If there was one event in 2016 that characterised Australia's total lack of preparedness against cyber attacks, it was the epic failure of the Census on August 9.
The Australian Federal Police is still investigating who was responsible for the attack on the nation's first e-Census.
More Digital Life Videos
Portrait of a cyber attack
How would a cyber attack impact upon a major Australian city?
Alastair MacGibbon, special adviser to the Prime Minister on cyber security, in his review of the events surrounding the e-Census debacle, hints it may never be clear: "Attribution of malicious actors online is difficult and denial of service incidents are hard to trace."
MacGibbon's 91-page report explains in detail how one of the government's once most-respected agencies, the Australian Bureau of Statistics, together with technology giant IBM, failed miserably on Census night.
While no individual's data was compromised – once breaches were discovered ABS did make the right move and shut down the site for almost 43 hours – it left Australians with a bad taste.
The public, already edgy about sharing detailed personal and financial history online, had now effectively been told they had a right to worry.
Cyber attacks – from state-sponsored criminal activities by nations attempting to gain intellectual property or political advantage, to organised crime syndicates and individuals looking to profit from stealing peoples' information, to ideologically-driven "hactivism" – are real and constant.
Telstra chief executive Andy Penn says: "We get to see the scale of cyber activity every day and it is pretty frightening."
He told the Sir Edward Weary Dunlop Lecture at the annual Asialink dinner in November that greater connectivity – while a positive force in many ways – had also lowered barriers to crime, espionage and protest.
As a result, "mistakes can happen at a pace and at a scale that is unprecedented".
Major cyber attacks in 2016
Illustration: Simon Bosch
There's no shortage of major cyber attacks across the globe wreaking damage.
This year alone we've seen one of the most damaging cases of Distributed Denial of Service (DDoS) – an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources – against New Hampshire-based web company Dyn, which controls much of America's internet infrastructure. It led to outages of major websites such as Twitter, Airbnb, Amazon, Reddit and The New York Times to name a few.
We've seen Yahoo! admitting to one of the largest data breaches of all time. The company was hacked by a state-sponsored actor in 2014, with more than half a billion usernames and passwords of its customers stolen.
We've seen US intelligence agencies blaming the Russian government for leaking emails stolen from senior Democrats in an attempt to influence the US election (the Obama administration later confirmed the results "accurately reflect the will of the American people").
We've seen a data breach of major Indian Banks – an estimated 3.2 million debit cards compromised, resulting in the country's banks announcing the blocking and replacement of almost 600,000 debit cards.
Lack of public confidence lingers
The ability to wreak this sort of real damage via the online world – 90 per cent of Australians will be online by next year and by 2019 it's expected that the average Australian household will have 24 devices – is why Prime Minister Malcolm Turnbull in April launched Australia's Cyber Security Strategy.
The government will invest $230 million over four years, with the strategy confirming that resources have already gone into "offensive cyber capabilities". But it's just a first step in a long battle.
MacGibbon, a former AFP agent who was also Australia's first Children's eSafety Commissioner, got appointed as Turnbull's cyber security adviser a month after the launch of the strategy.
He says the lack of confidence created in the aftermath of the e-Census will linger unless government and business collaborate, and ordinary Australians become more cyber-savvy.
"We've got to get our house in order," MacGibbon tells Fairfax Media. "We really need to step up."
His biggest concern is that the impacts of cyber security threats are not well understood. This, he says, is largely because until recently the conversation was being held by technical experts in their own vacuum.
The language surrounding the issue is seen by most as too complicated, and many stakeholders including media, misuse definitions, such as calling the e-Census a "hack".
In fact the e-Census was hit with a DDoS attack, not a hack per se, but such a tactic can be used as a cover to divert attention and resources so hackers can get in.
MacGibbon says: "We all know what a murder is," now it's time we know the difference between hacking and denial-of-service attacks.
"We've got to stop being so generic," he says. "We have to be specific [in order to] categorise and talk about what actions to take."
The good news, is that "in 2016 we [Australians] are much more open and engaged".
MacGibbon's job now is to ensure there's everything from closer information sharing between industry and government, greater education of the cyber threat for individuals and small business, to developing actual cyber defence systems.
Australian agencies hit
Cyber security adviser Mike Burgess. Photo: Ben Rushton
Reports flow in almost daily of scammers targeting Centrelink, the Department of Immigration, the Department of Human Services and the list goes on.
If the e-Census was not bad enough, on October 31 as thousands of taxpayers were trying to log on for the end of self-lodgements for tax time, cybercriminals launched another denial-of-service attack on myGov.
And as Penn alludes, the nation's largest businesses from the big four banks, to energy and utility companies to the major telcos are fighting threats on a second-by-second basis.
To date, business has been reluctant to talk about the threat for fear of brand damage. This is now changing with boardrooms now recognising that cybercrime is today's top threat to business.
Telstra's former chief information security officer Mike Burgess, who is now a strategic cyber security adviser to business and government, says for too long business has viewed cyber as an IT risk. "They need to understand it's actually a business risk," he says.
Non-executive directors of major company boards are seeing it that way, he says, now every other business also needs to.
"The real thing I would like to see government do more of is help SMEs and normal people," Burgess says. "We have road safety campaigns so why not have cyber security campaigns?"
The consensus from cyber security experts is while the top end is paying attention, smaller businesses and individuals are not.
Cybercrime No.1 economic crime
Australia post CEO Ahmed Fahour. Photo: Eddie Jim
Cybercrime is now the No.1 economic crime in Australia.
Between July 2015 and June 2016, CERT Australia – which sits within the Attorney-General's department and is the main point of contact for cyber security issues affecting Australian businesses – responded to 14,804 cyber security incidents, 418 of which involved systems of national interest and critical infrastructure.
PwC Australia national cyber leader Steve Ingram, who previously headed fraud and security management for the Commonwealth Bank, says cyber attacks happen all the time. "It's prolific," he says.
According to a recent PwC survey of almost 6400 organisations across 115 countries, Australians are now experiencing a significantly higher rate of economic crime than the rest of the globe.
PwC found 65 per cent of Australian organisations experienced cybercrime in the last 24 months with more than one in 10 reporting losses of more than $1 million (compared to the global average of 32 per cent).
Yet the threat is severely underestimated by Australians. Only 42 per cent of Australian organisations have an operational incident response plan and just 40 per cent described their first responders as fully trained.
Ingram also uses a road safety analogy to demonstrate how totally unprepared we are. Decades ago people got into cars and drove without a seat belt.
"You would not [now] take your family on the road with those risks, but we happily go down the information superhighway undertaking those risks."
While "we're not going to stop state-sponsored" activity, a national cyber security strategy will make it harder for hackers and general criminals operating in cyber space.
It will, he says, allow better intelligence sharing between the public sector and the private sector, which he says, to date has been lacking.
"If I am a repeat drink-driver in Victoria, that information will get shared with NSW," he says. "We need to get to the same place [with cyber attacks] ... Business can't solve this on their own."
Australia post chief executive Ahmed Fahour also believes the cyber threat is underestimated. Speaking at an American Chamber of Commerce in Australia business lunch in Melbourne this year, he said Australia should learn from the failed e-Census.
Denial of service attacks were so frequent that big companies viewed them as "just part of the usual business".
Australia Post was investing in new technologies such as blockchain to help fend off hackers and protect people's data.
Cat and mouse game
But for every new-edge system aimed at beating cyber crime, another is developed to circumvent it.
It's all a "cat and mouse" game says Intel Security's APAC vice-president Daryush Ashjari.
He says ransomware – a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid – is more prevalent than ever.
"It's a lucrative business," he says, and one of the most common attacks against business and individuals.
More worrying is that what used to be the domain of smart criminals, is now in the hands of, well, just criminals, who can purchase ransomware off the internet.
"You can even get the bad guys to build and execute ransomware for you and charge you a fee. For example they say, 'if you have $20,000 we can target Westpac's high-net customers'."
For too long, Ashjari says, businesses have viewed security as an afterthought. "But it needs to be incorporated in the design of business architecture." He says the big companies already ensure that. But for SMEs it's a harder battle.
He says the majority of organisations work in isolation; they deploy "silent products". The national Cyber Security Strategy could bring all this intelligence in a central point, which everyone can draw on.
Big banks constantly attacked
Even the most sophisticated systems can be useless if there's human error.
ANZ's head of financial crime Guy Boyd says the government needs to educate individuals about becoming more cyber-savvy.
The biggest challenge for Australia, he says, is the creation of a digital identifier for every individual across the country. This "would give a degree of trust that confirms you are who you say you are [in the digital world]".
Boyd says new cyber scams aimed at banks originate on a daily basis from hackers as well as state-sponsored criminals.
A report released by financial data business Veda in November revealed a hefty rise in cybercrime and fraud this financial year, particularly identity theft. It found the use of stolen identities in fraud events has risen by 80 per cent in the year to June 2016, with 57 per cent of credit application fraud now occurring online.
And Australian Payments Clearly Association figures found that fraudulent payments cost the Australian banking industry $469 million last year, a 13 per cent rise. A key reason for this increase was a lift in fraud where stolen card details are used online to make unauthorised transactions.
Boyd says the most common way criminals try to target the bank's customers is via a phishing email. It attempts to convince the recipient of the email to click on a link – purporting to be from the ANZ Bank – but that actually is designed to give the hacker a way into their bank accounts, gain control and steal money.
None of the companies interviewed by Fairfax Media could give too much detail about what they are doing to protect data, but Boyd says the bank has spent millions on sophisticated authentication tecnology as well as systems that monitor anomalies in customer behaviour.
Like its competitors, Commonwealth Bank is spending millions annually to ensure it has "up-to-date with sophisticated detect, prevention and defence systems", says its chief information officer David Whiteing.
But no company can fight on its own, Whiteing says. Cyber security is, he says, a "shared responsibility" and business needs government to help.
He also wants industry and academia to work together to address Australia's cyber security skills shortage. A recent survey of 775 global IT professionals by Intel Security, in partnership with the Centre for Strategic and International Studies found compared with France, Germany Israel, Japan and Britain, the cyber skills shortage is most acutely felt in Australia.
8000 cyber specialists required, today
To even begin to have cyber capability we need 8000 new cyber security specialists hired today, says Professor Greg Austin, from UNSW's Australian Centre for Cyber Security.
He says US President Barack Obama this year declared, for the second time, that the cyber threat was a national emergency.
"If the world's No.1 military power and technology power has made that assessment and backed that up with a number of policy decisions in the past year, we should take our understanding from that," Austin says.
The 2016 cyber threat report published by the centre "made it quite clear that most Australian agencies do not have advanced cyber security". He says several ANOA reports have drawn similar conclusions.
"The Australian government believes that most agencies aren't prepared for top 15 per cent of threats – that is, those which are the most serious," he says. "If anyone does decide to attack us most organisations are vulnerable".
Austin wants the federal government to set up a cyber security force – special forces have been deployed in other areas such as Operation Sovereign Borders that was aimed at stopping maritime arrivals of asylum seekers – to defend against the threat of cyber warfare.
He also notes that the cyber security strategy report gives different estimates of the potential cost of the cyber threat – in one section the $1 billion figure is used and in another it's as high as $17 billion.
"If the government cannot be more precise about the scale of the threat, then we the public don't know if they're spending enough to prevent it," he says.
"We need more information in the public domain to have confidence. We also need the best brains behind it."
An immature region?
Tim Wellsmore served in government cyber organisations before joining FireEye, where he is director of threat intelligence and consulting.
He says in general Australian organisations are "very immature" in their cyber capability. "It takes on average 520 days for enterprises in the Asia Pacific to realise they've been compromised," he says. "Theres nothing you [a cyber criminal] can't achieve in 520 days."
He also notes that state-sponsored activity is no longer the topic of Hollywood movies. The new reality is "Russians bringing down another nation's democratic process," he says referring to attempted hacking during the recent US election.
"That's a big step forward in the Russian agenda to influence democratic processes," he says. "If we start to have strong opinions of anti-Russian sentiment, I wouldn't be surprised if you see that type of activity in Australia."
More worrying is the next step: targets of gas lines, power grids, control of industrial systems. The Australian government has started asking the questions, he says, "but there's not a lot of confidence" in whether it could defend against such attacks.
"There are vulnerabilities," he says, noting that Chinese-state sponsored attacks against Australia have and will continue to happen. The motivation behind them? For now: "Understanding IP data sets."
Weapon of mass destruction
Israel's former head of national security Yaacov Amidror. Photo: Eddie Jim
Asked if the cyber threat is bigger than the threat of terrorism, Israel's former national security adviser Yaakov Amidror says: "Cyber is only a threat because it's something new that people don't have the ability to understand the consequences of."
Amidror, who was recently in Australia to talk about how the two countries can share intelligence in the cyber space, says, "unlike mass destructive weapon systems that only states can build and have ... cyber can be used by any smart group of people".
And imagine that smart group of people is a government wanting to launch cyber warfare?
The now well-known computer virus dubbed Stuxnet, which was in 2007 deployed jointly by the US and Israel to destroy Iranian centrifuges used to process uranium at its enrichment facility at Natanz, is seen by some as the first step. (Iran later responded with cyber intrusions on US banks.)
As a recent documentary called Zero Days by Oscar-winning documentary filmmaker Alex Gibney highlights, Stuxnet was the launch of the world's first digital weapon.
Amidror did not discuss the repercussions of Stuxnet with Fairfax Media, simply saying it was used as an "offensive" strategy. But there's no doubt that Stuxnet proved what many had feared: nation states can wreak physical destruction.
If China, Russia, North Korea and Iran are among the nations suspected to be the most active in launching daily cyber crime intrusions against government, business and people in Australia, should we be taking this more seriously?
Amidror refers back to his own nation's experience when answering such questions. "It's not a cyber question," he says. "It's a political question." (In November the Australian government appointed Tobias Feakin as Australia's Ambassador for Cyber Affairs whose job no doubt is to deal with political questions.)
Amidror says a few years ago Israel's Prime Minister Benjamin Netanyahu launched a national cyber security strategy, Israel decided that its agency will be "covert in that we don't announce what we're doing – what measures will be taken to defend infrastructure".
But he says that doesn't mean business and government shouldn't collaborate. "If they [business] don't talk about what's happening no one can help them. At the end the price will be so high...The good people should co-operate because the bad people are co-operating."
28 comments
Comment are now closed