One of the top public servants involved in advising on national Australian cyber-security policy has admitted the division she helps lead was “not familiar” with the decade-old Tor software frequently used by activists and those seeking secure communications to protect their anonymity when using the Internet.
Tor is a package of free software and an associated network on the Internet which routes Internet traffic through a large set of network nodes, encrypting and decrypting the communicated data multiple times along the way. The process, reminiscent of the layers of an onion for which the Tor project (‘The Onion Router’) was named, is complex and has the net effect of blocking the communicated Internet data from being eavesdropped on by law enforcement or other organisations. It was first developed in 2002 and has become popular in the decade since.
In May, Greens Communications Spokesperson Senator Scott Ludlam filed a Freedom of Information request with the Department of Foreign Affairs and Trade, seeking any documents pertaining to the Tor Project, which oversees development of the Tor system, and two individuals associated with the project — developer Jacob Appelbaum and project founder Roger Dingledine.
Ludlam’s interest in any documents associated with the Tor Project and the pair stems from the fact that both have recently visited Australia — Appelbaum most recently in January 2012, and Dingledine in May 2010.
In a letter to Ludlam on 28 May, DFAT wrote that it had failed to identify any documents relevant to Ludlam’s Freedom of Information Request. However, it did highlight a previously released cable in January 2012 from Australia’s Embassy in Washington to the department in Canberra that noted that the US Department of Justice had subpoenaed social networking site Twitter for information relating to Appelbaum, as part of a wider search relating to Wikileaks founder Julian Assange and suspected Wikileaks leaker Bradley Manning.
Ludlam subsequently questioned bureaucrats from the Department of Prime Minister and Cabinet earlier this week on the issue, in budget Estimates hearings. A partial transcript, supplied by the Greens, is available online here in Doc format.
“I have submitted to the department an FOI request to discover in a bit of detail what the department’s attitude is to Australian citizens protecting their privacy through the use of encryption software called Tor,” Ludlam asked departmental bureaucrat Sachi Wimmer on the occasion. “Are you familiar with that service?”
“We are not familiar with it,” Wimmer replied. “We have actually referred that FOI request to the [Australian Federal Police] because we have no record of ever being involved in it.” Ludlam followed up with the question: “But you are not familiar with the service?” “Not,” replied Wimmer.
Wimmer’s position is first assistant secretary of the Cyber Policy and Homeland Security Division within the National Security and International Policy Group of the Department of Prime Minister and Cabinet. The bureaucrat works alongside Allan McKinnon, who was appointed to the position of Deputy National Security Advisor in this division on 1 June 2012, with the additional title of National Security Chief Information Officer/Cyber-Policy Coordinator.
McKinnon’s role was set up, in the words of the department’s web site, “to provide strategic direction and coordination for information sharing across the national security community.
“The role of the Cyber Policy Coordinator (CPC) is to coordinate the whole-of-government approach to cyber policies and activities. The CPC provides strategic leadership and coordination on matters of cyber policy and strategies across the entire cyber ‘spectrum’, from online consumer protection to cyber defence. The Cyber Policy Group (CPG) is the primary forum for whole-of-government leadership and coordination across the full-spectrum of cyber policy issues,” the department’s site further states.
“To assist in coordinating the Commonwealth’s cyber policy agenda, the Department of the Prime Minister and Cabinet assumed responsibility for cyber security policy in December 2011 (previously held by the Attorney-General’s Department), as part of a broader reshuffle of portfolio responsibilities.”
Wimmer’s answer, in this context, is significant, because it appears to demonstrate a certain naivety on the part of one of the Federal Government’s top cybersecurity coordination branches when it comes to commonly used tools for evading Internet surveillance.
It also appears that Wimmer has little experience in the field of cybersecurity. A biography of the public servant published prior to her current appointment noted that Wimmer previously led the Homeland and Border Security division within the Department of the Prime Minister and Cabinet, which appears not to have dealt extensively with matters of IT security. Prior to that role and another similar role in the department, Wimmer worked in the Australian Customs and Border Protection Service and the departments of Agriculture, Fisheries and Forestry and Environment and Heritage. Wimmer holds tertiary qualifications in science, environmental law and public administration.
Other issues Ludlam questioned Wimmer and McKinnon on during the Estimates hearing related to the recent revelation that the Australian Securities and Investments Commission is unilaterally blocking websites it considers fraudulent, using the little-known Section 313 of the Telecommunications Act, issues surrounding the Government’s response to the Wikileaks organisation, the recent announcement of a new government cybersecurity centre, and cybercrime in general.
Am I shocked to find out that the agency which advises Australia’s Prime Minister on ‘cybersecurity’ has no idea what a commonly used Internet anonymity tool like Tor is? No, I’m not. This is precisely the kind of gross technical naivety and ineptitude which Federal Government agencies such as the Attorney-General’s Department, ASIO, ASIC, the AFP, Defence Signals Directorate and others continually demonstrate when it comes to the modern Internet age. It appears to be something unique in the nature of the public service that only rarely are those deeply qualified to hold a post appointed to it. There is no doubt that Wimmer appears to be a highly qualified veteran when it comes to national security policy. However, IT security is a deep, complex and completely separate field, the nuances of which are lost on many.
I suggest Wimmer and her colleagues set some time aside for a rapid refresher course on these kinds of modern technologies. If the historical naivety of most politicians themselves with respect to the Internet and other technologies is any indication of what Australia can expect over the next few years when it comes to ‘cybersecurity’ matters, then the office of the Cyber Policy Coordinator will need all the help it can get in educating the political class about modern Internet reality.