As a devotee of IT security (and somewhat of an expert in the space), I watch with droll amusement the dog and pony show of people running around talking about cyber threats, but then reverting to comments about password strength, malware, and so on. The recent revelations that nation states have been conducting ongoing espionage against each other suddenly seem to be “new news”, even though we all grew up reading the James Bond books, apparently not believing them to be true.
Of course, much of the mechanics of communications is now within the private sector. As such, there is an arm's-length engagement (of sorts) between that private sector and the government, but that implies that there is at least the vaguest level of knowledge amongst those concerned.
I refer to the following discussion, from just a day or two ago, in the Australian Federal Senate committees. LUDLAM is a West Australian Federal Greens Senator, on the ICT Committee. Seittenranta is the CIO of Parliamentary Services, i.e. the person ultimately accountable for the information security around our most senior politicians.
What I find stunning is a) the “no, we are not aware that our major software provider has provided back doors into our systems to a foreign intelligence agency”, b) the “our plan to deal with this (the intrusion by a software supplier (Microsoft)) is to make sure we are up to date on all of the software patches from said company”, and c) the “we lack the ability to delve more deeply into this”.
Senator LUDLAM: I figured.
We know that Microsoft software contains a back door which is utilised by the US NSA and Microsoft has been very active in assisting the NSA to circumvent the company’s own encryption standards. What can you tell the committee about the network-level security threats posed by using Microsoft software given that it has been backdoored by foreign intelligence agencies?
Ms Seittenranta: I would have to take that on notice.
Senator LUDLAM: Why is that?
Ms Seittenranta: It is not a level of detail that I am familiar with.
Senator LUDLAM: I am not sure that I would call it detail. For example, do we provide for a specific patch against that back door, or is the parliament’s network open to intrusion by the US government?
Ms Seittenranta: We implement the patches provided by the Microsoft organisation to their systems based on malware that they are aware of. We do not get specific advice on vulnerabilities that may or may not be built into the software.
Senator LUDLAM: Okay, but you are aware that Microsoft is under a legal obligation to allow the US NSA access to its servers and its hosting services.
Ms Seittenranta: We are aware that there are rumours to be things like that around, yes.
Senator LUDLAM: It is not a rumour; we have primary source documentation and know that is correct.
Ms Seittenranta: We do not have capabilities to create any patches for vulnerabilities of that nature. We are dependent on what the industry provides us and advice that we might get from the Australian Signals Directorate.
Senator LUDLAM: So should parliamentarians and staff working in this building assume that we are exposed to that level of intrusion?
Ms Seittenranta: Yes, I suppose you should be able to assume that. Also, it probably should be noted that our network is not a protected network. It is unclassified.
Senator LUDLAM: Yes. What about ministerial?
Ms Seittenranta: For ministers their home departments provide their IT. Each minister has access to the parliamentary computing network in the same way as backbenchers.
Senator LUDLAM: I would have to chase the departments around this building one after another to see what they do, wouldn’t I?
Ms Seittenranta: To see what they do.
Senator LUDLAM: Okay. But, as far as the work of ordinary MPs - everybody sitting around these tables and most of the people behind - that back door is in effect? You have not taken any actions to remedy that security hole that has been opened by the NSA?
Ms Seittenranta: No, we would not have taken a specific action.
Senator LUDLAM: Is there any reason why not? Could I request that you might take that action on behalf of all of us?
Ms Seittenranta: We would be dependent on somebody being able to provide us appropriate patches to close that. We do not have the technical skills to create patches to close that nature of vulnerability, so we would have to take that on notice to work with the Australian Signals Directorate.