It’s the most visible edifice of government and a linchpin of our democracy. No wonder the Parliament House finds itself a constant target of attacks, both online and off.
The underground carpark of Canberra’s Parliament House, which lies directly underneath the iconic water feature that’s ubiquitous on TV news broadcasts, is in disarray. Pedestrian barriers, construction residue, scaffolding and dust are everywhere as Stephen Campbell, half apologetically, escorts me past the metres-thick concrete and steel barriers that are being erected in the carpark as a security measure.
It’s ironic because this same building was, not too long ago, subject to violating and aggressive attacks against which no amount of concrete or steel could have protected it. In February 2010, notorious hacking group Anonymous — which has made a name for itself compromising the Web sites of everybody from the Department of Broadband, Communications and Digital Economy (DBCDE) and the CIA to the US Federal Trade Commission, Church of Scientology and Greek Ministry of Justice — launched a distributed denial-of-service (DDoS) attack on the Parliament House Web site in a protest against Senator Stephen Conroy’s proposed mandatory Internet content filter.
For a group trying to choose the highest-profile target possible, there couldn’t have been a more tantalising target than the Parliament House Web site, which was still running software that had been in place for nearly a decade and riddled with potential soft spots.
Part of a year-long campaign of filter protests that also included the February 2010 ‘Operation Titstorm’ scorched-earth DDoS assault on government Web sites, the attack took the site offline for 50 minutes — boosting Anonymous’ global profile and creating further urgency for a massive overhaul of the site.
Web site refresh
Even as the Parliament House Web site was brought back online, however, staff within the Department of Parliamentary Services (DPS), in which Campbell serves as director of the Project Management Office, had to front perhaps the country’s most demanding user base to explain how the attack had been possible.
The answer was, in the main, far from complex: the existing site was old, not database-driven, and built on static HTML pages with inconsistent style sheets. It carried a number of known vulnerabilities, so a successful attack was a matter of when rather than if. Unfortunately for DPS staff, the Anonymous attack came just a month after the team, along with prime contractor Fujitsu, had begun working to code a complete replacement for the site based on the Sitecore CMS.
The site being replaced had been launched in March 2002 on static HTML pages and lacked even basic modern features such as support for style sheets and banners. It had been earmarked for replacement some time earlier, having reached its end of life and proved unable to support growing demands from internal and external users who wanted features like on-demand streaming, live updates on legislation schedules and progress, better information about Parliamentarians, and so on.
Also important was the need to support a transition to mobile devices like tablets and smartphones, as well as the government-wide requirement that its site support features like WCAG 2.0 accessibility standards. “You wouldn’t have wanted to do all that on our old Web site,” Campbell offers. “It was too far gone.”
“Now, we’ve taken that next step and made sure it’s mobile and provides all the services people want. It’s all about giving our clients and the public a more interactive experience with Parliament; our ultimate goal is to provide a Web accessible tool for timely access to information about Parliament and its activities to support the Parliament, and the work of Senators and Members.”
Despite some claims to the contrary by outside parties who argued that the site was relatively simplistic, the project ultimately ended up costing $3.1 million and running twelve months over schedule before it was launched this February.
The delays stemmed not from any inherent inability to deliver, but from the need to deliver a complex and extensively integrated site experience to the satisfaction of all stakeholders while following an iterative security approach designed to prevent a repeat of the Anonymous attack. Testing may have pushed the launch date back, but political sensitivities around its security offered little alternative.
“We’re very conscious about our front page,” says Campbell. “It’s a shared page, owned by the three Parliamentary departments to provide the right information for all. It’s not a political tool — we represent the Parliament and not the view of the government or Opposition — and we need to be careful about what information is put up there.”
When your key stakeholders are the Senate and House of Representatives, prosaic notions of ‘mission critical’ deployments go to a whole new level: both groups of Parliamentarians are used to scrutinising public projects closely, and all had their own opinions about how the site should be redeveloped. Recognising this, Campbell says, the project was always run from its earliest days with extensive consultation from DPS, Senate and House stakeholders. Workshops were run to gather requirements by targeting each functional area across all three departments prior to going to market for a solution.
During the design phase, the project team — which included a range of roles from project manager and project officers to infrastructure staff, Web administrators, database administrators and others — brought design mockups to staff throughout Parliament House offices, coffee shops, and other places where people gathered.
Feedback was solicited directly from Senators and Members as well as their staff, with regular forums run to ensure everybody involved had the chance to offer their feedback on the emerging design. Usability testing was run based on personas ranging from a student to a home-owner, to a legal professional, to a member of a Senator’s or MP’s staff. Representatives of each persona were selected from rural areas as well, to undertake testing. Eye tracking capability was exercised to determine how to best present information on a Web page for maximum effectiveness.
The process also expanded to include the Parliamentary Library, which offered extensive guidance on information structures and archival requirements, and the publishing unit responsible for services like the production of Hansard records and the ParlInfo database.
As with any content management environment, tight controls over publishing rights were essential — and had to be tied in with core identity management systems capable of enforcing tightly granular control policies.
“We all share the systems and various components and content of the system,” Campbell explains. “It’s not one owner who gets control of everything, and everyone has their own opinions on how it should look or how things should be presented. Trying to come together, and to agree on a consistent view on how we do our business, was one of the challenges of the project. The key thing was the core functionality: our end goal is to ensure the proper functioning of Parliament.”
Despite a concerted plan to get the site completed quickly, getting a consensus with so many stakeholders wasn’t easy. But that turned out to be the least of DPS’ problems: by late 2010, issues with functionality and data migration — as well as a limited number of potential windows of opportunity coinciding with the off-peak times when Parliament isn’t in session — had already pushed back the delivery timeframe.
By the time Anonymous struck again at the end of that year, it became clear that there was a lot more still to be done before the redeveloped site could go live.
“The migration progress is very difficult,” Campbell explains. “When people need to continuously maintain and update the content, it’s difficult to get that content ready for us to move it over; we have to run systems in parallel, and be able to verify and validate that everything’s working.”
Ensuring the new site’s security was up to par took even longer: extensive security testing was undertaken with the assistance of DPS’ internal security team, third parties and the Defence Signals Directorate (DSD), whose security mandate includes the provision of security advice for protecting the Web site and other operational systems of DPS and other government departments through its own Cyber Security Operations Centre (CSOC).
“Even before Anonymous hit, we knew we are always up for substantial attacks because of the policies and business of Parliament being discussed,” Campbell says, noting that the DPS security team deals with an almost steady stream of minor — and unsuccessful — attempts to breach the site’s security.
“We’re under no illusion that the attacks are anything but real, and they range from a number of sources ranging from issues-motivated groups and amateur hackers to criminal organisations. Our penetration and vulnerability testing revealed a number of issues we were not satisfied with, so we implemented processes to resolve those ASAP.”
The process of security remediation was conducted in an iterative fashion, with testing revealing vulnerabilities that were subsequently fixed and re-tested. At each stage, vulnerabilities were measured and risks evaluated against the issues identified — and the process was repeated over a course of months until evaluations of potential risk had dropped to acceptable levels.
Although he’s reluctant to go into details about the specific protections introduced around the site, Campbell says that prevention against the full spectrum of attacks — including DDoS attacks, unauthorised information access and manipulation of Web page content — is all on the department’s agenda.
Remediation efforts implemented across the department’s systems include a range of firewalls and protection systems to raise alerts when set performance thresholds are exceeded; DPS and CSOC staff also worked together to proactively analyse potential threats and minimise the potential impact should such threats become real attacks.
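The article describes protection systems that raise alerts when set performance thresholds are exceeded, without saying how. As an added illustration that is not DPS, Fujitsu or CSOC code, the example below applies that idea to web-server access logs: it parses lines in the Common Log Format (an assumption; the site’s real log format is not given), counts requests per minute in total and per source address, and emits an alert whenever either count passes a threshold. The log lines and the threshold values are constructed for the example; a real deployment would tune them from observed baseline traffic.

```python
"""Threshold-based request-rate alerting over web access logs.

Added example; not code from the article, DPS, Fujitsu or CSOC.
The log format (Common Log Format), the sample lines and the thresholds
are all assumptions constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return {"ip", "minute", "status"} for a well-formed line, else None.

    Malformed lines are skipped rather than trusted, so a garbage line can
    neither crash the monitor nor inflate a counter.
    """
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "minute": ts.strftime("%Y-%m-%d %H:%M"),  # bucket key
        "status": int(m.group("status")),
    }


def detect_alerts(lines, total_rpm=40, per_source_rpm=25):
    """Bucket requests by minute and flag buckets over the thresholds.

    Returns a list of (kind, minute, ip_or_None, count) tuples:
      "total_rate"    - all sources together exceeded total_rpm
      "single_source" - one address alone exceeded per_source_rpm
    """
    per_minute = Counter()
    per_source = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_minute[rec["minute"]] += 1
        per_source[rec["minute"]][rec["ip"]] += 1

    alerts = []
    for minute in sorted(per_minute):
        if per_minute[minute] > total_rpm:
            alerts.append(("total_rate", minute, None, per_minute[minute]))
        for ip, n in per_source[minute].most_common():
            if n > per_source_rpm:
                alerts.append(("single_source", minute, ip, n))
    return alerts


def build_sample_log():
    """Constructed sample: six background requests per minute for four
    minutes, plus a burst of 50 requests from one address in the third
    minute, plus one malformed line. Addresses are documentation ranges.
    """
    background_ips = ["198.51.100.4", "198.51.100.9", "192.0.2.33",
                      "192.0.2.71", "198.51.100.12", "192.0.2.5"]
    lines = []
    for minute in range(4):
        for i, ip in enumerate(background_ips):
            lines.append(f'{ip} - - [14/Feb/2012:10:0{minute}:{i:02d} +1100] '
                         f'"GET /page{i} HTTP/1.1" 200 4096')
    for sec in range(50):
        lines.append(f'203.0.113.7 - - [14/Feb/2012:10:02:{sec:02d} +1100] '
                     f'"GET / HTTP/1.1" 200 5120')
    lines.append("this line is not a valid log record")
    return lines


if __name__ == "__main__":
    for kind, minute, ip, count in detect_alerts(build_sample_log()):
        print(f"ALERT {kind}: {minute} {ip or '(all sources)'} {count} requests")
```

Per-minute buckets are the simplest form of the check; a sliding window or a per-path counter is a small extension, and in practice the thresholds would be set a comfortable margin above the site’s measured peak (for this site, sitting days) so that legitimate bursts do not page anyone.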
“We’re all looking out for each other to make sure we’re following best practice and doing the right thing,” says Campbell. “Our focus is on security and that was the cause of some delays. We’ve got to protect the Parliament.”
This focus on security contributed to pushing out the delivery of the site, since each stage in the cycle of feedback around the site’s design required security to be re-evaluated. Even after the site went live on a test basis in the middle of 2011, it continued to go through numerous iterations as the security team continued hunting down and stamping out potential issues.
“Because it was a long design process, the security testing took a lot longer than we expected,” Campbell explains. “We were never going to push out a poor quality subsystem; we wanted a quality system and we wanted a secure system. As with any security I’m not sure you can eliminate the risks, but we are undertaking as many measures as we can to ensure that it’s protected.”
Bringing it all together
Given the growing demands on the Web site, an upgrade of the software wasn’t the only change on the cards: the DPS team had to plan and execute an upgrade of the site’s back end, ensuring — as with its other key operational systems — that it had adequate network and server capacity to meet heavy periods of demand.
“We’re coming off 12 year-old technology, so we need to make sure we have the right bandwidth, equipment and redundancy to be able to maintain that,” says Campbell. “There’s more content and more information out there, and more of it is in real-time than ever.”
Thanks to its uncompromising approach to security and the constant involvement of its many stakeholders, the many facets of the Web site rollout pushed through to the end of 2011 and the site was finally brought live during Parliament’s February 2012 break period.
Completion of such a major project brought many sighs of relief across all three Parliamentary departments, and Campbell says the iterative and consultative approach taken by the department was crucial to making this happen. “It’s critical that the business areas are engaged from the word ‘go’,” he explains.
“They need to understand exactly where things are headed, and communication with them is essential because changes to the way they do business can be difficult for a lot of users. From a security perspective, it was key to put as much attention in beforehand to ensure the right outcome.”
So far, the site’s design is holding up well, with Campbell reporting strong positive feedback from the public and from interested government agencies. Parliament became a focus for national attention during February’s government leadership contest, and the subsequent resumption of Parliament has put the site into full swing.
Ideas for new tweaks and small patches for the site are emerging all the time, and DPS maintains its working relationship with CSOC to regularly review the current security profile of its Web site and all of its other systems. “We’re trying to be on the front foot so that when we identify anomalies, we can get on top of them,” Campbell says.
Anonymous has subsequently become a high-profile target itself, with 25 alleged members recently arrested in Interpol raids across Europe. But that’s small comfort for the DPS team, which knows there are myriad other barbarians at the gate just waiting to discover or exploit a weakness in the system.
Campbell, however, is quietly confident the DPS team has done everything it can to keep them from breaching the site’s walls again: “As with any risk, we put in place as many measures as we can to minimise the chances of those breaches happening — but there are some pretty smart groups out there. You don’t want to be on the front page of the papers; you just want to do things right. And if you can transition a system without it being noticed, that’s the best thing.”