Worst CIO job in Australia?


Spare a thought for Eija Seittenranta, who was appointed Department of Parliamentary Services chief information officer in January this year. Not only did Seittenranta find the department’s IT operations to be an absolute shambles when she arrived, but the poor IT executive has to contend with feisty parliamentarians such as Greens Senator Scott Ludlam, who took Seittenranta to task in this extraordinary Senate Estimates hearing (we recommend you watch the video) about the fact that the US National Security Agency may have a back door into the Microsoft software used at Parliament House. These are the kinds of questions Ludlam was asking the CIO:

“We know that Microsoft software contains a back door which is utilised by the US NSA and Microsoft has been very active in assisting the NSA to circumvent the company’s own encryption standards. What can you tell the committee about the network-level security threats posed by using Microsoft software given that it has been backdoored by foreign intelligence agencies?”

And these are the kinds of responses Seittenranta was giving (transcription here):

“We implement the patches provided by the Microsoft organisation to their systems based on malware that they are aware of. We do not get specific advice on vulnerabilities that may or may not be built into the software … We do not have capabilities to create any patches for vulnerabilities of that nature. We are dependent on what the industry provides us and advice that we might get from the Australian Signals Directorate.”

To a certain extent Ludlam’s questions have merit. It is true that there have been recent reports that the NSA has access to backdoors in the software of major US-based technology vendors. This is certainly an issue which other sovereign nations should be concerned about, when trying to ensure the security of their parliamentary offices.

However, to me Ludlam’s questions pushed Seittenranta too hard and displayed a certain naivety about commercial reality in the IT industry. Seittenranta is not the bad guy here — the CIO is highly competent and was called in specifically to remediate the Parliament’s abysmal IT infrastructure. By all accounts she is doing a stellar job.

Then too, it’s not just Parliament which is vulnerable to any back doors in enterprise software created by US agencies such as the NSA. It’s basically every organisation globally. The unfortunate fact is that some vendors, such as Microsoft, have a virtual monopoly on some types of fundamental IT platforms, such as desktop PC software, and every major organisation uses technology from those same vendors. You know the names: Microsoft, Intel, Cisco, etc.

Frankly, it’s way above Seittenranta’s role to be able to deal with these kinds of problems, and it’s likely even outside the abilities of the Australian Signals Directorate to be able to totally secure systems if the vendors have inserted backdoors for US government agencies. These are fundamental issues for the global IT industry and will not be solved by individual CIOs or even individual governments.

The Federal Government also does not provide enough funding for the kind of security which I think Ludlam would like to see; the reality is that the Parliament’s IT infrastructure, and government IT infrastructure right around Australia, is woefully insecure and out of date. Commentators such as myself have been pointing this out for many years.

If Ludlam truly wants to see significant improvements to the Parliament’s IT infrastructure, I suggest he sponsor legislation to fund it, and get the Coalition Government on board. Demanding answers from the DPS CIO on these issues isn’t going to get anyone anywhere.

Image credit: Parliamentary broadcasting

14 COMMENTS

  1. This is an interesting pickup Renai … and is symptomatic of a ‘shiver’ that has been sent through the whole ICT industry by the NSA snooping revelations. Snowden has provided a timely wake up call to us all from the perils of being the proverbial frog boiled in slowly warming water. We have all these kind of discordant ideas buzzing around in our heads. On the one hand, we watch Hollywood movies about the digital surveillance magic of the intelligence agencies and we know that all countries spy … James Bond and all that. On the other hand, we know that digital technologies are becoming fully pervasive in business and our personal lives and we are using them to record and share all aspects of our professional and personal lives. Hmmm … but we have never really joined these two thought bubbles before.

    I’m here at Dreamforce in San Francisco and Marc Benioff was asked a question about this in a Q&A session. He pretty much avoided answering it beyond emphasising the things Salesforce does to secure customer data and to maintain high-trust customer relationships … but you could sense an underlying frustration as it is just beyond his control when his own government does things that undermine his business.

    Back to the Senate hearing … the problem for Governments is that they do not have a credible, affordably sustainable, alternative to being consumers of the software products of the large global (mainly US-based) software companies. Is this a consequence of the fact that the Government has neglected to support development of domestic software alternatives? Could Australian-owned companies provide all the software for all Australian government agencies? Hmmm … even if this was in theory possible the companies would need to be protected in perpetuity from being acquired by ‘evil snooping outlanders’ in order to keep the ‘back doors’ closed.

    The reality is that we live in an increasingly connected global digital economy … and even government agencies are participants in this connected global digital economy (yes really). This economy is the engine that is creating a fantastic era of innovation in devices, software and inter-connectivity, so there is no way that we can disengage from it without becoming a tin-foil hat wearing backwater.

    In truth, my view is that we need to ‘lean forward’ as the Americans like to say … embrace the future and get there as quickly as possible so that we discard old and out-dated mindsets and skills and acquire new mindsets and skills.

    The problem is not the supposed back doors in Microsoft software it is actually old-school thinking about physical security perimeters in information systems. One thing that using trustworthy public cloud services teaches agencies, for example, is that they should (and can) focus more on understanding and managing their information and using it to enable policy and service delivery innovation … as opposed to fretting over sub-scale, unsustainable and (as it turns out) questionably secure technology stacks.

    Information security is a series of risk/cost/benefit tradeoffs made in the context of a realistic understanding of the Government’s outcomes and the constraints under which it operates. We need to update our thinking about the art of the possible in order to keep risk in context and keep our eye on the outcome ball.

      • Hey Duke … so you don’t think that any cloud services are trustworthy?

        • by trustworthy, you mean that the data housed in their data centres is not accessible to anyone other than those who run the centre (for DR purposes) and pay for its use for normal business purposes, then no.

          i have no confidence in any data centre, at the moment. too many holes to be filled and too much shady government/non-government action going on.

          • Hey Shannon … so, by inference, you are in the fortunate position of working for an organisation with the money, skills and leadership focus needed to run world-class ICT infrastructure facilities … which is good.

          • not at all. and by inference, you are saying that cloud providers are all trustworthy?

            if you have a list of providers that you would put your complete trust in, then by all means, for those of us not in as distinguished position as yourself, provide us that list so that we can use it to help make an informed decision

          • “i have no confidence in any data centre, at the moment”

            hey Shannon,

            I’d be careful what kind of statements you’re making here — they’re bordering on the irrational. Many Australian datacentres, operated by companies such as Fujitsu, Macquarie Telecom, HP, NEXTDC and others, have very high security ratings. Nobody, including no government, is allowed to just simply swoop in and take data out.

            When you combine this with good security implemented by end users on their physical servers and virtual machines hosted in such facilities, it’s drawing a very long bow indeed to say that you can’t trust any modern datacentre.

            I caution you to keep this discussion within the bounds of rationality. If you want to make generalisations like this, you’ll need to provide evidence to back your statements.

            Renai

          • fair point, renai, but please don’t confuse ‘no confidence’ with ‘not secure’.

            i have not once stated that any of these data centres are not secure. all i am saying is that i have no confidence that any data centre is totally trustworthy in the manner that was described in the article.

            and just because a government is ‘not allowed’ to ‘take data out’, does not mean that they can’t or won’t do it.

            i’d hardly call my lack of confidence in data centres ‘irrational’. as you yourself have reported, some very large companies have decided not to use cloud data providers because of security concerns. i know some have, but plenty don’t.

            if you cannot categorically say that all data centres are bullet-proof in regards to security, then my lack of confidence is justified.

          • hey mate,

            it’s fine to have a lack of confidence in some infrastructure. But when you make a blanket generalisation in this area, you approach irrationality.

            Evaluating the security of datacentres isn’t a black and white issue — it’s a very complex, nuanced issue, and Delimiter’s readers are well-educated IT professionals. I would enjoy it if you would stop boiling this situation down into a binary argument ;)

            To ‘use or not use’ any kind of IT solution, is not a logical argument. The argument should be “how to use, when to use, for what data, for what applications, hosted where, under what service level agreements” etc.

            Renai

          • again, fair points.

            i, and the companies i have worked for, have data secured in the very data centres that we are talking about.

            but i would be naive to think that they are 100% bullet proof. i have worked in the IT industry long enough to know that.

            i totally agree that you need to do what is best, but sometimes, that involves compromises. a lack of 100% confidence is sometimes one of those compromises.

          • Mate, let me make this clear for you:

            Nobody is arguing that anything is 100% bulletproof. That is precisely the kind of binary black/white statement that I have cautioned you about. You’re the only person framing the discussion in these terms.

            Make another black/white binary argument like that about the security of datacentres, and I’ll ban you from commenting on Delimiter for a week.

  2. Hey Shannon, apologies if you saw my comment as snarky. I think we’ve been around the houses on this already, but all I am saying, as I stated, is that “Information security is a series of risk/cost/benefit tradeoffs…” The data center is but one part of the information security equation. I’ve documented case studies in Australia where enterprise-grade SaaS solutions were better and more trustworthy – when all things are considered – than the in-house systems they replaced. It can be done …

    • it seems that my last post has been deleted, either by accident or on purpose.

      i’ve said my piece.

  3. While she isn’t the bad guy, I found her answers unsatisfactory and political. It’s hardly unreasonable to ask whether the pollies’ communications are bugged. I found his questions to be quite polite and reasonable and I would have been quite frustrated by such answers from my IT staff. You purchase an OS from an ally with a previously unknown inbuilt backdoor that you are unable to close, fair enough to a point, so why haven’t you done something about it? It raises so many further questions; they got off lightly. His question of why this is OK for the US vs China is perfectly reasonable.

Comments are closed.