Meeting the challenges of cyber-security


Posted 31/03/2011 by Nigel Brew

Senator John Faulkner speaking on Cyber Security
Just weeks after the Attorney-General, Robert McClelland, announced the establishment within the Australian Security Intelligence Organisation (ASIO) of a ‘specialist cyber investigations unit to investigate and provide advice on state-sponsored cyber attack against, or involving, Australian interests’, News Limited media reports have claimed that the parliamentary computers of the Prime Minister and several key Cabinet ministers were infiltrated recently in a sustained “hacking” attack.

The reports claim that ‘several thousand emails’ may have been accessed and that in addition to the Prime Minister, the Defence and Foreign Ministers were among those targeted. The cyber-attack is alleged to have begun in February and lasted more than a month before Australian authorities were alerted to the breach by US intelligence agencies. According to the report, state-sponsored actors are among those under suspicion. Understandably, the government is remaining tight-lipped on the claims, citing a long-standing tradition of not commenting on intelligence and security operational matters. However, the government’s concern over cyber-attacks and electronic espionage targeting Australian interests is neither secret nor new.

Acknowledgement of the problem

This latest alleged incident serves to highlight the significant and ongoing challenges of cyber-security. While neither espionage nor computer “hacking” is itself particularly new, combined they pose a rapidly evolving and potent threat to security. Discussion of cyber-security and, in particular, public acknowledgement by the government of the threat from cyber-espionage, appears to have become more forthright and detailed in recent years.

In his National Security Statement to parliament in December 2008, the then Prime Minister, Kevin Rudd, sounded a general warning about the threat to Australia from espionage, noting in particular the increasing potential for spying by electronic means:

Australian policy, military and intelligence institutions, directions and capabilities are attractive intelligence targets for foreign powers. And Australia is also seen as a potential alternative source of sensitive defence, intelligence and diplomatic information shared by our allies. Electronic espionage in particular will be a growing vulnerability as the Australian Government and society become more dependent on integrated information technologies. Both commercial and state-based espionage, while not visible to the public eye, are inevitable.

Similarly, in a farewell address to staff in February 2009, the former Director-General of ASIO, Paul O’Sullivan, spoke of the agency’s efforts to deal with re-emerging traditional national security threats, in addition to the ongoing threat of terrorism, and hinted at an increase in electronic espionage:

We’ve broadened and strengthened our human and technical collection, and our investigative and strategic analysis, not only in counter-terrorism, but across all areas of security concern. We have responded proactively to the evolution of espionage in the 21st century, and the accumulation of challenges this presents, by boosting our counter-espionage and foreign interference capability.

In a further indication that counter-terrorism is not the only issue occupying ASIO, the current Director-General, David Irvine, noted in ASIO’s 2008–09 annual report, that 2008–09 ‘saw the most intense period of operational activity since 2005’, adding that, ‘...the extent of Internet-enabled espionage as a rapidly growing threat to the national interest became more apparent’. Adding to the recognition publicly that espionage, and cyber-espionage in particular, has now firmly become an operational priority, ASIO’s Portfolio Budget Statements 2010–11 noted that, ‘ASIO continues to build capability and operational momentum against counter-espionage and foreign interference targets, which includes a focus on electronic espionage’. Indeed, as previously stated in the section on ASIO in the Parliamentary Library’s Budget Review 2010–11, ‘the combined effect of the intelligence-related measures announced in the 2010–11 Budget is to underpin the Government’s public recognition of the growing need to deal with the re-emergence of traditional security threats in a technology-enabled world, and to plan for the long-term strategic security implications of modern shifts in geopolitics’.

ASIO’s 2009–10 annual report is even less ambiguous about the nature and extent of the challenges posed by cyber-espionage, indicating strongly that the government is no longer simply hinting at the threat. Reflecting on the notion that ‘the communications revolution has fashioned new security frontiers’, and noting that ‘the speed and scale of technological development presents significant challenges for organisations like ASIO’, the Director-General states:

Espionage has also thrived on globalisation and the communications revolution.
Digitisation means that massive amounts of information can be extracted, transferred and shuffled with ease. A single well-placed human agent becomes the potential source of archives worth of intelligence. Hostile intelligence agencies now also have a ‘beyond-the-horizon’ capability; they need not leave their own shores to target information held on our government, business and even personal computers.

The Attorney-General has also recently echoed these observations in an address on 10 March:

While traditional threats like espionage and foreign interference remain significant, the explosion of the cyber world has expanded infinitely the opportunities for the covert acquisition of information by both state and non-state actors ... these attacks can be staged from anywhere in the world...

Coincidently, on 23 March, the Australian National Audit Office released a Performance Audit Report into The Protection and Security of Electronic Information Held by Australian Government Agencies, in which the effectiveness of the management and implementation of measures by four government agencies to protect and secure their electronic information was investigated. The agencies selected for the audit, which included The Department of the Prime Minister and Cabinet, were chosen because they ‘represent a general cross-section of agencies and their associated ICT systems’.

The audit examined the following four aspects of electronic information security within each agency—information security framework; network security management; access management; and equipment security—and the report notes the importance of maintaining good electronic information security:

Vulnerabilities within ICT systems may allow an attacker to gain access to sensitive information, including information about Government decision making, significant financial transactions, and aggregate personal and financial information.

The Department of the Prime Minister and Cabinet made similar comments in the audit report, noting, somewhat prophetically:

... the protection and security of electronic information by Australian Government agencies is of increasing importance. Recent events surrounding the unauthorised release of classified US information, as well as the increasing incidents of cyber attacks are a stark reminder of the damage that poor information security can do to Australia’s national interests.

The audit concluded overall that the measures examined to protect and secure electronic information in each of the agencies were ‘generally operating in accordance with Government protective security requirements’. However, the audit did identify several deficiencies and recommended agencies take measures to ensure better upkeep of information security policies and procedures, better use of software security patches, closer attention to password security, and the blocking of access to public web-based email services (like Hotmail and Gmail) on agency ICT systems. Although some access to web-based email is currently permitted in the Department of the Prime Minister and Cabinet, limited by certain control measures, the Department has indicated in its response to the audit report, that all access to web-based email from Departmental systems will cease on 1 July 2011.

Tests designed to assess the strength of user passwords revealed weaknesses in several agencies. The application of a so-called “brute force” test resulted in ‘around 20 per cent of passwords being compromised in each agency’, which, the report states, ‘compares reasonably favourably with some private sector and State government agencies’. In three of the four agencies, however, the test was able to compromise some administrator and/or service account passwords, about which the report warns:

... these types of accounts have a high level of access to agencies’ ICT systems. If an attacker managed to gain access to an agency ICT system by cracking an administrator or service account password, there could be serious consequences for that agency’s security.

Responding to the problem

In acknowledging that ‘cyber security is now one of Australia’s top tier national security priorities’, the government launched its Cyber Security Strategy in November 2009 with the aim of maintaining ‘a secure, resilient and trusted electronic operating environment that supports Australia’s national security and maximises the benefits of the digital economy’.

CERT Australia, Australia’s national computer emergency response team, is one of the lead agencies in this ongoing effort, and works in close conjunction with the Cyber Security Operations Centre (CSOC), based within the Defence Signals Directorate. The CSOC was established in 2009 as an initiative of the Defence White Paper, Defending Australia in the Asia Pacific century: Force 2030, and contains staff from a number of agencies, including ASIO, the Attorney-General’s Department, and the Australian Federal Police.

ASIO noted in its 2009–10 annual report that it had ‘expanded its engagement with industry on the threat of electronic espionage, particularly in the resources and energy sectors’, liaising with some private sector companies which had been the targets of electronic intrusions. As part of National Cyber Awareness Week, ASIO also ‘sponsored a resource sector information technology forum to deliver high-level briefings on cyber security and espionage threats and mitigation strategies to a range of resource sector companies’.

The government has also recently announced its intention to accede to the only binding international treaty on cybercrime, the Council of Europe Convention on Cybercrime. Australia would be joining over 40 other nations which have either signed or become a party to the Convention, and as the Attorney-General has recently indicated, such international cooperation will significantly assist Australia’s efforts to stay abreast of and meet the ever-growing challenges of cyber-security:

Accession to the Convention is a critical step as it facilitates international co-operation between signatory countries and establishes procedures to make investigations more efficient. As such, it will help Australian agencies to better prevent, detect and prosecute cyber intrusions.

(Image sourced from http://www.australiandefence.com.au/archive/cyber-security-operations-centre-opens)



FlagPost

Flagpost is a blog on current issues of interest to members of the Australian Parliament

