Australia, your lack of cyber transparency disturbs me

There's little public trust in the government's push for more online surveillance and broader powers for its spooks. Perhaps it's time for more openness, less hypocrisy.
Written by Stilgherrian , Contributor on

As Australia, like the rest of the world, ramps up its defences against all the cybers, I sometimes wonder whether the government and our cybersecurity agencies realise how out of step they look. Silly, even. Events this week highlight the disconnect.

On Monday night, ABC TV's Four Corners claimed that a series of sensitive government systems had been hacked and pointed the finger at China — although China has of course denied the allegation.

The targets included the Department of Defence's classified email system and the Department of Prime Minister and Cabinet. The data stolen included a "highly sensitive document" relating to the Australian Secret Intelligence Service (ASIS), and detailed plans of the new $630 million headquarters building for the Australian Security and Intelligence Organisation (ASIO) and its internal communications systems.

How did attorney-general Mark Dreyfus respond to these claims?

There's a great deal of intelligence material, espionage related material that we don't comment on. That's been the long standing practice of Australian governments for many decades ...

Reporter: But why is that?

Dreyfus: Well, I'm proposing to continue that practice.

Well thanks, Mr Dreyfus, I'm glad you've cleared that up.

Sticking with the script, Foreign Minister Bob Carr refused to confirm the hacks as well.

Then on Tuesday morning, the CeBIT Cyber Security conference kicked off in Sydney with a keynote from Defence Signals Directorate (DSD) assistant secretary for cyber-security John Franzi — from which the media was banned.

That's kinda funny, given that Franzi's presentation was delivered in front of roughly 100 conference attendees who weren't vetted, most of whom had smartphones, and some of whom tweeted the presentation highlights anyway.

It's even funnier, given that the ban wasn't enforced properly and at least four journalists made it into the room — and of course, there wasn't anything secret in what Franzi said anyway.

It's always like this. Australia's security agencies are amongst the most secretive on the planet, far more so than their counterparts in the US and UK.

Why is this?

Four Corners journalist Andrew Fowler was told that it's down to Australia's junior relationship with its historical allies, the UK and then the US.

"We, the Australians, look after other people's secrets, and so we have to prove we are more able to look after their secrets than anybody else ... It's a way of explaining in some way this rather, I suppose you could say, closed shop," he told the BCC World Service program World Have Your Say (MP3).

Whether the explanation Fowler was given is true or not, this culture of extreme secrecy leads to an information vacuum.

Is China trying to hack Australian government agencies? Yes, of course. Everyone is hacking everyone else. That's how espionage is done these days. But how successful were they? Who knows. Does the government have a valid case for more surveillance? Again, who knows.

Without hard facts, critics and supporters alike are free to assume the worst — either that incompetent security services are riddled with hacks while pursuing a massive power grab, or that Chinese hackers will bring the country to its knees unless we immediately lock down the internet and log everything. The truth is presumably somewhere in the middle, but without facts, a nuanced debate is impossible.

And without facts, we're free to judge the government's credibility by the hand-waving cyber language they use. I've already given my opinion on all this cybering and the cyberthreat beat-up, but things reached a new low this week with the coining of "cybercrisis".

While the government continues to play secret squirrel, the infosec industry is getting into transparency.

At CeBIT Cyber Security, the very next speaker after the DSD's Franzi was John Suffolk, global cyber security officer for Huawei. As a Chinese company trying to sell its equipment in the West, Huawei knows all about the need to engender trust. After all, they've been banned from selling equipment for the National Broadband Network on ASIO's advice.

Suffolk said that the answer is transparency and claimed that Huawei has become the most audited company in the world, with the ability to trace pretty much every component through their supply chain except the basics like cables and batteries.

"We welcome being audited, inspected, poked, and prodded and probed," he said, and encouraged other vendors to do the same.

Russian vendor Kaspersky Lab has also decided that transparency is the way to go, to the point of revealing source code to prove their products are safe.

"In the USA, Australia, and Western Europe, we are facing similar issues of trust," Eugene Kaspersky told Australian journalists on Wednesday night. "We are entering the United States, and we are about to have second backup and compiling systems in the States ... US citizens will have access to source code, and we will be very open to disclose the source code in case of requests."

There were calls for transparency on Four Corners, too.

From Alastair MacGibbon, described as a "government cyber security advisor" and founder of the AFP's high-tech crime centre: "I think it's fair to say that some of our allies are more open in talking about cyber matters than Australia is ... It would be churlish to deny that there have been probably many other breaches of government agencies, but we don't have a culture in this country of talking about it."

And from Deloitte Australia's Andrew Johnstone-Burt: "Certainly more disclosure is needed. By more disclosure, we can get more information as to what attacks are occurring and why, and with that, we can build greater resilience and greater defence."

As a final twist, the government has been calling for more such transparency from the business sector, and this week announced that it'll finally introduce mandatory data breach notification laws.

"There's a hypocrisy here," Fowler told the BBC. "I think if you want the Australian people to understand that cyber security is an important thing, they should put their house in order first, and talk to the Australian people honestly and openly about what happens."


Editorial standards