Australian Lefty on Politics, Governance, Science and Info Management

The Age publishes old news on security threat

Posted by Dave Bath on 2008-02-10

"Chinese waging online spy war" (The Sunday Age 2008-02-10) is not news to competent IT security types.  The good news is that the federal government will spend A$70 million to improve things.  The bad news is it probably won’t.  The other bad news is that US activities against "friendlies" went unreported.

$70 million, if spent wisely, will improve things dramatically.  However, if the spend goes mainly on hardware, software and staff, the money will be wasted.

The real improvements will only come via an education program of senior managers on their obligations.

As the adage goes: "A fool with a tool is still a fool".

While there is some hope that the new ALP government will address these issues, it is not certain.  I doubt very much that managers who have been negligent over recent years will be replaced.

It is astonishing how many senior managers know next to nothing about their obligations and the basic principles of IT security, defined by the Attorney-General’s Protective Security Manual (PSM), the documents it refers to, and the associated principles of:

  • General risk management (including how to assess expenditure required)
  • Metadata and information classification (so you know what you have and who should see it)
  • IT-specific issues

As with so many things, obligations and minimum requirements are poorly addressed when creating statements of works and reviewing tenders.

Many IT professionals became extremely frustrated in May 2001, when the Chinese infiltrated many Australian agencies and businesses with significant government ownership, probably triggered by the forced landing in April 2001 of a US EP-3 signals-intelligence aircraft on Hainan Island, a Chinese equivalent of Pine Gap.  Denial, then wilful and negligent inaction, was the typical response of "tier 1" and "tier 2" executives and managers, despite the alarm among technical experts at the coalface.

For nearly two weeks, unusual activity was noted in the computer networks of Australian agencies, with all network diagnostics pointing to China: central servers, long unpatched and laxly administered, were compromised and appeared to feed large volumes of information out of the country.  Even the head of the CIA at the time admitted in a documentary aired on SBS that this was a particularly worrying time.
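What "network diagnostics pointing to China" looks like in practice is a per-host egress baseline and a comparison against it.  The following is an added example, not code from the original post or from any Australian agency: it builds a seven-day baseline of outbound bytes per internal host and destination country from constructed flow records, then flags later days on two rules, a large volume to a country the host never talked to during the baseline, and a spike of at least five times the baseline median to a country it normally does talk to.  Host names, country codes, byte counts and thresholds are all invented for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    """One aggregated outbound flow record (constructed, netflow-like)."""
    day: int        # day index within the observation window
    src: str        # internal host name
    dst_cc: str     # country the destination address geolocates to
    bytes_out: int  # bytes sent from src to that destination


def baseline_week():
    """Seven quiet days of constructed traffic: a central server talking
    to domestic hosts and a US vendor, plus one ordinary workstation."""
    flows = []
    for day in range(7):
        flows += [
            Flow(day, "server01", "AU", 40_000_000),
            Flow(day, "server01", "US", 5_000_000),
            Flow(day, "ws-1042", "AU", 2_000_000),
            Flow(day, "ws-1042", "US", 1_000_000),
        ]
    return flows


# Constructed sample: after the baseline week, server01 (standing in for the
# long-unpatched central server of the text) starts pushing data to a CN
# destination and also spikes to its usual US peer; the workstation stays normal.
SAMPLE_FLOWS = baseline_week() + [
    Flow(7, "server01", "AU", 41_000_000),
    Flow(7, "server01", "CN", 900_000_000),
    Flow(8, "server01", "AU", 39_000_000),
    Flow(8, "server01", "CN", 1_200_000_000),
    Flow(8, "server01", "US", 60_000_000),
    Flow(9, "server01", "CN", 1_500_000_000),
    Flow(7, "ws-1042", "AU", 2_100_000),
    Flow(8, "ws-1042", "US", 1_500_000),   # 1.5x baseline: below the spike factor
    Flow(9, "ws-1042", "NZ", 300_000),     # new country, but tiny: below min_new_bytes
]


def daily_egress(flows):
    """Sum bytes_out per (host, country, day)."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, f.dst_cc, f.day)] += f.bytes_out
    return totals


def baseline_profile(flows, baseline_days):
    """Median daily bytes per (host, country) over the baseline window.
    Days with no traffic count as zero, so a one-off contact does not
    become a 'known' destination."""
    per_pair = defaultdict(lambda: [0] * baseline_days)
    recent = daily_egress(f for f in flows if f.day < baseline_days)
    for (host, cc, day), b in recent.items():
        per_pair[(host, cc)][day] = b
    return {pair: median(days) for pair, days in per_pair.items()}


def detect_exfil(flows, baseline_days=7, factor=5.0, min_new_bytes=50_000_000):
    """Flag post-baseline (host, country, day) totals on two rules:
    - 'new destination country': no baseline traffic from the host to that
      country, and at least min_new_bytes sent in one day;
    - 'volume spike': at least factor x the baseline median to a country
      the host normally talks to."""
    profile = baseline_profile(flows, baseline_days)
    recent = daily_egress(f for f in flows if f.day >= baseline_days)
    alerts = []
    for (host, cc, day), b in sorted(recent.items()):
        expected = profile.get((host, cc), 0)
        if expected == 0:
            if b >= min_new_bytes:
                alerts.append({"host": host, "country": cc, "day": day,
                               "bytes": b, "reason": "new destination country"})
        elif b >= factor * expected:
            alerts.append({"host": host, "country": cc, "day": day,
                           "bytes": b, "reason": "volume spike"})
    return alerts


def egress_by_country(alerts):
    """Total flagged bytes per (host, country): the 'how much left, and
    where' figure that managers need to be shown."""
    totals = defaultdict(int)
    for a in alerts:
        totals[(a["host"], a["country"])] += a["bytes"]
    return dict(totals)


if __name__ == "__main__":
    found = detect_exfil(SAMPLE_FLOWS)
    for a in found:
        print(f"day {a['day']}: {a['host']} -> {a['country']} "
              f"{a['bytes'] / 1e6:.0f} MB ({a['reason']})")
    for (host, cc), total in egress_by_country(found).items():
        print(f"{host} -> {cc}: {total / 1e9:.2f} GB flagged")
```

On the constructed data the three CN days and the US spike on day 8 are flagged, all from server01; the workstation's small new NZ contact and its 1.5x US day are not.  The point of the median baseline is that a server which already ships tens of megabytes a day domestically is judged against its own history, not against a single site-wide threshold that either drowns the alert in noise or never fires.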

It is not just the Chinese who are spying on us.  The European Parliament’s Echelon report (cited below) concluded that the USA spied on European businesses, passing details of tenders from European companies to US businesses to allow them to underbid.

The bottom line is that the $70 million will be wasted unless there is a huge shakeup in management practices, and Australia’s national infrastructure will remain under threat from nation states and terrorists.

See Also / Notes:

  • The mandate of the key IT-related security requirements and practices document (DSD ACSI-33) is clearly defined by the Attorney General:

    Part C (of the Protective Security Manual): Information Security
    This part provides detailed explanations and minimum standards for information security. The PSM seeks to avoid duplication and confusion on computer issues by making extensive reference to the Australian Government Information and Communications Technology Security Manual (ACSI 33), a Defence Signals Directorate.

  • ACSI-33 itself is explicit in its mandate and purpose:

    Australian Government agencies are required by the Protective Security Manual (PSM) to comply with ACSI 33.  Agencies must consider the security implications of their IT systems and devise policy and plans to ensure the systems are appropriately protected.  Although security needs will be greatest when national security classified or non-national security classified information is being processed, even unclassified systems with no special safety, mission critical, or financial implications should have some degree of protection if a reliable or accurate service is to be maintained.
    There are two versions of the manual.  The SECURITY-IN-CONFIDENCE version contains the security policies and guidance for all classifications. The UNCLASSIFIED version only contains policies and guidance for the following classifications: PUBLIC DOMAIN, UNCLASSIFIED, IN-CONFIDENCE, RESTRICTED, and PROTECTED.

    The current version of ACSI-33 at the time of writing (September 2007) was published by DSD together with an erratum document.

  • The DSD’s role includes advice to all government (state and federal) agencies and subcontractors from the private sector.  As they stated in the Senate Inquiry into the Access Card bill (submission 59):
    • DSD’s role is anticipated to cover the following aspects:
      • technical advice on the current tender evaluations;
      • security advice on system design;
      • evaluation and accreditation of information communications technology security products used in the development and maintenance of the system; and
      • vulnerability assessments both before and after system rollout.
    • It should be noted that DSD’s role in development of the system is limited to technical advice.  The final decision on all aspects of the system remains with the Department (or government-owned business concerned).

    Therein lies the rub: managers in departments can ignore the best advice, and often do not know that under the PSM doing so requires a specific waiver from the head of the department or the minister.

  • The US global surveillance system known as Echelon is damned by European Parliament report A5/0264 (2001), and its spying on US citizens worries the ACLU.
  • This document from the US Navy has a good discussion of security ontology and metadata, useful when developing and maintaining information security plans.
