Threats to the IT network security of Australian Parliament House in light of PRISM

estimates

Senator LUDLAM: I have a question for IT support if those people are here. As a member of the parliamentary ICT advisory board, I am well aware of the enormous effort that gets put in behind the scenes to facilitate and advance the work that this parliament and its committees do, so I want to open with a note of appreciation from my colleagues and me. On the subject of security, we are all changing our passwords regularly and using remote access tokens because collectively we understand that security in here is important. Can you give us a brief run-down of the number of attempted cyberintrusions into the APH system over the last year?

Ms Seittenranta : We get an average of about 400 incidents of malware a month in the parliamentary computing network. In the last three months we have also had three specific phishing-type attempts against various users on the parliamentary computing network. All of those were part of broader campaigns across the government and other organisations, so none of them were specifically about us, but we have had a set of those.

Senator LUDLAM: None of those were specifically about parliament? They were just part of what is generally-

Ms Seittenranta : They were part of broader campaigns targeting multiple government agencies. In each case we received advice from the Australian Signals Directorate about the nature of those attempts and remediation actions.

Senator LUDLAM: Are you aware of any that were targeting parliament specifically?

Ms Seittenranta : No.

Senator LUDLAM: All of our staff and, I presume, most of the building run on Microsoft software. Are there any other operating systems in widespread use under your purview?

Ms Seittenranta : Microsoft Windows is the most prevalent operating system we have. We do have people now with Apple devices which run the iOS operating system and we have a small number of users who are using Android-type telephones.

Senator LUDLAM: But, in terms of the servers that are used in here, they are mostly Microsoft.

Ms Seittenranta : They are mostly Microsoft. We do have some Unix servers in the data centre.

Senator LUDLAM: I figured.

We know that Microsoft software contains a back door which is utilised by the US NSA and Microsoft has been very active in assisting the NSA to circumvent the company's own encryption standards. What can you tell the committee about the network-level security threats posed by using Microsoft software given that it has been backdoored by foreign intelligence agencies?

Ms Seittenranta : I would have to take that on notice.

Senator LUDLAM: Why is that?

Ms Seittenranta : It is not a level of detail that I am familiar with.

Senator LUDLAM: I am not sure that I would call it detail. For example, do we provide for a specific patch against that back door, or is the parliament's network open to intrusion by the US government?

Ms Seittenranta : We implement the patches provided by the Microsoft organisation to their systems based on malware that they are aware of. We do not get specific advice on vulnerabilities that may or may not be built into the software.

Senator LUDLAM: Okay, but you are aware that Microsoft is under a legal obligation to allow the US NSA access to its servers and its hosting services.

Ms Seittenranta : We are aware that there are rumours of things like that around, yes.

Senator LUDLAM: It is not a rumour; we have primary source documentation and know that is correct.

Ms Seittenranta : We do not have capabilities to create any patches for vulnerabilities of that nature. We are dependent on what the industry provides us and advice that we might get from the Australian Signals Directorate.

Senator LUDLAM: So should parliamentarians and staff working in this building assume that we are exposed to that level of intrusion?

Ms Seittenranta : Yes, I suppose you should be able to assume that. Also, it probably should be noted that our network is not a protected network. It is unclassified.

Senator LUDLAM: Yes. What about ministerial?

Ms Seittenranta : For ministers their home departments provide their IT. Each minister has access to the parliamentary computing network in the same way as backbenchers.

Senator LUDLAM: I would have to chase the departments around this building one after another to see what they do, wouldn't I?

Ms Seittenranta : To see what they do.

Senator LUDLAM: Okay. But, as far as the work of ordinary MPs-everybody sitting around these tables and most of the people behind-that back door is in effect? You have not taken any actions to remedy that security hole that has been opened by the NSA?

Ms Seittenranta : No, we would not have taken a specific action.

Senator LUDLAM: Is there any reason why not? Could I request that you might take that action on behalf of all of us?

Ms Seittenranta : We would be dependent on somebody being able to provide us appropriate patches to close that. We do not have the technical skills to create patches to close that nature of vulnerability, so we would have to take that on notice to work with the Australian Signals Directorate.

Senator LUDLAM: I agree that they would be the ones with that expertise. You said you were aware of the rumours, as you called them. Have you sought to verify whether those rumours are correct? Have you called on the ASD to date to provide you with advice on the fact that all of our email, calendars and data traffic in this parliament has been exposed to a fairly serious security flaw?

Ms Seittenranta : We have not had a discussion with the ASD specific to any particular nation-state. We have had some general discussions about potential intents from all styles of potential threats-a nation-state, hacktivists or organised crime. So we have some regular conversations with them.

Senator LUDLAM: But, if the Chinese government had opened a back door in the operating system of every device in this room-indeed, in this building-it would have been a gargantuan scandal and, presumably, you would have called the ASD as soon as you were notified. Is it the fact that it is the United States government that means you have taken this rather more relaxed attitude?

Ms Seittenranta : No, we have not considered any differences between any nation-states.

Senator LUDLAM: So if the Chinese government, to use that as an example, had opened a security hole on every device in this building, you would not have sought advice?

Ms Seittenranta : We would have sought advice, yes.

Senator LUDLAM: But have you sought advice given that it is the US government that has done this to us?

Ms Seittenranta : No, we have not.

Senator LUDLAM: Why is that?

Ms Seittenranta : We have not been given any validation that that exposure exists or is there at the moment.

Senator LUDLAM: What sort of validation do you need? The primary documents are in the public domain that Microsoft is under a legal obligation to open that security hole. What validation are you awaiting? It has been in every newspaper on the planet for three or four months.

Ms Seittenranta : We would need some evidence that the exposure has been used against us. We have not had any.

Senator LUDLAM: Have you sought evidence?

Ms Seittenranta : We do not have that capability or the skills in our fairly small IT team to look for that sort of evidence. We would be dependent on advice from-

Senator LUDLAM: ASD?

Ms Seittenranta : Yes.

Senator LUDLAM: Have you asked them?

Ms Seittenranta : We have not asked that specific question.

Senator LUDLAM: Why is that? Don't you think it's kind of remarkable? Every device in this building has been backdoored. You are not primarily responsible for security?

Ms Seittenranta : I am responsible for IT security.

Senator LUDLAM: Okay, so do we have a serious problem here or is this something you are perfectly relaxed and comfortable about?

Ms Seittenranta : I am not perfectly relaxed and comfortable that there would be an exposure, but it is not one that has been specifically at the top of our minds or specifically brought to our attention earlier on.

Senator LUDLAM: You are aware that security holes such as the one that we are discussing here are open to exploitation by parties other than the US NSA once they are open?

Ms Seittenranta : We are reliant on the Microsoft patching program for their systems.

Senator LUDLAM: And you are aware that Microsoft is under a legal obligation in the United States to leave the security vulnerability as built-that there will be no patches from Microsoft for this particular hole?

Ms Seittenranta : I would imagine that they would give us patches if it was open to other than the intended target or the intended recipient.

Senator LUDLAM: When you became aware that the security vulnerability existed that has been built into the software that we are all forced to use in this building, did you notify occupants of this building? Was there a memo that I missed?

Ms Seittenranta : No, there has not been notification.

Senator LUDLAM: Why is that?

Ms Seittenranta : It is just something that we have overlooked.

Senator LUDLAM: It is a pretty big thing to overlook, I would submit to you.

Ms Seittenranta : What we can do, now that you have brought this to our attention, is seek advice from ASD. Generally for exposure like that which would impact all of the government computing networks, not just ours, we would be expecting that they would give us some advice and guidance on how to treat that.

Senator LUDLAM: These vulnerabilities have been in the public domain for months. Were you waiting on an estimates session to give this some consideration? I am not sure what kind of trigger you would be seeking otherwise.

Ms Seittenranta : Normally the trigger would be that we would be getting advice from the Australian Signals Directorate.

Senator FAULKNER: Do the risks include malware?

Ms Seittenranta : Malware is something that we get regularly through all sorts of means. We had over 400 incidents of what we would call stock-standard malware a month in the network.

Senator FAULKNER: How do you detect and remediate that risk?

Ms Seittenranta : For malware we have software systems that are designed to detect and clean out that style of things. There are a number of companies and we have got Trend Micro and a couple of other products which will help us detect.

Senator FAULKNER: Are those ongoing programs that you have got to address malware?

Ms Seittenranta : Yes, they are.

Senator FAULKNER: All of them?

Ms Seittenranta : The ones that we have implemented are operating in real time all of the time on the network. They will pick the products that are known malware that have hit before. The companies who provide the software are constantly updating and releasing patches and patterns that help identify content that is malicious or potentially malicious and those products are blocked at the gateway.

Senator FAULKNER: We have got public wi-fi now available in the building, haven't we?

Ms Seittenranta : Yes.

Senator FAULKNER: Can you just explain what that means in terms of any additional risk to the network?

Ms Seittenranta : We have not had any incidents of malware or things having been introduced through the public wi-fi. We have got firewalls that separate the public wi-fi from the rest of the network.

Senator FAULKNER: Could you say that last bit again, sorry?

Ms Seittenranta : We have firewalls that separate the public wi-fi from the remainder of the network and we have not had any instances that we have detected of any malware being introduced through the public wi-fi into the private parts of the network.

Senator FAULKNER: So that means there is no risk or no additional risk. Is that fair?

Ms Seittenranta : There is some additional risk but it has not eventuated. The likelihood is quite low. There are strong security protections between the various elements of the network.

Senator FAULKNER: If there is additional risk, are you doing anything to address it?

Ms Seittenranta : Yes, we have got the firewalls and we have got the monitoring and logging of what happens.

Senator FAULKNER: Do you actually test it for risk?

Ms Seittenranta : There have been risk assessments undertaken as part of the projects that implemented the wi-fi, and we do penetration testing.

Senator FAULKNER: And what was the original date in relation to wi-fi?

Ms Seittenranta : I do not have the original date; it preceded me. I can take that on notice.

Senator FAULKNER: Has there been ongoing testing since that time?

Ms Seittenranta : There is regular testing of penetration, but not constant testing of penetration.

Senator FAULKNER: And you are responsible for coordinating that testing?

Ms Seittenranta : Yes-or my teams are.

Senator FAULKNER: Your team, sure. And the results of that testing are reported to whom?

Ms Seittenranta : The results are reported internally. We also work with ASD on a series of capabilities and they do look at our traffic and also use their capabilities to help us monitor our environment.

Senator FAULKNER: And so on the basis of that you are able to make the comments you have made to me about risk and additional risk?

Ms Seittenranta : Yes.

Senator LUDLAM: Look, just by way of follow-up: I do not know whether you are aware that the ABC made an FOI request to the Attorney General's Department, maybe a month or six weeks ago. That was provided to us, that they had prepared a briefing for the Attorney-General-that is the former Attorney General-about PRISM. So this is about the NSA security program that has installed these back doors in major US service providers and software companies over a period of years.

The Attorney General's Department had briefed the attorney roughly two months prior to the revelations when the whistle-blower Edward Snowden put the issue into the public domain. Two months before that, the AG had been briefed by his department. I am just wondering, whether on or after that time, the Attorney General's Department provided a briefing to DPS, or to the Clerk, or to the Black Rod, or to the Senate IT or to the people who are responsible for the security of the network in this building?

Ms Seittenranta : I have not been provided with a briefing; I do not know what briefings other people have been provided on that matter.

Senator LUDLAM: I am inviting anybody at the table to speak up if you were provided a briefing by the AG's department or anybody.

Ms Mills : No, we have not been.

Senator LUDLAM: Okay, thank you. So the AG knew and they did not think it-and I will follow these questions up with them later in the week-worth briefing the people responsible for security of this network that Australia's parliamentarians use, that that system had backdoored all of the software that we were all using in here. You had heard nothing from the AG's department?

Ms Seittenranta : Not specifically about PRISM and those back doors.

Senator LUDLAM: Okay, thank you. Has APH IT security staff engaged with the new cyber security centre on this issue in particular? Do you guys have a seat at that table?

Ms Seittenranta : We have not, to my awareness, had any particular discussions about PRISM and that exposure with the ASD or the new Cyber Security Operations Centre.

Senator LUDLAM: Okay. Now, your colleague came to the table just before we broke before. We were just wondering-the Chair was wondering out loud-whether you had had a message from the NSA. Do you have any information that you could enlighten us with?

Mr McCauley : I have had some discussions or communications with my Director of Security. They can advise that we are aware of such communications. We are patched, and there are no outbound messages that are sent to Microsoft or any other organisation that we are not aware of and that we would not then choose to select. And we are not aware of those types of backdoors, so to speak, for Microsoft to obtain that data. We have worked with ASD and they also monitor all outbound messages in conjunction with us as a partnership.

Senator LUDLAM: All right, this is interesting. It is also somewhat at odds with what your colleague had told us, but that is okay. I am presuming those patches have not been provided by Microsoft because it would be illegal under US law for them to do so. So is that something that your staff had written here?

Mr McCauley : The specific patches, I cannot comment on. I can take that on notice if required, but I have been advised that we have specific patches to negate these types of things as recommended from time to time by ASD. If there are any vulnerabilities discovered, again, any outbound requests for this type of data would be trapped, I am advised, at our security frameworks. And therefore we would choose as to whether we send them or not and I am not aware of us sending any such data to Microsoft.

Senator LUDLAM: I am trying to be very specific here; this is not a generalised question. The patches that you have installed to close those loopholes in the Microsoft OS and its various applications: have they been designed to prevent PRISM from collecting data or traffic?

Mr McCauley : They are not necessarily Microsoft patches; they are a firewall, another security-type gate, so to speak, that stops those sorts of requests going back to-

Senator LUDLAM: I know I am picking on Microsoft a little bit. I am presuming members of parliament and staff also use Facebook and various other applications which have been backdoored by the NSA. Are you telling us that the Parliament House firewall is designed to explicitly block data traffic going back-to block PRISM collection capabilities?

Mr McCauley : Not specifically for those applications. Again, we can monitor the traffic flow. If there were things detected or known of, as far as vulnerabilities were concerned, we would work with ASD to close those gaps-if any.

Senator LUDLAM: I am seriously trying to get a yes or no. Once I have it, I am happy to wind up. Has the parliament, and the applications and devices used by ourselves and our staff, been firewalled against use of the PRISM system in the United States?

Mr McCauley : I will take that on notice and follow it up for you.

Senator LUDLAM: It sort of sounded as if it had, but I am not sure you are walking back from that or whether you are not sure. What are you telling us exactly?

Mr McCauley : We have not specifically been firewalled for PRISM, as far as I am aware. But, again, there are processes in place which would generally prohibit these types of requests going out.

Senator LUDLAM: I would imagine so. What reaction did you and/or your staff have-or what action did you and your staff take-when those revelations became public? Your colleague has informed us that AGD did not provide you with a briefing. When those revelations broke into the public domain, did you take any specific action?

Mr McCauley : I believe my security staff had discussions with AGD around those revelations. As to what things were put in place to mitigate the risks, I would have to take that on notice.

Senator LUDLAM: You are aware what the specific question I am asking is? I am interested in the PRISM program which, effectively, bifurcates traffic and leaves a copy on the NSA servers in the United States-whether this building is immune from that collection capability or not.

Mr McCauley : I understand your question and that is what I will take on notice.

Senator LUDLAM: Thank you for providing that additional information. That has been helpful. I have a couple of questions about the Science Applications International Corporation, or SAIC. DPS has a contract, to the tune of nearly $1.4 million, with that corporation for software services. Can you tell us what kind of software that entity is working on for DPS?

Ms Seittenranta : There are a number of contracts with SAIC. I am not sure which specific one you are talking about, so I will take that on notice. But the types of products they provide include support for the ParlInfo system in the library-they have provided a product called TeraText which supports the search capability in that product. The company's software is also used in the bills system which supports the work of the chambers. They are developing the new Table Office production system for the chamber departments at the moment. So there are a number of contracts with them.

Senator LUDLAM: That is fairly serious stuff. Maybe on notice-because I know we are short of time-could you break down the contracts? I am interested in the dollar amounts, the dates they were initiated, their duration and exactly what services are being provided.

Ms Seittenranta : Some of those contracts might be with the chamber departments. They may not all be directly with us.

Senator LUDLAM: To the limits of what you are responsible for, please provide that information. If you are aware of other contracts, please give us some pointers so I know whom to chase. Is DPS aware of just how notorious this company is for false claims and misconduct allegations against it over federal tenders in the United States-and that in March 2012 it agreed to pay half a billion dollars to the City of New York after the company CEO admitted to criminal behaviour by employees on a contract? Did that behaviour come up when you were doing the due diligence on this company?

Ms Seittenranta : I would have to take that on notice. Some of these contracts are quite old. They are not new contracts.

Senator LUDLAM: But you are rolling them over. The original one went from February 2012 to 2013 and has just been extended to February 2015.

Ms Seittenranta : I am not sure which contract you are-

Senator LUDLAM: You have indicated that there are a number. On notice, will you please provide us with what due diligence you have done and whether you are aware of those specific allegations of misconduct-a half a billion dollars is a fairly serious breach penalty-and whether you spotted that behaviour before you rolled these contracts over.

Ms Seittenranta : I will take all that on notice.

Senator LUDLAM: That is very much appreciated. Thank you.