Western Australia’s auditor-general has handed down a landmark report which details the fact that none of a wide range of government departments and agencies in the state are currently able to prevent basic cyber-attacks against their IT infrastructure — or even detect that they had taken place.

In the report published today and available online in full, WA Auditor-General Colin Murphy reveals his office recently conducted “benign” cyber-attacks on 15 different departments and agencies in the state, including major departments such as the Departments of Education and Health, those with sensitive information such as Legal Aid WA and the Department of the Attorney-General, and others such as Lotterywest.

The first wave of attacks saw preliminary scans conducted on agencies’ networks by the Security Research Centre at Edith Cowan University, using publicly available software downloaded for free from the Internet. “These preliminary scans were deliberately hostile (prolonged and continuous) in a best effort to have our activity detected without making the test a denial of service (DoS),” the report states.

The second stage, which attacked three agencies, saw information gained from the scan used to exploit security vulnerabilities, with the aim of accessing government information.

In a separate attack, the Office of the Auditor-General took a different approach, physically scattering 25 USB keys around 15 different departments and agencies, with about half left in areas open to the public such as in reception or cafeteria, and half left in are not accessible to the public.

If a government worker plugged one of the USB keys into their PC, read one of the files on it and then launched a program, the USB key would then “phone home” to the Office of the Auditor-General, telling it its location and sending back some basic network information.

The results were stark.

“Fourteen of fifteen agencies failed to detect, prevent or respond to any of our hostile scans,” the report states.

In one case, the Office of the Auditor-General tried to provoke a response by conducting a “brute force” attack on an agency web server, sending several million messages to it and noticeably degrading the agency’s network performance. “However, despite this, the attack went unnoticed by the agency,” the report states. “This was even more concerning, given that this agency had specifically engaged a contractor to identify cyber-threats.”

Using the information from the network scans, the attackers were able to then gain access to three agencies without detection. In one they obtained several usernames and passwords for databases in their network, while in others they gained access to files on network shares and login screens for web administration systems.

Lastly, the Auditor-General noted that eight agencies actually picked up the USB keys left lying around their offices, plugged them in and activated the software contained therein, despite the fact that the message contained on the USB devices, and the steps required to run the software, should have made staff “suspicious and wary”.

The audit report published this week is not the first one the Auditor-General’s office has conducted into IT security at Western Australian government agencies; it typically conducts one each year. This year, the Auditor-General went to lengths to point out that its advice from previous years about poor agency IT security was not being followed.

43 percent of departments and agencies it reviewed last year, for example, had showed no change in their approach to IT security over the year, while 15 percent had actually gone backwards by at least one measure, without making any improvements in others.

The news comes at a time when IT security is coming to forefront of the public consciousness due to a series of high-profile sustained attacks on infrastructure, as well as successful cyber-attacks on government and corporate interests.

For example, several of Australia’s major banks and a number of government agencies last week confirmed plans to replace tens of thousands of unique token authentication devices as a result of a break-in at US vendor RSA Security. In late March it was reported that at least ten parliamentary computers, including those belonging to Prime Minister Julia Gillard and Foreign Minister Kevin Rudd, had been hacked.

In addition, Sony’s PlayStation Network has recently been down for about a month through April and May after hackers broke into its network, in a security breach which could have affected more than 100 million online accounts.

State governments around Australia are seeing similar problems with their security.

In October, NSW’s auditor-general Peter Achterstraat rubbished the State Government’s IT security procedures in a report published at that time, saying the state could not guarantee to its residents that it was keeping their information secure and away from prying eyes. In the report, Achterstraat wrote that NSW had been issuing edicts about electronic information security for a decade, with agencies having been directed since at least 2001 to develop and implement security policies around how they hold personal information and certify their IT systems.

“The cyber-security threat is no longer an emerging threat — it exists now and the risk is growing,” said WA Auditor-General Colin Murphy in a statement associated with today’s report. “Agencies need to recognise the risk and take appropriate action to protect their confidential information and systems. I urge agencies to take note of the findings and act on the recommendations of this report.”

Image credit: Elliott Brown, Creative Commons

Three of the Gillard Government’s heaviest-hitting ministers have teamed up to announce this morning that their respective portfolio departments will work together to develop a major new whitepaper to map out the nation’s response to cybersecurity issues which they say continue to build in importance.

In a statement issued this morning, Attorney-General Robert McClelland (pictured, above centre), Defence Minister Stephen Smith and Communications Minister Stephen Conroy said the document — developed over the next year and to be released in the first half of 2012 — would be a “comprehensive blueprint” to help Australians connect to the Internet with confidence.

“The cyber threat to Australia is real, evolving and a growing test to our national security establishment,” Smith said. “It comes from a wide range of sources, and from adversaries possessing a broad range of skills. Cyber attacks are becoming increasingly more sophisticated and targeted. They are no longer confined to random acts of opportunism.”

McLelland said the document would examine a broad range of areas, ranging from consumer protection, cyber-safety, cyber-crime, cyber-security and cyber-defence. It will build on the Government’s existing 2009 Cyber-Security Safety Strategy and the recent establishment of a number of government organisations such as the Cyber Security Operations Centre, CERT Australia.

The development of the paper will be led by the Department of Prime Minister and Cabinet, with the Government to commence extensive public consultations from next month via a public discussion paper.

Over his tenure in office over the past several years, McLelland in particular has appeared to be concerned with the cyber-security issue; making regular announcements of new projects in the area, as well as attempting to unify the Government’s response to the issue internally, and Australia’s approach with applicable international laws and standards.

In addition, a number of very public attacks appear to have been carried out on both Government and enterprise technology systems and architecture over the past several years.

For example, in late March this year, The Daily Telegraph reported that at least 10 parliamentary computers, including those belonging to Prime Minister Julia Gillard, Foreign Minister Kevin Rudd and Defence Minister Stephen Smith, were suspected of being hacked, with government sources linking the attacks to foreign spy agencies. In addition, the loose-knit confederation of internet activists who organise under the banner “Anonymous” appears to have several times targeted Federal Government websites and other communications systems in protest against Labor’s mandatory internet filtering policy.

However, with many of the claimed attacks, it remains relatively unclear to what extent they took place or did damage. For example, mining giants like Woodside Petroleum have recently complained against cyber-attacks on their systems from international players; but without providing any technical information about what precisely the attacks consisted of. It was a similar case with the attacks on Gillard’s PCs.

Image credit: Office of the Attorney-General

The Daily Telegraph this morning reported that at least 10 parliamentary computers, including those belonging to Prime Minister Julia Gillard, Foreign Minister Kevin Rudd and Defence Minister Stephen Smith, were suspected of being hacked, with government sources linking the attacks to foreign spy agencies.

According to the Daily Telegraph, the security breach started to occur in February this year and were carried on for more than a month. In the process, thousands of email are reported to have been accessed. Allegedly, four government sources declared Chinese agencies were among the foreign hackers suspected of having breached Australia’s cyber security.

Attorney-General Robert McClelland said in a statement he would not comment on current operations, but said Australian agencies were working in cooperation with national and international counterparts to ensure cyber-security.

“It’s the long-standing practice of successive Australian Governments not to comment on the operations of security and intelligence agencies,” he said. “Australia’s security and intelligence agencies, as a matter of course, work closely and cooperatively with their international counterparts on cyber-security”.

Earlier this month, the Attorney-General had announced the establishment of a new cyber-security unit created by peak intelligence agency the Australian Security Intelligence Organisation (ASIO). On that occasion the Labor politician had said the new agency would help to tackle the threats of those using the internet as a modern tool of espionage to expose sensitive government material.

“ASIO is also working to guard against foreign interference and espionage, including via technical means,” he said in Canberra in early March, stressing how cybersecurity had become a global issue and that international cooperation was fundamental to national defence.

Today, McClelland added Australia had a dedicated alliance of agencies to protect its Internet borders. “Australia has in place a range of measures including the Cyber Security Operations Centre (CSOC) within the Defence Signals Directorate (DSD) and a dedicated cyber investigations unit within the Australian Security Intelligence Organisation (ASIO),” he said.

The Telegraph reported government sources were concerned about the cyber threats they were exposed to and that one MP had received regular internal warnings against “foreign interests” trying to access computers and telephones. However, McClelland said Australia was always working to improve its cyber-security.
“The Australian Government takes the issue of cyber security very seriously and is constantly strengthening cyber security measures,” he said.

Image credit: MystifyMe Concert Photography, Creative Commons

Federal Attorney-General Robert McLelland is tonight slated to unveil a new cyber-security unit created by peak intelligence agency the Australian Security Intelligence Organisation (ASIO).

In an excerpt from his speech released this afternoon, McClelland said cyber-security continued to be at the forefront of the Government’s agenda. He said while cyber-intrusion was a distinct method of accessing private information and disrupting critical systems, it was also a “people problem” — as individuals hack computers.

He said the modern world posed new cyber-threats for governments and that therefore new instruments were needed. “For this reason, ASIO has also established a specialist cyber investigations unit to investigate and provide advice on state-sponsored cyber attack against, or involving, Australian interests,” he said in the excerpt.

The Labor politician said the new threats required cooperation among agencies, citing the fact that Australia’s national computer emergency response team (CERT) was already operating along with other Government agencies as well as a network of international partners to improve Australia’s cyber-security.

“CERT Australia works closely with the Cyber Security Operations Centre (CSOC), based within the Defence Signals Directorate (DSD), which focuses on identifying and responding to cyber-incidents of national significance,” he said. “ASIO is also working to guard against foreign interference and espionage, including via technical means.”

McClelland reiterated this network of cooperation was crucial to tackle the threats of those using the internet as a modern tool of espionage which — he said — could facilitate access to large volumes of sensitive government and commercial information. “ASIO’s close co-operation with CERT Australia and the CSOC seeks to identify developing threats and determine appropriate responses,” he said.

He added cyber-security was a growing issue globally, citing a break-in at the Dalai Lama’s office and some “critical” Estonian infrstructure that had already been exposed to the new cyber-threats. ”These attacks and the threat to critical infrastructure such as banking, telecommunications and government systems is not something we can be complacent about,” he said.

As the menace expands globally, the Attorney-General remarked the Australian Government would work to establish a broader international cooperation for cyber-investigations. Tonight he will announce his intention to join the Council of Europe Convention on Cybercrime which – he said – is the only binding international treaty on cybercrime.

“Accession to the Convention is a critical step as it facilitates international co-operation between signatory countries and establishes procedures to make investigations more efficient,” he said. “As such, it will help Australian agencies to better prevent, detect and prosecute cyber-intrusions.”

Image credit: Department of Defence

Attorney General Robert McClelland today launched the four day-long international cybersecurity exercise known as Cyber Storm III in Australia — a simulation to test response times and show up public and private sector security exploits.

“On the weekend we saw the chaos that occurred as a result of a computer outage at a major domestic airline,” said McClelland in a statement, in reference to Virgin Blue’s Navitaire software outage that caused chaos to the airline’s flights.

“Imagine the impact of a failure of our banking and finance systems, a disruption to the water or electricity grid, or an outage in the mobile phone network. These scenarios demonstrate the ‘cyber’ reliance of our modern society, as any one of these events has the potential to cause significant social and economic upheaval.”

The Australian leg of the event is hosted by the Australian Government and will provide vital information to new government security agencies — such as the Computer Emergency Response Team (CERT) and Cyber Security Operations Centre (CSOC) — on how to better respond to a cyber security attack.

“With the rapid escalation in the intensity and sophistication of cybersecurity threats, it is imperative that government, business and the community are aware of the severity of cyber security risks, and commit to work together to protect what has become a vital component of our economy and society,” said McClelland.

Major Australian private sectors and government sectors are also joining in the event as either participants or as passive observers. The exercise involves public and private organisations across the telecommunications, finance, transport and utilities sectors.

Telstra is the largest telecommunications company in Australia to take part in the global exercise, which involves Canada, New Zealand, UK, and the US. The giant telco said it was a good opportunity to to further develop government and “key industry” organisations.

“Our participation also allows us to develop our collaborative working relationships with industry and government stakeholders, and to tap into different aspects of security thinking. By doing this in a secure information sharing environment, we all play a role in developing and strengthening the nation’s response to online threats,” said Telstra executive director of network information technology operations Craig Hancock.

“Exercises like Cyber Storm ІІІ are a great opportunity to test the veracity of these network protection measures, in addition to communications and decision-making processes which underpin any technical response to a cyber event. By actively testing our response processes, we can then evaluate and improve our effectiveness in managing and responding to cyber security incidents,” he said.

Telstra said that while there were security measures are already implemented thanks to Telstra’s Security Operations Centre in Canberra and the network monitoring of Managed Network Operations Centre in Melbourne and Global Operations Centres in Sydney, the “integrity” of its networks was its main focus.

Optus is participating as an observer but could not immediately provide further information on its involvement. The Australian Security Intelligence Organisation (ASIO) is also known to be involved, but declined to comment directly on the subject. The office of the Attorney General was not able to provide a full list of Australian organisations involved.

The last event of its kind was Cyber Storm II — held back in 2008 — when Australia was the second-biggest participant to be involved. Australia has been a participant since the first Cyber Storm was held back in 2006.

Image credit: Office of the Attorney-General

The Department of Defence’s recent move to start hiring cyber-security staff in bulk appears to be just the start of its plans to secure its own electronic borders, and those of other potential targets of national importance.

Last week the department advertised for a sizable clutch of senior IT security staff to be part of its Australian Defence Force Computer Security Incident Response Team (CSIRT) based in Canberra.

However, the department shortly after clarified it would soon conduct a separate hiring initiative for the newly opened and separate Cyber Security Operations Centre.

“The roles of these positions are specific to defending Defence networks against security threats,” a Defence spokesperson said in an emailed statement late last week.

“The recently advertised positions referred to are not part of recruitment for the Cyber Security Operations Centre. The Cyber Security Operations Centre (CSOC) will commence recruiting shortly and will be looking for people highly trained in information technology and analysis.”

While the CSIRT will specifically defend computer networks within Defence, the CSOC has a broader role — providing government with an understanding of cyber-threats against Australian interests and coordinating and coordinating and assisting the operational response to electronic events that have national importance across both government and critical infrastructure.

Defence Minister John Faulkner opened the CSOC in mid-January, describing the move as a major step in meeting Defence’s commitment to understand online threats.

“The Cyber Security Operations Centre will employ around 130 highly-skilled information technology experts, engineers and analysts drawn from the DSD. There will also be representatives from the Defence Intelligence Organisation and the ADF and scientists from the Defence Science and Technology Organisation as well as representation from the Attorney-General’s Department, ASIO and the AFP,” Senator Faulkner said at the time.

The position of the CSIRT and CSOC within Defence, in addition to existing groups such as the Defence Signals Directorate and the Australian Government Computer Emergency Readiness team (CERT Australia) within the Attorney-General’s Department — as well as the existing non-profit and non-government AusCERT, means Australia now has a plethora of electronic security organisations to handle serious electronic threats.

As several of these have been created recently, it remains unclear thus far what the exact levels of jurisdiction are between their operations. The various state and Federal branches of Australian police forces also operate significant e-crime units.

Image credit: Department of Defence