Australia's new cyber security policy must consider past mistakes

Last week saw the release of Australia’s refreshed cyber security policy, a catch-up effort that’s well overdue.

But before you get your hopes up about Australia building a safe online playground that internet baddies can’t get into, consider that the internet runs on a huge amount of insecurely connected technology.

Much of that technology involves legacy and end-user systems that are firmly entrenched, and in many cases, abandoned.

What this means is it isn’t enough to educate, create awareness and share information with a high-level cyber security policy. Some hard decisions have to be taken that result in action; this will be a key test for the government’s new cyber policy.

For instance, it would have been fantastic if the policy had pushed for a liability on end-user network equipment vendors and smartphone makers to ensure that their products have been tested for common vulnerabilities, and that they are actively supported for their lifetime.

These are, after all, the things most Australians will use for their high-speed internet connections.We test cars to make sure they’re safe, but not the gear we transmit financial, personal, government, any type of sensitive information over.

Millions of insecure devices are waiting to be easily abused in Australia, if they aren’t being hijacked already.

And it’s not just Australia that’s grappling with these situations. 

Take the widely-used Signalling System 7 phone call and message setup network.

SS7 has been with us since the mid-70s. It is used globally by telcos servicing billions of landline and mobile phone users.

Think of it as an unencrypted closed internet for phone control and metadata, one that was secured by trust between a few operators and ye olde 'security through obscurity' principle.

But lots of telcos now use SS7. And, as was demonstrated by tracking a United States congressman and recording his calls and text messages, it’s not secure. 

This is not news. In 2008, old-school hackers Chaos Computer Club got security researcher Tobias Engel to demonstrate how you track users through SS7.

The key thing about the lack of security in the SS7 network is that it can be used in an offensive capacity. Communications between individuals, businesses and organisations can be intercepted and even spoofed since it’s possible to track the location of mobile phones via SS7. Government spy agencies take advantage of that feature.

There are ways to secure SS7 to some extent (the network is only as strong as its weakest chain, or that shonky Eastern European telco operator who doesn’t give two hoots about security). It is also supposed to be on its way out, replaced by 4G signalling systems.

But that hasn’t happened. SS7 will likely be with us for at least a decade longer, probably more, running alongside and interacting with 4G networks. It’s a safe bet that clever people will find ways to exploit the unsafe, yet deeply entrenched, SS7 network.

When the SS7 network was born, few people realised the dangers of legacy technology and abandonware. That's no longer the case. You can barely go a day without reading about a new vulnerability being exploited by attackers.

Ensuring that there is guidance, education, research and resources to prevent users and organisations from getting caught in the legacy death trap should be top priority for any government cyber security initiative. The Americans have recognised just that. 

If Australia's cyber security policy can ignite thinking around solving this problem, it will have achieved something that’ll make the country a leader in the infosec field - much more than cyber rattling about offensive hack-back capabilities ever will.

Besides, how much sense does it make to go on the cyber offensive when you're leaning on vulnerable legacy systems and networks?