Australian Signals Directorate director-general Rachel Noble has defended advice given by the agency in 2021 when use of Chinese-linked surveillance cameras was left up to individual government departments and entities.
Subscribe now for unlimited access.
$0/
(min cost $0)
or signup to continue reading
The late Labor senator Kimberley Kitching asked the intelligence agency whether Hikvision and Dahua cameras should be prohibited from use in Australian government buildings on November 5 2021.
Senator Shoebridge read out the advice given at that time in a Senate estimates hearing on Wednesday: "Vendor choice is a matter for individual government departments and entities. ASD provides technical advice and assistance including supply chain guidance, which is available on cyber.gov.au.
"And you said, 'ASD has published guidance on identifying supply chain risks, which is available on cyber.gov.au.'"
The senator called on the intelligence agency to take responsibility for the continued risks posed by Hikvision and Dahua cameras since that advice was issued.
"Considering the risks of these products that were brought clearly to your attention, they have been operating on defence facilities and the Attorney-General's Department throughout the government for over a year and two months, because you didn't provide the timely advice that was sought," he said.
"The ASD has been given a huge budget to provide advice on cyber risks by the Australian government, has been given enormous responsibilities," Senator Shoebridge said in the hearing.
"And on this occasion, when the products that have now turned out to have such significant risks, that they've had to be removed from every part of the Commonwealth government's operations."
"When you were specifically asked for the advice you just dodged the question didn't you?"
Ms Noble said the agency had not dodged questions and had fulfilled its role in this advice, as well as through "quite a number of public advisories" on the cameras, which she had also referred Senator Kitching to in 2021.
"ASD has fulfilled the role required of it to provide technical advice about the threats of internet-of-things devices, as I said before supply chain guidance and so on." she told Senator Shoebridge.
"And I believe that we have acquitted our responsibility in that regard."
READ MORE:
"I said then what I've just said to you tonight, that ultimately, the choice of equipment and vendors is a matter for individual government departments and I referred Senator Kitching at the time to the guidance that I've referred to tonight, that can be found on our website," Ms Noble said.
The Greens senator also interrogated why the advice did not provide a threat assessment of the cameras, though then-Senator Kitching had asked for one.
Ms Noble pointed to guidance published on the ASD website, referred to in the 2021 response, which provided that threat assessment.
An alert published on the website in September 2021, identified Hikvision products as "critical" status.
"A vulnerability (CVE-2021-36260) has been identified in certain Hikvision products. Hikvision is a popular manufacturer of internet protocol cameras sold under the Hikvision brand," the alert stated.
"This vulnerability could allow a cyber actor to take full control of the vulnerable device. The cyber actor could then access device functionality or target other devices on the same network in order to steal information or install malware."
The alert notified Australian users to ensure the cameras were not able to be accessed from anywhere on the internet.
The Canberra Times did not find an alert for Dahua products.