
While the Indonesian spying story was erupting yesterday, another espionage yarn was playing out in estimates.

Greens Senator Scott Ludlam used the Finance and Public Administration Committee estimates hearings to quiz Department of Parliamentary Services officials on revelations of National Security Agency internet spying. Why? Because as part of the NSA’s PRISM program, Microsoft was required by the NSA to give it a backdoor into Outlook to enable the NSA to monitor people using Outlook for encrypted chats. The NSA also has access to emails before they’re encrypted on the Outlook.com web email service, and to Skype.

The Parliament House IT system uses Microsoft Office as a default for word processing, spreadsheet and email software. It’s very hard to get other software approved for use. The Australian Signals Directorate is normally the gatekeeper on such matters.

Now, the Parliament House IT system is not the one used by ministers. They and their staff use IT equipment and networks provided by their departments. They are of significantly higher security than the Parliament House system. And cabinet materials are only distributed using CABNET, an old but highly secure system with only a limited number of terminals. A major upgrade of CABNET has been planned for a while.

But everyone who isn’t a minister — the leader of the opposition, the minor parties, government backbenchers — uses the Parliament House system only. And ministers may also use the Parliament House system for, say, electoral matters and party activities.

So the security of that system is important. You might not see a cabinet document on the Parliament House system — but you might see an email from a minister to the chair of a backbench committee, or to a parliamentary committee chair, containing cabinet-related or confidential information. You could see shadow cabinet material. A careless minister might send information from his or her ministerial account to his or her APH account.

And it’s fair to say the security of the APH system isn’t all it should be. A couple of years ago hackers accessed the APH accounts of senior ministers, including Julia Gillard. Chinese hackers remain the main suspects. It’s unclear what the attack mechanism was — it might have been malware or it might have been an unpatched exploit in either the APH servers or in Microsoft Office — but it was successful. And while the hackers wouldn’t have had direct access to ministerial and cabinet information, they would have done pretty well courtesy of all the material that is distributed via the APH system. One Labor figure said “I reckon they’ve got it all in Shanghai in some warehouse and they’re still going through it today.”

So Ludlam’s questions were very relevant: it was public knowledge that, as part of the NSA’s PRISM program, there was a backdoor in Microsoft’s Outlook software used by a foreign intelligence agency. Microsoft itself hadn’t fixed it, because it was prevented from doing so by US laws. So had it been fixed?

By the way, there’s another way in which the NSA monitors the use of Microsoft products. Whenever you use a Microsoft Office product, it sends data back to Microsoft (quite apart from whether you actually store documents in the Microsoft cloud service). For example, it sends metadata about your Word documents back, sends bug reports if you allow it to, and checks to see if your copy of the product is legal. It also sends information about your computer itself to Microsoft, and any other identifying information it can find (a list of what it sends is in its privacy policy).

Microsoft hasn’t given the NSA access to that information — but the NSA has almost certainly taken it anyway. Last week Microsoft admitted that it doesn’t encrypt information as it flows between its own internal servers. The NSA and the UK’s GCHQ operate a program called MUSCULAR to intercept data on Google’s and Yahoo’s internal servers without the companies being aware — the revelation of which infuriated Google, which promised to further improve its internal encryption. The same interception is almost certainly happening on Microsoft’s servers, without even an effort to encrypt the data.

Asked about efforts to remedy these serious flaws in the Parliament House IT system, the Department of Parliamentary Services’ Chief Information Officer Eija Seittenranta said that nothing had been done, and that DPS simply used whatever patches Microsoft gave them.

But Microsoft isn’t allowed to fix the NSA’s backdoor, Ludlam pointed out. Seittenranta struggled to respond. Had there been any effort by DPS to patch it themselves? Had they spoken to ASD, or the new Cybersecurity Centre, about it? No. What were you waiting for, asked Ludlam. Seittenranta suggested that there were only rumours that there was a backdoor. There had been no “validation”.

It was a painful performance. Then her offsider, Department of Parliamentary Services’ Assistant Secretary of ICT and Infrastructure Steve McCauley, came to the table and gave a very different story. “We’re patched,” he assured Ludlam. No information leaves the APH network unless it’s allowed to by DPS and ASD. Ludlam pressed for more information. Well, they’re not quite patches in the Microsoft products, McCauley then said — they were features of the APH firewall that stopped information leaving. Was this specifically in relation to PRISM, Ludlam asked. McCauley seemed uncertain and had to take it on notice.

For those of us with estimates experience, it looked like officials had watched an unprepared Seittenranta make a meal of things, while her offsider hastily got a briefing from his subordinates and then rushed in to fix things up.

So we think ASD and DPS are blocking any outward-bound information sent by Microsoft Office products from our parliamentarians and their staff, or anything else, and ensuring nothing untoward gets out. But whether that was in response to the 2011 hack, or to the NSA’s PRISM and other programs, remains unclear. On the performance of DPS yesterday, it’s not likely to be clarified any time soon.