Is the major internet attack on the Bureau of Meteorology, the wake call Australian governments — state and federal — have needed to take the threat of cyber security seriously?
Australian government agencies have been largely immune from some of the major hacks that have recently so embarrassed and compromised major public and private overseas organisations — and their users — such as the US Office of Personnel Management, the dating site Ashley Madison, the US bank JP Morgan and Sony.
But the attack on a major strategic asset such as the BoM technology stack will send shock waves through Canberra’s defence and security services, which to date have struggled to get agencies to take seriously the reality that the internet is inherently insecure. This risk increases exponentially as government becomes rapidly reliant on the internet to deliver its main services and as it moves to connect agencies systems to offer the seamless services citizens want.
Each agency CEO is responsible for their data security and herein lies the problem. Experts familiar with the federal agency cyber spends have estimated that on average agencies spend about 2% of their ICT budget on security. In comparison the tier one banks spend an estimated 15%. According to Akamai’s cyber security strategist, John Ellis, Israel mandates each agency spend 8%. Singapore mandates 10%.
This chronic underspend is just the start of the problem. The key artefact through which day to day cyber security is managed is the Information Security Manual — a 328 page manual of rules and controls, which despite attempts to clean it up, is almost unusable as a practical guide for agencies to rely on.
Security is often managed at a surprisingly low level in public agencies. With CIOs being asked to rapidly transform their legacy ICT systems to modern digital ready stacks, security is more often than not a relatively low priority –managed as a tick the ISM box exercise.
Agencies then fall back to relying on the big gateway vendors that in practice manage the internet traffic (think of them as government ISPs) for almost all Australian government agencies. These vendors — such as Verison and Macquarie Telecoms — have security smarts, but nothing like what is needed to defeat the sort of mega attacks now being seen around the globe.
At the SES C-suite level, poor digital literacy and a sense that there is little they can do to stop serious hacks, has led to a pervasive Hail Mary culture — close your eyes and pray it doesn’t happen to us. There are some stand out exceptions — the ATO — is seen as an exemplar of how to run a hardened resilient organisation that takes and manages data security seriously.
But in the main, agency executives have little insight what part of their information and security systems are vital — ie what data are the crown jewels. Nor if their meagre security investments are actually aligned with the threat environment.
A threat environment that is very dynamic, with attacks getting bigger, more intense and coming from variety of sources and motivations — ranging from espionage to extortion to hactivism.
The Australian Cyber Security Centre (ACSC) was recently set up to provide a much more sophisticated and co-ordinated approach, but the lack of a broader system architecture — and a deeply ingrained culture of agencies reluctant to give away their independence — means it is very difficult in practice to confront the problem as an all of government problem.
Till the ACSC came along, technical security was largely the domain of the Australian Signals Directorate. The ASD is a Defence play and well known as the group that manages DoD’s electronic espionage and counter espionage efforts. Not surprisingly, ASD to most of of the civilian public service is just a black box. Matters are routinely reported or sent to ASD, but little comes back, leaving agencies isolated and largely alone to fight the very sophisticated back hat enemy.
How the ACSC responds to — and manages — this breach will be an early test for its effectiveness. Much of this test will be in the public management of the consequences of the breach and the detailing of what assets have been compromised and what citizen or stakeholder data has been breached.
ACSC is being supported by the traditionally lumbering Defence Media Ops group which in a major real time crisis such as this breach will need a very sophisticated and open communications response. If there is a lesson from the big US and UK breaches it is to be right up front with what has happened, who has been impacted and what the remedial action is.
As a case study of how not to respond this type of major intrusion this is what we got back from the ACSC via Defence Media:
“Thanks for your email. As a matter of principle and long standing practice, the Government does not publicly discuss specific cyber activities or incidents.
“The Bureau’s services and systems are fully functional and it will continue to provide quality reports and warnings and weather information to the community and its stakeholders. [Unattributed]”
Meanwhile back in the real world, the BoM famously sits on very old technology — and has even resorted to advertising on its popular web site to raise some extra pennies. This means it can not take advantage of the security technologies now considered standard in any cyber architecture, nor does it have basic logging capability to enable auditing of potential intrusions. BoM is now in the market to replace its ageing legacy systems, but in the mean time is caught in what Akamai’s Ellis describes as a perfect storm:
“The threat landscape is constantly evolving, yet old threats and risks are still there, further compounding the problem. Interagency connectivity, sharing of data, legacy technology and staff attrition along with conflicting priorities create a perfect storm for which oversights become cracks in our defenses, that then quickly become gaps and in turn are exploited by our cyber adversaries.
“Short of turning off all the lights, and starting again, agencies are faced with a challenge that is akin to rebuilding a legacy Boeing 747 into a modern Airbus A380 while still flying.”
At the same time a major review has been under way led by the Prime Minister’s Department. This review was meant to report this month, but the change in Prime Minister has seen the report delayed till early next year. A critical issue is how to get much better co-ordination between government and the big commercial security players such as the telcos, the banks, and the top tier security vendors – who have high real time visibility of both the threat environment and the most effective response. This needs to be industrially robust and not just a statement of intent.
Another issue that should be on the table is mandatory reporting. In the US reporting is required so there is a strong culture of full disclosure. In Australia — as witness by the ACSC’s response above — we could not be further from that culture. This means there is little awareness of the real threats, nor any mature, publicly tested protocols for how these big breaches are responded to and managed.
China again is the bogey man being accused of the BoM breach, and while there are some early signs there may some attempt to get a political solution to the rampant cyber espionage that comes out of China, hard heads such as Fireeye’s cyber security guru, Kevin Mandia remains sceptical. He told a conference in May:
“If we all signed a global co-operation treaty for rules of engagement in cyberspace today and every sovereign nation signed it, we would all be cheating before the ink dried. Nothing is going to change that way. But I do think you are going to see largely East versus West alignment there. It will ebb and flow and it will go largely unabated until there are risks and repercussions to the threat actors. The dialogue with China may change the rules of the game. We will see.”
In the mean time agency leaders are having to come to terms with a risk they have little real ability to quantify and equally are unable to reason through an appropriate mitigation strategy.
According to Ellis agencies need to take a far more holistic view and see secirty as a business issue rather than a narrow technical problem:
“Security attacks and incidents are the reality in today’s hyperconnected world, and government agencies are legitimate targets by nation states. Agencies need to develop better the ability to prepare for and adapt to the changing and hostile cyber security conditions, with the ability to withstand and recover rapidly from such disruptions.
“Building a resilient agency involves and integrated and holestic approach to cyber security where everyone and everything are part of their total defence plan so they have the ability to deliver their services irrespective of disruptive cyber events (deliberate or accidental).”
While Canberra will take the heat on this breach, every state government has a similar, if not worse risk. Many of the states have very immature cyber security policies and programs. The states front end the majority of services and so the risk of deeply personal health and other information being breached is a time bomb waiting to happen.