An unknown malicious actor stole 30 gigabytes of data from a defence contractor. That’s a huge security oopsie. But it’s also a massive failure of governance, one the government is keen to sweep under the rug.
On Wednesday afternoon, ZDNet broke the story that the stolen data included information on defence projects including the F-35 Joint Strike Fighter, the P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft, the Joint Direct Attack Munition (JDAM) smart bomb kit, and “a few Australian naval vessels”, as an officer from the Australian Signals Directorate (ASD) put it. The story was soon picked up by the mainstream media.
On Thursday morning, the government spin doctoring began.
“This attack on the defence contractor here in Adelaide is really a salutary reminder to everyone that when the government says that businesses need to take their cybersecurity very seriously, we aren’t joking,” defence industry minister Christopher Pyne told ABC Radio.
“It’s a very, very significant part of the defence of these major projects, and all Australian businesses, small and medium enterprises, and primes need to be getting their cybersecurity protections at top level, at top drawer protections, because these kinds of attacks will occur,” Pyne said.
All that is true.
By “primes”, Pyne means the top-tier defence contractors, Lockheed Martin and Boeing and Raytheon and BAE Systems and Thales and all the other big players. Apparently a prime — we don’t know which one — was the “partner organisation” that alerted the ASD to the breach, not an intelligence organisation.
The data that was exfiltrated by this unknown malicious actor, which the ASD dubbed “APT ALF”, was “commercial data not military data … not classified information,” according to Pyne.
“I don’t think you can try and sheet blame for a small enterprise having lax cybersecurity back to the federal government. That is a stretch,” he said.
Pyne’s message was that the Australia government has “been saying relentlessly” that organisations need to take cybersecurity “very seriously”. “We work very hard with businesses”, he said, including the “4000 defence industry businesses in Australia”.
Let’s unpack that a bit.
According to the ASD officer, some of the exfiltrated data was restricted under the International Traffic in Arms Regulations (ITAR), the US system designed to control the export of defense and military related technologies. Since that’s a US thing, certification to handle ITAR data is done according to US standards. Such data may well be more commercial-in-confidence in nature, a prime’s “11 secret spices”, if you like.
But if this information is flowing from the US, through a prime, to a sub-contractor a notch or two down, would it even be seen by Australian government agencies, let alone run through a formal classification process?
I have no reason to believe that Pyne is telling porkies. In the context of this very visible discussion, he’d be a fool to straight-out lie. But he’s certainly trying to parse the subtle, fuzzy boundaries between classified, sensitive, restricted, and confidential. Handy.
The other issue for me is Pyne trying to distance the government from any responsibility for this security lapse.
Yes, the ASD’s cyber defence team is tasked to protect government and military agencies, critical infrastructure, and, more broadly, national security. Third- and fourth-tier contractors are not its problem. The ASD just came in to clean up the mess.
Technically it’s not the government’s fault. But if the government isn’t making sure that the entire defence supply chain is properly secured, who is? Nobody, it seems. That sounds to me like a governance oversight.
Will the Australian government now improve its oversight of defence contractor security? Or will it merely spin the problem under the rug with the usual generic comments about working very hard?