Australian governments have been warned that physical protections are not sufficient and all information should be encrypted when it is delivered across a public network.
Australian governments have been warned that physical protections are not sufficient and all information should be encrypted when it is delivered across a public network.

Hole in nation’s cyber security exposed

FORGET  Chinese hackers. The Daily Telegraph has discovered an unsecured pit on a main road of Canberra, a few hundred metres from Capital Hill, where anyone with a $150 device could hack into the government's "dark fibre" secure intranet.

The Intra-government Communications Network (ICON) connects more than 85 government agencies via 840km of "dark fibre" optic cable.

There are 1766 access pits into the network dotted on roadsides and grass verges all over the nation's capital and regular household padlocks have been used to secure the pit covers, one Canberra-based cyber security expert said.

But the metal pit cover observed this week by the Telegraph, on a grass strip in the middle of a busy road, did not even have that Bunnings-level security.

A Telstra cable pit that gives access to ICON, the Intra Government Communications Network, on the side of a road in Canberra.
A Telstra cable pit that gives access to ICON, the Intra Government Communications Network, on the side of a road in Canberra.


The pit cover is heavy and would be difficult for one person to move but, with the right tools, cyber experts say it would be easy to access the blue ICON optic cables underneath. Then, with a widely available $150 "Micro-bend clamping device", it would be a simple process to intercept secure government communications.

The ICON is the federal government intranet, where emails are exchanged and information is transmitted between staff in various departments and agencies, and backup data is moved between data centres at high speed.

Cyber security experts say the ICON pits in Canberra often have little or no security measures.
Cyber security experts say the ICON pits in Canberra often have little or no security measures.

It has long been considered by cyber security experts to be vulnerable to physical hacking.

"There is limited physical security on those pits and that physical security may be bypassed," said one Canberra-based cyber security expert who warned the Gillard government in 2013 about the vulnerability of the network.

"We kicked up a stink at the time directly with the government. We raised the concerns that physical protections are not sufficient to ensure that access cannot be gained to the pits and therefore all information should be encrypted when it is delivered across a public network infrastructure …

"All physical security can be bypassed … There is only one secure way to protect yourself against hacking - and that is encryption."

 

The Australian Signals Directorate's (ASD's) updated Government Information Security Manual, issued to all departments on December 4 last year recommends encryption of all information to ASD standards to provide "an additional layer of defence" against hackers and make it "unreadable to all but authorised users".

But the ASD leaves it up to individual departments to make their own risk assessment and decide whether to encrypt their data.

In May 2013, when Finance Minister Mathias Cormann was in Opposition, he raised concerns about the security of the ICON network in Senate Estimates.

He asked if "encryption technology has been deployed [across all agencies] to protect information from interception," and queried whether individual agencies had the "expertise" to decide whether or not their needed to encrypt their data.

Minister for Finance Senator Mathias Cormann (pictured at Senate Estimates on Monday) raised concerns about the ICON network security in Senate Estimates in May 2013. Picture: Kym Smith
Minister for Finance Senator Mathias Cormann (pictured at Senate Estimates on Monday) raised concerns about the ICON network security in Senate Estimates in May 2013. Picture: Kym Smith

While government entities such as the Australian Federal Police, ASIO, ASIS, Australian Taxation Office, Department of Defence, and the Bureau of Meteorology do encrypt their data before it goes through the ICON network, many do not, says the cyber expert.

"Some agencies are encrypted and do so in accordance with ASD best practice recommendations," he said. "But others may feel that the physical security measures are sufficient".

A spokesman for the Department of Finance said last night it was satisfied with the physical security of ICON pits: "Finance maintains physical controls and inspection regimes to deter and detect any unauthorised access to ICON fibre optic cable."

She would not confirm how many government departments or agencies do not encrypt their data: "The encryption of data sent over ICON is a matter for each customer entity."



Chance to support Cancer Council Qld at morning tea

premium_icon Chance to support Cancer Council Qld at morning tea

Biggest Morning Tea, Warwick style, coming up

Mum planned to sell cocaine to buy booze for girls' trip

premium_icon Mum planned to sell cocaine to buy booze for girls' trip

She was busted shortly after she returned to Warwick

How Winton has become the Outback Hollywood

How Winton has become the Outback Hollywood

Even the town has some attractively derelict buildings