Parliament hack report too torrid for public release

The federal government is unlikely to release even a redacted version of the final report on the state-sponsored cyber attack against the parliamentary computing network earlier this year.

Senate President Scott Ryan told a senate estimates hearing on Monday that the “very interesting” report on the February security breach had been received last week.

After reading the “rather technical” report for the first time on Friday, he is now awaiting a “plain language briefing” from cyber security experts before providing an update to the Senate.

“I am awaiting what I will call a layperson's briefing on the report that I read last week,” he said

“I think I understood about 80 to 90 percent of it, but there were some technical aspects to it, and I want to make sure that what I think I understood was correct.”

“But I will say at this point that there are obviously implications for our future security as a parliament, as well as our cooperation with various agencies.”

However, in stark contrast to the Australian National University, which was praised for its transparency after its recent cyber attack, Ryan said it was unlikely that an unclassified version of the report would be released.

“I am not convinced that publishing the report I have received, even in a redacted form, would be helpful,” he said, adding that this was purely his personal view and had not been discussed with the Speaker of the House Tony Smith or other officials.

“I have made clear that I will come back with more information as it becomes available, and I think I will be doing that shortly.”

The cyber attack, which extended to the networks of the Liberal, Labor and National Parties, forced more than 4000 parliamentarians and their staff, as well as the Department of Parliamentary Services, to reset their passwords.

Despite assurances no data had been accessed or taken at the time of the attack, an ASD damage assessment of the attack has since revealed that a limited amount of non-confidential data was stolen by a state-sponsored actor.

That state-sponsored actor has not been disclosed by the government, though reuters has reported that multiple sources claim ASD has concluded the attack was conducted by China.

ASD said in its 2018-19 annual report, released this week, that the attack was "Australia's first national cyber crisis".

"The C1 incident saw the ACSC [Australian Cyber Security Centre] operate at a heightened state of activity to provide advice and assistance to Australia's major political parties and government agencies after they were targeted by a sophisticated state-sponsored actor," it said.

In its latest annual report, DPS said “significant advancements” had been made during 2018-19 to strengthen its cyber security capabilities.

However, the agency does not say whether all of the Essential Eight cyber rules have now been implemented.

“Work continued on the information security manual controls and protective security policy framework information security elements, to enhance whole-of-government compliance including improvements in cyber hygiene and resilience across the network,” the report states.

One such initiative to improve DPS’ cyber security capabilities was the establishment of a new cyber security branch earlier this year.

The branch, which was funded in the 2018 budget, has already completed the first stage of an identity access management project to improve how “secure management of access to parliamentary resources is provided”.

“The first stage of the network segmentation project was completed and improves resilience of the network to limit the impact of any potential cyber attack,” the report states.

The DPS has also enhanced cyber security awareness and education and plans to incorporate this into the “induction process for all parliamentary computing network users”.