More Stilgherrian, Pyne opines

Email update, 12 October 2017

Today we have some more fall-out from the Defence contractor hack, starting with a follow-up rant by Stilgherrian on the state of cyber security knowledge in the media generally:

ACSC Threat Report highlights deplorable ignorance

I had trouble finding any newsworthy fresh meat in the 2017 Australian Cyber Security Centre (ACSC) Threat Report, and that’s a worry. Not because the report is bad, because it’s not. Not because the ACSC is bad, because it’s not. No, what’s wrong is the mainstream conversation about cybersecurity.

Pretty much every media report still treats cyber matters, or quite frankly the internet in general, as something over there somewhere, where the geeks live, rather than the core infrastructure on which our society is now built.

That’s inexcusable.

He’s not far off the mark, but I think it’s unfair to portray this as disinterest - more accurately it’s ignorance. As we’ve discussed many times in the past, the media doesn’t have enough people who know their shit when it comes to any technical issue, let alone cyber security (obvious example: NBN coverage and the “wireless is better” editorials we saw for years).

And it’s not just technical issues, it’s almost any issue. Journalism as we know it is a dying art, and all of the major media organisations have seen their income completely evaporate as the foundation of their business model—a geographic monopoly—was utterly destroyed by the internet.

In the face of this existential threat, complaining about low journalistic standards is pissing in the wind.

In any case, it’s pretty hard to argue that the media has been disinterested in this particular story, given the number of articles that have popped up over the last couple of days. The latest example is an interview Christopher Pyne gave on morning radio:

Don’t blame government for lax security of defence contractors, says Christopher Pyne

Mr Pyne, who has responsibility for such projects, said while the information was not classified the situation was “not good enough”, and was a “salutary reminder to everyone in the industry and the government” of the importance of taking cyber security seriously.

But he said it was a “stretch” to blame the government for the procedures of what could have been a small sub-contractor working for one of the Defence Department’s main contractors.

Reading between the lines of this and other comments made publicly, it seems that the intrusion was reported to ASD by a prime contractor, and the “small aerospace engineering firm” who got owned was a subbie. As Pyne says, it’s hard to blame the government for this, but it also raises a lot of good questions about what measures we should be taking to ensure that subcontractors aren’t terrible at security.

That’s not a question I’d want to be responsible for answering.