{"id":35187,"date":"2017-11-01T06:00:54","date_gmt":"2017-10-31T19:00:54","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=35187"},"modified":"2017-10-31T16:39:29","modified_gmt":"2017-10-31T05:39:29","slug":"outsourcing-accountability","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/outsourcing-accountability\/","title":{"rendered":"Outsourcing accountability?"},"content":{"rendered":"

The recent defence security breach\u2014labelled \u2018ALF\u2019 by the Australian Signals Directorate\u2014involving an Adelaide-based defence contractor has been characterised as a cybersecurity incident. But closer examination indicates that the underlying causes have more to do with poor security governance and failures to implement, maintain and oversee basic security hygiene.<\/p>\n

Details of the information that was compromised and how it was compromised have not, understandably, been released into the public domain by government. That said, it\u2019s possible to construct a plausible account of the circumstances of the breach from government and media sources\u2014in particular, comments made at a security conference by an ASD officer.<\/p>\n

We know that the defence contractor was an engineering firm with a headcount of about 50 and an IT staff of one, several tiers removed from the prime defence contractors. It nonetheless held information about some of Australia\u2019s most sensitive and expensive defence projects, including the F-35 Joint Strike Fighter, the C-130 Hercules transport aircraft, the P-8 Poseidon patrol aircraft, the Joint Direct Attack Munition smart bomb and naval vessels, in all likelihood Australia\u2019s new frigates. In short, it was a small firm contracted to projects that bear directly on Australia\u2019s national security.<\/p>\n

In July 2016 an attacker compromised the company\u2019s IT system. About two weeks later the attacker began exfiltrating data, and over the next three months some 30 gigabytes were stolen. The breach was facilitated by the contractor\u2019s poor ICT security: internet-facing servers had been left with their default passwords, \u2018admin\u2019 and \u2018guest\u2019. Default credentials are the first thing any attacker or automated scanner tries, so an exposed server still carrying them offers no resistance at all.<\/p>\n

The government has been at pains to emphasise that the data breach was the result of a cybersecurity attack. Implicit in its cybersecurity messaging is that we\u2019re all vulnerable to the complex and inscrutable machinations of hackers and that this event, although regrettable, was beyond our control.<\/p>\n

That is true as far as it goes, but it is not the whole story. The hacking that occurred was far from a sophisticated exercise. It exploited simple, well-known weaknesses and was in no way comparable to a highly skilled and intricate cyber operation against an equally skilled and prepared adversary: not all cyber incidents are equal.<\/p>\n

Characterising the attack as a cybersecurity incident simpliciter has the effect of normalising cyberattacks and reinforces a widely held perception that we\u2019re powerless. It privileges cybersecurity over mundane but essential basic security procedures, to the detriment of the latter. Although we\u2019ll never know whether a more sophisticated attack would have succeeded had the contractor been better defended, the chances are that an attacker faced with even basic defences would have moved on to a softer target.<\/p>\n

The government\u2019s line was that it\u2019s not responsible for the security measures taken by a private-sector contractor. Minister for Defence Industry Christopher Pyne said, \u2018I don\u2019t think you can try and sheet blame for a small enterprise having lax cyber security back to the federal government. That is a stretch.\u2019 Again, that is true, but it is not the whole picture.<\/p>\n

One of the most troubling aspects of our information security arrangements is outsourcing. The problem is how to ensure that the security obligations imposed on the public sector are passed on to, and observed by, private-sector contractors. The fact that the delivery of a product or service has been outsourced doesn\u2019t displace the outsourcer\u2019s security obligations. Outsourcing is often used to drive cost efficiencies; the problem with the way this model is implemented is that government books the savings but neglects to perform the oversight and supervision that the arrangement requires.<\/p>\n

As a number of information and security regulators have noted, you can outsource responsibility but you can\u2019t outsource accountability. That rule is built into the Commonwealth\u2019s Protective Security Policy Framework, which makes agency heads\u2014in this case, the secretary of the Department of Defence\u2014accountable for compliance with its standards and for taking action to mitigate security risks. Security is therefore an active, not a passive, task. We\u2019re entitled to know when the contractor was last subject to a security review or audit, and whether it had made security commitments, such as asserting its compliance with relevant security standards, to the department either directly or through a prime contractor.<\/p>\n

The national security community can learn several lessons from the ALF incident. Apart from the obvious one\u2014that every participant in the defence supply chain needs to implement ASD\u2019s \u2018Essential Eight\u2019\u2014they include the need for more rigorous security governance, a focus on security fundamentals and an appetite to deal with the challenges of outsourcing. Addressing those issues is not assisted by shaping the narrative to minimise the fallout.<\/p>\n","protected":false},"excerpt":{"rendered":"

The recent defence security breach\u2014labelled \u2018ALF\u2019 by the Australian Signals Directorate\u2014involving an Adelaide-based defence contractor has been characterised as a cybersecurity incident. But closer examination indicates that the underlying causes have more to do with …<\/p>\n","protected":false},"author":723,"featured_media":35189,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[139,713,126,301,727],"class_list":["post-35187","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-accountability","tag-cyberattack","tag-defence-industry","tag-national-security-2","tag-outsourcing"],"acf":[],"yoast_head":"\nOutsourcing accountability? | The Strategist<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aspistrategist.ru\/outsourcing-accountability\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Outsourcing accountability? | The Strategist\" \/>\n<meta property=\"og:description\" content=\"The recent defence security breach\u2014labelled \u2018ALF\u2019 by the Australian Signals Directorate\u2014involving an Adelaide-based defence contractor has been characterised as a cybersecurity incident. 
But closer examination indicates that the underlying causes have more to do with ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aspistrategist.ru\/outsourcing-accountability\/\" \/>\n<meta property=\"og:site_name\" content=\"The Strategist\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ASPI.org\" \/>\n<meta property=\"article:published_time\" content=\"2017-10-31T19:00:54+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2017-10-31T05:39:29+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2017\/10\/32861719652_5df106fde9_z.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"640\" \/>\n\t<meta property=\"og:image:height\" content=\"338\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"David Watts\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:site\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"David Watts\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\",\"url\":\"https:\/\/www.aspistrategist.ru\/\",\"name\":\"The Strategist\",\"description\":\"ASPI's analysis and commentary site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aspistrategist.ru\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-AU\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/outsourcing-accountability\/#primaryimage\",\"url\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2017\/10\/32861719652_5df106fde9_z.jpg\",\"contentUrl\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2017\/10\/32861719652_5df106fde9_z.jpg\",\"width\":640,\"height\":338},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aspistrategist.ru\/outsourcing-accountability\/\",\"url\":\"https:\/\/www.aspistrategist.ru\/outsourcing-accountability\/\",\"name\":\"Outsourcing accountability? 
| The Strategist\",\"isPartOf\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/outsourcing-accountability\/#primaryimage\"},\"datePublished\":\"2017-10-31T19:00:54+00:00\",\"dateModified\":\"2017-10-31T05:39:29+00:00\",\"author\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/e9d1f94eb7d9c9e3d6499ad2878dbe54\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/outsourcing-accountability\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aspistrategist.ru\/outsourcing-accountability\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aspistrategist.ru\/outsourcing-accountability\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aspistrategist.ru\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Outsourcing accountability?\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/e9d1f94eb7d9c9e3d6499ad2878dbe54\",\"name\":\"David Watts\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/415beb37d58390fb48a20eafb6103f2b?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/415beb37d58390fb48a20eafb6103f2b?s=96&d=mm&r=g\",\"caption\":\"David Watts\"},\"url\":\"https:\/\/www.aspistrategist.ru\/author\/david-watts\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Outsourcing accountability? 
| The Strategist","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aspistrategist.ru\/outsourcing-accountability\/","og_locale":"en_US","og_type":"article","og_title":"Outsourcing accountability? | The Strategist","og_description":"The recent defence security breach\u2014labelled \u2018ALF\u2019 by the Australian Signals Directorate\u2014involving an Adelaide-based defence contractor has been characterised as a cybersecurity incident. But closer examination indicates that the underlying causes have more to do with ...","og_url":"https:\/\/www.aspistrategist.ru\/outsourcing-accountability\/","og_site_name":"The Strategist","article_publisher":"https:\/\/www.facebook.com\/ASPI.org","article_published_time":"2017-10-31T19:00:54+00:00","article_modified_time":"2017-10-31T05:39:29+00:00","og_image":[{"width":640,"height":338,"url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2017\/10\/32861719652_5df106fde9_z.jpg","type":"image\/jpeg"}],"author":"David Watts","twitter_card":"summary_large_image","twitter_creator":"@ASPI_org","twitter_site":"@ASPI_org","twitter_misc":{"Written by":"David Watts","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.aspistrategist.ru\/#website","url":"https:\/\/www.aspistrategist.ru\/","name":"The Strategist","description":"ASPI's analysis and commentary site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aspistrategist.ru\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-AU"},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/outsourcing-accountability\/#primaryimage","url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2017\/10\/32861719652_5df106fde9_z.jpg","contentUrl":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2017\/10\/32861719652_5df106fde9_z.jpg","width":640,"height":338},{"@type":"WebPage","@id":"https:\/\/www.aspistrategist.ru\/outsourcing-accountability\/","url":"https:\/\/www.aspistrategist.ru\/outsourcing-accountability\/","name":"Outsourcing accountability? 
| The Strategist","isPartOf":{"@id":"https:\/\/www.aspistrategist.ru\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aspistrategist.ru\/outsourcing-accountability\/#primaryimage"},"datePublished":"2017-10-31T19:00:54+00:00","dateModified":"2017-10-31T05:39:29+00:00","author":{"@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/e9d1f94eb7d9c9e3d6499ad2878dbe54"},"breadcrumb":{"@id":"https:\/\/www.aspistrategist.ru\/outsourcing-accountability\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aspistrategist.ru\/outsourcing-accountability\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.aspistrategist.ru\/outsourcing-accountability\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aspistrategist.ru\/"},{"@type":"ListItem","position":2,"name":"Outsourcing accountability?"}]},{"@type":"Person","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/e9d1f94eb7d9c9e3d6499ad2878dbe54","name":"David Watts","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/415beb37d58390fb48a20eafb6103f2b?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/415beb37d58390fb48a20eafb6103f2b?s=96&d=mm&r=g","caption":"David 
Watts"},"url":"https:\/\/www.aspistrategist.ru\/author\/david-watts\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/35187"}],"collection":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/users\/723"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/comments?post=35187"}],"version-history":[{"count":4,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/35187\/revisions"}],"predecessor-version":[{"id":35192,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/35187\/revisions\/35192"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media\/35189"}],"wp:attachment":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media?parent=35187"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/categories?post=35187"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/tags?post=35187"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}