The revelation that an Australian defence subcontractor had a large volume of material on Australia’s defence assets stolen in an “extensive and extreme compromise” should ring loud alarm bells in Canberra. Instead, it will likely pass with little interest. But be sure our enemies and allies have noted it.
They’ll also have noted the head-in-the-sand reaction from the government, with Defence Industries Minister Christopher Pyne dismissing the incident as merely relating to commercial, not classified, information, and saying that it wasn’t the fault of the federal government that the subcontractor had poor security. Pyne was thereby demonstrating that the great advantage of outsourcing isn’t so much that governments save money, as that they can avoid blame. You get to outsource responsibility, above all.
The Chinese, or whoever stole the information, don’t care about who’s responsible. But they know that when western governments outsource IT, comms or defence projects, and the companies to which they’ve been outsourced then subcontract work to smaller firms, each step down the food chain sees poorer IT security. It’s no surprise that what is described as a “mum and dad” business was targeted. But the attitude of the government is all care and no responsibility, merely saying that companies should take cybersecurity more seriously, as if this was any ordinary case of commercial espionage.
The other disturbing aspect is the performance of the Australian Signals Directorate. Once regarded as one of the finest signals intelligence agencies in the world, there is now talk in intelligence circles that ASD has been badly exposed and is over-tasked with its dual defensive and offensive cyber-intelligence roles — not to mention being regularly trotted out by the Turnbull government for media purposes.
It seems ASD didn’t know of the breach until it was told, three months after it occurred and after 30 GB of data had been extracted. This is a staggering failure and suggests ASD doesn’t keep tabs on all defence subcontractors. The organisation that won’t let MPs use a new phone unless it’s been forensically vetted seems oblivious to what’s happening to defence data. Will there be any accountability for ASD head Paul Taloni? And why are we only finding out nearly a year later about the hack?
Accountability is the key here — and there isn’t any. Pyne says it’s not the government’s fault. So, whose is it? ASD’s? The company’s? If we’re reduced to blaming “mum and dad” companies for the loss of defence information, that suggests major flaws in our cybersecurity framework. It’s like saying a plane crashed because of “pilot error” and shrugging your shoulders about being able to do anything about it.
If we had an effective mechanism of parliamentary oversight of intelligence and security matters, we might have some confidence that there would be accountability. But the Parliamentary Joint Committee on Intelligence and Security is virtually moribund under the “leadership” of Liberal Andrew Hastie and that committee is hamstrung at the best of times because of limitations on its role.
It would seem an act of absurd optimism to think this will be the last major hack of sensitive information. We’ve sent a strong signal to the world — to Beijing, to Moscow, and to Washington DC — that we can’t, or won’t, protect our data.