Laissez-faire cyber security: what could go wrong?

If you saw the news about fitness tracker Strava revealing secure government buildings, and thought ‘someone would have told me if there was a risk to my organisation’, this article is for you.

Hands up if you don’t really understand half of what people are saying about cyber security?

It’s OK to admit that. The public service needs to be a safe place for executives to say ‘I don’t understand this, can I get a briefing that’s at my knowledge level?’

Can we expect that a public service leader, with deep policy and delivery expertise in their field or a career spent honing their organisational strategy and management skills, has found time to become a Tor expert or master of the dark web? Perhaps after ensuring the kids got to school on time.

Besides, nearly every jurisdiction in Australia now has a whole-of-government chief digital officer, isn’t all this their responsibility? And there are departmental CIOs too. And the federal government has a whole agency on it. Surely that’s enough eyes. Sadly, this has been the assumption, and it’s had terrible consequences.

This is where governments’ laissez-faire approach to cyber responsibility has got us: delivery agencies, depended on by millions of Australians, implausibly claim they’ve had no cyber attacks.

‘No cyber attacks’ …and you believe that?

Let’s pick on Australia’s largest state. New South Wales has nearly 400,000 public sector employees including police, train drivers, teachers, nurses and the friendly staff member who helps you at the counter of a Service NSW branch. These are the key people that deliver services to about 7.5 million people.

If a foreign actor wanted to hurt Australia, destabilise our society — like Russia is accused of doing to the USA — one of the easiest ways to do that would be to insert fake official announcements or responses online. Make us doubt if we can trust our government institutions, especially at state and territory level. No unauthorised fitness trackers required.

Politicians claiming they were ‘hacked’ whenever they ‘liked’ a pornographic tweet has inured us to the fact that social engineering does lead to stolen passwords and so-called ‘in-the-middle’ attacks do happen, allowing others to impersonate the government.

NSW agencies, however, don’t appear to be taking this threat seriously.

A recent NSW auditor-general’s report said there were more than 8500 attacks in 2016-17. Two state agencies appeared to have been the target of more than 80% of all those cyber attacks. It’s not those two we should be focusing on. Clearly they know they need to be vigilant. Rather, we need to ask what happened to the rest.

A full third of NSW agencies reported no attacks.

As one astute reader wrote to us: “Either there is a huge story here about NSW government creating the world’s most effective air gap around its systems, or there are some unique definitions of cyber attack being used, or there is some world-leading ignorance.”

Whether you know it or not, your personal email address, whether web-based like Yahoo or provided by an ISP like Bigpond, has probably had hundreds of hack attempts on it. The Mandarin has had hundreds of cyber attack attempts against it. It’s simply implausible to believe that government agencies, whether they have twenty employees or 20,000, had not a single cyber attack last year.

You can’t outsource cyber responsibility

An agency CIO is probably really good at procurement. As they should be. But it’s not the same expertise as cyber security.

Some agencies, if they know they need to be concerned about cyber at all, have outsourced it. Out of sight, out of mind. Others are waiting for some central agency or whole-of-government monitor to tell them what an attack is and if they need to do something about it. As the NSW auditor-general observed, these uncoordinated approaches just aren’t working for the state.

The Strava story this week was a good example of how much is slipping through the cracks with fast-paced technological advances, even when experts are watching. As one security researcher pointed out to me this week, people have been warning about the potential consequences of inadequate privacy controls on Strava’s location tracking since at least August last year.

Our own Department of Defence, while it is aware of possible risks, isn’t treating this as a security breach, cyber or otherwise:

“All Defence personnel are required to complete annual mandatory security training which includes information on the risks posed by internet-connected devices and online activities. Defence personnel are advised to actively use and manage privacy controls to limit the amount of information they make publicly available and report any suspicious online activities or contacts. Defence also provides regular personal security awareness information to personnel.

“On operations, the online presence of ADF personnel and their use of electronic devices is managed in accordance with operational security requirements developed for each activity. Personnel are advised of pertinent restrictions as part of their force preparation and arrival in theatre.

“Strava is one of many applications and devices which collects user information. Many of these devices and activities are important to the quality of life of Defence staff. Defence manages the risks associated with the collection of such information by having layered physical and information security protections for Defence personnel and facilities.”

It takes a level head to balance the quality of life that comes with technological advances against the security of not just the nation, but of the public’s trust in its institutions.

More of these level heads should be on the way, federally, with the new Defence Signals Intelligence and Cyber Command launched this week in Canberra. While much of its focus will be on warfare, it sets an example that the states and territories might follow to take cyber threats seriously.

More capability, expertise and coordination might ensure agency leaders aren’t left scratching their heads at the next embarrassing revelation.

Harley Dennett studied computer science for three years at university and is still a portrait of confusion when talking with real experts about some of the sophisticated cyber security threats faced by governments today.
