February 27, 2018 – ZD Net
For a department that is focused on protecting borders, it seems virtual border protection is missing in action.
The cyber realm is fast becoming the battleground of this century, and not the first time, Australia is missing the boat and trailing the field.
The best evidence of the cyber ignorance of the Australian government was presented yesterday in Senate Estimates by the Department of Home Affairs — the Peter Dutton-led superministry created last year that sees the majority of the federal government’s enforcement agencies under one roof — when discussing how it would protect the facial recognition system it is developing.
Under questioning from Australian Greens Senator Jordon Steele-John, Home Affairs initially responded that its “hub-and-spoke” topology was helpful in preventing breaches, and presumably making infosec defences someone else’s responsibility if you are a mere message passing hub.
But in the wake of the Australian government being unable to protect its own Cabinet data, the absolute shambles of the Australian 2016 Census, the complete mess of the Australian Electoral Commission and its dealings around the Senate ballot scanning solution, and the festering sore of the Centrelink robodebt saga, one may begin to think that Canberra and computers don’t mix.
To shore up that line of thinking, we need to head to the transcript as Steele-John presses his case.
Have you ensured that the systems you’re using differ from the systems which have been breached in recent times in relation to Medicare and other personal information breaches that’ve been —
Maria Fernandez PSM, Deputy Secretary, Intelligence and Capability:
I might address that from a cybersecurity perspective from the department. The systems that Mr Rice refers to — for example, the visa and citizenship systems, the biometric systems — are held behind our firewalls. Our cybersecurity measures are layered in the department. We have two internet gateways that are secure internet gateways. And then, beyond the gateways, we have cybersecurity software on the desktops, and in our software and in our service —
Michael Pezzullo, Secretary, Home Affairs:
Inside the gateways, I think.
We’ve also got a moat on the outside of the gateway, don’t we?
We do. So the cybersecurity arrangements for the Department of Home Affairs apply to these biometric systems.
Don’t we also have forward posts ahead of the moat, as well, that detect through geoblocking and other —
Added on to the gateway, yes.
Thank you for your time.
What is being described here appears to be the Klein bottle of cyberdefences, where the moat surrounds the firewall, yet the there are forward posts that are somehow on the gateway, yet beyond the moat.
This exchange would be absolutely hilarious if its implications were not so consequential. Here we have the heads of the largest government department, home of the Australian Federal Police, ASIO, Border Force, thinking that they can glibly discuss the information security of a national biometric system in terms that are equivalent to a castle defence game on Facebook.
The dye was set for this sort of interaction when former Minister Assisting the Prime Minister on Cyber Security Dan Tehan said in 2016 that centralised approach by government to cybersecurity is dangerous, and it is preferable for departments to take care of themselves instead.
Add to the mix that the Audit Office last year found the then Department of Immigration and Border Protection had insufficient protection against external threats, and was under the belief it was doing better than it was. To add insult to injury, Immigration was ranked below the derided Department of Human Services that concocted the robodebt system.
Given this, it is little wonder Pezzullo said yesterday that Australia’s push for a decryption magic bullet will not undermine “legitimate encryption”.
Amid the bluster in recent months from Canberra on gaining access to encrypted communications, the least-worst scenario would appear to be targeted end-point compromises by law enforcement to get access to data prior to it being sent — but it wouldn’t surprise me to learn that the likes of Pezzullo think there is a magic formula that allows a separation of good encryption and bad encryption, if only the tech vendors would cooperate and tell them what it is.
Pezzullo struck out yesterday at descriptions of the decryption proposal as a “backdoor”.
“That’s the shorthand, colloquial, and in many respects, highly ill-informed shorthand that is sometimes used in this field,” Pezzullo said.
“You assume that a backdoor has to be created, I’m just saying that that is a cartoon-like assumption.”
Rest assured that in the realm of ill-informed, cartoon-like assumptions, Home Affairs and its cybermoat is going to take a lot to beat.