
Australian Home Affairs thinks its IT is safe because it has a cybermoat

Source: ZD Net, 02/02/2018


For a department that is focused on protecting borders, it seems
virtual border protection is missing in action.
The cyber realm is fast becoming the battleground of this century,
and, not for the first time, Australia is missing the boat and
trailing the field.
The best evidence of the cyber ignorance of the Australian government
was presented yesterday in Senate Estimates by the Department of Home
Affairs -- the Peter Dutton-led superministry created last year that
sees the majority of the federal government's enforcement agencies
under one roof -- when discussing how it would protect the facial
recognition system it is developing.
Under questioning from Australian Greens Senator Jordon Steele-John,
Home Affairs initially responded that its "hub-and-spoke" topology
was helpful in preventing breaches, presumably on the reasoning that
infosec defences become someone else's responsibility if you are a
mere message-passing hub.
But in the wake of the Australian government being unable to protect
its own Cabinet data, the absolute shambles of the Australian 2016
Census, the complete mess of the Australian Electoral Commission and
its dealings around the Senate ballot scanning solution, and the
festering sore of the Centrelink robodebt saga, one may begin to
think that Canberra and computers don't mix.
To shore up that line of thinking, we need to head to the transcript
as Steele-John presses his case.
Senator Steele-John:
Have you ensured that the systems you're using differ from the
systems which have been breached in recent times in relation to
Medicare and other personal information breaches that've been --
Maria Fernandez PSM, Deputy Secretary, Intelligence and Capability:
I might address that from a cybersecurity perspective from the
department. The systems that Mr Rice refers to -- for example, the
visa and citizenship systems, the biometric systems -- are held
behind our firewalls. Our cybersecurity measures are layered in the
department. We have two internet gateways that are secure internet
gateways. And then, beyond the gateways, we have cybersecurity
software on the desktops, and in our software and in our service --
Michael Pezzullo, Secretary, Home Affairs:
Inside the gateways, I think.
Fernandez:
Inside, yes.
Pezzullo:
We've also got a moat on the outside of the gateway, don't we?
Fernandez:
We do. So the cybersecurity arrangements for the Department of Home
Affairs apply to these biometric systems.
Pezzullo:
Don't we also have forward posts ahead of the moat, as well, that
detect through geoblocking and other --
Fernandez:
Added on to the gateway, yes.
Pezzullo:
Yes.
Steele-John:
Thank you for your time.
What is being described here appears to be the Klein bottle of
cyberdefences, where the moat surrounds the firewall, yet there are
forward posts that are somehow on the gateway, yet beyond the moat.
This exchange would be absolutely hilarious if its implications were
not so consequential. Here we have the heads of the largest
government department, home of the Australian Federal Police, ASIO,
Border Force, thinking that they can glibly discuss the information
security of a national biometric system in terms that are equivalent
to a castle defence game on Facebook.
The die was cast for this sort of interaction when former Minister
Assisting the Prime Minister on Cyber Security Dan Tehan said in 2016
that a centralised approach by government to cybersecurity is
dangerous, and that it is preferable for departments to take care of
themselves instead.
Add to the mix that the Audit Office last year found the then
Department of Immigration and Border Protection had insufficient
protection against external threats, and was under the belief it was
doing better than it was. To add insult to injury, Immigration was
ranked below the derided Department of Human Services that concocted
the robodebt system.
Given this, it is little wonder Pezzullo said yesterday that
Australia's push for a decryption magic bullet will not
undermine "legitimate encryption".
Amid the bluster in recent months from Canberra on gaining access to
encrypted communications, the least-worst scenario would appear to be
targeted end-point compromises by law enforcement to get access to
data prior to it being sent -- but it wouldn't surprise me to learn
that the likes of Pezzullo think there is a magic formula that allows
a separation of good encryption and bad encryption, if only the tech
vendors would cooperate and tell them what it is.
Pezzullo struck out yesterday at descriptions of the decryption
proposal as a "backdoor".
"That's the shorthand, colloquial, and in many respects, highly
ill-informed shorthand that is sometimes used in this field," Pezzullo
said.
"You assume that a backdoor has to be created, I'm just saying that
that is a cartoon-like assumption."
Rest assured that in the realm of ill-informed, cartoon-like
assumptions, Home Affairs and its cybermoat is going to take a lot to
beat.

