Defence Industry Minister Christopher Pyne says the government can’t be blamed for the sloppy cyber security of its sub-contractor that led to hackers stealing 30 gigabytes of commercially sensitive data.
So lax were the security measures employed by the defence sub-contractor – a small aerospace engineering firm with about 50 employees – that it used default logins and the passwords “admin” and “guest”.
Details of the hacking were revealed at a conference on Wednesday by Australian Signals Directorate manager Mitchell Clarke, who described the data breach as “extensive and extreme”.
A “significant” amount of data was stolen over four months in 2016, including sensitive information about Australia’s $14 billion Joint Strike Fighter program, our next fleet of spy planes, and several naval warships.
Mr Pyne, who has responsibility for such projects, said while the information was not classified the situation was “not good enough”, and was a “salutary reminder to everyone in the industry and the government” of the importance of taking cyber security seriously.
But he said it was a “stretch” to blame the government for the procedures of what could have been a small sub-contractor working for one of the Defence Department’s main contractors.
“I don’t think you can try and sheet blame for a small enterprise having lax cyber security back to the federal government. That is a stretch,” Mr Pyne told ABC Radio National’s Breakfast program on Thursday.
“You don’t know that we’ve tendered a major defence contract to a small enterprise with poor cyber security protections, you don’t know that. The contractor could well have been working for a prime [contractor].”
Mr Pyne said the government had been alerted to the breach by a prime contractor, suggesting the small company was a sub-contractor working for a “prime” contractor such as Raytheon, Boeing or Lockheed Martin.
Dan Tehan, the Minister Assisting the Prime Minister for Cyber Security, had on Tuesday alluded to the hacking of a small Australian company with “contracting links to national security projects”, without providing details.
He said the Australian Cyber Security Centre had worked with the company to fix the data compromise, expel the hacker and provide advice on how to prevent such a breach from happening again.
Mr Pyne on Wednesday said he did not know who the hackers were, but also suggested the government might know and wasn’t prepared to divulge the details.
“I don’t know who did it,” he told the ABC. “It could be a state actor, a non-state actor, it could have been someone who was working for another company.”
Mr Pyne later noted the information collected by the ASD was highly classified and “we don’t necessarily let the public know” about the identities of hackers.
These kinds of attacks were attempted “all the time” and “they are going to be successful on occasion”, he said.