Standing up for Canberra

It's time the government takes cyber security seriously

The revelations last week about what was happening on the cyber security front here in Australia in Defence contracts or what was not happening on the cyber security front just underscored the fact this government is failing in its most basic responsibility, and that is our national security. 

The Minister Assisting the Prime Minister for Cyber Security launched the Australian Cyber Security Centre's 2017 Threat Report in a speech at the National Press Club, and an extraordinary announcement was made. It was quite extraordinary—it was a little drop there but its consequences were significant. The extraordinary announcement was made that a small Defence contractor's network had been compromised last year—just a little oops there. What continues to amaze and concern me is that the compromise wasn't picked up by Australian cyber security authorities. Our authorities were tipped off by international partner agencies.

The fact is that an unknown hacker was able to steal 30 gigs of sensitive Defence data. That's a lot of very sensitive Defence data. Although the language that's been used around this by the government has been incredibly flippant in terms of the seriousness of this issue—it was commercially sensitive, according to some reports, and it was unclassified according to some reports—for the purposes of today's speech I'm basically underscoring the fact that the unknown hacker was able to steal 30 gigs of sensitive Defence data.

This sensitive data included information on major multibillion-dollar Defence projects, including the Joint Strike Fighter program, the P-8A surveillance craft project, the C 1-30 transport planes and several current naval vessels. As much as the government tries to downplay its significance, this was a serious breach with the potential for serious consequences. It is incredibly concerning that the Minister for Defence Industry is so flippant on an issue of national security. This is not about blame; this is about responsibility. The government is responsible for Australia's national security, and it should hang its head in shame for this breach in national security.

The Turnbull government is responsible for the cyber resilience of government agencies, and this responsibility extends to the contractors that government agencies employ. There are over 4,000 of these defence industry businesses in Australia, and many of them are micro or small. We know that small and medium businesses are especially vulnerable to cyber attacks. They have limited resources and limited time. I know because I used to be a microbusiness, and I know there are other small business people in here too. In my case I had no resources except me. You have limited time because you're going out there making money, you're marketing your business, you're out networking, you're doing your admin and your invoices and, in your limited spare time, it's nice to put you feet up and be with the family.

These businesses have limited resources and do not have much time to mitigate against cyber attacks. Unfortunately, as a result of that, they are a regular target for attacks. According to a 2016 report by cyber security firm Symantec, 43 per cent of cyber attacks are targeted against small businesses. This recent Defence data breach is a symptom of a much larger problem amongst small and medium businesses here in Australia. The government is failing to get the message across about correct security practices, and more needs to be done in communicating with and supporting small and medium businesses to help them improve their cyber security and their operating practices.

Last week we heard about the 'Alf's Mystery Happy Fun Time' hack, as it was dubbed by the Australian Signals Directorate. The name of the hack may be amusing, but it's a symptom of a very serious problem. Basic precautions like changing default passwords and installing security updates are, obviously, continuing to be ignored. The security of this hacked contractor system was laughable. The ASD revealed that the oversights were as glaring as having default 'admin' users and passwords—I think one of them was 'guest' as well. This is a contractor to Defence contracts worth billions.

Action must be taken. Our small to medium businesses need more support and clear communication from the government, and it needs to be from one voice and one point of truth. At the moment we have a spaghetti tree of different agencies involved in communicating and in governing cybersecurity. So it's very difficult for businesses to know where to go for help and information. There is a convoluted and confusing mish-mash of various agencies and organisations responsible for providing assistance and communication to businesses, and this needs to change fast. Instead of passing the buck, the Turnbull government ought to be sitting up and taking notice of the significant improvements that need to be made all the way down the line. Cybersecurity is a whole-of-supply-chain issue. One weak link is all it takes to expose sensitive information and introduce attack vectors into larger systems, as we heard last week.

Our policies to protect government agencies also need to extend down the chain. At the moment, not even the government agencies are adhering to their own cybersecurity requirements. Despite being required to comply with the protective security policy framework, we know that many government agencies continue to be noncompliant with the information security manual. This is mandated. A stern letter by ministers asking agencies to 'please comply' is not enough. There are still no ramifications for those who refuse to comply.

I've been calling on the government to take the cybersecurity of government agencies seriously since the release of the damning 2014 audit of cyber resilience, where no agencies were found to be compliant. We've got to get our own house in order. This has to be a priority, but this must also be extended further down the supply chain. There's currently no legislation or requirement on government contracts to have adequate cybersecurity measures in place. This recent breach is not the first and nor will it be the last, while the government continues to ignore this issue. The ASD already provides guidance for government contractors on how to secure their systems, so why isn't it mandatory? Government agencies like Defence must be able to ensure a basic cybersecurity standard has been met before they release sensitive information. How can the government and the Australian people trust that sensitive information is being secured if it's being handed over to private contractors with no minimum cybersecurity assurances?

Our US ally recognised this supply-chain threat long ago and has already taken steps to rectify it. In May this year, an executive order was passed, requiring all US government agencies to comply with a national cybersecurity standards framework. This includes cybersecurity risks facing the defence industrial base, including its supply chain. Not only have minimum cybersecurity standards been applied to government agencies and their supply chains, they have also been applied to critical infrastructure systems as well.

This is yet another glaring cyber risk that's been ignored by the Turnbull government. The draft Security of Critical Infrastructure Bill, released last week, is a joke. It doesn't require critical infrastructure operators to improve their cyber security. It doesn't require critical infrastructure operators to report on the current state of their cyber security. The Turnbull government cannot continue to turn a blind eye to cyber security. It's endangering our ability to work with our allies and endangering our national security. The Turnbull government needs to clarify what it is doing to ensure that those handling sensitive information have the proper security precautions in place. The government has to start taking cyber security seriously now. It's the government's responsibility. 

Download this speech