Outsourcing accountability?
1 Nov 2017|

The recent defence security breach—labelled ‘ALF’ by the Australian Signals Directorate—involving an Adelaide-based defence contractor has been characterised as a cybersecurity incident. But closer examination indicates that the underlying causes have more to do with poor security governance and failures to implement, maintain and oversee basic security hygiene.

Details of the information that was compromised and how it was compromised have not, understandably, been released into the public domain by government. That said, it’s possible to construct a plausible account of the circumstances of the breach from government and media sources—in particular, comments made at a security conference by an ASD officer.

We know that the defence contractor was an engineering firm with a headcount of about 50 and an IT staff of one. It was several tiers away from being a prime defence contractor. It held information about some of Australia’s most sensitive and expensive defence projects, including the F35 Joint Strike Fighter; the Hercules C-130 transport aircraft; the P8 Poseidon patrol aircraft; the Joint Direct Attack Munition smart bomb; and naval vessels, in all likelihood Australia’s new frigates. It was contracted to defence projects involving Australia’s national security.

In July 2016, the company’s IT system was compromised by an attacker. About two weeks later, the attacker began taking data from the system. Over the next three months, 30 gigabytes of data was stolen. The breach was facilitated by the contractor’s poor ICT security, which included internet-facing servers’ passwords being left at their default settings of ‘admin’ and ‘guest’.

The government has been at pains to emphasise that the data breach was the result of a cybersecurity attack. Implicit in its cybersecurity messaging is that we’re all vulnerable to the complex and inscrutable machinations of hackers and that this event, although regrettable, was beyond our control.

Although that is correct, it’s not wholly correct. The hacking that occurred was far from a sophisticated exercise. It exploited simple security vulnerabilities and was in no way comparable to a highly skilled and intricate cyber operation against an equally skilled and prepared adversary: not all cyber incidents are equal.

Characterising the attack as a cybersecurity incident simpliciter has the effect of normalising cyberattacks and reinforces a widely held perception that we’re powerless. It privileges cybersecurity over mundane but essential basic security procedures to the detriment of the latter. Although we’ll never know whether a more sophisticated attack would have been successful if the contractor had been better defended, the chances are that the attacker would have moved on to a softer target.

The government’s line was that it’s not responsible for the security measures taken by a private-sector contractor. Minister for Defence Industry Christopher Pyne said, ‘I don’t think you can try and sheet blame for a small enterprise having lax cyber security back to the federal government. That is a stretch.’ Again, although that’s true, it’s not wholly accurate.

One of the most troubling aspects of our information security infrastructure is outsourcing. The problem is how to ensure that the security obligations imposed on the public sector are passed on to and observed by private-sector contractors. The fact that the delivery of a product or service has been outsourced doesn’t displace the outsourcer’s security obligations. Often outsourcing is used to drive cost efficiencies. The problem with the way this model is implemented is that government books the savings, but neglects to perform the required oversight and supervision.

As a number of information and security regulators have noted, you can outsource responsibility but you can’t outsource accountability. That rule is built into the Commonwealth’s Protective Security Policy Framework, which makes agency heads—in this case, the secretary of the Department of Defence—accountable for compliance with its standards and for taking action to mitigate security risks. This means that security is an active, not a passive, task. We’re entitled to know when the contractor was last subject to a security review or audit and whether it had made security commitments, such as asserting its compliance with relevant security standards, to the department either directly or through a prime contractor.

The national security community can learn several lessons from the ALF incident. Apart from the obvious ones—such as the need for all participants in the defence supply chain to implement ASD’s ‘Essential Eight’—they include the need for more rigorous security governance, a focus on security fundamentals and an appetite to deal with the challenges of outsourcing. Addressing those issues is not assisted by shaping the narrative to minimise the fallout.