First Among Equals — Pollies Are Australian Cyber-Security’s Weakest Link

The 2016 US Presidential campaign will be remembered as the election that made cyber-security a mainstream political issue. The ‘Hacking Election’ transformed Info-Sec from a niche issue for security wonks into a general interest issue of political controversy. Unfortunately, it also showed how far behind the mark most political candidates and elected representatives are when it comes to ‘the Cybers’.

Many observers chortled when, in response to a question in the first presidential debate about how best to defend against cyber attacks, candidate Trump responded:

“As far as the cyber… we have to do better… I have a son — he’s 10 years old. He has computers. He is so good with these computers. It’s unbelievable.”

Fewer people were laughing after the Office of the Director of National Intelligence released a report outlining the US intelligence community’s assessment of Russian efforts to use ‘cyber operations’ to influence the US election.

Unfortunately, like most of the general public, the cyber-security competence of the average person working in Australian politics today is closer to that of the President-Elect’s ten-year old son than we’d like to admit. Despite the periodic release of much ballyhooed cyber security strategies, little of this has seeped through into the consciousness, and more importantly, into the behaviours of people working in and around Australian politics. It’s only a matter of time before we see our own political info-sec scandals.

The success of Russian cyber-operations in the US election should be a warning to political actors around the world. Cyber-security isn’t just about protecting classified government information anymore. As public figures, politicians are uniquely vulnerable to doxing, ransomware attacks and straight up blackmail. Hackers are now routinely targeting elected representatives, candidates and staff in political systems around the world with a wide range of motivations. Before the high profile attacks on Hilary Clinton and the DNC, there were major spearphishing attacks on politicians from Germany, Taiwan, Japan and a range of South American nations. Recent events in the US will only encourage further attacks.

It would be naïve not to think that Australian political figures are not targets for these kinds of attacks. Indeed, the official Parliamentary email system for Australian Members of Parliament were reportedly compromised for a year in 2011. The risk will only grow as the global geo-strategic environment, and Australia’s role in it, becomes more complex and contested.

Yet to date, Australian Members of Parliament have been largely on their own when it comes to protecting themselves against these threats. Since I became a Member of Parliament in 2013, no one has contacted me or my office with the simple message “You are a target and here’s what you can do about it”. MPs offices have personal safety alarms and staff and members receive personal briefings on procedures to follow when confronted by threats of violence, but there is no equivalent guidance for online security risks. Some seek this information out — many don’t.

As a result, poor cyber-hygiene is rife among MPs, candidates, political staff and volunteers. While there are security measures in place for official IT services like the @aph email accounts, MPs rely on many other online platforms that are not protected in the same way. The use of social media services like Facebook and Twitter, messaging apps like Imessage and Wechat, productivity apps like Slack and Dropbox, and private email accounts like Gmail are ubiquitous. In many cases, multiple staff access these services from multiple locations. No doubt it would be common to see a single ‘office password’ used across multiple services and it would be surprising if these passwords were changed regularly. Prime Minister Turnbull deserves credit for espousing the importance of two-factor authentication during a recent press conference, but how many members of his party room are using it across their various social media and private email addresses. I’d wager not many.

Given the frequency of data breaches on these sites, it’s more likely than not your average MP has already been pwned without even knowing it.

There are a range of government cyber-security strategies and policy documents that could be of theoretical relevance MPs and their offices, but to date, there has been no one pushing this message out to the people who need to hear it in our Parliaments and our political parties.

The Cyber Security Strategy released by the government last year effectively pursues a decentralised defence strategy that puts the onus on each government agency to be responsible for their own cyber security.

The Minister Assisting the Prime Minister on Cyber Security, Dan Tehan described this approach late last year as:

“What we want to develop is a culture with all departments and agencies within government that they have the mechanisms in place to make sure they are as cyber-secure as they possibly can be, and if there is capability shortfalls, that they reach out to see how they can get them addressed by other agencies who can help in this regard.”

The Minister indicated that he would be writing to the department and agency heads to encourage them to take cyber-security seriously. Unfortunately, so far, nobody has been writing to Members of Parliament or the people working around them to tell them what they should be doing to protect themselves from this growing threat.

Prime Minister Turnbull has announced an inquiry after the discovery of MPs’ APH email addresses in a series of data dumps following recently discovered breaches of LinkedIn and Yahoo. This inquiry should be the first step in addressing this existing vulnerability. At a minimum, the inquiry should look at the security risks associated with MPs, staff and campaign volunteers’ use of online platforms outside those administered by the Department of Parliamentary Services. Ideally, the review should make recommendations for building resilience against online threats across our political system — including awareness and competence building and information sharing about attacks.

If it fails to do so, participants in our political system risk being no better protected online than President-Elect Trump’s ten year old son. And that’s no laughing matter.