Cheap hardware infects govt agencies

Shadow Defence Minister David Johnston will seek to introduce new cybersecurity auditing powers into the Trusted Information Sharing Network (TISN) after ministerial advisors reported that government agencies have bought cheap foreign IT hardware loaded with malware.

(Multi lock image by Mike Biard, CC2.0)

The TISN is a government forum for sharing data pertinent to national cybersecurity between the public and private organisations in seven industries including banking, health, food and utilities.

The reforms would allow the TISN to harden baseline security standards required to interact with government.

Johnston told ZDNet Australia that he intends to push a ban on government agencies shirking expensive but trusted technology brands for cheap white-box goods after unnamed departments had discovered backdoor malware in computers, servers and processor chips.

Backdoor malware can provide an access point through which criminals can access and steal data, often silently. Figures released by the Australian Communications and Media Authority last week point to over 30,000 computers reportedly taking part in botnet activity every day.

Johnston told an audience of cybersecurity experts in Canberra that he will seek to reform procurement practices and enforce minimum security standards to help build Australia's cybersecurity "fortress".

"I want to take [TISN] to another dimension by allowing it to retain intellectual property, to contractually conduct detailed audits," Johnston said.

"Many departments purchase computers, servers and chips from the cheapest sources, which I suggest have a question mark over their heads from a backdoor perspective."

He told ZDNet Australia how advisers had informed him of the security breaches that occurred after agencies sought exemption from Defence Signals Directorate (DSD) procurement guidelines.

The TISN would have "ongoing, great and aggressive" auditing powers to help establish what Johnston calls the security "fortress" of interaction between government and private technology systems.

He said he agrees with statements by security expert Alastair MacGibbon saying that government must reduce the discretionary powers of departmental chief executives within the defence Information Security Manual (PDF), while increasing the authority of the DSD.

Software designers would also undergo baseline security training: "Like Occupational Health and Safety, it would be an induction practice to ensure all systems meet certain security standards," said Johnston.

Johnston also wants to see the virtual global cyberwar game, Cyber Storm, conducted twice a year, rather than every 24 months.

The third instalment of the war game will kick-off next week and will be the largest to date. Cyber Storm III will include national security and critical infrastructure agencies from Australia, America, Canada, Britain and New Zealand.