Audit push after defence hack lasts for three months
Nick Xenophon has called for Australian intelligence agencies to launch an audit of all Australian defence contractors after a major security breach.
Australian Signals Directorate incident response manager Mitchell Clarke this week revealed that a hacker accessed about 30 gigabytes of restricted information on the F-35 Joint Strike Fighter, the P-8 Poseidon submarine hunters and Australian naval vessels.
The hacker, thought to have been China-based, had access to the data for three months before the ASD became aware of it.
The ASD referred to the period — between July and November 2016 — as “Alf’s Mystery Happy Fun Time”, in a reference to a Home and Away character.
The Turnbull government yesterday went into damage control over the revelations, and Defence Industry Minister Christopher Pyne said the government could not be blamed for the breach.
“I don’t think you can try and sheet the blame for a small enterprise having lax cybersecurity back to the federal government. I mean, that is a stretch,” Mr Pyne said. He suggested the company was a subcontractor. “The contractor could well have been working for a prime (a major defence contractor),” he said.
According to a recent threat report, during 2016-17 the government responded to 734 cyber incidents affecting private sector systems of national interest and critical infrastructure providers.
Senator Xenophon said it was “very much in the national interest” to find out which other defence contractors or subcontractors had poor cybersecurity.
“The information could paint a mosaic which could compromise our defence,” Senator Xenophon told The Australian.
“This highlights the need for there to be an audit by ASD as to whether the cybersecurity arrangements involving the contractors are adequate or not.”
Opposition Leader Bill Shorten said the Turnbull government should be demanding answers, rather than “making excuses”.
“I think Australians reasonably expect sensitive defence information to be protected,” Mr Shorten said. “Clearly it hasn’t been in this case. I think that if the government needs more resources to protect material, we should expend those resources.”
Alastair MacGibbon, the special adviser to the Prime Minister on cybersecurity, said the stolen information did not compromise national security.
Mr MacGibbon said it was a “lesson” for defence contractors.
“My understanding is that they were actually working for a larger defence contractor. This is a supply-chain issue. It is a third-party supply-chain issue,” he told the ABC.
Richard Buckland, a professor in cybercrime at the University of NSW, said this was a “canary in a coalmine”. “Even the current standards are not sufficient and even if they were, we don’t comply with them. Audits show lots of agencies are not compliant.”
Labor cybersecurity spokeswoman Gai Brodtmann said the hack was “very concerning”.
“We’ve been calling on the government to take the cybersecurity of government agencies seriously since the release of the 2014 audit of cyber resilience,” she said.