Earlier this month, Australian Parliament computer systems were breached in what is just the latest horse on a perpetual carousel of screw ups.
On this week’s episode of The Australian Government Gets Hacked, an attack on the parliamentary computer network was widely described as an “attempted attack”. This is despite officials saying their main concern was to “get the offender out of the system and keep them out of the system”.
By any definition I’m aware of, if the attacker is in the system, that’s a successful attempt.
The breached computer network is used by politicians and their staff, complete with databases, emails and troves of personal information. As yet, we’re still in the dark about how long the attackers have been in the system.
There’s only so much benefit of the doubt we can give, and the Government has time and again failed to live up to the most basic cyber security standards.
This is the same institution that rushed through the most ill-informed, destructive legislation ever to come out of Canberra. The anti-encryption laws passed before Christmas let enforcement bodies compel a backdoor to be built into any encrypted messaging platform when investigating crimes carrying a prison sentence of at least three years.
These laws are already causing Australian tech companies to lose customers, but the government is refusing to consider amendments. Despite the fallout, the bill will be completely ineffective, thanks to how little our politicians understand encryption (that is, not at all).
With the latest breach, it seems inevitable that our Government will be unable to keep this anti-encryption skeleton key out of the hands of cyber attackers. Whether it’s the Chinese, who are supposedly behind the latest breach, the Russians, or some other malcontent doesn’t matter – once this decryption tool is in the wild, it’s game over. The horse has left the stables.
There’s a dizzying array of examples highlighting Government cyber ineptitude, a laundry list which underscores just how likely it is these tools will end up in the wrong hands.
In December 2015 an ABC report uncovered a hack into the Bureau of Meteorology that saw confidential documents stolen and malware installed. The attack was in early 2015, but it took the government until April 2016 to confirm it.
In September 2016 patients’ medical information was made publicly available on a government website. It took a tip from a university researcher for the government to realise their cock-up. This particular example also helps explain the exodus of Australians opting out of the My Health Record initiative.
Less than a week later a workplace census with the records of 96,000 public servants was hacked and downloaded 60 times. Agency codes included in the records make them potentially identifiable, despite the promise of anonymity to staff.
Then in March 2017 the Department of Human Services gave a journalist the personal information of a welfare recipient who criticised Centrelink’s automated debt recovery system in the media. The recipient was then identified in an article defending the government. The minister claimed it was justified, despite not obtaining a public interest certificate. Legal or not, it shows a flagrant disregard for the personal privacy of individuals.
This is a government that releases the personal information of critics for publication, then doggedly pursues the destruction of the tech industry to look tough on crime. It’s no surprise they’re unable to prevent potentially disastrous cyber attacks. They’re either embarrassingly incompetent or, as the evidence seems to indicate, they just don’t care.
Government is slow and no one expects perfection, but there are improvements government could make: put an end to race-to-the-bottom tenders; pay for high-quality digital security; change how we collect data to stop painting a digital target on government departments.
Or listen to the tech industry when it’s screaming at you that the anti-encryption laws are a terrible idea.
Any one of these options would have been a start to making Australia’s data safe. Instead, both parties make excuses and do nothing to improve the situation. All we get is the occasional underbaked piece of legislation to feign progress on the issue.
There’s a deep irony here, with China suspected to have been behind the latest attack. One minute our politicians condemn China’s digital espionage, then a moment later take inspiration from its corporate-government relations on encryption and privacy, without regard for the technical, financial, or social ramifications.
Rarely does proposed legislation unify an industry in the way the anti-encryption laws did. Technology firms, both Australian and from around the world, spoke out firmly and frequently about the consequences of this law. The gravest concern was these decryption tools would fall into the hands of cyber attackers, a fear which seems justified in the wake of the latest breach.
We tried, but we were ignored. You can lead a horse to water, but you can’t force a horse to drink.
This article originally appeared in the Australian Financial Review