australia’s first Cyber Security Strategy in April 2016. It promised to dramatically improve the online safety of all Australian families and businesses.

In 2017, the government released the first annual update to report on how well it was doing. On the surface some progress had been made, but a lot of items were incomplete – and the promised linkages to businesses and the community were not working well.

Unfortunately, there was never a second update. Prime ministers were toppled, cabinets were reshuffled and it appears the Morrison government lost interest in truly protecting Australians.

So, where did it all go wrong?

A steady erosion of privacy

Few Australians paid much notice when vested interests hijacked technology law reforms. The amendment of the Copyright Act in 2015 forced internet service providers (ISPs) to block access to sites containing pirated content. Movie studios now had their own version of China’s “Great Firewall” to block and control internet content in Australia.

In 2017, the government implemented its data retention laws, which effectively enabled specific government agencies to spy on law-abiding citizens. The digital trail (metadata) people left through phone calls, SMS messages, emails and internet activity was retained by telecommunications carriers and made accessible to law enforcement.

The public was assured only limited agencies would have access to the data to hunt for terrorists. In 2018, we learned that many more agencies were accessing the data than originally promised.

Enter the Assistance and Access legislation. Australia’s technology sector strongly objected to the bill, but the Morrison government’s consultation process was a whitewash. The government ignored advice on the damage the legislation would do to the developing cyber sector outlined in the Cyber Security Strategy – the very sector the Turnbull government had been counting on to help rebuild the economy in this hyper-connected digital world.






While the government focuses on the hunt for terrorists, it neglects the thousands of Australians who fall victim each year to international cybercrime syndicates and foreign governments.

Australians lose money to cybercrime via scam emails and phone calls designed to harvest passwords, banking credentials and other personal information. Losses from some categories of cybercrime have increased by more than 70% in the last 12 months. The impact of cybercrime on Australian business and individuals is estimated at $7 billion a year.

So, where should government focus its attention?

Seven actions that would make Australia safer

If the next government is serious about protecting Australian businesses and families, here are seven concrete actions it should take immediately upon taking office.

1. Review the Cyber Security Strategy

Work with industry associations, the business and financial sectors, telecommunication providers, cyber startups, state government agencies and all levels of the education sector to develop a plan to protect Australians and businesses. The plan must be comprehensive, collaborative and, most importantly, inclusive. It should be adopted at the federal level and by states and territories.

2. Make Australians a harder target for cybercriminals

The United Kingdom’s National Cyber Security Centre is implementing technical and process controls that help people in the UK fight cybercrime in smart, innovative ways. The UK’s Active Cyber Defence program uses top-secret intelligence to prevent cyber attacks and to detect and block malicious email campaigns used by scammers. It also investigates how people actually use technology, with the aim of implementing behavioural change programs to improve public safety.

3. Create a community education campaign

A comprehensive community education program would improve online behaviours and make businesses and families safer. We had the iconic Slip! Slop! Slap! campaign from 1981 to help reduce skin cancer through community education. Where is the equivalent campaign for cyber safety to nudge behavioural change in the community at all levels from kids through to adults?

4. Improve cyber safety education in schools

Build digital literacy into education from primary through to tertiary level so that young Australians understand the consequences of their online behaviours. For example, they should know the risks of sharing personal details and nude selfies online.






5. Streamline industry certifications

Encourage the adoption of existing industry certifications, and stop special interest groups from introducing more. There are already more than 100 industry certifications. Minimum standards for government staff should be defined, including for managers, technologists and software developers.

The United States Defence Department introduced minimum industry certification for people in government who handle data. The Australian government should do the same by picking a number of vendor-agnostic certifications as mandatory in each job category.

6. Work with small and medium businesses

The existing cyber strategy doesn’t do enough to engage with the business sector. Small and medium businesses form a critical part of the larger business supply-chain ecosystem, so the ramifications of a breach could be far-reaching.

The Australian Signals Directorate recommends businesses follow “The Essential Eight” – a list of strategies businesses can adopt to reduce their risk of cyber attack. This is good advice, but it doesn’t address the human side of exploitation, called social engineering, which tricks people into disclosing passwords that protect sensitive or confidential information.

7. Focus on health, legal and tertiary education sectors

The health, legal and tertiary education sectors have a low level of cyber maturity. These are among the top four sectors reporting breaches, according to the Office of the Australian Information Commissioner.

While health sector breaches could lead to personal harm and blackmail, breaches in the legal sector could result in the disclosure of time-sensitive business transactions and personal details. And the tertiary education sector – a powerhouse of intellectual research – is ripe for foreign governments to steal the knowledge underpinning Australia’s future technologies.

A single person doing the wrong thing and making a mistake can cause a major security breach. More than 900,000 people are employed in the Australian health and welfare sector, and the chance of one of these people making a mistake is unfortunately very high.

Damien Manuel, Director, Centre for Cyber Security Research & Innovation (CSRI), Deakin University


A state actor has targeted Australian political parties – but that shouldn’t surprise us



Prime Minister Morrison said there was no evidence of electoral interference linked to a hack of the Australian Parliament House computer network.
from www.shutterstock.com

Tom Sear, UNSW

The Australian political digital infrastructure is a target in an ongoing nation state cyber competition which falls just below the threshold of open conflict.

Today Prime Minister Scott Morrison made a statement to parliament, saying:

The Australian Cyber Security Centre recently identified a malicious intrusion into the Australian Parliament House computer network.

During the course of this work, we also became aware that the networks of some political parties – Liberal, Labor and the Nationals – have also been affected.






But cyber measures targeting Australian government infrastructure are the “new normal”. It’s the government response which is the most unique thing about this recent attack.

The new normal

The Australian Signals Directorate (ASD) – which incorporates the Australian Cyber Security Centre (ACSC) – analyses and responds to cyber security threats.

In January ASD identified in a report that across the three financial years (2015-16 to 2017-18) there were 1,097 cyber incidents affecting unclassified and classified government networks which were “considered serious enough to warrant an operational response.”

These figures include all identified intrusions. The prime minister fingered a “sophisticated state actor” for the activity discussed today.

Cyber power states capable of adopting “sophisticated” measures might include the United States, Israel, Russia, perhaps Iran and North Korea. Suspicion currently falls on China.

Advanced persistent threats

Cyber threat actors with such abilities are often identified by a set of handles called Advanced Persistent Threats, or APTs.

An APT is a group with a style. They are identifiable by the type of malware (malicious software) they like to deploy, their methods and even their working hours.

For example, APT28 is associated with Russian measures to interfere with the 2016 US election.

Some APTs have even been publicly traced by cyber security companies to specific buildings in China.

APT1 or Unit 61398 may be linked to the intrusions against the Australian Bureau of Meteorology and possibly the Melbourne International Arts Festival. Unit 61398 has been traced to a nondescript office building in Shanghai.

The “advanced” in APT refers to the “sophistication” mentioned by the PM.






New scanning tool released

The ACSC today publicly released a “scanning tool, configured to search for known malicious web shells that we have encountered in this investigation.”

The release supports this being called a state sponsored intrusion. A web shell is an exploitation vector often used by APTs which enables an intruder to execute wider network compromise. A web shell is uploaded to a web server remotely, and an adversary can then leverage other techniques, such as escalating privileges, and issue commands. A web shell is a form of malware.

One well-known shell called “China Chopper” is delivered by a small web application, and then is able to “brute force” password guessing against the authentication portal.

If such malware was used in this incident, this explains why politicians and those working at Australian Parliament House were asked to change their passwords following the latest incident.

Journalism and social media surrounding incidents such as these pivot on speculation of how it could be an adversary state, and who that might be.

Malware and its deployment is close to a signature of an APT and requires teams to deliver and subsequently monitor. That the ACSC has released such a specific scanning tool is a clue why they and the prime minister can make such claims.

An intrusion of Australian Parliament House is symbolically powerful, but whether any actual data was taken at an unclassified level might not be of great intelligence import.

The prime minister’s announcement today suggests Australian political parties have been exposed.

How elections are hacked

In 2018 I detailed how there are a few options for an adversary seeking to “hack” an election.






The first is to “go loud” and undermine the public’s belief in the players, the process, or the outcome itself. This might involve stealing information from a major party, for example, and then anonymously leaking it.

Or it might mean attacking and changing the data held by the Australian Electoral Commission or the electoral rolls each party holds. This would force the agency to publicly admit a concern, which in turn would undermine confidence in the system.

This is likely why today the prime minister said in his statement:

I have instructed the Australian Cyber Security Centre to be ready to provide any political party or electoral body in Australia with immediate support, including making their technical experts available.

They have already briefed the Electoral Commissions and those responsible for cyber security for all states and territories.

They have also worked with global anti-virus companies to ensure Australia’s friends and allies have the capacity to detect this malicious activity.

Vulnerability of political parties

Opposition Leader Bill Shorten’s response alluded to what might be another concern of our security and electoral agencies. He said:

… our party political structures perhaps are more vulnerable. Political parties are small organisations with only a few full-time staff, they collect, store and use large amounts of information about voters and communities.

I have previously suggested the real risk to any election is the manipulation of social media, and a more successful and secretive campaign to alter the outcome of the Australian election might focus on a minor party.

An adversary could steal the membership and donor database and electoral roll of a party with poor security, locate the social media accounts of those people, and then slowly use social media manipulations to influence an active, vocal group of voters.

Shades of grey

This is unlikely to have been the first attempt by a “sophisticated state actor” to target networks of Australian political parties. It’s best not to consider such intrusions as if they “did or didn’t work.”

There are shades of grey.

Adversaries clearly penetrated a key network and then leveraged access into others. But the duration of such a presence or whether they are even still in a network is challenging to ascertain. Equally, the government has not suggested data has been removed.

Recognition but no data theft may be a result of improved security awareness at parliament house and in party networks. The government and its administration have been taking action.

The Department of Parliamentary Services – that supplies ICT to parliament house – has improved security in “network design changes to harden the internal ICT network against cyber attack”.

This month a Joint Committee opened a new inquiry into government resilience following a report from the National Audit Office last year which found “relatively low levels of effectiveness of Commonwealth entities in managing cyber risks”.

Government response is what’s new

As the ASD and my own observation have noted, this is likely not the first intrusion of this kind – it may be an APT with more “sophisticated” malware than previous attempts. But the response and fallout from the government is certainly new.

What is increasingly clear is that attribution has become more possible, and especially within alliance structures in the Five Eyes intelligence network – Australia, Britain, Canada, New Zealand and the United States – more common.

Sometimes in cyber security it’s challenging to tell the difference between the noise and signal. The persistent presence of Russian sponsored trolls in Australian online politics, the blurring of digital borders with China and cyber enabled threats to our democratic infrastructure: these are not new.

Australia is not immune to the new immersive information war. Digital border protection might yet become an issue in the 2019 election. In addition to raising concerns, our politicians and cyber security agencies will need to develop a strong and clear strategic communication approach to both the Australian public and our adversaries as these incidents escalate.

Tom Sear, PhD Candidate, UNSW Canberra Cyber, Australian Defence Force Academy, UNSW


‘State actor’ makes cyber attack on Australian political parties



While the government has not identified the state actor, China is being blamed.
Shutterstock

Michelle Grattan, University of Canberra

“A sophisticated state actor” has hacked the networks of the major
political parties, Prime Minister Scott Morrison has told Parliament.

Recently the Parliament House network was disrupted, and the intrusion
into the parties’ networks was discovered when this was being dealt
with.

While the government has not identified the “state actor”, the Chinese
are being blamed.

Morrison gave the reassurance that “there is no evidence of any
electoral interference. We have put in place a number of measures to
ensure the integrity of our electoral system”.

In his statement to the House Morrison said: “The Australian Cyber
Security Centre recently identified a malicious intrusion into the
Australian Parliament House computer network.

“During the course of this work, we also became aware that the
networks of some political parties – Liberal, Labor and the Nationals
– have also been affected.

“Our security agencies have detected this activity and acted
decisively to confront it. They are securing these systems and
protecting users”.

The Centre would provide any party or electoral body with technical help to deal with hacking, Morrison said.

“They have already briefed the Electoral Commissions and those
responsible for cyber security for all states and territories. They
have also worked with global anti-virus companies to ensure
Australia’s friends and allies have the capacity to detect this
malicious activity,” he said.

“The methods used by malicious actors are constantly evolving and this
incident reinforces yet again the importance of cyber security as a
fundamental part of everyone’s business.

“Public confidence in the integrity of our democratic processes is an
essential element of Australian sovereignty and governance,” he said.

“Our political system and our democracy remains strong, vibrant and is
protected. We stand united in the protection of our values and our
sovereignty”.

Bill Shorten said party political structures were perhaps more vulnerable than government institutions – and progressive parties particularly so.

“We have seen overseas that it is progressive parties that are more likely to be targeted by ultra-right wing organisations.

“Political parties are small organisations with only a few full-time staff, they collect, store and use large amounts of information about voters and communities. These institutions can be a soft target and our national approach to cyber security needs to pay more attention to non-government organisations,” Shorten said.

Although the authorities are pointing to a “state actor”, national cyber security adviser Alastair MacGibbon told a news conference: “We don’t know who is behind this, nor their intent.

“We, of course, will continue to work with our friends and colleagues, both here and overseas, to work out who is behind it and hopefully their intent”.

Asked what the hackers had got their hands on, MacGibbon said: “We don’t know”.

Michelle Grattan, Professorial Fellow, University of Canberra


Don’t click that link! How criminals access your digital devices and what happens when they do



A link is a mechanism for data to be delivered to your device.
Unsplash/Marvin Tolentino

Richard Matthews, University of Adelaide and Kieren Niĉolas Lovell, Tallinn University of Technology

Every day, often multiple times a day, you are invited to click on links sent to you by brands, politicians, friends and strangers. You download apps on your devices. Maybe you use QR codes.

Most of these activities are secure because they come from sources that can be trusted. But sometimes criminals impersonate trustworthy sources to get you to click on a link (or download an app) that contains malware.

At its core, a link is just a mechanism for data to be delivered to your device. Code can be built into a website which redirects you to another site and downloads malware to your device en route to your actual destination.

When you click on unverified links or download suspicious apps you increase the risk of exposure to malware. Here’s what could happen if you do – and how you can minimise your risk.






What is malware?

Malware is defined as malicious code that:

will have adverse impact on the confidentiality, integrity, or availability of an information system.

In the past, malware described malicious code that took the form of viruses, worms or Trojan horses.

Viruses embedded themselves in genuine programs and relied on these programs to propagate. Worms were generally standalone programs that could install themselves using a network, USB or email program to infect other computers.

Trojan horses took their name from the gift to the Greeks during the Trojan war in Homer’s Odyssey. Much like the wooden horse, a Trojan Horse looks like a normal file until some predetermined action causes the code to execute.

Today’s generation of attacker tools are far more sophisticated, and are often a blend of these techniques.

These so-called “blended attacks” rely heavily on social engineering – the ability to manipulate someone into doing something they wouldn’t normally do – and are often categorised by what they ultimately will do to your systems.

What does malware do?

Today’s malware comes in easy-to-use, customised toolkits distributed on the dark web or by well-meaning security researchers attempting to fix problems.

With a click of a button, attackers can use these toolkits to send phishing emails and spam SMS messages to deploy various types of malware. Here are some of them.


  • a remote administration tool (RAT) can be used to access a computer’s camera, microphone and install other types of malware

  • keyloggers can be used to monitor for passwords, credit card details and email addresses

  • ransomware is used to encrypt private files and then demand payment in return for the password

  • botnets are used for distributed denial of service (DDoS) attacks and other illegal activities. DDoS attacks can flood a website with so much virtual traffic that it shuts down, much like a shop being filled with so many customers you are unable to move.

  • cryptominers will use your computer hardware to mine cryptocurrency, which will slow your computer down

  • hijacking or defacement attacks are used to deface a site or embarrass you by posting pornographic material to your social media

An example of a defacement attack on The Utah Office of Tourism Industry from 2017.
Wordfence





How does malware end up on your device?

According to insurance claim data of businesses based in the UK, over 66% of cyber incidents are caused by employee error. Although the data attributes only 3% of these attacks to social engineering, our experience suggests the majority of these attacks would have started this way.

For example, by employees not following dedicated IT and information security policies, not being informed of how much of their digital footprint has been exposed online, or simply being taken advantage of. Merely posting what you are having for dinner on social media can open you up to attack from a well trained social engineer.

QR codes are equally risky if users open the link the QR codes point to without first validating where it was heading, as indicated by this 2012 study.

Even opening an image in a web browser and running a mouse over it can lead to malware being installed. This is quite a useful delivery tool considering the advertising material you see on popular websites.

Fake apps have also been discovered on both the Apple and Google Play stores. Many of these attempt to steal login credentials by mimicking well known banking applications.

Sometimes malware is placed on your device by someone who wants to track you. In 2010, the Lower Merion School District settled two lawsuits brought against them for violating students’ privacy and secretly recording using the web camera of loaned school laptops.

What can you do to avoid it?

In the case of the Lower Merion School District, students and teachers suspected they were being monitored because they “saw the green light next to the webcam on their laptops turn on momentarily.”

While this is a great indicator, many hacker tools will ensure webcam lights are turned off to avoid raising suspicion. On-screen cues can give you a false sense of security, especially if you don’t realise that the microphone is always being accessed for verbal cues or other forms of tracking.

Facebook CEO Mark Zuckerberg covers the webcam of his computer. It’s commonplace to see information security professionals do the same.
iphonedigital/flickr

Basic awareness of the risks in cyberspace will go a long way towards mitigating them. This is called cyber hygiene.

Using good, up to date virus and malware scanning software is crucial. However, the most important tip is to update your device to ensure it has the latest security updates.

Hover over links in an email to see where you are really going. Avoid shortened links, such as bit.ly and QR codes, unless you can check where the link is going by using a URL expander.
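The hover check described above can be automated for an HTML email. The following is an added example, not part of the original article: it compares each link's visible text with the host its `href` really points to and flags shortened or disguised destinations. The sample email, the `.example` hostnames, the finding labels and the shortener list are constructed assumptions.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a short illustrative list; bit.ly is the shortener the article names.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}

# Visible link text that itself looks like a web address (scheme optional).
URLISH = re.compile(r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?=[/:?#]|$)")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname a browser would connect to, lowercased, without a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    if not host:
        return None
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def inspect_link(href, text):
    """Return a list of reasons to distrust one link (empty list means none found)."""
    href = href.strip()
    try:
        parts = urlsplit(href)
    except ValueError:
        return ["unparseable-url"]
    if parts.scheme not in ("http", "https"):
        return ["unusual-scheme"]
    host = _host(href)
    if host is None:
        return ["unparseable-url"]
    findings = []
    if parts.username is not None:
        # "https://trusted.example@other-host/" connects to other-host, not trusted.example.
        findings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-address-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")  # may render as look-alike characters
    if host in SHORTENERS:
        findings.append("shortened-link")  # real destination unknown until expanded
    shown = text.strip().lower()
    if URLISH.match(shown):
        shown_host = _host(shown)
        # Simplification: accept the shown host or any subdomain of it.
        if shown_host and not (host == shown_host or host.endswith("." + shown_host)):
            findings.append("text-host-mismatch")
    return findings


def audit_email(html):
    """Return (href, text, findings) for every link in an HTML email body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(h, t, inspect_link(h, t)) for h, t in collector.links]


# Constructed sample email body; all hosts are placeholders.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your details:</p>
<a href="http://mybank.example.login-check.example/reset">https://www.mybank.example/reset</a>
<a href="https://bit.ly/abc123">View your statement</a>
<a href="https://www.mybank.example/help">www.mybank.example/help</a>
<a href="https://mybank.example@203.0.113.7/login">Log in</a>
<a href="https://xn--mybnk-3ya.example/">Account</a>
"""

if __name__ == "__main__":
    for href, text, findings in audit_email(SAMPLE_EMAIL):
        print(f"{href!r} shown as {text!r}: {findings or 'no findings'}")
```

The script only flags shortened links; expanding them requires a network request to the shortener, which this offline example does not make.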

What to do if you already clicked?

If you suspect you have malware on your system, there are simple steps you can take.

Open your webcam application. If you can’t access the device because it is already in use this is a telltale sign that you might be infected. Higher than normal battery usage or a machine running hotter than usual are also good indicators that something isn’t quite right.

Make sure you have good anti-virus and anti-malware software installed. Estonian start-ups, such as Malware Bytes and Seguru, can be installed on your phone as well as your desktop to provide real time protection. If you are running a website, make sure you have good security installed. Wordfence works well for WordPress blogs.

More importantly though, make sure you know how much data about you has already been exposed. Google yourself – including a Google image search against your profile picture – to see what is online.

Check all your email addresses on the website haveibeenpwned.com to see whether your passwords have been exposed. Then make sure you never use any of those passwords again on other services. Basically, treat them as compromised.

Cyber security has technical aspects, but remember: any attack that doesn’t affect a person or an organisation is just a technical hitch. Cyber attacks are a human problem.

The more you know about your own digital presence, the better prepared you will be. All of our individual efforts better secure our organisations, our schools, and our family and friends.

Richard Matthews, Lecturer Entrepreneurship, Commercialisation and Innovation Centre | PhD Candidate in Image Forensics and Cyber | Councillor, University of Adelaide and Kieren Niĉolas Lovell, Head of TalTech Computer Emergency Response Team, Tallinn University of Technology
