When Australia announced it was setting up a new cyber security centre earlier this year, computer screens in the Australian Signals Directorate’s (ASD – formerly Digital Signals Directorate, DSD) Cyber Security Operations Centre were clearly visible. Are national security agencies underestimating the threat posed by visual data capture?
There was a media melee when the then-Prime Minister Julia Gillard visited her government’s premier security agency last January. Press and TV crews had been afforded rare access to the facility. Whilst reporting their PM’s words of praise for the agency and her pride in announcing new cyber security initiatives, video crews were able to capture agency computer screens. They are clearly visible on the official news footage.
As one commentator recently posted on LinkedIn: “The video … doesn’t appear to show any privacy filters on the screens, despite the high likelihood that at least some of the information normally present is sensitive. Content displayed on the screens for the cameras was nice ‘wall papers’ that I can only assume someone had approved.”
Australia boasts it is the Commonwealth authority on cyber security, yet its 35 Strategies to Mitigate Targeted Cyber Intrusions focus exclusively on high-tech solutions. However, the official government Information Security Manual does refer to the issue, advising agencies to:
- “Prevent unauthorised people from observing systems, in particular, displays and keyboards.” Blinds or drapes should be used where there is potential for observation through windows.
- Apply privacy filters to the screens of mobile devices, mitigating risks from shoulder surfing.
- “Ensure personnel are aware not to access or communicate sensitive or classified information in public locations, unless extra care is taken to reduce the chance of being overheard or having the screen of the device observed.”
Perhaps the ASD could re-assert its world infosec leadership by promoting these low-tech, low-cost and low-effort solutions, too. Widening provision of screen privacy filters from mobile to office devices would make a good start.