Dispatches from the cyber-front
Interesting episode on the ABC’s Four Corners program this Monday that discloses more about the ongoing attacks against government computer networks. Four Corners sources confirmed that, as I predicted at the time, the Bureau of Meteorology infiltration was a beachhead operation to allow further attacks on higher value government targets (such as the Australian Geospatial-Intelligence Organisation and Intelligence/Surveillance assets such as the JORN system). OK, smug mode off.
More seriously, the Four Corners episode points to the weak underbelly of national cyber-security, which is those corporatised government organisations that are run along private company lines but which actually are the custodians of critical and sensitive data or infrastructure. NewSat and Austrade are two examples given in the show; there are others. The problem with these ‘quasi-private’ corporations is that they are run by people who are focused on EBIT and who simply don’t realise (or blithely ignore) that they also have stewardship and governance roles. This is, as Four Corners has shown, not a good idea. What most governments seem to have overlooked in their haste to corporatise, privatise and outsource is that unless a private company risks taking a serious kick in the financial cojones because of a breach, cyber-sec is just not a priority. That management indifference may be ‘OK’ if you’re a national retailer, but not so much if your business is re-processing reactor fuel rods, or directing air traffic.
In further, and slightly amusing, news, ZDNet reports that the Australian Bureau of Statistics has decided to quietly drop its claim to achieving the ASD’s highest level of security, which embarrassingly conflicted with the less than glowing findings of the Australian National Audit Office. Instead, in a flash of bureaucratic brilliance, they’ve plunked a reassuring line into their TV ads to the effect that ‘don’t worry, your data is safe’. What marvellous security theatre! I mean, why go to all the trouble of actually achieving that pesky security accreditation when you can just pay someone to make an ad saying you are?
I must admit I still don’t understand why our tech-savvy Prime Minister would be so sanguine about his census data being traceable to his name, given that such data would immediately attract the attention of foreign intelligence services to the ABS, like, y’know, if you identify it, they will come. Unfortunately* it seems there’s some sort of weird perception filter in place so that all the supposed adults in the room don’t quite register that modern nation states run on data. Nor that there’s a pitiless struggle being waged for its control, exploitation and weaponisation. That struggle is one which western governments, mostly through their own bad decisions, are losing.
*constant readers of my ramblings will note I use that word a lot.