Australian security & the cult of mediocrity

Australia is a technological back-water and its cult of mediocrity has come home to roost, big time.

It was revealed today by The Guardian that the Medicare details of millions of Australians are now available for sale on the dark web.

Last week it was revealed that WannaCry ransomware leaked into Victoria’s roads and safety systems.

While this was going down, I was interviewing more than thirty security professionals locally, and tens more internationally who have concluded that outside of Defence and Intelligence Departments, Australia’s security protocols and procedures are inadequate.

These incidences are not outliers, or exceptions to the rule. Australia’s public sector has embarrassed itself with incident-after-incident owing to poor security practices and basic human error.

Last year IBM shut down Australia’s first online Census because its systems wrongly detected the millions of users logging on to complete their civic duty as some kind of denial-of-service attack.

Then there was the tax office debacle and the ongoing Centrelink ‘data matching’ program which has resulted in millions of Australians being chased by debt collectors to pay bills they don’t actually owe.

And the year before that the Department of Immigration accidentally leaked the personal details of hundreds of thousands of thousands of refugees seeking asylum in Australia.

Steve Wilson, VP & Principal Analyst at Constellation Research told Hello Humans that the Federal Government has suffered more preventable accidents than actual hacks.

“Immigration staff posted on the internet a file of thousands of refugee details,” he said. “DFAT leaked via a CCed email the passport details of APEC leaders. This goes to poor IT maturity. Staff seem to not be terribly sophisticated, and/or they are under pressure, and are poorly trained or supported.”

According to the Australian Cyber Security Centre (ACSC) Cyber Security Survey 2016, nine out of every 10 Australian organisations dealt with an attempted or successful cybersecurity breach during fiscal year 2015/16 — and that 58% were successfully compromised.

Meanwhile, our Attorney General, George Brandis, a man who was given three attempts and still couldn’t correctly explain what metadata was, is seeking legal avenues to backdoor encryption services to the benefit of intelligence and law enforcement, but also to the benefit of those with prying eyes and skills that outpace Australian security professionals.

A security professional who wished to remain anonymous described Brandis’ campaign as a “crazy war against maths” and “a very poor policy.”

“Backdoors can be used by anyone,” he said. “That’s why the tech industry completely opposes it. Once you put in a backdoor, someone will inevitably find out about it. The second someone sends this out to Wikileaks or there’s another Snowden, everyone will know how to get into your iPhone, PC, TV set (or government database). You open your entire system to state actors and common criminals, which is what seems to have happened with these last two cyber-attacks.”

That public and government sector security protocols are largely rubber stamped and administered by people with no security training, let alone technology backgrounds is indeed part of the problem. But that is just the tip of the iceberg.

Billions spent on ‘shelfware’

A security professional with more than 20 years working for the Australian Government and the Department of Defence revealed that billions of dollars is being spent on mismanaged and wasted projects that never get off the ground.

“The government spends billions of dollar on shelf-ware,” he said, describing the term for software or hardware that is bought but never used.

Hello Humans spoke to several employees of Australia’s National Broadband Network on the condition of anonymity who revealed IT departments had knowingly bought up “room-fulls” of hardware and software that would never be used for the sake of maintaining quarterly budget increases.

Read the rest on Hello Humans