Australia’s Home Affairs Minister Peter Dutton has cited the prospect of Australian banks and payment systems being forced offline because of cyber attacks as a key element of the escalating row over potential expansion of offensive cyber capabilities to domestic agencies.
Speaking on ABC’s Insiders program on Sunday, Dutton warned that Australia’s retail financial system, including retail PoS systems, was not currently able to be sufficiently defended with a counter strike to protect its continuity.
“In relation to a cyber attack on our Australian banks, if people want to be able to tap-and-go, and pay, and conduct their business… if the system was out [for four or five days] I think people would probably, by about the second or third hour let alone day, be demanding what is the government going to do to put this back online,” Dutton said.
“Now, at the moment, we don’t have the sophistication or capacity to be able to mount a counter attack or to have the technical capacity to be able to deal with that,” Dutton warned.
When pressed on whether he supported the expansion of the Australian Signals Directorate’s powers to cover domestic activity, Dutton left the door conspicuously ajar.
“I think there needs to be a sensible discussion about whether or not we have the ability to deal with threats we face,” the home affairs minister said.
The inclusion of banks and payment schemes in the storm over increased cyber and surveillance powers and Federal Police raids on News Ltd journalist Annika Smethurst and the Australian Broadcasting Corporation Ultimo headquarters caught institutions on the hop on Monday morning.
After successive reputational beltings at both the Royal Commission and in front of Parliamentary Committees, institutions contacted by iTnews gave the topic a wide berth, offering only that they’d need to view the video to see what Dutton said.
Some inside the security community feel that the ham-fisted execution of search warrants against Australia’s two biggest media organisations will now irrevocably politicise debate around how offensive cyber powers and surveillance are controlled.
Within the bureaucracy, the tussle to establish contemporary cyber powers has also rekindled long-standing inter-agency tensions that the establishment of the powerful Department of Home Affairs was meant to neutralise.
A key friction point is whether agencies within Home Affairs should be allowed and resourced to run their own cyber offence, an expansion many in defence circles view as risky because of the potential for escalation.
One argument against the expansion of powers is that the offensive cyber weapons arsenal and bag of tricks used operationally by ASD is dangerous by nature and must be kept highly restricted to prevent proliferation.
Conversely, as Dutton expressed, there is a growing frustration that available tools are not being put to their full use and a capability and response gap has emerged.
At a doctrinal level, noted cyber strategists have for some years been arguing for a de-escalation of offensive cyber operations and their limitation to surveillance and intelligence operations as opposed to firefights bent on neutering infrastructure.
This has included questioning the benefits of the Stuxnet cyber attack on Iran because it telegraphed an implicit green light for other nations to engage in such conduct.
While Australia’s banks have long supported cyber agencies including the Australian Cyber Security Centre and AFP’s earlier High Tech Crime Centre, they have preferred to send their own staff into security agencies rather than having police residing in banks.
At the same time, despite massive spend on cyber and counter fraud security, banks pass the bulk of their online credit card fraud losses back through to merchants, a liability shift that has had retailers ropeable for years.
The question many in banks will be privately asking is whether new offensive cyber measures that can potentially neutralise fraud will come with a regulatory shift to make institutions responsible for losses.
Online credit card fraud now sits at just under $500 million a year across banks and is still growing strongly, concurrent with the shift to online payments.
Whether banks are prepared to live without an arsenal for hire at their disposal in exchange for some ongoing legacy financial comfort is a question that will now be being asked in Australia’s institutions.
The Australian Banking Association has been contacted for comment.