Former cyber chief warns shipbuilding programs at risk
A former cyber security adviser warns Australia’s $90bn program could be at risk through theft or sabotage of data held by supply-chain firms.
Former national cyber security adviser Alastair MacGibbon has warned that Australia’s $90bn naval shipbuilding program could be at risk through theft or sabotage of data held by supply-chain firms working on the new submarines and frigates.
The former head of ASD’s Australian Cyber Security Centre said thousands of small and medium suppliers to the big defence contractors were prime targets for state-sponsored hackers looking for weaknesses in the next-generation naval platforms. “(A cyber attacker) may not need to compromise all the aspects of a weapons platform or system to understand enough about it to work out how to counter it,” Mr MacGibbon said. “It might be they are after just one aspect of the design of a multi-generational platform. Or they might do something to alter the integrity of the information.”
In a wide-ranging interview, Mr MacGibbon said cyber security failure represented an “existential threat” to Australian society. He said China was the “most audacious” state sponsor of malicious cyber attacks followed by Russia, Iran and North Korea.
Days after Home Affairs Minister Peter Dutton lashed out over Chinese hacking and intellectual property theft, Mr MacGibbon warned that mining companies, universities, utilities, health companies and defence contractors were among the biggest targets for cyber attackers. He also predicted it was only a matter of time before someone died from a cyber intrusion, as power companies, industrial plants and cars were connected through the “internet of things”.
Mr MacGibbon is the chief strategy officer of a new private-equity backed company bringing together 400 of the nation’s top cyber professionals.
CyberCX is headed by former Optus Business managing director John Paitaridis and merges 11 leading cyber security businesses under an umbrella organisation.
It is the biggest venture of its kind in Australia and will work with government and the private sector to protect critical systems and intellectual property.
The threat to Australia’s sovereign shipbuilding industry was brought home late last year with the hacking of Perth-based shipbuilder Austal, the designer and builder of the US Navy’s Littoral Combat Ship and the Guardian-class patrol boats being gifted to Pacific nations.
Cyber attackers accessed ship drawings and designs, with some of the information offered for sale on the dark web in an apparent extortion attempt.
Mr MacGibbon said while defence giants were more able to deal with cyber risks, the $50bn Future Submarines and $35bn Future Frigates projects could be compromised through smaller engineering, component and technology suppliers.
“The defence supply chain is complex,” he said. “You don’t need to compromise the entire project to have an effect.
“We need to protect all aspects of the supply chain from the (prime contractors) down. And there is no doubt that the complexity of that supply chain, and sometimes the quite small nature of the specialised firms that provide services in that supply chain, need to be protected — probably to the same level that the primes are. That’s the vexing issue — you can’t have any points of weakness in the supply chain.”
As a hypothetical example, he said a state-sponsored hacker could “alter the dimensions of the steel that gets cut”.
France’s Naval Group is already dealing with 1500 Australian-based companies in a bid to source local components for the promised 12 Attack-class submarines that will come into service between 2035 and 2057. That number is likely to rise to about 4000 before the final suppliers are selected.
Future Frigates contractor BAE Systems will engage an estimated 1500 Australian suppliers as it builds nine Hunter-class anti-submarine ships.
Defence Minister Linda Reynolds said her department was “acutely aware” of evolving cyber threats and was working with security agencies and international partners to counter them.
She said Defence required suppliers working on weapons systems or providing security services to have minimum cyber security practices under the Defence Industry Security Program.
Naval Group was unavailable for comment, but BAE Systems said cyber attacks posed a “continuing threat”.
Join the conversation
Keating takes swipe at AUKUS ministers meeting
Former prime minister Paul Keating has slammed the AUKUS alliance partners for failing to respond to concerns about the future of Australian military sovereignty.
Read more
Unis warned on menace of foreign spies
ASIO has told universities to hire security escorts for foreign scientists and academics, and keep gifts out of high-security zones to safeguard research from espionage.
Read more