Thousands of significant cyber incidents hit Australian organisations

Australian business and government are a target for malicious cyber activity, with the nation’s 2016 threat report identifying more than 15,000 significant incidents.

The Australian Cyber Security Centre’s (ACSC) 2016 threat report, the second produced by the centre since it was established, said it remained challenging to assess the full impact of cyber crime on Australia because it relied on voluntary self-reporting.

The government’s bill to amend the Privacy Act in order to mandate serious data breach notification is slated to be introduced and passed (it has bi-partisan support) by parliament in the near future, but for the time being, the ACSC said: “High levels of misreporting and under-reporting make it difficult to accurately assess the prevalence and impact of cyber crime.”

To assess the scale of the problem in the private sector, the ACSC has relied on data from callouts to CERT Australia, the national first responder to cyber incidents, which responded to 14,804 incidents from the private sector in the year to the end of June. Of those incidents, 418 involved systems of national interest and critical infrastructure. The energy, banking and finance, and communications sectors were targeted the most often.

Meanwhile, between January 2015 and June 2016, the Australian Signals Directorate was involved in 1,095 security responses to incidents on government systems, including a damaging penetration of the Bureau of Meteorology’s computer system by a foreign intelligence service in which data was stolen.

Despite the clear and present threat, the report said that to ensure corporations remained alert to the issue, the language surrounding computer security problems needed to be toned down and incidents should be referred to as “malicious cyber activity” launched by “cyber adversaries” rather than attacks by hackers, which tended to sensationalise the issue.

A cyber attack, meanwhile, was defined as “a deliberate act through cyber space to manipulate, disrupt, deny, degrade or destroy computers or networks or the information resident on them, with the effect of seriously compromising national security, stability or economic prosperity”.

This year’s ACSC report again confirms the extent of the problem and profiles a series of malicious incidents.

In one case, an adversary gained access to an unnamed government network using malicious Microsoft Office macros. And in the financial sector, a domain controller was compromised and had been communicating with malicious domains for at least a year before detection. Elsewhere, a critical infrastructure provider found a cyber adversary had used legitimate credentials belonging to a staff member and a contractor to effect a systems compromise.

Although in that last case the offshore suspect was identified and subsequently arrested, incidents point to the growing challenge of dealing with the “insider threat”, according to Keith Lowry, senior vice-president of Nuix, a global provider of security services, headquartered in Sydney.

A US government employee for 30 years, Lowry was involved in both the Edward Snowden and Bradley/Chelsea Manning investigations before joining the US Food and Drug Administration’s security team.