Posted 31/03/2011 by Nigel Brew
Just weeks after the Attorney-General, Robert McClelland,
announced the establishment within the Australian Security Intelligence Organisation (ASIO) of a ‘specialist cyber investigations unit to investigate and provide advice on state-sponsored cyber attack against, or involving, Australian interests’, News Limited
media reports have claimed that the parliamentary computers of the Prime Minister and several key Cabinet ministers were infiltrated recently in a sustained “hacking” attack.
The reports claim that ‘several thousand emails’ may have been accessed and that in addition to the Prime Minister, the Defence and Foreign Ministers were among those targetted. The cyber-attack is alleged to have begun in February and lasted more than a month before Australian authorities were alerted to the breach by US intelligence agencies. According to the report, state-sponsored actors are among those under suspicion. Understandably, the government is remaining tight-lipped on the claims, citing a long-standing tradition of not commenting on intelligence and security operational matters. However, the government’s concern over cyber-attacks and electronic espionage targetting Australian interests is neither secret nor new.
Acknowledgement of the problemThis latest alleged incident serves to highlight the significant and ongoing challenges of cyber-security. While neither espionage nor computer “hacking” are themselves particularly new, combined they pose a rapidly evolving potent threat to security. Discussion of cyber-security and in particular, public acknowledgement by the government of the threat from cyber-espionage, appears to have become more forthright and detailed in recent years.
In his
National Security Statement to parliament in December 2008, the then Prime Minister, Kevin Rudd, sounded a general warning about the threat to Australia from espionage, noting in particular the increasing potential for spying by electronic means:
Australian policy, military and intelligence institutions, directions and capabilities are attractive intelligence targets for foreign powers. And Australia is also seen as a potential alternative source of sensitive defence, intelligence and diplomatic information shared by our allies. Electronic espionage in particular will be a growing vulnerability as the Australian Government and society become more dependent on integrated information technologies. Both commercial and state-based espionage, while not visible to the public eye, are inevitable.
Similarly, in a
farewell address to staff in February 2009, the former Director-General of ASIO, Paul O’Sullivan, spoke of the agency’s efforts to deal with re-emerging traditional national security threats, in addition to the ongoing threat of terrorism, and hinted at an increase in electronic espionage:
We’ve broadened and strengthened our human and technical collection, and our investigative and strategic analysis, not only in counter-terrorism, but across all areas of security concern. We have responded proactively to the evolution of espionage in the 21st century, and the accumulation of challenges this presents, by boosting our counter-espionage and foreign interference capability.
In a further indication that counter-terrorism is not the only issue occupying ASIO, the current Director-General, David Irvine, noted in ASIO’s
2008–09 annual report, that 2008–09 ‘saw the most intense period of operational activity since 2005’, adding that, ‘...the extent of Internet-enabled espionage as a rapidly growing threat to the national interest became more apparent’. Adding to the recognition publicly that espionage, and cyber-espionage in particular, has now firmly become an operational priority, ASIO’s
Portfolio Budget Statements 2010–11 noted that, ‘ASIO continues to build capability and operational momentum against counter-espionage and foreign interference targets, which includes a focus on electronic espionage’. Indeed, as previously stated in the section on ASIO in the Parliamentary Library’s
Budget Review 2010–11, ‘the combined effect of the intelligence-related measures announced in the 2010–11 Budget is to underpin the Government’s public recognition of the growing need to deal with the re-emergence of traditional security threats in a technology-enabled world, and to plan for the long-term strategic security implications of modern shifts in geopolitics’.
ASIO’s
2009–10 annual report is even less ambiguous about the nature and extent of the challenges posed by cyber-espionage, indicating strongly that the government is no longer simply hinting at the threat. Reflecting on the notion that ‘the communications revolution has fashioned new security frontiers’, and noting that ‘the speed and scale of technological development presents significant challenges for organisations like ASIO’, the Director-General states:
Espionage has also thrived on globalisation and the communications revolution.
Digitisation means that massive amounts of information can be extracted, transferred and shuffled with ease. A single well-placed human agent becomes the potential source of archives worth of intelligence. Hostile intelligence agencies now also have a ‘beyond-the-horizon’ capability; they need not leave their own shores to target information held on our government, business and even personal computers.
The
Attorney-General has also recently echoed these observations in an address on 10 March:
While traditional threats like espionage and foreign interference remain significant, the explosion of the cyber world has expanded infinitely the opportunities for the covert acquisition of information by both state and non-state actors ... these attacks can be staged from anywhere in the world...
Coincidently, on 23 March, the Australian National Audit Office released a Performance Audit Report into
The Protection and Security of Electronic Information Held by Australian Government Agencies, in which the effectiveness of the management and implementation of measures by four government agencies to protect and secure their electronic information was investigated. The agencies selected for the audit, which included The Department of the Prime Minister and Cabinet, were chosen because they ‘represent a general cross-section of agencies and their associated ICT systems’.
The audit examined the following four aspects of electronic information security within each agency—information security framework; network security management; access management; and equipment security—and the report notes the importance of maintaining good electronic information security:
Vulnerabilities within ICT systems may allow an attacker to gain access to sensitive information, including information about Government decision making, significant financial transactions, and aggregate personal and financial information.
The Department of the Prime Minister and Cabinet made similar comments in the audit report, noting, somewhat prophetically:
... the protection and security of electronic information by Australian Government agencies is of increasing importance. Recent events surrounding the unauthorised release of classified US information, as well as the increasing incidents of cyber attacks are a stark reminder of the damage that poor information security can do to Australia’s national interests.
The audit concluded overall that the measures examined to protect and secure electronic information in each of the agencies were ‘generally operating in accordance with Government protective security requirements’. However, the audit did identify several deficiencies and recommended agencies take measures to ensure better upkeep of information security policies and procedures, better use of software security patches, closer attention to password security, and the blocking of access to public web-based email services (like Hotmail and Gmail) on agency ICT systems. Although some access to web-based email is currently permitted in the Department of the Prime Minister and Cabinet, limited by certain control measures, the Department has indicated in its response to the audit report, that all access to web-based email from Departmental systems will cease on 1 July 2011.
Tests designed to test the strength of user passwords revealed weaknesses in several agencies. The application of a so-called “brute force” test resulted in ‘around 20 per cent of passwords being compromised in each agency’, which, the report states, ‘compares reasonably favourably with some private sector and State government agencies’. In three of the four agencies, however, the test was able to compromise some administrator and/or service account passwords, about which the report warns:
... these types of accounts have a high level of access to agencies’ ICT systems. If an attacker managed to gain access to an agency ICT system by cracking an administrator or service account password, there could be serious consequences for that agency’s security.
Responding to the problemIn acknowledging that ‘cyber security is now one of Australia’s top tier national security priorities’, the government launched its
Cyber Security Strategy in November 2009 with the aim of maintaining ‘a secure, resilient and trusted electronic operating environment that supports Australia’s national security and maximises the benefits of the digital economy’.
CERT Australia, Australia’s national computer emergency response team, is one of the lead agencies in this ongoing effort, and works in close conjunction with the
Cyber Security Operations Centre (CSOC), based within the
Defence Signals Directorate. The CSOC was established in 2009 as an initiative of the Defence White Paper,
Defending Australia in the Asia Pacific century: Force 2030, and contains staff from a number of agencies, including ASIO, the Attorney-General’s Department, and the Australian Federal Police.
ASIO noted in its 2009–10 annual report that it had ‘expanded its engagement with industry on the threat of electronic espionage, particularly in the resources and energy sectors’, liaising with some private sector companies which had been the targets of electronic intrusions. As part of National Cyber Awareness Week, ASIO also ‘sponsored a resource sector information technology forum to deliver high-level briefings on cyber security and espionage threats and mitigation strategies to a range of resource sector companies’.
The government has also recently
announced its intention to accede to the only binding international treaty on cybercrime, the
Council of Europe Convention on Cybercrime. Australia would be joining over 40 other nations which have either signed or become a party to the Convention, and as the Attorney-General has recently
indicated, such international cooperation will significantly assist Australia’s efforts to stay abreast of and meet the ever-growing challenges of cyber-security:
Accession to the Convention is a critical step as it facilitates international co-operation between signatory countries and establishes procedures to make investigations more efficient. As such, it will help Australian agencies to better prevent, detect and prosecute cyber intrusions.
(Image sourced from http://www.australiandefence.com.au/archive/cyber-security-operations-centre-opens)