Recent cyber attacks on the US election are a “salutary warning for Australia”, with the federal government “blind to the threat” of an attack on democratic institutions, shadow assistant minister for cybersecurity Tim Watts says.
Speaking in Parliament last week, Mr Watts said news of cyber attacks on the 2020 US Presidential election by Iranian-based hackers should serve as a wake-up call for Australia.
The FBI this month revealed that registered Democratic voters had received emails threatening violence that purported to be from the far-right group Proud Boys. According to the agency, hackers based in Iran had spoofed the email domain used by the Proud Boys, with the data potentially obtained from government voter registration data.
The federal government isn’t doing enough to prevent a similar attack on non-government democratic institutions in Australia, Mr Watts warned.
“There are currently no institutional frameworks to build resilience against foreign interference through cyber attacks on non-government democratic institutions. An Iranian Proud Boys-style attack would be easily replicable in Australia via attacks on the IT infrastructure of Australia’s political parties,” Mr Watts said.
“When the vector of this threat is a hack-and-leak campaign against these targets, the government is blind to the threat. As a result, these non-government democratic institutions are left to face advanced persistent threats from sophisticated state-based hackers largely on their own. It’s not a fair fight, and the stakes couldn’t be higher.”
While the IT systems of Parliament House and the AEC are considered to be critical infrastructure, the IT systems of political parties are not.
The four major parties received funding in 2017 and 2019 to improve their cyber security and implement the ASD’s mitigation strategies, but Mr Watts said there needs to be an ongoing institutional framework to build resilience in these organisations.
“While government security agencies provide robust cybersecurity protections for their parliamentary email systems, these protections stop when MPs use private email systems, social media accounts, CRMs, privately-hosted websites and smartphone apps,” he said.
“The cyber-resilience of these non-government democratic institutions falls through the cracks of our current arrangements.”
There needs to be more work to proactively protect these institutions from cyber attacks, Mr Watts said.
“There’s no capacity-building program for our democratic institutions, no targeted cyber hygiene training, no real-time sharing of threat intelligence and no assistance with vulnerability assessments,” he said.
“Nor are there any public awareness campaigns on the nature of this threat to our sovereignty or any clear institutional responsibility for identifying and informing the public about cyber-enabled foreign interference.”