After pinning the cost of keeping Australia’s COVIDSafe app running at AU$100,000 a month in March, DTA CEO Randall Brugeaud has said the agency is almost halving its previous estimate.
“I estimated AU$100,000 per month to host COVIDSafe at the last hearing, that has ended up at AU$75,094.98 per month. And we’ve made a number of performance improvements to the app over the last couple of months, which should see that sitting at about AU$60,000 per month from the first of July,” he said on Monday.
“There’s been a range of tuning efforts that we’ve applied, quite considerable improvement on the backend, which is the COVIDSafe National Data Store and how the data is stored as the app is in operation.”
The total cost to build and operate the app was now sitting at AU$7,753,863.38 including GST, the DTA CEO said. To the end of January, that figure was AU$6,745,322.31.
“That includes a combination of development, which is the actual build of the app, and the hosting of the app. So the breakdown is, for the development of the app, AU$5,844,182.51 and the hosting is AU$901,139.80,” Brugeaud said in March.
On Monday, Brugeaud also said the app had picked up 567 close contacts not found through manual contact tracing, a large increase on the previous number of 17 contacts, and that there had been 779 uploads to the National Data Store since its inception last year.
When introduced, Prime Minister Scott Morrison said the app would be digital sunscreen.
DPS attackers tried to brute-force MobileIron kit
Providing a little more detail on the March outage at Parliament House, Senate President Scott Ryan said the MobileIron equipment in the parliamentary network was targeted.
“A malicious actor sought to access DPS network accounts through MobileIron devices using unsophisticated, brute-force tradecraft. The malicious activity lasted just under 24 hours. It was unsuccessful, and DPS networks were not compromised,” Ryan said on Monday.
“Appropriate network controls were implemented, which ensured that accounts were locked down, preventing compromise. Those controls were successful in blocking the malicious actor but also impacted legitimate users’ ability to access DPS networks for several days while even more rigorous IT security arrangements were implemented.”
Those controls involved taking the existing solution offline and putting into production an MDM system that had been in pilot.
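The trade-off Ryan describes, a lockout control that stops a brute-force run but also shuts out legitimate users, as an added illustration in Python (not DPS or MobileIron code): a per-account failed-login threshold applied to a constructed authentication log. The log format, IP addresses, account names and thresholds are assumptions for the example.

```python
"""Threshold-based account lockout over a constructed MDM-style auth log.

Added illustration, not DPS or MobileIron code. A guessing run against an
account trips the lockout, and the account's real owner is then turned
away too, which is the usability cost described in the hearing.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp account source result" (assumed format)
SAMPLE_LOG = """\
2021-03-27T01:00:01 alice 203.0.113.5 FAIL
2021-03-27T01:00:03 alice 203.0.113.5 FAIL
2021-03-27T01:00:05 alice 203.0.113.5 FAIL
2021-03-27T01:00:07 alice 203.0.113.5 FAIL
2021-03-27T01:00:09 alice 203.0.113.5 FAIL
2021-03-27T01:00:11 bob 203.0.113.5 FAIL
2021-03-27T01:00:13 bob 203.0.113.5 FAIL
2021-03-27T01:05:00 alice 198.51.100.9 SUCCESS
2021-03-27T01:30:00 bob 198.51.100.7 SUCCESS
"""

def parse(log_text):
    """Turn the constructed log into (timestamp, account, source, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, account, source, result = line.split()
        events.append((datetime.fromisoformat(ts), account, source, result))
    return events

def apply_lockout(events, threshold=5, window=timedelta(minutes=10),
                  lock_for=timedelta(minutes=30)):
    """Return (locked_until, blocked_legitimate, flagged_sources).

    An account locks once it has `threshold` failures inside `window`; any
    SUCCESS while locked is recorded as a legitimate login that was blocked.
    Sources that caused `threshold` or more failures overall are flagged."""
    fails = defaultdict(list)      # account -> timestamps of recent failures
    locked_until = {}              # account -> time the lock expires
    source_fails = defaultdict(int)
    blocked = []
    for ts, account, source, result in events:
        if account in locked_until and ts < locked_until[account]:
            if result == "SUCCESS":        # owner turned away by the lock
                blocked.append((account, source, ts))
            continue                       # nothing else counted while locked
        if result == "FAIL":
            source_fails[source] += 1
            recent = [t for t in fails[account] if ts - t <= window] + [ts]
            fails[account] = recent
            if len(recent) >= threshold:
                locked_until[account] = ts + lock_for
                fails[account] = []
    flagged = {s for s, n in source_fails.items() if n >= threshold}
    return locked_until, blocked, flagged
```

Running it on the sample locks `alice` after five rapid failures, flags the single guessing source, and records her own later login as blocked, while `bob`, who stayed under the threshold, is unaffected.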
“While the outage did cause significant inconvenience, the Department of Parliamentary Services put significant effort into implementing a new mobile device management system in a very short period of time. This migration had been planned well before the incident, but it was to be implemented over a three-month period,” Ryan said.
“DPS staff migrated most email data to new services over the course of just three days between 27 and 31 March. Contrary to media coverage, the complexity of the migration did not extend the outage.
“14 technical staff across different IT disciplines worked over the Easter long weekend to ensure the remaining migration and to provide support to parliamentarians and other users who needed assistance.”
Acting secretary of DPS cybersecurity branch Gary Aisbitt said within “several hours of identifying that we were under attack”, the department had put mitigations in place to prevent “any more potential intrusions”.
Under questioning from South Australian Senator Rex Patrick, Ryan tried to spell out the difference between the cyber realm and regular old household burglary.
“We need to accept that such a prominent network as this is not like your house being burgled, because you don’t expect your house to be burgled every hour,” Ryan said.
“In this particular world, the idea of comparing it to a break-in of your house and reporting it to the police is simply not realistic. We work with the authorities and agencies extensively to protect the network. Protection of the network is paramount. Secondary is usability of the network.”
Ryan added that there was no "great deterrent" against cyber intrusions, as there was no shortage of actors trying to access the DPS network.
“There is incredible resourcing that goes into protecting this network. The agencies are actually very happy, given what happened several years ago, about what this network does, its capabilities and how it protects itself,” he said.
“While it was an unsophisticated, brute force type of attack, there was no penetration of the network.”
Ryan reminded the committee that the use of an unsophisticated approach did not mean the actor was unsophisticated.
In February 2019, it took eight days to remove malicious actors from the DPS network.
“While I do not propose to discuss operational security matters in detail, I can state that a small number of users visited a legitimate external website that had been compromised,” Ryan said at the time.
“This caused malware to be injected into the Parliamentary Computing Network.”
Since then, Aisbitt said, DPS has stood up a cybersecurity operations centre.
“It’s a very capable cybersecurity operations centre,” he said.
“Our role is to initially triage and have a look at those incidents ourselves. We get a number of attacks — for want of a better term — and they happen regularly. We triage these and at some point we decide whether we need to notify the ACSC and seek their assistance, and that occurs as par for the course.”