Even though Australian Parliament House could be susceptible to the US National Security Agency's Prism program, Monday's Senate Estimates hearing shows that the Department of Parliamentary Services (DPS) stood by and did nothing.
In a series of questions over the state of Parliament House's IT security, DPS CIO Eija Seittenranta agreed with Greens spokesperson Senator Scott Ludlam's assessment that parliamentarians and staff working in the building should assume that they are being exposed to vulnerabilities that would allow the US government to capture their communications.
Ludlam's line of questioning focused primarily on the notion that Microsoft is required to provide NSA with access to its servers and had purposefully opened vulnerabilities in its software to allow unfettered access to information.
Seittenranta confirmed that the majority of servers run Microsoft software, but that DPS was at Redmond's mercy to close off any vulnerabilities introduced.
"We don't have capabilities to create any patches for vulnerabilities of that nature. We are dependent on what the industry provides us and advice that we might get from the Australian Signals Directorate (ASD)," she told the committee.
However, DPS had not sought any advice from the ASD, or advised parliamentarians that they could be at risk. The reasoning behind such a decision was that DPS had not yet seen any evidence that any exfiltration of data had occurred.
Yet Seittenranta also said that DPS doesn't have "the capabilities or the skills in our fairly small ICT team to look for that sort of evidence."
In hindsight, Seittenranta said that the decision not to advise parliamentarians was "just something that we've overlooked."
"It's not one that has been specifically on the top of our minds."
While Seittenranta — who told Ludlam explicitly that "I am responsible for IT security" — appeared not to know whether the US Prism program was rumour or fact, she had also not been informed by those that did.
In October, as the details of Prism began to reach the media, the Attorney-General's Department began to brief ministers on the program. Yet DPS was kept in the dark: Seittenranta told the committee that it was never contacted by the department.
Ludlam is expected to similarly ask the Attorney-General's Department why DPS was not informed of any risk to IT security.
Joining Senate Estimates later, DPS assistant secretary of ICT infrastructure and services Steve McCauley clarified that while it had no patches or security measures specifically in place to counter the US spy program, outbound traffic was routed via the ASD for inspection first for sensitive data.
"There's firewall and other security-type gates, so to speak, that stop that sort of request from going back," McCauley said.
Should data be leaked out, however, the damage should be limited, as DPS' network holds only information classified no higher than Unclassified.
DPS has had some success in mitigating attacks. It sees an average of 400 malware incidents each month, according to Seittenranta, and in the past three months it has seen three phishing attacks. None of the attacks specifically targeted DPS.