An email to parliamentary staffers from DPS said outages were affecting several ICT services including interrupted updates to email, calendar and contacts on smartphones and tablets. However, emails, calendar events and contacts that were already stored on devices were not removed.
These services were progressively restored througout Monday, with staffers able to access emails on their phones again from late morning.
“The government is aware of an issue impacting the DPS IT system,” Mr Hastie said in a statement. “The issue relates to an external provider, and once the issue was detected the connection to government systems was cut immediately as a precaution.
“The Australian Cyber Security Centre has been in contact with DPS and is providing support and continuing to monitor the situation … The government acted quickly, and we have the best minds in the world working to ensure Australia remains the most secure place to operate online.”
The weekend’s attempted systems breach was not the result of MPs’ technology use, but it will further focus the minds of MPs on their growing cyber vulnerability, coming a week after phone contacts of Finance Minister Simon Birmingham and Health Minister Greg Hunt were invited to chat on encrypted app Telegram, by actors who had set up fake accounts in their names.
Mr Watts– who before becoming an MP was a broadband policy advisor to former Labor Communications Minister Stephen Conroy, and a government relations executive for Telstra – said that in spite of the obvious threats of compromises, MPs were given no formal rules or guidance to follow when it came to messaging tools and other apps.
“I’ve been banging the drum on the importance of MPs’ and ministers’ personal cybersecurity for years now,” Mr Watts said. “Because at the moment the situation is that we get given a handset and equipment from DPS, and then can install and use any ‘over-the-top’ applications without any guidance or directive that some apps are not safe, or that using an app in a certain way would not be a smart thing to do as a member.
“But the attacks on ministers Birmingham and Hunt really highlight that MPs and particularly ministers are major targets, who are constantly targeted by state-based actors and by criminal enterprises.”
Mr Watts said he believed it was more secure for MPs to use only the phones provided to them by DPS, which have device management software on them to monitor usage. However, he said practices varied dramatically across the House and many MPs used personal devices as well.
The security of apps like WhatsApp, Signal and Telegram is much stronger than SMS, due to end-to-end encryption, but they all have features that can erase messages permanently after a set period of time. The app makers pride themselves on their refusal to crack their own encryption in the face of government demands, so any FOI requests for conversations would rely on MPs willingly retaining and handing them over.
“The law is really clear that whatever tool you’re using to create government records, they need to be preserved,” Mr Watts said.
“Under the law you are not supposed to be engaging in government business on platforms where the messages disappear.”
Shannon Sedgwick, a cyber expert and senior managing director at professional services firm Ankura, said there had been a global precedent set for government employees using encrypted messaging apps in late 2019, when the European Commission enforced the use of Signal for public instant messaging by their staff.
Although the services are incredibly secure, he said they did present clear issues related to government transparency and freedom of information.
“How do we know that staffers are not discussing sensitive government business via these apps? Most of these apps have a disappearing message functionality, making enforcement of data classification and sharing standards impossible,” he said.
“Likewise, government agencies responding to FOI requests for such data transmitted and stored via encrypted messaging apps may claim an exemption under the FOI ACT 1982 because it has ‘material collected in confidence’.”
The issue of ministers using encrypted apps to discuss matters was first raised during the prime ministership of Malcolm Turnbull, when he was revealed to be using Wikr in preference to SMS.
Mr Turnbull told The Financial Review that he had only ever used a work-supplied phone during his time in office, and that it had been both more practical and safer to use such apps to conduct his affairs.
“Certainly when I was there an app like Signal or WhatsApp was more secure than the government’s own email system, where of course the mail server itself is the key point of vulnerability,” Mr Turnbull said.
“The messages are only secure in transit though, so if you have messages sitting on your phone or in an un-encrypted cloud back-up then they can be accessed there.
“However, the convenient functionality and security of encrypted messaging has meant that some government agencies have had to acquire and or develop apps with comparable features since then.”
On Friday, MPs were sent an email from the Australian Federal Police warning them about the messaging scam now targeting them. It said the scam originates on WhatsApp where recipients of messages purporting to be from MPs are told to download the Telegram app and to forward their two-factor authentication codes back to the sender.
This lets the impersonator take over the person’s Telegram account.
MPs were told not to respond to the messages if they receive them, to send a screenshot of the messages to police and to keep the messages to aid in any evidence collection.
Mr Watts said that since he was first elected to Parliament in 2013, cyber hygiene practices had improved a long way. Back then, he said it was common for multiple social media accounts to share the same passwords, which were shared with all and sundry, including casual campaign volunteers.
Although things have tightened up, he said there remained a long way to go for politicians to follow best practice. He said he runs personal training sessions on cyber hygiene with fellow Labor MPs and starts by taking them to the Have I been Pwned website, run by Australian cyber expert Troy Hunt, which lets users check whether their email address has been caught up in any data breaches.
“When I was a backbencher I did a trial where I plugged in a load of MP email addresses into the site and a whole number, including Julie Bishop’s were in there,” he said.
“MPs are like any other people in society, our data is exposed in data breaches in the same way, it is just that the consequences of us being breached are much more significant. So things like stopping password re-use and being really diligent about multi-factor authentication is a really important obligation.”
Mr Watts said the onus was on the government to raise its own standards and insist on rules being put in place – probably through DPS – to mandate better internal cyber hygiene. Although anyone can be attacked, he said there needed to be some form of consequences when ministers and MPs failed to take their cybersecurity seriously enough.
In an Australian National Audit Office review of seven of the biggest government departments released this month, it was found that the Attorney-General’s Department, Department of Prime Minister and Cabinet, Department of Health, Department of Education, Skills and Employment, Future Fund Management Agency, IP Australia and Austrade had not implemented all of the top four cyber risk mitigation strategies mandated by the Australian Signals Directorate.
“There needs to be some form of parliamentary accountability mechanism, appreciating that there are sensitivities around disclosing individual vulnerabilities and individual instances of non-compliance,” Mr Watts said.
“I think it would make sense for the Joint Committee of Public Accounts and Audit to have an oversight function, where reports are provided to the parliament.
“It had a recent bipartisan recommendation to fund the Auditor-General to hold annual limited assurance cyber audits across the Commonwealth. Putting the fear of external accountability into everyone to try to change behaviour, because at the moment, the Auditor-General is really clear that the current accountability mechanisms don’t change behaviour.”
Cybersecurity expert Troy Hunt said Parliament’s cybersecurity defences were being challenged by the same “shadow IT” issues that businesses have been contending with in recent years. As people have become more accustomed to picking and choosing the apps they use to run their personal lives, they have increasingly begun conducting their working life in the same way, despite corporate technology policies.
He said businesses that wanted to keep a tighter focus on their data had needed to take notice of what external apps and services employees were using, and why. That way they could plug the gaps by introducing more controlled services to do similar things.
“I guess the question then is: ‘How grey is the line between personal tech use and work on devices?’,” Mr Hunt said.
“If we accept that they’re still humans, and they have personal lives, then they will want to be able to organise their kid’s soccer game over WhatsApp, or browse Facebook while eating lunch. It is just about defining, ‘How segmented should that be in government?’”