Xenophon wants Senate inquiry into cyber attacks following BoM breach


Independent Senator for South Australia Nick Xenophon has called for an urgent inquiry into cyber security following recent revelations that the Bureau of Meteorology’s systems have been breached, along with those of other government agencies.

If the Senate votes for the inquiry (it appears the vote will take place early in February when the Senate resumes sitting), the Environment and Communications Committee will be asked to carry out a wide-ranging examination of cyber security, “from an individual’s phone being hacked to government agencies’ or NGO’s data being compromised”, Senator Xenophon said in a statement.

The terms of reference of the proposed inquiry will be the “adequacy of security for government and citizen data held or transmitted by governments, commercial entities, NGOs or citizens”, with particular focus on:

  1. Australia’s current laws and their enforcement
  2. The government’s cyber security policy framework for government agencies and reporting requirements of same
  3. Security (e.g. vetting) measures for personnel with access to government and citizen data stored or transmitted on government, NGO and commercial entities’ IT systems
  4. Physical security measures for government, NGO and commercial entities’ IT systems which store or transmit government and citizen data, including for mobile phone networks
  5. Cyber attack and interception security measures for government, NGO and commercial entities’ IT systems that store or transmit government and citizen data, including for mobile phone networks
  6. The safe disposal of obsolete government and NGO/commercial entities’ IT systems, databases and storage systems
  7. Methods for detecting security breaches, including the detection of mobile surveillance devices such as International Mobile Subscriber Identity (IMSI) catchers
  8. Other approaches to these areas used in other jurisdictions
  9. Any other related matters.

Senator Xenophon has previously raised the issue of cyber security after appearing in a 60 Minutes story this year, during which it was demonstrated how easy it was to hack his mobile phone and listen to his calls.

“For too long successive governments have been asleep at the wheel when it comes to cyber security, whether it is individual’s mobile phones or government organisations being hacked by spies, there are huge vulnerabilities that need to be looked at,” he said.

The Bureau of Meteorology possesses one of Australia’s largest supercomputers and provides information to a host of government agencies and even links to the Department of Defence in Canberra.

The cyber attack on its computers, which has been called a “massive” breach, has been blamed by various sources on China.

Australian Strategic Policy Institute (ASPI) executive director Peter Jennings told the ABC there was evidence China was behind the hack. However, China has denied the claims.

“As we have reiterated on many occasions, the Chinese government is opposed to all forms of cyber attacks,” said Hua Chunying, the Chinese Foreign Ministry spokesperson.

4 COMMENTS

  1. Legislation requiring businesses of all sizes to adequately secure their systems, with penalties for non-compliance, has been sorely needed for years. Most people, including company directors and CEOs, think of IT as an expense to be minimised, when they need to think about it as one of the largest risks to their business. Whether it’s data loss, data theft or interruption of services, any of those could cripple a business overnight if not adequately foreseen and designed for. Indeed, inadequate security leading to customer data theft or collapse of a business could leave senior management open to personal liability if warnings were ignored and shortcuts taken. The more seriously the government takes this issue, the more seriously businesses and their executives will take it.

    Remember, cyber crime is growing exponentially because the payoff for successful attacks is so massive. Traditional criminals have turned to hacking because they want a share of the tens-of-billions-of-dollars pie. Between organised crime and state hacking the Internet is like a dangerous war zone, with only governments, criminals and medium to large enterprises even aware they’re on a battlefield – most of the figures stumbling about like zombies haven’t the slightest clue that the only thing protecting them from destruction is the fact that, compared to the behemoths nearby, they are so insignificant they are paid no attention. But at some point the cost of remaining connected using existing technologies is going to be too high and difficult for anyone not protected by professional security teams – it is an inevitable conclusion to the accelerated pace of malicious hacking. Assuming, of course, we can overcome the vested interests of the commercial system, which will do absolutely anything to avoid acknowledging the scope of an issue it is comprehensively incapable of addressing. Imagine Microsoft calling time and admitting that Windows is impossible to secure, or Cisco making such an admission about their network hardware – it would kill their companies, so they will do what they can to plug holes on the one hand, while pretending that the threat is one they can handle and everyone should remain confident that the threat is minor. Which will work right up to the point where it doesn’t anymore and we find ourselves plummeting over the edge of the precipice, the collective efforts of a global criminal collective with ever-increasing incentives fuelling research that’s uncovering hundreds of zero-day vulnerabilities every year now.

    The only solution to this is governments taking the issue seriously and directing sufficient resources to addressing it. Initially this starts with making businesses accountable so they do what is necessary themselves to minimise or mitigate potential security and data loss causes, which will immediately reduce the funding and thus incentives of cyber crime because the global payload will be reduced. The second part requires a sea change in the way we think about security – small businesses and end users will never be able to compete against large organised crime operations and state sponsored hacking, so states need to work out what can be done to collectively protect their whole countries. There are some solutions, but right now governments aren’t looking at them because the same techniques that will protect their citizens from cyber crime will also protect them from government data collection. Data protection has to trump government snooping or there won’t be anything left worth snooping, but it will be a hard sell convincing governments addicted to the idea of tracking everyone everywhere that what they want is essentially compromising the security of the planet.

  2. Unrelated: after having been picked last for everything, Nick Xenophon’s favourite school memory was of the day Bobby Xylophone joined his class.

  3. It seems to me that the PRC is being blamed simply to imply the cracked resource did indeed have adequate security in the first place.

    I think the first thing to be done whenever an enterprise or agency has been cracked open is to immediately have the Australian Signals Directorate Australian Cyber Security Centre conduct a rigorous penetration test. Without notice.

    Then we can look at what prosecutions should be launched.
