Trivialising the Channel 9 Breach: Seriously?
By Ravi Nayyar
Some have taken to trivialising what appears a significant breach of cyber resilience at Australian commercial television network, Channel 9; so significant, mind you, that it affected broadcast and corporate operations at the network.
I say to such people:
Put your politics and your biases aside, and look at the policy implications, for heaven’s sake.
Yes, I agree that Channel 9 is not the ABC and Channel 9's breakfast programming is not cutting-edge journalism, but to laugh off a breach at a major media network — which would be regulated as critical infrastructure per proposed amendments to the Security of Critical Infrastructure Act 2018 (Cth) — as a ‘blessing in disguise’ betrays a woefully inadequate understanding of the importance of cyber resilience.
An intelligent public which takes breaches of cyber resilience — such as that of communications infrastructure — seriously is a pillar of overall societal cyber resilience, per Australia’s Cyber Security Strategy 2020:
The community will always have a role to play in cyber security. Even with the best efforts of governments and businesses, Australians will need to know how to safeguard themselves against cyber security threats.
If people make light of suboptimal cyber hygiene, let alone fail to educate themselves on the overall implications thereof for their economies and societies, they might as well give up in the first place.
It can be argued that, despite the flaws in the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) (‘the Bill’), the incident at Channel 9 arguably reinforces the policy imperatives underlying the Bill. To use the language of the Bill, the responsible entity for critical broadcasting assets experienced a cyber security incident which arguably had a relevant/significant impact on said assets. That impact can be implied by the entity requesting assistance from the Australian Signals Directorate (‘ASD’), Australia’s signals intelligence and offensive cyber operations agency, in dealing with said incident.
ASD’s involvement here arguably reminds us of how the Bill proposes a power for the Secretary of the Commonwealth Department of Home Affairs to request ASD to do (a) certain act(s) or thing(s) in relation to an asset which is specified in an ‘intervention request’. That intervention request can only be given to the Director-General of ASD if it has been authorised by the Minister for Home Affairs after the Minister is satisfied of the fulfilment of certain criteria.
One should also note that the Channel 9 breach comes soon after yet another breach of cyber resilience affecting the Commonwealth Parliament as well as one affecting hospitals in the Australian state of Victoria to such an extent that elective surgeries were postponed.
So, folks, when dealing with cyber resilience, please don’t trivialise it.
There may be a time when the same vulnerability, which was exploited to compromise the networks of an entity you make fun of, may be used to compromise the networks that you rely on everyday.
P.S. To learn more about cyber resilience, check out our show’s February 2021 special episode (my interview with two experts on cyber law and policy) and its May 2020 episode (which explored the Toll Group ransomware attack).
P.P.S. I hope Channel 9 doesn’t end up doing what TV5Monde did when the latter managed to get back on the air and broadcast its passwords for the world to see.
