Sky News host Sharri Markson says questions have been raised over the University of Sydney’s decision not to declare it is on the cusp of awarding a multimillion-dollar contract to a Chinese government-funded company.
Ms Markson discussed the issue with Internet 2.0 Co-CEO Robert Potter.
Sharri Markson: Joining me now to go through this and discuss this in some more detail is cyber security expert and co-founder at Internet 2.0, Robert Potter. Robert, thank you very much for your time and great to have you here in person now that lockdown is over and borders have been lifted.
Robert Potter (Internet 2.0 Co-CEO): It’s great to be back.
Sharri Markson: Now I want to start with how one scanner could enable Chinese state-owned enterprises or companies to access NSW health data?
Robert Potter (Internet 2.0 Co-CEO): Well, anything that we allow inside our networks has to be controlled from a supply chain point of view in the terms of the risks that it introduces into our network. When we assess technology like this, when it’s deployed on networks, it still has to be receiving updates and information back from its mothership, and in this case that would be back in mainland China. So by allowing a technology like this inside our network we’re increasing our risk and it’s a real question as to whether or not we are unnecessarily doing that if we have other alternatives.
Sharri Markson: So the risk is that they could through this scanner breach the firewall and access other data that might be contained by NSW health on their networks?
Robert Potter (Internet 2.0 Co-CEO): Yeah, absolutely. So there is a great example out of the United States of a company called PAX networks which was recently raided by the FBI. They sold point of sale machines, so like EFTPOS terminals, into companies and they were used as a beachhead to attack networks by offshore threat actors in China. So in this case it’s the same risk of deploying something inside your network. Medical technology is really difficult to quarantine within a network because it requires all of its updates from the inventor of the intellectual property, which in this case is a Chinese invention, and it would rely on that for its update cycle. So it’s very similar to the risk that we saw in Huawei, and connecting this into our critical infrastructure really introduces risks that we may not need to introduce if we have other options in these tenders.
Sharri Markson: Yes, yes of course. Just in terms of, you know, how great the threat is in the biomedical space from your experience working in this area, have we seen any escalation of risk or have we seen cyber hacks or attacks on the hospital network here in Australia?
Robert Potter (Internet 2.0 Co-CEO): Well the majority of disclosed attacks on critical infrastructure in Australia occur on medical companies and in the health sector. So it’s already considered the underperformer in the critical infrastructure space compared to others like finance and energy.
Sharri Markson: Why is that? Why are Chinese entities so keen to get health data or biomedical data?
Robert Potter (Internet 2.0 Co-CEO): Well it’s very useful for a lot of different reasons because it’s quite cost-effective to get if you can collect it through other people’s networks. There are entire companies in China that receive defence contracts from the Chinese government to undertake intellectual property theft for example and to collect big data to feed these sorts of systems.
Sharri Markson: Do you think there is still some level of naivety at the university level? I mean you’ve read the response from the University of Sydney that was contained in their due diligence report where they say they didn’t feel like they needed to disclose this because it was two steps removed from the Chinese company, when in fact it was entirely owned and it was virtually one and the same company.
Robert Potter (Internet 2.0 Co-CEO): Yeah, I think there is a huge naivety combined with an unwillingness to really face up to vendor risk. Supply chain risk isn’t something that is really simple to fix because everything that we plug into our networks brings risks into it. And so when we have a choice between a company that is producing a technology made in China or one that is made in Germany, I think the decision around cyber risk should really be a deciding factor even if the other vendor is slightly more expensive.
Sharri Markson: Yep. Don’t know if you would be able to answer this question. Do you think the federal government has some awareness that there might be not just universities but other institutions that might feel they don’t need to disclose potential deals under the Foreign Relations Disclosure Act?
Robert Potter (Internet 2.0 Co-CEO): Well, compliance with the Act is one thing; it’s still very new and universities are still trying to figure out what they should disclose and what they shouldn’t. But when there’s doubt I think you should generally err on just working with people who have the experience to help you make better decisions in this space. So, it’s one thing for the university to say look, we’ve received advice from the Australian government and this is fine, but not to pursue that advice when you don’t really have that expertise in-house, which the universities really don’t yet. They don’t have big enough muscles to lift this sort of risk. And so going externally and, you know, taking the free advice from the Australian government, which is an expert in this space, just makes sense to me.
Sharri Markson: Yeah, absolutely. Robert Potter, thank you very much for your time and for your insights throughout the year.