deepagopi2011 - Fotolia
Australian business and government are a target for malicious cyber activity, with the nation’s 2016 threat report identifying more than 15,000 significant incidents.
The Australian Cyber Security Centre’s (ACSC) 2016 threat report, the second produced by the centre since it was established, said it remained challenging to assess the full impact of cyber crime on Australia because it relied on voluntary self-reporting.
The government’s bill to amend the Privacy Act in order to mandate serious data breach notification is slated to be introduced and passed (it has bi-partisan support) by parliament in the near future, but for the time being, the ACSC said: “High levels of misreporting and under-reporting make it difficult to accurately assess the prevalence and impact of cyber crime.”
To assess the scale of the problem in the private sector, the ACSC has relied on data from callouts to CERT Australia, the national first responder to cyber incidents, which responded to 14,804 incidents from the private sector in the year to the end of June. Of those incidents, 418 involved systems of national interest and critical infrastructure. The energy, banking and finance, and communications sectors were targeted the most often.
Meanwhile, between January 2015 and June 2016, the Australian Signals Directorate was involved in 1,095 security responses to incidents on government systems, including a damaging penetration of the Bureau of Meteorology’s computer system by a foreign intelligence service in which data was stolen.
Despite the clear and present threat, the report said that to ensure corporations remained alert to the issue, the language surrounding computer security problems needed to be toned down and incidents should be referred to as “malicious cyber activity” launched by “cyber adversaries” rather than attacks by hackers, which tended to sensationalise the issue.
A cyber attack, meanwhile, was defined as “a deliberate act through cyber space to manipulate, disrupt, deny, degrade or destroy computers or networks or the information resident on them, with the effect of seriously compromising national security, stability or economic prosperity”.
Read more about cyber security in Australia
- Australia might be ranked low for its computer security preparedness today, but there is enough innovation in the country to point to a more secure future.
- The relaxed attitude to IT security in Australia is holding back much-needed investment in security technology.
- The costs associated with a security breach can mount up and it is difficult to put a number on it, but organisations are increasingly trying to do this as attacks increase.
- Canberra is strengthening its cyber security response, but there is conflicting evidence about where the main threat is coming from.
This year’s ACSC report again confirms the extent of the problem and profiles a series of malicious incidents.
In one case, an adversary gained access to an unnamed government network using malicious Microsoft Office macros. And in the financial sector, a domain controller was compromised and had been communicating with malicious domains for at least a year before detection. Elsewhere, a critical infrastructure provider found a cyber adversary had used legitimate credentials belonging to a staff member and a contractor to effect a systems compromise.
Although in that last case the offshore suspect was identified and subsequently arrested, incidents point to the growing challenge of dealing with the “insider threat”, according to Keith Lowry, senior vice-president of Nuix, a global provider of security services, headquartered in Sydney.
A US government employee for 30 years, Lowry was involved in both the Edward Snowden and Bradley/Chelsea Manning investigations before joining the US Food and Drug Administration’s security team.
He said it was clear that technology could not solve the computer security issue. “Once you penetrate the outside perimeter and are inside, to me it’s irrelevant how you got there or your position,” he said. “That is an insider threat.”
This meant that the traditional model of security as “gates and guards” was not adequate, said Lowry. Organisations in all sectors needed to rethink their approach to counter insider threats which, without proper surveillance, could go undetected for months.
Organisations needed to take a higher-level view and define threats, define critical value data, designate a senior official, conduct a capabilities assessment, and then develop, publish and prosecute policies and procedures, he said.
Lowry, who was in Australia recently, said companies needed to appoint a single person responsible for security who reported directly to the CEO or COO. “This cannot be relegated to the IT department,” he said. “The moment you put responsibility for blocking individuals to IT, it becomes an IT problem rather than a person problem.”