Posts

Sensitive Defence information is still being held at data centers owned by Global Switch, a Chinese-owned multinational company, despite promises to have all government data migrated out by 2020. Regardless of the complexity of the move or data being “less sensitive”, this is an unacceptable situation. The Chinese Communist Party must be laughing at our Government.

Transcript

Okay, thank you. Getting onto storage of defence data, including critical secure data. In February, 2021, the Australian federal government renewed its contract with the firm Global Switch, despite serious security concerns. The company has hosted Australia’s sensitive and high security data for some time. Elegant Jubilee, a Chinese consortium, bought 49% of the parent British company Alders Gate Investments, causing an ownership change for Global Switch in 2016. Then treasurer Scott Morrison said in 2017 that the defence data would be shifted back to a government owned hub for security reasons. After he became prime minister, he later decided to extend their contracts with Global Switch. Does the firm Global Switch still host Australia’s sensitive and high security defence data?

Senator, Jeff Goedecke, First Assistant Secretary ICT Service Delivery and Reform. The Global Switch facility, which is completely controlled by the commonwealth, does hold some of the less sensitive data. There are as indicated in the release by secretary Moriarty in February last year, there are plans in place to migrate that data from Global Switch by 2025. This is in accordance with the whole of government hosting strategy.

So why was it decided to continue this arrangement, hosted ultimately with, with Chinese ownership?

It’s, it’s, it’s not Chinese ownership. As I said, the Commonwealth owns, has complete control of the facility, both from a physical perspective and from a, and a, a protection from a logical sense, from an ICT perspective and security perspective. The amount of equipment and data, and the complexity and interdependencies, necessitate a longer term to remove these things. There’s a, a great deal of reliance on defence business continuity, that requires a staged approach to remove this stuff. It basically, the complexity and size of the footprint, the payload inside the data centre, means it was impossible to, to move that over a very short period of time.

So when was the decision last made to, to leave it there, and eventually you take it off by 2025?

So, just bear with me, Senator

And Senator, Greg Moriarty, Secretary of the Department. All of, all of the highly sensitive information is, is long gone. So what, so-

What sort of information is there?

Well, this-

So we, so what happened was the government approved, back 2018 for defence to be funded to move what was sensitive data from the data centre out. That occurred by June, 2020. So that was all removed. Because of the size of the footprint of the remaining data, which is less sensitive data, again, still protected from a government perspective and government controlled. There was a, there is a process in place now where we are, have an evolution to move that data out. And that ties in with the additional lease, which expires in 2025.

So what is that less sensitive data?

It, it’s for a range, range of things. It could be administrative related. It could be some sort of logistic, but we wouldn’t normally discuss exactly what type of data we hold in what locations.

So there’s no risk whatsoever of the Chinese accessing it, ’cause they’re pretty good hackers.

There, there is no risk.

What, what, why can you be sure of that?

It’s, it’s based on the, the the facility itself has physical controls in place. That’s everything from, from it being a fully manned facility, it has all of the CCTV capabilities. It has, you know, alarms, it’s fully accredited. And in fact, the facility is accredited to look after more sensitive data. That hasn’t changed. So there’s a higher level of security than would normally be afforded that level of data, which is an important factor as well. In addition to that, we have ICT securities. So cybersecurity controls where we, we monitor that we have a, the defence security operations centre monitors cyber activity. And that includes that within the footprint as well. Gateway, secure gateways also assure the information. So from a defence perspective there aren’t risks related to that, Senator.

Has it been tested at all? ‘Cause the Chinese, some Chinese are very good hackers. I’m sure you know that.

Absolutely. So there are, defence has no indications at all that there’s been any compromise at all related to data held in that facility.

So it’s not a case then of the, the Fox looking after the hen house?

Not at all.

Okay.

No, but, and, and just to make sure that, I mean, that, that is why the government has, has directed defence to move all of the data by a particular point in time. Senator, we believe that the mitigation strategy that we have in place is very robust for the, for that level in, in fact, as Mr. Goedecke said, it’s, it’s much more significant wraparound than what normal data of that level would be. But we are moving out. We are, we are gonna remove absolutely any risk by, by removing ourselves from that, from that data centre. And the government has, has agreed the timeline.

Thank you. And thank you, too.

Additional Information

https://www.itnews.com.au/news/defence-delays-global-switch-data-centre-exit-by-up-to-five-years-560042

https://www.afr.com/companies/telecommunications/federal-bodies-struggle-to-exit-chinese-owned-data-centre-20200304-p546p5

Transcript

[Senator Roberts]

Thank you Chair and thank you all for being here. I have a few short question mostly about elections. My questions are about the Australian Cyber Security Centre, in Senate estimates on the 19th of February 2019, Tom Rogers, the Deputy Director of the Australian Electoral Commission said, “We work very closely with our partner agencies, the Australian Cyber Security Centre from the Australian Signals Directorate,” and then he went on and then said again, “We work with them closely and we are very confident,” pause and then, “That there has been no breach of the AEC systems,” is that an accurate statement?

[Rachel Noble]

It absolutely is, we work very closely with the Australian Electoral Commission and actually as we do with all State and Territory electoral commission equivalents, particularly focused together in partnership in the lead up to an election, during the election and then post the election, where we’ll partner on looking for any cyber security or threats to the proper running of the election.

[Senator Roberts]

Thank you. Last night, the Australian Electoral Commission advised they have never used the Scytl software they purchased and instead used a bespoke system. They further commented that the internal code had been audited and reviewed. Has your office conducted a code level and server level audit of the Australian Electoral Commission election software?

[Rachel Noble]

Unless Ms. Bradshaw knows the answer to that specific question or Mr. Hanmore? No? We might have to take that level of detail on notice, Senator.

[Senator Roberts]

Okay. So, if you don’t know who did this mysterious audit, and do you also know if the software passed the audit? So, if you could, let us know that.

[Rachel Noble]

I could take that on notice, yes.

[Senator Roberts]

Thank you. During the election period, is the Australian Cyber Security Centre responsible for securing the data systems used by the Australian Electoral Commission?

[Rachel Noble]

Our functions, which are set out in the Intelligence Services Act allow us to provide advice and assistance, the ultimate accountability and responsibility is for the organisation, in this case the Australian Electoral Commission itself.

[Senator Roberts]

So, are you saying then that the Australian Electoral Commission itself secures the data systems that it uses?

[Rachel Noble]

[Rachel Noble]

That’s right.

[Senator Roberts]

[Rachel Noble]

Thank you. Last question, are you 100% confident the software and systems available to the Australian Electoral Commission for the 2022 election are fit for purpose?

We will partner, continue to partner with them but it would be unwise to sort of project into the future, we will, as I said in the lead up to that election, during and after, be working in, you know, the contemporary environment both based on the state of their systems that they in place at the time, our understanding of the threat environment that we will provide to them and we’ll work in a contemporary, agile and current environment at that time, but it would be unwise for me to provide guarantees about what may or may not happen in the future.

[Senator Roberts]

So, you don’t work with them on a regular basis more just around the elections?

[Rachel Noble]

That’s right, We’ll stay in partnership with them like we do all Australian government entities at all times, so, if we become aware of a specific threat to any Commonwealth or State and Territory or private entity for that matter, we will reach out with them and engage them on that, so, we’ll do that at any time throughout the year but we will have a particular, dedicated, focused effort with them, pre, during and after an election on top of that.

[Senator Roberts]

Okay, so, you will assess the situation at any time, and any time you might hear some potential threat and you get involved, but other than that you will only get involved just before during and after the election?

[Rachel Noble]

That’s right.

[Senator Roberts]

Thank you very much.

[Rachel Noble]

Thank you.

[Senator Roberts]

Thank you, Chair, see, it was less than five minutes.

[Chair]

Senator Patrick, you could take a leaf out of Senator Roberts’ book in relation to timeliness, but over to you.