Why would a defense contractor be allowed to handle sensitive information when its network isn’t highly secure? That’s the question we asked ourselves when we found out that a defense contractor in Australia had about 30GB of “commercial-in-confidence” data stolen from its poorly protected systems.
The details came out when the Australian Signals Directorate (ASD) presented the incident to the Australian Information Security Association (AISA) as a case study.
Reacting to the hack, Christopher Pyne, Minister for Defence Industry, simply shrugged it off, saying that the government can’t be held responsible for a contractor’s lax security. That strikes us as odd, because almost anywhere else in the world, defense contractors are vetted thoroughly before being awarded any sort of contract by the ministry or department responsible for the country’s defense.
The problem that has been exposed is a much larger one than meets the eye. It’s not just about this one contractor losing valuable data to hackers. It’s about the whole system. Apparently, there’s no audit process covering contractors and sub-contractors and their information security practices. Australia does publish guidance on what can and cannot be done, but it is treated as a best-practice document rather than as binding rules. The best known of it is the ASD’s Essential Eight, a set of baseline mitigation strategies, or in our own words, “The Eight OMG Things that Contractors Should Do/Never Do.”
An incident response manager at ASD, Mitchell Clarke, had this to say:
“One of the learning outcomes from this particular case study for at least the Australian government is that we need to find a way to start to be a little bit more granular in our contracting to mandate what type of security controls are required”
In our opinion, “find a way to start to be a little bit more granular” sounds like they’re dead serious about committing to greater cybersecurity NOW, THIS INSTANT.
The lack of enforcement leaves contractors to their own devices. So why not just make all the documents public, since that’s the end effect of such a lax system anyway? What’s really crazy is that this medium-sized defense contractor, with a one-man IT team and Internet-facing services protected by credentials like Admin::Admin and Guest::Guest, was supposed to be ITAR-compliant. The International Traffic in Arms Regulations are a US export-control regime purpose-designed to control the flow of defense-related technologies. Default vendor credentials on an Internet-facing service are about the first thing any attacker tries, and about the first thing any audit, had there been one, would have flagged.
If the government wants to extract efficiency by outsourcing its work, then it needs to make sure that the “chain of custody” for all documents, classified or otherwise, has every link equally strong and resilient to attack. If not, the whole thing falls apart, as it did in this particular case.
Thankfully, the information that was stolen was not formally classified, but merely marked “commercial-in-confidence.” That doesn’t make things much better, though. Here’s what was stolen, per ZDNet:
“Restricted technical information on the F-35 Joint Strike Fighter, the P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft, the Joint Direct Attack Munition (JDAM) smart bomb kit, and “a few Australian naval vessels” was among the sensitive data stolen from a small Australian defence contractor in 2016.”
I’d say that kind of information being stolen is sensitive enough to warrant some sort of irate reaction from the government. Sadly, it wasn’t and it didn’t. Instead, what ended up happening is that the ASD merely gave the advanced persistent threat, or APT, a cute name after a character in the Australian soap opera Home and Away: “APT ALF”. Go figure!