Australian security & the cult of mediocrity
Australia is a technological backwater, and its cult of mediocrity has come home to roost, big time.
It was revealed today by The Guardian that the Medicare details of millions of Australians are now available for sale on the dark web.
Last week it was revealed that WannaCry ransomware leaked into Victoria’s roads and safety systems.
While this was going down, I was interviewing more than thirty security professionals locally, and tens more internationally, who have concluded that outside of the Defence and Intelligence Departments, Australia’s security protocols and procedures are inadequate.
These incidents are not outliers or exceptions to the rule. Australia’s public sector has embarrassed itself with incident after incident owing to poor security practices and basic human error.
Last year IBM shut down Australia’s first online Census because its systems wrongly flagged the legitimate traffic from millions of users logging on to complete their civic duty as some kind of denial-of-service attack.
Then there was the tax office debacle and the ongoing Centrelink ‘data matching’ program which has resulted in millions of Australians being chased by debt collectors to pay bills they don’t actually owe.
And the year before that, the Department of Immigration accidentally leaked the personal details of hundreds of thousands of refugees seeking asylum in Australia.
Steve Wilson, VP & Principal Analyst at Constellation Research, told Hello Humans that the Federal Government has suffered more preventable accidents than actual hacks.
“Immigration staff posted on the internet a file of thousands of refugee details,” he said. “DFAT leaked via a CCed email the passport details of APEC leaders. This goes to poor IT maturity. Staff seem to not be terribly sophisticated, and/or they are under pressure, and are poorly trained or supported.”
According to the Australian Cyber Security Centre (ACSC) Cyber Security Survey 2016, nine out of every 10 Australian organisations dealt with an attempted or successful cybersecurity breach during fiscal year 2015/16, and 58% were successfully compromised.
Meanwhile, our Attorney General, George Brandis, a man who was given three attempts and still couldn’t correctly explain what metadata was, is seeking legal avenues to backdoor encryption services, to the benefit of intelligence and law enforcement, but also to the benefit of anyone with prying eyes and skills that outpace Australian security professionals.
A security professional who wished to remain anonymous described Brandis’ campaign as a “crazy war against maths” and “a very poor policy.”
“Backdoors can be used by anyone,” he said. “That’s why the tech industry completely opposes it. Once you put in a backdoor, someone will inevitably find out about it. The second someone sends this out to Wikileaks or there’s another Snowden, everyone will know how to get into your iPhone, PC, TV set (or government database). You open your entire system to state actors and common criminals, which is what seems to have happened with these last two cyber-attacks.”
That public and government sector security protocols are largely rubber-stamped and administered by people with no security training, let alone technology backgrounds, is indeed part of the problem. But that is just the tip of the iceberg.
Billions spent on ‘shelfware’
A security professional with more than 20 years working for the Australian Government and the Department of Defence revealed that billions of dollars are being spent on mismanaged and wasted projects that never get off the ground.
“The government spends billions of dollars on shelf-ware,” he said, using the term for software or hardware that is bought but never used.
Hello Humans spoke to several employees of Australia’s National Broadband Network, on the condition of anonymity, who revealed that IT departments had knowingly bought up “roomfuls” of hardware and software that would never be used, for the sake of maintaining quarterly budget increases.
“This is bad behaviour,” said the former public sector professional. “It is a situation of the tail wagging the dog. The data is the critical asset, not the systems it runs on. But they get to the end of the month, and this bad behaviour is being driven by these budget constraints, so they do everything they can to spend their entire budget before the end of fiscal year.”
Stuck in the past
Government and public sector IT departments too often employ people whose technical education has not kept up with the rate of change. Worse, high-risk security projects are mediated and managed by people with no technical know-how whatsoever.
“If someone is spending too much money on an IT project they don’t quite understand, no one is regulating that,” a security professional with public sector experience told Hello Humans.
“People are too afraid to admit what they don’t know. There are far too many people in the industry that refuse to change with the times. They get stuck in their ways, living in the past, too emotionally attached to the tech they have spent their life learning and becoming experts in, desperately hanging onto it, trying not to become obsolete.”
The result is either the implementation of inappropriate technical solutions, or outsourcing entirely to consulting agencies that charge hefty premiums for fly-in-fly-out (FIFO) workers on very high day rates. “This happens in government departments all the time,” he said.
“Consultants on $2000 a day are not uncommon. What happens is they burn through their entire budget in four weeks, and the consulting company pulls up stumps, even if the project is not yet complete, because the department has run out of money.
“But the two guys who instigated the project at the golf-club already have their money, so they don’t care.”
The public sector professional says there is a critical need for ‘fundamental change’. He called for an independent auditing body to assess how money is being spent on critical infrastructure.
Programmers are part of the problem
Steve Wilson, VP & Principal Analyst at Constellation Research, also told Hello Humans that Australia is suffering from a crisis of programming mediocrity.
“I am afraid the code quality of Australian programming is farcical,” he said. “At every turn, programmers are under pressure (often self-inflicted) to rush their work.”
Wilson says the evangelism over Agile working and minimum viable products has made poor security practices commonplace procedure.
“The truth is, programmers are hasty,” he said. “They under document, they under analyse, they under think, they under test, and Agile software development just gives them license to cut corners. We need to be taking a lot more time engineering complex software systems. Programmers are themselves a big part of the problem. As a class, they simply lack the professionalism that should go with the digital transformation.”
Complacency: Aussie government ‘sleep-walking’ into disaster
Wilson says cyber security is funded at nowhere near the level that the criticality of digital systems to life today would warrant.
“There is no solid sign in my view that governments are attending to security in a systematic, careful, patient way,” he said.
Wilson lays some of the blame at the feet of the ‘open government’ movement, where data is shared between departments with little or no consent from the people whose personal information is being stored.
“There is a rough quasi-religious faith in the benefits of sharing government data that seems to override sober risk assessment,” he said.
Moreover, Australian security culture has yet to mature.
“Teams are not given enough time or self-determination to get a decent job done. IT security is largely about going through the motions. Risk assessments are too often box-ticking exercises, rarely involving the care and attention to detail needed to find real problems.
“Think about the value of digital assets today. Citizen and healthcare databases at population scale are worth billions of dollars, and yet governments are penny pinching. We know cybercrime is industrialised. Yet we are sleep-walking into disaster with slipshod security around e-health records, taxation, national infrastructure, really every area of government and private sectors in which sensitive and personally identifying information is stored.”
Standards have slipped
Nick FitzGerald, ESET’s Senior Research Fellow for APAC, told Hello Humans that WannaCry, Petya and other similar cyber-attacks demonstrate how much the IT industry has either forgotten to train new people or simply failed to.
“Standards have slipped,” he said.
FitzGerald says the growth of for-profit universities has completely altered the way security is taught. “Increasingly universities are partnering with banks, technology and software companies which provide scholarships, technology, and training courses to provide several certifications required for any IT related employment, particularly in the public sector,” he said.
Students are being trained in siloed, corporate fields that encourage them to spend thousands of dollars on certification for only one particular kind of software. No longer are holistic network security and the basic fundamentals of connecting one system to another a priority in education. If anything, the opposite is true.
“What training that does exist encourages software silos that often deliberately make it difficult to connect with other competitor brands, making any kind of coding for these systems to read each other an ad-hoc job filled with danger and room for human error,” he said.
FitzGerald’s partner, a former New Zealand university lecturer, says that because the cost of degrees has risen exponentially, students arrive at university with the expectation of passing. In many cases they expect to pass and get a good grade because, hell, they’re paying for it.
“To the extent there are tertiary courses, it seems to me a lot of the newer ones, what they offer focuses on how to configure the products from Vendor X, as a way to train them up so they can pay several thousand dollars in fees to get the several ‘professional certifications’ employers require for you to even get your foot in the door,” he said.
“It has usurped a formal training role and removed the knowledge and understanding of the many facets and complexities of IT security and replaced it with specific product specialisation with no real understanding or regard for how it or any other systems operate in the real world.”
Five years to fix the skills gap
A former public servant told Hello Humans that Australia is suffering from a ‘huge’ skills gap that will take at least five years to solve, and only if today’s high-school students are incentivised into career paths that offer holistic security practices rather than ones dominated by proprietary certification. He called for the creation of an IT body or commission for Australian technology direction and strategy that can address the skills shortage and underemployment simultaneously.
“The payoff will be significant,” he said.
In the meantime, it would probably help if technical portfolios were held by MPs who understand how technology works, and their programs administered by competent professionals whose knowledge is up to date.
That would be a damn good start.
So long as security is treated as an afterthought these leaks will continue to be business as usual.