CIO

Vigilance is key to protecting Australian Data

By Rupert Taylor-Price, Founder & CEO, Vault

The nature of global warfare and political manoeuvring has changed dramatically over the last 20 years. The physical conflicts of the past are moving into subtler, and potentially more catastrophic, cyber espionage, and Australia, as a major economic and political power, is no exception.

In an address to reporters in Canberra in January 2017 about new measures to protect Australian democracy from foreign interference, Prime Minister Malcolm Turnbull acknowledged the significant risk of cyber espionage by saying:

“This (cyber espionage) is the new frontier of warfare — the new frontier of espionage. It's the new frontier of many threats to Australian families, to governments, to businesses.”

Guarding our cyber borders

Just as we require naval ships to guard our borders in the physical realm, we need an equal show of strength on our cyber borders. Whilst our physical borders are clear and unchanging, the cyber borders of our vital national information are shifting. This is due entirely to the evolving nature of the technology we use to determine where, why and how our sensitive government data is stored.

In the age of physical information, we can envisage the secrets which are vital to our government being locked away in a safe located in an unassuming building in our capital. This too is an anachronism of the past.

Our government bodies and services are now interconnected in ways which were previously unheard of, and many have now transitioned, or are transitioning, to the cloud. As many aspects of the governance of our infrastructure become streamlined into a fluid reciprocal network, so too does the implicit weakness of such a network become apparent. Indeed, if we think back to the vulnerabilities of that safe, we can see that the less access to something valuable, the better. However, this is now impossible.

Digital data requires access and communication, with users simultaneously connecting to information, especially in the case of cloud-based technology. A government official may transfer or submit confidential documents and connect to information just as readily when they are on their smartphone at lunch as they would when they are in their office using various applications.

Unauthorised applications

Therein lies the issue, as this efficient and highly user-friendly form of information exchange can be incredibly vulnerable to attack. This can be seen in the banning of the popular WeChat app on government devices by Australia’s Department of Defence. The Chinese application has been recognised as a vulnerability that allows attacks through the app onto connected cloud software. Unauthorised applications which are used to communicate can be exploited for cyber espionage, not only to steal information in the form of communication, but also to serve as a gateway to whichever cloud that device is connected to. It is apparent that hackers would be able to surreptitiously access critical Australian data through a vulnerable app on a personal device that has access to the said network.

Both the strength of the cloud and its weakness, in how accessible it is as a threat, are outlined in the 2017 Annual Report by ASIO.

“In addition to technological challenges in the operating environment, we faced heightened threats to our staff, facilities and information. This requires the diversion of resources to ensure the security and effectiveness of our operations.”

ASIO recognises that with the advances in technology comes the advancement of risk and vulnerability, the consequences of which may not easily be measurable or understood by the everyday observer. Espionage, in a sense, is a somewhat distant concept, associated with its representation in popular media as a debonair Englishman saving the world. In reality, it’s a very harmful and potentially catastrophic weakness which can be exploited by other countries or companies.

Cost of cyber espionage

The instances of cybercrime and its costs are becoming better understood, and unfortunately more frequent. According to Verizon’s 2017 Data Breach Investigations Report, the public sector, healthcare and financial services account for one fifth of all cyber espionage attacks. What’s even more alarming is that a large-scale global cyber attack could cost Australia a staggering average of AUD 67.1 billion - over five times more than the Queensland floods in 2011.

Australian data should be kept within our jurisdiction and control

We must think about cyber espionage on a global level. This leads to a vulnerability of our cloud-based networks: offshore data storage. Our data is only as safe as the space in which it is kept - both physical and virtual. If we had a valuable object, we wouldn’t store it in our neighbour’s home. We would want to ensure its safety ourselves, rather than entrust it to other people, who are in essence our competition. This notion should be applied to how we protect vital government information.

If we entrust critical Australian information to global cloud companies, our information is likely accessible outside our own country. Information that is stored in other countries is subject to those countries’ laws. Recently in the US, legislation has been passed which will allow the US government to access any data that is stored by a US company, regardless of where it is stored. This means that if global organisations such as Microsoft or Facebook are storing Australian data, the US Government could legally gain access to that data.

Currently, all government agencies are advised by the Australian Signals Directorate (ASD) to exclusively utilise a ‘Protected Cloud’ for ‘Protected Workloads’. This ensures sensitive and private data does not and cannot leave Australian shores.

This approach is very much in keeping with public sentiment, with results of the 2017 Australian Community Attitudes to Privacy Survey revealing that 93 per cent of Australians don’t want their data to be stored overseas. As such, government agencies need to stay vigilant and be more pedantic in how they safeguard critical information, so as to stay miles ahead of any opportunistic adversaries.