The men who hold off Canberra's cyber siege
By Paul Ham
Sydney Morning Herald
3 December 2002

Australia's most sensitive government websites are under siege. Web saboteurs are attacking the Federal Government's most critical sites at 10 times the rate of 18 months ago, according to Brian Denehy, chief scientist at 90East, the security company that protects Australia's most important websites.

While Dr Denehy won't name his clients, 90East last year confirmed that it handles Web security for ASIO, the Cabinet Office and most government departments. Even the Defence Department has considered outsourcing Web security to 90East.

Tom Hillman, the American businessman who is a non-executive director of 90East, says: "Yes, we're actually the largest provider of security services to the government. We provide perimeter security services for their websites and networks, and we manage all the traffic, from where it emanates to where it is supposed to be received."

ASIO, Hillman says, is one of several "highly protected clients who are grouped together in a single cluster".

"The defence force is seriously looking at outsourcing their Internet security needs too. But they're all relatively sensitive about discussing it publicly," he says.

90East is the default provider of the government's most vital Internet security needs. Former Defence Signals Directorate and Australian Defence Force Academy experts manage the little private company, which counts several powerful American investors among its biggest shareholders. If you think it sounds like jobs for the old boys of the civil service, you'd be right. But they're very highly skilled old boys.

Denehy, for example, is a former government policy adviser on scientific matters. He says that each month there are up to 400,000 intrusions into government websites and that he has traced many of the "knocks at the door" to China, North Korea, and terrorist groups. "There is good evidence that al Qaeda are using the Internet to organise themselves and are using it as a research tool," he says.

"The number of website defacements has gone up by at least a factor of 10 in the past 18 months. We are now seeing hundreds reported each day, whereas two years ago a high day was in the range of 10 to 20 defacements.

"The level of routine (security) scanning has increased significantly from a year ago. Anyone who runs a personal firewall and looks at the logs will often see a probe a minute, even on dial-up lines, originating from just about anywhere.

"Some of this is due to automated activity caused by worms such as Code Red or BugBear, but there appears to be more purposeful activity."

What sort of activity? It seems that compromised machines are being used as rendezvous points for criminal activities. The US administration also believes that terrorist activities are "being coordinated via compromised machines that are discarded after short periods of use".

The Prime Minister's office alone receives more than 300,000 Internet intrusions a month, from hackers, e-mail attacks, viruses and roaming geeks with nothing better to do, according to 90East's estimates.

"All our clients get poked, prodded, scanned and attacked at all hours of the day and night, from anywhere on the Internet," Denehy says. "What we don't know is what proportion of these are compromised systems that are being used from elsewhere."

In short, 90East doesn't know the source of the hundreds of attacks its clients receive every day. Are they al Qaeda cells, or just crazed anoraks?

"To find that out will require global cooperation and more secure infrastructure," Denehy says. "One step forward would be following the ICANN (Internet Corporation for Assigned Names and Numbers) recommendation to implement egress filtering on all edge ISPs so that IP spoofing becomes less prevalent. Others would include deployment of DNS SEC (domain name system security) and stronger authentication on many of the common network infrastructure protocols, eg SMTP, but that requires a trusted DNS in the first place."
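An edge-ISP egress filter of the kind Denehy describes (the practice documented in BCP 38, RFC 2827), as an added example that is not the article's or 90East's code: the customer prefixes and the packet list are constructed for illustration.

```python
# Added example: an edge-ISP egress filter of the kind Denehy recommends, so
# packets leaving the network may only carry source addresses it owns (BCP 38).
# Prefixes and packets are constructed; not code from the article or 90East.
import ipaddress

# Blocks a hypothetical ISP has allocated to its customers (constructed, RFC 5737 ranges).
CUSTOMER_PREFIXES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Source ranges that can never legitimately appear on the public Internet.
BOGON_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_legitimate_source(src, prefixes=CUSTOMER_PREFIXES):
    """True only if src parses, is not a bogon and lies inside one of our own prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source field: never forward it
    if any(addr in net for net in BOGON_NETWORKS):
        return False
    return any(addr in net for net in prefixes)


def filter_egress(packets, prefixes=CUSTOMER_PREFIXES):
    """Split (src, dst) pairs into forwarded packets and a drop log, one line per drop."""
    forwarded, drop_log = [], []
    for src, dst in packets:
        if is_legitimate_source(src, prefixes):
            forwarded.append((src, dst))
        else:
            drop_log.append(f"DROP egress src={src} dst={dst}: not an allocated source")
    return forwarded, drop_log


# Constructed outbound traffic: two genuine customer sources, an RFC 1918 leak,
# a source outside the ISP's allocation and a malformed header field.
SAMPLE_PACKETS = [
    ("203.0.113.7", "192.0.2.10"), ("198.51.100.44", "192.0.2.10"),
    ("10.0.0.5", "192.0.2.10"), ("198.51.100.200", "192.0.2.10"),
    ("not-an-address", "192.0.2.10"),
]

if __name__ == "__main__":
    fwd, log = filter_egress(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(log)}")
    print("\n".join(log))
```

The same check applied at the ISP edge is what stops a compromised customer machine from emitting packets with a forged source, which is the spoofing Denehy wants made less prevalent.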

So what is the best we can hope for?

"The best-practice configuration now requires firewalling, hardening the operating system, configuring Web server and application according to security standards, deploying network and host intrusion monitoring and keeping fully up to date with vendor patches," Denehy says.

"There also need to be contingency plans in place for Denial of Service attacks. 24x7 monitoring is also now regarded as best practice, since the threats come from every time zone."

The merger of 90East and the hosting company PeakHour is meant to improve its ability to provide secure Web servers. In the past, 90East's federal government customers have tended to provide their own applications but that is changing.

"We are finding that attacks are becoming increasingly data-driven, that is, using allowed network protocols to provide indigestible data to applications, causing them to misbehave - hence the increasing need to secure applications," Denehy says.

"This is not to say that the old attacks have gone away, just that improvements in firewall technology have been making them less relevant."

90East is also concerned that the growing use of mobile code will soon require a new model, where firewalling, intrusion detection and configuration control will need to be built into all systems on the network, and even the network infrastructure. "The hard shell surrounding the crunchy centre will no longer be viable as a security model," Denehy says.

For this reason, 90East helps ASIO ferret out spies and subversive elements.

"There's a process established by which we inform our highly protected customers of what's going on and give them as much information as possible."

This story was found at: http://www.theage.com.au/articles/2002/11/29/1038386319087.html