Aussie Parliament's sad cyber espionage saga is a salient lesson for others

Australia's Parliament downplayed a leaked report saying its cybersecurity was 'at a low level of maturity', claiming it's OK now. But parliaments and politicians are high-value cyber espionage targets.
Written by Stilgherrian, Contributor

"Parliaments of all descriptions are of interest to intelligence services," says Tom Uren, senior analyst with the International Cyber Policy Centre (ICPC) at the Australian Strategic Policy Institute (ASPI) in Canberra.

The spooks want to know what issues the politicians are looking at, their stand on particular issues of interest, and even their personalities and those of their staff.

"A lot of politics ultimately come down to personalities," Uren told ZDNet. "They want to know about those issues."

Some of the things that you might learn from hacking a parliament are of only short-term interest, he said. The latest stance on a current negotiation, for example, will come out in time anyway, and after that, the intelligence has no further use.

The politics and personalities -- that's the stuff with long-term value. That's the stuff that can provide leverage for blackmail or bribery.

There's nothing new here, of course.

"Human intelligence has always worked like that. Understanding people to understand their motivations and how you can influence, or even manipulate, or even coerce them," Uren said.

"The cyber aspect is just a different avenue that allows remote access, it's deniable, and sometimes access is a lot easier than engaging with people."

Cyber espionage can also provide an enormous volume of documents.

"In a kind of weird bureaucratic way ... it looks like you're doing more work because you're getting more documents," Uren said. "Spies becoming more productive because of digitalisation!"

We shouldn't be surprised, therefore, that we've already seen some high-profile parliamentary hacks.

In 2017, for example, a sustained and determined cyber attack on UK parliament's systems compromised 90 accounts, or about 1% of total users. That one seems to be down to script kiddies, however.

In 2018, in the lead up to the 2019 European Parliament election, Microsoft claimed it was Russian unit APT28 -- a.k.a. Fancy Bear a.k.a. Strontium -- that had hacked into 104 accounts belonging to employees at political organisations in Belgium, France, Germany, Poland, Romania, and Serbia.

APT28 is one of the two Russian groups known to have breached the Democratic National Committee servers ahead of the US presidential election of 2016.

Hackers have also targeted non-government organisations such as the German Council on Foreign Relations, and European offices of The Aspen Institute and The German Marshall Fund.

National leaders are also of particular interest.

Documents leaked by Edward Snowden starting in 2013 revealed that the US National Security Agency (NSA) had wormed its way into the phones of 35 world leaders, including Germany's Angela Merkel and Mexico's Felipe Calderon.

Australia's contribution to the global game of phones was to spy on then-Indonesian President Susilo Bambang Yudhoyono, plus the country's vice president, foreign affairs spokesman, security minister, information minister, and a former vice president.

More recently, The New York Times reported that China and Russia have been eavesdropping on US President Donald Trump's cellphone calls.

"China is seeking to use what it is learning from the calls -- how Mr Trump thinks, what arguments tend to sway him and to whom he is inclined to listen -- to keep a trade war with the United States from escalating further," the newspaper wrote.

"In what amounts to a marriage of lobbying and espionage, the Chinese have pieced together a list of the people with whom Mr Trump regularly speaks in hopes of using them to influence the president."

All this makes February's revelation that the Australian Parliament's cybersecurity wasn't up to scratch all the more interesting, because government officials are trying to downplay the whole thing.

Australian Parliament's two big hacks - the ones we know of

Australia's Parliament is known to have suffered two serious cybersecurity incidents in the last decade.

In 2011, hackers busted the parliamentary email accounts of then-Prime Minister Julia Gillard and at least two other senior ministers: Foreign Minister Kevin Rudd and Defence Minister Stephen Smith.

The hackers, widely speculated to be state-based actors from China, were believed to have had access for up to a month to thousands of emails.

In February 2019, a seemingly more comprehensive hack of the Australian Parliament network -- as well as political party networks -- was revealed.

According to Prime Minister Scott Morrison, it was down to a "sophisticated state actor", again speculated to be China.

The attack forced a password reset of all Australian Parliament House network users, including politicians and all of their staffers.

It took eight days to remove the bad guys from the parliamentary network, according to evidence given to the Senate Finance and Public Administration Committee.

The incident also revealed some poor password practices. Staff could phone or email to reset a parliamentarian's password and then be told that password. Obviously anyone pretending to be a staff member could do the same.
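The reset procedure described above is worth spelling out in code, because the defect is in the process rather than in any one system. The following is an added illustration, not code from the article, from DPS or from KPMG: the flow as the article describes it (reset on request, read the new password back to whoever phoned) beside a hardened flow in which the helpdesk never sees or relays a password, and the one-time reset code goes only to the account owner's pre-registered mobile. The user names, phone numbers and SMS outbox are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample directory (hypothetical users and numbers): each account
# has an out-of-band channel registered in advance, before any incident.
USERS = {
    "minister.example": {"mobile": "+61 400 000 001"},
    "staffer.example": {"mobile": "+61 400 000 002"},
}

TOKEN_TTL_SECONDS = 600

# Pending resets: user -> (sha256(token), expiry). Only the hash is kept, so a
# leaked table does not contain usable codes.
_pending = {}

# Simulated SMS gateway so the example runs offline; in production this would
# hand off to the real SMS or push provider.
sms_outbox = []


def insecure_helpdesk_reset(target_user, caller_says_they_are_staff):
    """The flow the article describes: a caller claims to be a staff member,
    the password is reset, and the new password is told to the caller. Nothing
    ties the caller to the account, so impersonation yields the password."""
    if target_user not in USERS or not caller_says_they_are_staff:
        return None
    new_password = secrets.token_urlsafe(12)
    # The caller, whoever they are, now holds the parliamentarian's password.
    return new_password


def secure_helpdesk_reset(target_user):
    """Hardened flow: the helpdesk issues a short-lived, single-use code that is
    delivered to the account owner's registered mobile. The requester only
    gets a ticket reference, which carries no secret. It does not matter who
    phoned, because the code never goes to the caller."""
    if target_user not in USERS:
        return None
    token = secrets.token_urlsafe(16)
    _pending[target_user] = (
        hashlib.sha256(token.encode()).hexdigest(),
        time.time() + TOKEN_TTL_SECONDS,
    )
    sms_outbox.append((USERS[target_user]["mobile"], token))
    return f"RESET-{secrets.token_hex(4)}"


def complete_reset(target_user, presented_token, new_password, now=None):
    """The account owner redeems the code from their own device and chooses a
    password the helpdesk never sees. Expired or already-used codes fail."""
    now = time.time() if now is None else now
    record = _pending.get(target_user)
    if record is None:
        return False
    stored_hash, expires_at = record
    if now > expires_at:
        del _pending[target_user]
        return False
    presented_hash = hashlib.sha256(presented_token.encode()).hexdigest()
    # Constant-time compare so a wrong guess leaks nothing about the right one.
    if not hmac.compare_digest(stored_hash, presented_hash):
        return False
    del _pending[target_user]  # single use
    salt = secrets.token_bytes(16)
    USERS[target_user]["salt"] = salt
    USERS[target_user]["password_hash"] = hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), salt, 600_000
    )
    return True


if __name__ == "__main__":
    # Impersonation succeeds against the described flow...
    print("insecure flow leaks password:", insecure_helpdesk_reset("minister.example", True) is not None)
    # ...but against the hardened flow the caller gets only a ticket.
    print("secure flow returns:", secure_helpdesk_reset("minister.example"))
    print("code was sent to:", sms_outbox[-1][0])
```

The point of the contrast is that verifying "are you staff?" over the phone is not the fix; the fix is that the secret never travels back to the requester at all, and the code only works for whoever controls the registered device.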

Parliament's shoddy cybersecurity of 2019

A leaked report obtained by Australia's ABC -- a draft internal audit report written by KPMG for the Department of Parliamentary Services (DPS) in mid-2019 -- identified more problems.

Compliance with the Australian Signals Directorate (ASD) Essential Eight strategies to mitigate cyber intrusions was "at a low level of maturity", the report said.

While the Joint Committee of Public Accounts and Audit (JCPAA) decided in April 2019 that the Essential Eight was not actually essential, the KPMG report said DPS had an "ad hoc" approach to all elements of cybersecurity management. That's the lowest possible rating.

"The draft report also found significant deficiencies in the management of key systems that hold potentially classified information," the ABC wrote.

Critical information assets hadn't been identified. Legacy systems weren't being patched. The physical security of computers was a continuing problem.

A critical problem, wrote the ABC, was "the lack of an overarching approach defined for protective security management and security risk management processes".

"Up until now, the department has had a responsive approach to protective security management, rather than one based on a formal, documented, and integrated risk-based approach," the report said.

All of this was in the first half of 2019, long after the first half of the Essential Eight, the so-called Top Four, had been mandated for all government departments in 2013.

It's a scathing report, but in statements delivered to the Senate and the House of Representatives, DPS dismissed it as an inaccurate, out-of-date draft.

"I wish to assure senators that this [ABC] article does not reflect the true state of the department's protective security maturity," said the President of the Senate, Senator Scott Ryan, on February 13.

"It reflects early fieldwork by KPMG and was not scrutinised or verified by the department and does not incorporate a body of work undertaken to demonstrate the department's PSPF [the government's Protective Security Policy Framework] maturity rating of 'managing' for the relevant criteria," he said.

He did confirm, however, that KPMG had been engaged as part of a program started in October 2018 to audit the DPS's alignment with the PSPF.

"The department has in fact achieved a maturity rating of 'managing' against 85 of the 88 relevant PSPF criteria and against a further three criteria was rated as 'developing'. The department did not rate 'ad hoc' against any of the 88 criteria."

Ryan also cited the ASD's 2018-2019 annual report in relation to the early-2019 breach: "The Department of Parliamentary Services had implemented security practices that helped to identify and restrict the extent of the compromise, minimising the potential impact."

Should we believe those comments? Uren is sceptical.

"Do you believe the raw unfiltered report, or do you believe the report that's being massaged through the management?" he said.

"And then, you know, which report conforms most to the evidence we have available outside the report?"

Unsurprisingly, it turns out that DPS's current cybersecurity rating is entirely self-assessed.

Parliamentary cybersecurity is tough to fix

The reality is that the DPS is challenged by the sheer size and dispersed nature of its network.

The department is responsible for Parliament House itself, plus the local electorate and Commonwealth offices of all the MPs and Senators -- the computers of 5,000 users in all, plus another 2,000 mobile devices.

"DPS is kind of in this unenviable position where they have important people politically who no doubt don't want to be constrained by security," Uren said.

"I would imagine that there's many politicians who would go insane working in a high-security environment because it's so restrictive."

Every parliament and every government in the world would have similarly egotistical or even narcissistic characters.

The same would apply to billionaire CEOs.

As Uren put it: "Are you, the IT person, going to say to the CEO of a big company, 'No, you can't do that, because security'?" No, that's not going to happen.

It's about culture change and 2FA

Trump is the most obvious example of a boss who won't listen to advice. He refuses to give up his personal phone despite constant warnings.

"Trump keeps the personal phone [a stock iPhone], White House officials said, because unlike his other two phones, he can store his contacts in it," The New York Times reported.

Those "other two phones" are his official devices, locked down hard by the NSA.

"Trump is supposed to swap out his two official phones every 30 days for new ones but rarely does, bristling at the inconvenience," the report said.

"Still, Trump's lack of tech savvy has alleviated some other security concerns. He does not use email, so the risk of a phishing attack like those used by Russian intelligence to gain access to Democratic Party emails is close to nil."

If politicians are reluctant to follow even this sort of advice, entreaties to use two-factor authentication (2FA) are even less likely to succeed. Yet 2FA is probably one of their best methods of defence.

That UK Parliament email hack was down to lawmakers' "primitive and easily discovered passwords", for example.

While the Australian Parliament's most recent cyber-oopsie began with a spearphishing attack, 2FA would have enabled a faster cleanup. As it was, they had enough trouble even telling users what was going on.

In that Senate committee hearing, which was on 14 November 2019, Senator Kimberley Kitching asked why DPS hadn't called or messaged everyone's mobiles with news of the password reset.

Instead, they waited for users to try logging in, failing, and calling the helpdesk -- which resulted in more support staff having to be put on.

"There has been work with whips, I think, looking into that. That's currently, at least in my experience, still under discussion with whips," Ryan replied.

That's right: nine months after the breach, there still wasn't a list of all users' phone numbers.

Parliaments and politicians may well be prime targets for attack, but they're also very slow to change. We'll see plenty of new breaches through 2020.
