Law enforcement agencies are yet to use their new hacking and surveillance powers a full two months after legislation passed.
The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 gave the Australian Federal Police (AFP) and the Australian Crime Commission (ACC) unprecedented powers to hack into accounts of suspected criminals when it passed into law in August.
At its core are three controversial warrants the agencies can apply for that make it legal for them to disrupt data, monitor network activity, and take over people’s online accounts.
Speaking at senate estimates on Monday, AFP Commissioner Rhys Kershaw said his agency hadn’t yet applied for the surveillance warrants because “administrative arrangements” were still being worked out.
“The three new powers in this act will significantly enhance how the AFP investigates serious cyber-enabled crime and our investigators are already strategising on how they will use the new powers in active investigations to identify, target and disrupt offenders,” he said.
So what’s the hold up? An “administrative process,” according to Kershaw, which has meant the people who authorise the hacking warrants aren’t themselves authorised to do so.
The AFP’s Deputy Commissioner of Investigations, Ian McCartney explained further.
“Under the terms of the three warrants, they need to be authorised by either a magistrate and a team member or a judge,” McCartney said.
“As part of the process, they need to have that authorisation to be able to issue those warrants. As we speak, the Attorney-General’s Department are working through that process.”
Meanwhile, the government’s multi-agency ransomware-fighting taskforce – dubbed Operation Orcus – has been left sitting on its hands.
Home Affairs Minister, Karen Andrews, announced Operation Orcus in July, saying “time’s up” for the ransomware gangs who have been attacking Australian organisations with “despicable technology”.
But when Labor Senator Kristina Keneally asked Home Affairs secretaries what kind of activities Operation Orcus has undertaken since its inception, the department’s Deputy Secretary of Strategy and National Resilience, Marc Ablong, cited the same “administrative matters” as the AFP.
“So you're waiting for those three warrants that came in under the [Identify and Disrupt Bill] to come into effect?” Keneally asked.
“That’s correct, yes,” Ablong replied.
Home Affairs Secretary, Mike Pezzullo, then jumped in to say that Orcus was “an AFP operation” that was “not solely reliant” on the new hacking powers.
He later described Home Affairs’ offensive cyber activities in a simple three-word phrase: “we’re going hunting”.
“We’re using offensive capabilities,” Pezzullo said in reference to Australian agencies attacking ransomware gangs and other cyber criminals.
“Once certain administrative arrangements are put in place, you’ll see the AFP very active.”
While it waits for those “administrative arrangements”, the AFP is conducting an internal review into its cyber attacking abilities, Kershaw said.
This could also involve another lengthy administrative process.
“It may mean a mini restructure internally for us to really have what we call a cyber offensive operation arm of the AFP, which would actually conduct hostile disruption operations on these individuals,” the AFP Commissioner told Senate Estimates.
The testimony of Kershaw and his Home Affairs counterparts paints an uncertain picture of the current state of Australia’s cyber offensive capabilities which are simultaneously “going hunting” and in the midst of a departmental review and restructure as they wait for new hacking powers to be doled out.
In a statement, Senator Keneally was scathing of the government’s slow approach to ransomware and cyber criminals, saying it was “all announcement, no action”.
“In June, we introduced a private members bill to establish a mandatory notification scheme for ransom payments,” she said.
“But the government has been dithering for nine months while the issue escalated into a crisis. Today, ransomware is a billion dollar a year cost to the nation which threatens jobs and investments.
“The Morrison Government should stop announcing and start acting to protect Australians from the scourge of ransomware.”
The government announced a mandatory ransomware reporting scheme earlier this month, the details of which may be finalised by the end of the year.