
The revelation that an Australian defence subcontractor had a large volume of material on Australia’s defence assets stolen in an “extensive and extreme compromise” should ring loud alarm bells in Canberra. Instead, it will likely pass with little interest. But be sure our enemies and allies have noted it.
They’ll also have noted the head-in-the-sand reaction from the government, with Defence Industries Minister Christopher Pyne dismissing the incident as merely relating to commercial, not classified information, and that it wasn’t the fault of the federal government that the subcontractor had poor security. Pyne was thereby demonstrating that the great advantage of outsourcing isn’t so much that governments save money, as that they can avoid blame. You get to outsource responsibility, above all.
The Chinese, or whoever stole the information, don’t care about who’s responsible. But they know that when western governments outsource IT, comms or defence projects, and the companies to which they’ve been outsourced then sub-contract out work to smaller firms, each step down in the food chain sees poorer IT security in smaller firms. It’s no surprise that what is described as a “mum and dad” business was targeted. But the attitude of the government is all care and no responsibility, merely saying that companies should take cybersecurity more seriously, as if this was any ordinary case of commercial espionage.
The other disturbing aspect is the performance of the Australian Signals Directorate. Once regarded as one of the finest signals intelligence agencies in the world, there is now talk in intelligence circles that ASD has been badly exposed and is over-tasked with its dual defensive and offensive cyber-intelligence roles — not to mention being regularly trotted out by the Turnbull government for media purposes.
It seems ASD didn’t know of the breach until it was told, three months after it occurred and 30 GB of data had been extracted. This is a staggering failure and suggests ASD doesn’t keep tabs on all defence subcontractors. The organisation that won’t let MPs use a new phone unless it’s been forensically vetted seems oblivious to what’s happening to defence data. Will there be any accountability for ASD head Paul Taloni? And why are we only finding out nearly a year later about the hack?
Accountability is the key here — and there isn’t any. Pyne says it’s not the government’s fault. So, whose is it? ASD’s? The company’s? If we’re reduced to blaming “mum and dad” companies for the loss of defence information, that suggests major flaws in our cybersecurity framework. It’s like saying a plane crashed because of “pilot error” and shrugging your shoulders about being able to do anything about it.
If we had an effective mechanism of parliamentary oversight of intelligence and security matters, we might have some confidence that there would be accountability. But the Parliamentary Joint Committee on Intelligence and Security is virtually moribund under the “leadership” of Liberal Andrew Hastie and that committee is hamstrung at the best of times because of limitations on its role.
It would seem an act of absurd optimism to think this will be the last major hack of sensitive information. We’ve sent a strong signal to the world — to Beijing, to Moscow, and to Washington DC — that we can’t, or won’t, protect our data.
Well Bernard, now they will know that the Flying Heap of Crap is just that.
Great article, Bernard. It’s amazing, but not surprising, the contrast between the claimed need for ever more monitoring of the activities of ordinary citizens and the ‘It’s not our fault’ attitude toward a major breach of IT security on defence procurement.
And Canberra wants to keep all the medical records in Australia in a computer in Canberra and is bribing doctors with practice grants to join up – with a twist: patients cannot access their notes. So when did you last have tonsillitis or gonorrhoea? I will just look at what the hackers have.
Well our ATO info is now O/S, Medical records on their way or have already landed. So I’ve been informed.
What makes you think that the records will stay in Australia, rather than in an out-sourced data silo in India or Singapore or wherever? I’ve read that’s where our telephone call records are, at the moment, now that they must be stored for two years. Throw in enough delegation and sub-contracting and you’ve got no idea or control at all. Might just as well publish it on the dark-net in the first place, and cut out the middle-men.
IT security is difficult with the best set-ups and the best minds working on it, and at least half of those ‘best minds’ have to be non-IT people who can slap the IT geniuses when they make blanket statements that something is unhackable.
It is in system design and thinking that IT security has to be met, and then use the best software and encryption beyond that. So often though the systems resemble colanders and the encryption is poor. It isn’t the ‘mum and dad’ company that created this problem, it is that a ‘mum and dad’ company was able to provide services that weren’t behind a firewall*, so that they couldn’t be hacked. By definition, the little guy isn’t going to have top secret government level hacking prevention software and practices.
* firewalls are often not firewalls at all, but papier mache soaked in metho.
It’s no less than astonishing that Pyne & Co haven’t blamed this on Labor…yet.
Kevin Mitnick (formerly one of the world’s most notorious black-hat hackers) has stated that nothing is unhackable, especially if one has the means to fund the operation.
It’s early daze yet Zut, give Pyne time and enough heat, he’ll warp.