No back door, Microsoft tells Parliament


Global technology giant Microsoft has definitively told Australia’s Federal Parliament that it does not have a back door in its software that would allow the company to provide access to the IT infrastructure of the Parliament, which would include private files and emails held by Members of Parliament, Senators and their staff.

In June last year, UK newspaper the Guardian published classified documents created by the US National Security Agency and leaked by whistleblower Edward Snowden, which stated that the NSA was able to gain “direct access” to the servers of companies such as Google, Facebook, Apple, Microsoft, Yahoo and Skype through a program known as ‘PRISM’. The access allowed US officials to collect information including search history, the content of emails, file transfers and live chats.

Subsequently, the New York Times reported that the US Government had used the system to collect information on non-US citizens overseas for nearly six years. The revelation of the move has caused outrage online, amongst the general public as well as those specifically interested in digital rights and privacy online.

In November last year, Greens Communications Spokesperson and Senator Scott Ludlam sharply questioned Department of Parliamentary Services chief information officer Eija Seittenranta, who was appointed CIO in January 2013 to clean up the Parliament’s woeful IT infrastructure, on the issue of whether the reported NSA backdoors had opened up the IT systems of Australia’s Federal Parliament to US interests.

In responses to some of Ludlam’s questions published this month (PDF) and first reported by The Guardian, the department said that, based on the available material, the speculation around backdoors in Microsoft software appeared to relate to backdoors in cloud computing products rather than internal environments. “DPS has not been provided with any specific advice that Microsoft products or any other products have been backdoored by foreign intelligence services,” the department wrote.

It further added that after further investigation and discussions with Microsoft and the Australian Signals Directorate (ASD) regarding backdoor exposures and PRISM: “Microsoft has advised DPS that there is no backdoor within the Microsoft suite of products nor have they made any attempt to source information from the parliamentary network or provide information to any other entity.”

Microsoft, the department said, has advised that the company complies with all jurisdictional laws in relation to these matters. The department also advised that ASD has been a member of the vendor’s Government Security Program, which gives governments controlled access to a variety of Microsoft source code. ASD, for its part, has advised that it is not able to provide commentary on intelligence matters, and that the application of the Top 35 Information Security Manual (ISM) controls remains the most effective mechanism to treat malware and advanced persistent threats.

The department added: “Further advice on whether a backdoor exists or not in Microsoft products would more appropriately be directed to Microsoft itself, ASD or the “Reform Government Surveillance group”, an industry cohort of major ICT companies to address the practices and laws regulating government surveillance of individuals and access to their information.”

The department said it employs a number of intrusion and analysis tools to detect malware and data leakage and that these tools were reviewed to determine if any malware or data leakage was evident in its IT infrastructure environment.

“DPS did not observe nor detect any data leakage that would indicate the existence of a PRISM related capability,” the department said. “DPS continues to implement the Top 35 ISM controls as part of its ICT security control programme. Whilst these have not been specifically designed to manage against threats such as the PRISM system, they are designed to prevent against intrusions and extraction of data from ICT systems.”

The department said it understands that the major security risk would be with cloud computing services where organisations’ data travels outside of Australia.

The department said it could advise “that DPS does not host Parliamentarians’ data in the cloud and that we are taking all reasonable steps to prevent systems such as the alleged PRISM system compromising our ICT environment. Our security tools have not identified any evidence of this style of illicit data collection from the parliamentary network.”

“DPS will continue to implement ASD controls and any reasonable recommendations that are provided by the IT industry, the Attorney General’s Department or ASD to combat malware and any form of advanced or persistent threat.”

opinion/analysis
As I wrote back in November last year, I believe Ludlam was barking up the wrong tree with this one. The important issue here is not so much what Microsoft and the NSA are or are not doing, as this is an issue certainly beyond Seittenranta’s ability to fix, but whether the Federal Parliament’s IT systems themselves are actually adequately funded and secured in general.

A report published by DPS in October 2012 acknowledged that at that time, the Parliament had widespread problems with IT service delivery and infrastructure, stemming from the fact that it has “no parliament-wide IT strategic plan” and no mechanism for making strategic IT decisions, despite a decade of reports warning of the situation.

Similar reports published by virtually all of Australia’s State Governments over the past several years have found that all have huge IT security holes that would be trivial to exploit.

If someone wants to spy on the digital communications and files of an Australian Parliamentarian or their staff, I strongly suspect they do not need to have Microsoft and the NSA on their side to do so. The Parliament’s IT infrastructure is dilapidated enough that an attacker can probably make their own way in. This is the issue Ludlam should be concentrating on: increasing funding to the Department’s IT support operation.

Image credit: Microsoft, Creative Commons

5 COMMENTS

  1. Shame, big shame.

    If they did, maybe we could have gotten access to the unredacted reports of one Malcolm Turnbull, such as the Strategic Review :)

  2. Of course, being that they are a US company, and it appears that much of the ado has been around “secret courts” and “gag orders”, it could be possible that they are not being 100% truthful.

    But as stated, I don’t think they’d honestly need it anyway. Most government security is laughable from my experience.

  3. Ludlam was way off the mark when he said there was a backdoor. The majority of the media and Ludlam assumed the Guardian info meant that the NSA could just log on, when in fact what they were doing was sniffing/tapping the unencrypted links between Microsoft and Google datacenters.

    For places like Parliament that have their own servers hosting their data (rather than Exchange in the cloud), there was no backdoor. But like everyone has said, there’s plenty of poor IT practices that create other trivial vulnerabilities though.

  4. I believe all https and encryption technologies are interceptable by the governments, because they are illegal if the USA government can’t intercept them (export rules). Just read the export notification sticker on any Cisco product.

  5. Almost certain there is a backdoor in MS Windows (desktop & server). Just means NSA haven’t felt the need to use it to eavesdrop on the Federal Government.
