17 April 2018
Cyber security has long been a significant priority for Defence. Recently announced cyber roles and units take Defence’s cyber focus to the next level.
Defence will be expecting the same from its contractors, with rigour applied to security measures and proactivity in identifying and mitigating cyber security risks.
Cyber security has been on Defence’s radar since the turn of the millennium, with cyber-attacks raised as a “new security challenge” in the 2000 Defence White Paper. Since then, the threat of cyber-attacks, particularly in the field of national security, has grown in prominence.
In 2010, the government established the Cyber Security Operations Centre (CSOC) within the Australian Signals Directorate (ASD) to identify cyber attacks against Australian national security interests.
The Australian Cyber Security Centre (ACSC) was launched in November 2014 to coordinate the cyber security capabilities of a number of Commonwealth departments. It is led by Defence and includes the Attorney-General’s Department, ASIO, the AFP and the Australian Criminal Intelligence Commission.
Most recently, on 29 January 2018, Defence established two new cyber units – a defence signals intelligence unit called SIGINT and “Cyber Command”. Within those units, the Joint SIGINT Unit and Joint Cyber Unit will work alongside the ASD.
With this heightened Defence focus on cyber security, what should the priorities be for existing and aspiring Defence contractors?
The first priority for a Defence contractor is to ensure that it meets the same cyber security standards required of Commonwealth government agencies.
The ASD regularly publishes Strategies to Mitigate Cyber Security Incidents, identifying a myriad of mechanisms to increase cyber security. It particularly calls out a number as being ‘essential’ – known as the Essential Eight. The Strategies were last updated in February 2017.
Of the Essential Eight, the ‘top four’ are mandatory for Commonwealth entities, as listed in the Australian Government Information Security Manual, which is given force through the Protective Security Policy Framework. The Framework requires agencies to make sure that their contractors are aware of, and meet the requirements of, the Framework.
As such, contractors are expected to have, at the very least, the top four cyber security measures established in their organisation to be eligible for Defence work. The implementation of these measures should be demonstrable – for example, by maintaining logs demonstrating that the cyber security measures have been undertaken.
Contractors should also demonstrate commitment to cyber security by having a security framework, that is, documentation which sets out their organisation’s specific requirements and procedures. An organisation’s security framework may include an information security policy, a security risk management plan, a system security plan, a data breach response plan, and standard operating procedures for security tasks.
Late last year, the government revealed that a Defence contractor had been subject to a cyberattack in which a large amount of data had been stolen, including plans for military vehicles. While the company has not been named, it is known to be a “mum-and-dad” company, which was contracted “four levels down” from Defence. It had only one IT employee and, reportedly, the relevant credentials were username “admin” and password “guest”.
While this incident may not have caused a breach of contract, it caused significant adverse media attention for Defence. Legalities aside, it’s likely that Defence will not be willing to have the same contractor involved in future Defence work.
If a contractor is engaging a sub-contractor in relation to Defence work, it should ensure that its cybersecurity terms and conditions are water-tight. It may not be enough to flow down the ASDEFCON terms, which do not address or control all types of sub-subcontracting.
As well as setting out prescriptive cybersecurity requirements (such as the requirement to comply with the top four strategies and to have a data breach response plan), a contractor should retain some control of its supply-chain by requiring that:
In September 2017, it was reported that the US Army grounded all of its drones manufactured by DJI (a Chinese drone manufacturer) after sudden concerns about cyber security. The Australian government acted “virtually immediately” to implement a suspension over the same products.
It was reported that the cyber security risk relating to those drones was that DJI’s encryption algorithms would be available to the Chinese government. After a risk assessment was carried out over two weeks, use of the drones recommenced under “revised operating procedures”.
It is not known whether the US Army actually proved that the encryption algorithms became known to the Chinese Government. DJI’s response to the grounding of its drones was that they were "surprised and disappointed" and were “happy to work directly with any organisation…that has concerns about our management of cyber issues.” It is possible that, after the risk assessment, concerns were allayed, which allowed the use of the drones to resume.
This issue (and the hype surrounding it) would have been avoided if risk assessments had been conducted up-front, and cybersecurity assurances and information had been provided with the drones.
When Defence contractors supply goods to Defence, they should be proactive in providing sufficient information about the cybersecurity of their products, to avoid scares and suspension of use down the track.
There is no doubt that in some Defence projects, cyber security capability and maturity will be a significant factor in selecting the right contractor. Contractors can position themselves best for work from a cyber security perspective by:
The Australian, 21 September 2017, ‘Chinese drones grounded by ADF’.
The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.