Rachel Noble, head of the Australian Cyber Security Centre (ACSC), has fessed up to the worst-kept secret in Australian cybersecurity circles: that it was indeed the ACSC that had two speakers dumped from CyberCon earlier this month.
"I made that decision," Noble told Senate Estimates on Wednesday evening.
"The advice that I made the decision on, was a proposal for Dr Dreyfus and Mr Drake to ... have a panel with Edward Snowden that was the first proposal. At that point my judgement was based on, I guess, a reputation of all of those speakers that they are known public advocates for unauthorised disclosure or the leaking of classified information outside of legitimate whistleblowing or lawful whistleblowing schemes."
Noble added the talks were not "consistent with the objectives of the conference which was actually about cybersecurity and helping Australians raise their awareness and technical knowledge about cybersecurity issues", and could express views not in line with Australian law, processes, and values.
Dreyfus and Drake were dropped from the program with only a week's notice, and were told their talks were "incongruent" with the content of CyberCon. Drake was a whistleblower formerly with the US National Security Agency, while Dreyfus is a lecturer in the School of Computing and Information Systems at The University of Melbourne. The decision drew a sharp rebuke from cryptographer and computer security professional Bruce Schneier, who was allowed to speak at the conference.
"[Drake] was going to talk about basically surveillance, the kind of talk I would give. Government and corporate surveillance, and how everybody's spying on all of us. I mean, nothing we don't know," Schneier said at the time.
"[Dreyfus] was going to give a talk on work she did for the EU on building whistleblower platforms to reduce corruption in third world countries. Kind of mundane."
Schneier posited that the ACSC saw the word "whistleblower", and freaked out.
"I would say you're morally obligated to go read the two talks," Schneier said.
"Actually if you do want to read them, censorcon.net is where you'll find the slides and the abstracts."
The Australian Cyber Security Centre now forms part of the Australian Signals Directorate (ASD).
"In consultation with operators and vendors, ASD worked to see if there were ways to protect Australia's 5G networks if high-risk vendor equipment was present anywhere in these networks," the report said.
"The review concluded that persistent and legitimate access to 5G networks by high-risk vendors -- who are likely to be subject to extrajudicial directions from a foreign government that conflict with Australian law -- no matter how tightly controlled, will provide hostile intelligence services with an enduring presence in the network. This could be leveraged to undermine the confidentiality, integrity, and availability of our networks."
The report also said ACSC responded to 2,164 incidents during the year, and the first "national cyber crisis", which involved an attack on the nation's political parties by a state actor at the start of the year. It said 40% of incidents related to "low-level malicious attacks" such as targeted reconnaissance, phishing emails, and non-sensitive data loss.
"Members of the public reported the highest number of incidents, making up approximately one quarter of all reports received," the report said.
Speaking at Estimates on Wednesday, ASD said it was 90% certain which state actor was behind the parliamentary network hack, as well as the ANU incident revealed in June. ASD declined to name which states were suspects.
In the wake of the attack, the ACSC helped improve the cybersecurity posture of 25 government agencies in April.
Out goes multi-factor authentication via SMS messages, emails, voice calls, or software certificates for all but the most immature implementations of the Australian Signals Directorate's Essential Eight.