An executive at the Australian Signals Directorate (ASD) who declined to sign off on Microsoft’s Azure and Office 365 cloud services being granted Protected Certification has since left the agency, according to InnovationAus.com.
The certification, awarded in April, allows Microsoft’s “government-configured” clouds to be used for Australian government data classified up to PROTECTED level. But unlike all previous such certifications, Microsoft’s certifications were provisional, and came with what the ASD called “consumer guides”.
“The Australian Cyber Security Centre (ACSC) has certified the storage, communication, and processing of government data at PROTECTED in specified cloud services in Microsoft’s Australian-based public cloud. Additional compensating controls are to be implemented on a risk-managed basis by individual agencies prior to agency accreditation and subsequent use of these cloud services. The ACSC is working with Microsoft to ensure general compensating security control blueprints are made available in the coming weeks,” the guides said.
The ASD executive, a 24-year veteran of Defence, declined to sign off on these provisional certifications. She was reportedly “removed from the role” by the ASD’s new director-general Mike Burgess. However, in a LinkedIn post, the executive said she was “disappointed” by the inference that Burgess was to blame for her resignation.
“Mike has been nothing but supportive of my career and has provided me with encouragement and mentorship,” she wrote.
The certifications were subsequently signed off by the new head of the ACSC, Alastair MacGibbon, who was previously the prime minister’s special advisor on cybersecurity.
According to InnovationAus.com, this reflects “internal frictions” as the ASD transitions to being an independent statutory agency, and the changed priorities under Burgess. It also reflects a “radical rethinking” of the government’s approach to cybersecurity, with the accreditation process “caught between an ongoing adherence to the government’s Information Security Manual (ISM) … and the new management’s desire to quickly introduce an overhauled manual based on a risk management/mitigation approach”.
This isn’t the first time that we’ve seen hints of the division between what might be called “ASD secret squirrel traditionalists” and those holding a more risk-based approach.
In 2015, the outgoing head of the ASD’s Cyber Security Branch, a role which is now held by MacGibbon, called for a more “forward-leaning” cybersecurity posture, citing prime minister Malcolm Turnbull’s use of the encrypted messaging app Wickr as an example.
“You need to balance reducing risks, and reducing efficiency and convenience,” Joe Franzi said.
“That used to be the old ASD model. We used to say ‘no’ so many times that we hamstrung organisations from actually doing too much. That’s not going to cut it in today’s world, and certainly tomorrow’s world.”
Franzi made these comments during the first-ever on-record interview in his Defence career, giving this writer the distinct impression that his message was directed more at ASD insiders than the general public.
More recently, in October 2017, an ASD incident handler giving a technical presentation at the national conference of the Australian Information Security Association (AISA) revealed details about the theft of secret defence data from a small engineering contractor. Some of it related to the F-35 Joint Strike Fighter, the P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft, the Joint Direct Attack Munition (JDAM) smart bomb kit, and other key projects.
Some people, including your writer, thought this presentation was exactly the kind of thing the ASD should be doing, combining concrete facts with actionable cybersecurity advice into an engaging presentation. Unfortunately the story briefly garnered mainstream global attention, with government ministers scrambling to distance themselves from the controversy. Australia’s assistant minister for cybersecurity was suddenly “doing electorate business” and unavailable for comment.
The ASD’s next such presentation at the agency’s own conference in April 2018 was, to say the very least, dry. It didn’t make the news. There’d be many traditionalists who’d have liked it that way, but it meant any potential cybersecurity lessons went no further than the walls of that one small conference room.
The ASD is going through some radical changes — radical in the good sense. It’s now an independent agency with Burgess at its head. The ACSC is now a division of the ASD, with MacGibbon at its head. The structure mirrors that of the UK’s Government Communications Headquarters (GCHQ) and National Cyber Security Centre (NCSC). Both structures provide a clear distinction between the nations’ offensive and defensive cyber capabilities, and provide the cybersecurity divisions with a clearer mandate. But there are differences.
The NCSC was launched two years later than the ACSC, but has roared ahead, with an open technical plan to secure the UK launched in 2016, and regular reporting of its progress with real data.
Meanwhile, Australia seems to have added confusion to its cybersecurity management, forming a separate Critical Infrastructure Centre (CIC) which also deals with physical security, and flip-flopping on the responsibilities of the ASD and the Digital Transformation Agency (DTA) for government agencies’ own cybersecurity strategies.
There’s also the curious new arrangement whereby MacGibbon is both deputy director-general of the ASD on the operational side — which ultimately reports to the minister for Defence — and a deputy secretary of the Department of Home Affairs as National Cyber Coordinator on the policy side. That split role is bound to be tough, especially with the two organisations still to fight over who, exactly, is responsible for what.
Both Burgess and MacGibbon are generally well respected in the sector, with reputations for getting things done. But they face the challenges of transforming the culture of the ASD while simultaneously untangling messy high-level organisational structures.
Plus the actual challenge of, you know, running the nation’s cyber defences during an arms race.
Unfortunately for both of them, they can probably look forward to plenty of trouble at t’ mill.