  • Enterprise IT, Featured, News, Security - Written by on Wednesday, January 29, 2014 13:30 - 5 Comments

    No back door, Microsoft tells Parliament


    news Global technology giant Microsoft has definitively told Australia’s Federal Parliament that it does not have a back door in its software that would allow the company to provide access to the IT infrastructure of the Parliament, which would include private files and emails held by Members of Parliament, Senators and their staff.

    In June last year, UK newspaper the Guardian published classified documents created by the US National Security Agency and leaked by whistleblower Edward Snowden, which stated that the NSA was able to gain “direct access” to the servers of companies such as Google, Facebook, Apple, Microsoft, Yahoo and Skype through a program known as ‘PRISM’. The access allowed US officials to collect information including search history, the content of emails, file transfers and live chats.

    Subsequently, the New York Times reported that the US Government had used the system to collect information on non-US citizens overseas for nearly six years. The revelation of the move has caused outrage online, amongst the general public as well as those specifically interested in digital rights and privacy online.

    In November last year, Greens Communications Spokesperson and Senator Scott Ludlam sharply questioned Department of Parliamentary Services chief information officer Eija Seittenranta, who was appointed CIO in January 2013 to clean up the Parliament’s woeful IT infrastructure, on the issue of whether the reported NSA backdoors had opened up the IT systems of Australia’s Federal Parliament to US interests.

    In responses to some of Ludlam’s questions published this month (PDF) and first reported by The Guardian, the department said based on the available material, the speculation around backdoors in Microsoft software appeared to relate to backdoors in cloud computing products rather than internal environments. “DPS has not been provided with any specific advice that Microsoft products or any other products have been backdoored by foreign intelligence services,” the department wrote.

    It added that, following further investigation and discussions with Microsoft and the Australian Signals Directorate (ASD) regarding backdoor exposures and PRISM: “Microsoft has advised DPS that there is no backdoor within the Microsoft suite of products nor have they made any attempt to source information from the parliamentary network or provide information to any other entity.”

    The department said Microsoft has advised that it complies with all jurisdictional laws in relation to these matters, and that ASD has been a member of the vendor’s Government Security Program, which gives governments controlled access to a variety of Microsoft source code. ASD, for its part, has advised that it is not able to provide commentary on intelligence matters and that the application of the Top 35 Information Security Manual (ISM) controls remains the most effective mechanism to treat malware and advanced persistent threats.

    The department added: “Further advice on whether a backdoor exists or not in Microsoft products would more appropriately be directed to Microsoft itself, ASD or the “Reform Government Surveillance group”, an industry cohort of major ICT companies to address the practices and laws regulating government surveillance of individuals and access to their information.”

    The department said it employs a number of intrusion and analysis tools to detect malware and data leakage and that these tools were reviewed to determine if any malware or data leakage was evident in its IT infrastructure environment.

    “DPS did not observe nor detect any data leakage that would indicate the existence of a PRISM related capability,” the department said. “DPS continues to implement the Top 35 ISM controls as part of its ICT security control programme. Whilst these have not been specifically designed to manage against threats such as the PRISM system, they are designed to prevent against intrusions and extraction of data from ICT systems.”

    The department said it understands that the major security risk would be with cloud computing services where organisations’ data travels outside of Australia.

    The department said it could advise “that DPS does not host Parliamentarians’ data in the cloud and that we are taking all reasonable steps to prevent systems such as the alleged PRISM system compromising our ICT environment. Our security tools have not identified any evidence of this style of illicit data collection from the parliamentary network.”

    “DPS will continue to implement ASD controls and any reasonable recommendations that are provided by the IT industry, the Attorney General’s Department or ASD to combat malware and any form of advanced or persistent threat.”

    As I wrote back in November last year, I believe Ludlam was barking up the wrong tree with this one. The important issue here is not so much what Microsoft and the NSA are or are not doing, as this is an issue certainly beyond Seittenranta’s ability to fix, but whether the Federal Parliament’s IT systems themselves are actually adequately funded and secured in general.

    A report published by DPS in October 2012 acknowledged that at that time, the Parliament had widespread problems with IT service delivery and infrastructure, stemming from the fact that it has “no parliament-wide IT strategic plan” and no mechanism for making strategic IT decisions, despite a decade of reports warning of the situation.

    Similar reports published by virtually all of Australia’s State Governments over the past several years have found that all have huge IT security holes that would be trivial to exploit.

    If someone wants to spy on the digital communications and files of an Australian Parliamentarian or their staff, I strongly suspect they do not need to have Microsoft and the NSA on their side to do so. The Parliament’s IT infrastructure is dilapidated enough that an attacker can probably make their own way in. This is the issue Ludlam should be concentrating on — increasing funding to the Department’s IT support operation.

    Image credit: Microsoft, Creative Commons


    1. Ray Herring
      Posted 29/01/2014 at 7:08 pm | Permalink | Reply

      Shame, big shame.

      If they did, maybe we could have gotten access to the unredacted reports of one Malcolm Turnbull, such as the Strategic Review :)

    2. Woolfe
      Posted 30/01/2014 at 8:56 am | Permalink | Reply

      Of course, being that they are a US company, and it appears that much of the ado has been around “secret courts” and “gag orders”. It could be possible that they are not being 100% truthful.

      But as stated, I don’t think they’d honestly need it anyway. Most government security is laughable from my experience.

    3. Ed
      Posted 30/01/2014 at 11:49 am | Permalink | Reply

      Ludlam was way off the mark when he said there was a backdoor. The majority of the media and Ludlam assumed the Guardian info meant that the NSA could just log on, when in fact what they were doing was sniff/tap the unencrypted links between Microsoft and Google datacenters.

      For places like Parliament that have their own servers hosting their data (rather than Exchange in the cloud), there was no backdoor. But like everyone has said, there’s plenty of poor IT practices that create other trivial vulnerabilities though.

    4. Paul
      Posted 31/01/2014 at 10:43 am | Permalink | Reply

      I believe all https and encryption technologies are interceptable by the gov’s because they are illegal if the USA gov can’t intercept it.
      (Export rules) Just read the export notification sticker on any Cisco product.

    5. Graham Rawolle
      Posted 31/01/2014 at 1:41 pm | Permalink | Reply

      Almost certain there is a backdoor in MS Windows (desktop & server). Just means NSA haven’t felt the need to use it to eavesdrop on the Federal Government.
