Global technology giant Microsoft has definitively told Australia’s Federal Parliament that it does not have a back door in its software that would allow the company to provide access to the IT infrastructure of the Parliament, which would include private files and emails held by Members of Parliament, Senators and their staff.
In June last year, UK newspaper the Guardian published classified documents created by the US National Security Agency and leaked by whistleblower Edward Snowden, which stated that the NSA was able to gain “direct access” to the servers of companies such as Google, Facebook, Apple, Microsoft, Yahoo and Skype through a program known as ‘PRISM’. The access allowed US officials to collect information including search history, the content of emails, file transfers and live chats.
Subsequently, the New York Times reported that the US Government had used the system to collect information on non-US citizens overseas for nearly six years. The revelation of the move has caused outrage online, amongst the general public as well as those specifically interested in digital rights and privacy online.
In November last year, Greens Communications Spokesperson and Senator Scott Ludlam sharply questioned Department of Parliamentary Services chief information officer Eija Seittenranta, who was appointed CIO in January 2013 to clean up the Parliament’s woeful IT infrastructure, on the issue of whether the reported NSA backdoors had opened up the IT systems of Australia’s Federal Parliament to US interests.
In responses to some of Ludlam’s questions published this month (PDF) and first reported by The Guardian, the department said that, based on the available material, the speculation around backdoors in Microsoft software appeared to relate to backdoors in cloud computing products rather than internal environments. “DPS has not been provided with any specific advice that Microsoft products or any other products have been backdoored by foreign intelligence services,” the department wrote.
It further added that after further investigation and discussions with Microsoft and the Australian Signals Directorate (ASD) regarding backdoor exposures and PRISM: “Microsoft has advised DPS that there is no backdoor within the Microsoft suite of products nor have they made any attempt to source information from the parliamentary network or provide information to any other entity.”
Microsoft, the department said, has advised that it complies with all jurisdictional laws in relation to these matters. The department also advised that ASD has been a member of the vendor’s Government Security Program, which gives governments controlled access to a variety of Microsoft source code. ASD has advised that it is not able to provide commentary on intelligence matters and that the application of the Top 35 Information Security Manual (ISM) controls remains the most effective mechanism to treat malware and advanced persistent threats.
The department added: “Further advice on whether a backdoor exists or not in Microsoft products would more appropriately be directed to Microsoft itself, ASD or the ‘Reform Government Surveillance group’, an industry cohort of major ICT companies to address the practices and laws regulating government surveillance of individuals and access to their information.”
The department said it employs a number of intrusion and analysis tools to detect malware and data leakage and that these tools were reviewed to determine if any malware or data leakage was evident in its IT infrastructure environment.
“DPS did not observe nor detect any data leakage that would indicate the existence of a PRISM related capability,” the department said. “DPS continues to implement the Top 35 ISM controls as part of its ICT security control programme. Whilst these have not been specifically designed to manage against threats such as the PRISM system, they are designed to prevent against intrusions and extraction of data from ICT systems.”
The department said it understands that the major security risk would be with cloud computing services where organisations’ data travels outside of Australia.
The department said it could advise “that DPS does not host Parliamentarians’ data in the cloud and that we are taking all reasonable steps to prevent systems such as the alleged PRISM system compromising our ICT environment. Our security tools have not identified any evidence of this style of illicit data collection from the parliamentary network.”
“DPS will continue to implement ASD controls and any reasonable recommendations that are provided by the IT industry, the Attorney General’s Department or ASD to combat malware and any form of advanced or persistent threat.”
As I wrote back in November last year, I believe Ludlam was barking up the wrong tree with this one. The important issue here is not so much what Microsoft and the NSA are or are not doing, as this is an issue certainly beyond Seittenranta’s ability to fix, but whether the Federal Parliament’s IT systems themselves are actually adequately funded and secured in general.
A report published by DPS in October 2012 acknowledged that at that time, the Parliament had widespread problems with IT service delivery and infrastructure, stemming from the fact that it has “no parliament-wide IT strategic plan” and no mechanism for making strategic IT decisions, despite a decade of reports warning of the situation.
Similar reports published by virtually all of Australia’s State Governments over the past several years have found that all have huge IT security holes that would be trivial to exploit.
If someone wants to spy on the digital communications and files of an Australian Parliamentarian or their staff, I strongly suspect they do not need to have Microsoft and the NSA on their side to do so. The Parliament’s IT infrastructure is dilapidated enough that an attacker can probably make their own way in. This is the issue Ludlam should be concentrating on — increasing funding to the Department’s IT support operation.