Hole in nation’s cyber security exposed
FORGET Chinese hackers. The Daily Telegraph has discovered an unsecured pit on a main road of Canberra, a few hundred metres from Capital Hill, where anyone with a $150 device could hack into the government's "dark fibre" secure intranet.
The Intra-government Communications Network (ICON) connects more than 85 government agencies via 840km of "dark fibre" optic cable.
There are 1766 access pits into the network dotted on roadsides and grass verges all over the nation's capital and regular household padlocks have been used to secure the pit covers, one Canberra-based cyber security expert said.
But the metal pit cover observed this week by the Telegraph, on a grass strip in the middle of a busy road, did not even have that Bunnings-level security.
The pit cover is heavy and would be difficult for one person to move but, with the right tools, cyber experts say it would be easy to access the blue ICON optic cables underneath. Then, with a widely available $150 "Micro-bend clamping device", it would be a simple process to intercept secure government communications.
The ICON is the federal government intranet, where emails are exchanged and information is transmitted between staff in various departments and agencies, and backup data is moved between data centres at high speed.
It has long been considered by cyber security experts to be vulnerable to physical hacking.
"There is limited physical security on those pits and that physical security may be bypassed," said one Canberra-based cyber security expert who warned the Gillard government in 2013 about the vulnerability of the network.
"We kicked up a stink at the time directly with the government. We raised the concerns that physical protections are not sufficient to ensure that access cannot be gained to the pits and therefore all information should be encrypted when it is delivered across a public network infrastructure …
"All physical security can be bypassed … There is only one secure way to protect yourself against hacking - and that is encryption."
The Australian Signals Directorate's (ASD's) updated Government Information Security Manual, issued to all departments on December 4 last year recommends encryption of all information to ASD standards to provide "an additional layer of defence" against hackers and make it "unreadable to all but authorised users".
But the ASD leaves it up to individual departments to make their own risk assessment and decide whether to encrypt their data.
In May 2013, when Finance Minister Mathias Cormann was in Opposition, he raised concerns about the security of the ICON network in Senate Estimates.
He asked if "encryption technology has been deployed [across all agencies] to protect information from interception," and queried whether individual agencies had the "expertise" to decide whether or not their needed to encrypt their data.
While government entities such as the Australian Federal Police, ASIO, ASIS, Australian Taxation Office, Department of Defence, and the Bureau of Meteorology do encrypt their data before it goes through the ICON network, many do not, says the cyber expert.
"Some agencies are encrypted and do so in accordance with ASD best practice recommendations," he said. "But others may feel that the physical security measures are sufficient".
A spokesman for the Department of Finance said last night it was satisfied with the physical security of ICON pits: "Finance maintains physical controls and inspection regimes to deter and detect any unauthorised access to ICON fibre optic cable."
She would not confirm how many government departments or agencies do not encrypt their data: "The encryption of data sent over ICON is a matter for each customer entity."