Business reporting of cyber attacks will be a game changer
Cyber #Cyber
The need for enhanced cyber security was hammered home in June, when Prime Minister Scott Morrison revealed a “sophisticated state actor” – widely assumed to be China – was behind a wave of cyber attacks targeting governments, universities and businesses.
Bradshaw says the cyber security strategy and Cyber Enhanced Situational Awareness and Response (CESAR) funding package is a “step change” for the centre’s protect and assist function for organisations in Australia.
The recent reports of companies harvesting social media data online underscores the dangers of putting that information out there.
— Abigail Bradshaw
“I think it actually balances quite nicely the responsibilities and the types of things which businesses can do to defend themselves, and the areas in which government has capabilities which aren’t resident in the business community, to step in where absolutely necessary to defend critical infrastructure and essential services in the same way, in a non-virtual sense, that you expect government to step in and protect services that the community relies on,” she says.
Private sector staying mum
One of the most important aspects to the strategy Bradshaw hails is mandatory reporting requirements for critical infrastructure providers – such as banks, defence contractors and power and telecommunications companies – experiencing cyber incidents.
The threshold for what is deemed an incident requiring reporting is still being determined.
“The ASCS’s role does not include the mass surveillance of the domestic use of the internet. We don’t have the power and nor do we seek it,” she says.
“So to the extent that we are able to identify vulnerabilities, but more importantly, whether those have been exploited, or if there’s malicious activity on domestic internet-facing devices, usually we need people to tell us unless we’ve got an arrangement where we’re doing enhanced monitoring by consent because of a particular threat or risk environment.
“So the mandatory reporting helps to enrich our situational awareness because the conundrum is, if we’re not told, then chances are we won’t know, unless it’s coming from a foreign vector. And then if we don’t know, we can’t tell the next victim.”
The centre’s threat report, released last month, showed the agency responded to 2266 cyber incidents in 2019-20, with federal and state governments responsible for 35 per cent of reports.
Bradshaw says the overwhelming number of cyber incidents reported are from government agencies, while from the private sector it is “underdone”.
“Either for reasons of wanting to protect commercial reputation or sensitivities, or concern about market response, those reports aren’t coming forward,” she says.
“Rather counterintuitively, a KPI for me is to see those numbers increase, and not just because of greater volume, but as representative of a closer relationship between us and industry going forward.
“We want industry to regard us as a trusted partner. We are not a regulator. Our role is to protect and assist. That means we do not pass information on that comes to us from industry or government entities. We treat it with the greatest of confidence, with the sole focus of assisting through remediation and mitigation activities and then passing that information on in an anonymised way to protect the next victim.”
Bradshaw says there are positive signs the business community has a greater appreciation that the cyber security environment is becoming more complex but there needs to be a broader understanding of the costs.
“The cost of a cyber attack is perhaps understood by business as a business cost,” she says.
“That is, ‘What will it cost me in terms of lost revenue and IT services to get my businesses back up and running after a large ransomware attack?’
“But I think the job actually is for us to understand as a populace the cost of cyber attacks more deeply. On one level you’ve got the business revenue cost of a ransomware attack, but there is also the cost from theft of intellectual property, theft of R&D, there is that sort of cost.
User beware on social media
“The costs of potential interference in our democratic institutions we observe largely in the main from sophisticated state-based actors. There is the cost we saw through the COVID related scams of economic stimulus where criminals very rapidly evolved their syndicates and strategies to knowing what the government policy was, and then very quickly setting up highly credible SMS messages to scam people to acquire COVID stimulus.
“And at the very highest end we’ve seen in the last few weeks reports of the first death alleged to be associated with a cyber attack on critical infrastructure – in Dusseldorf, Germany, the death of a woman whose emergency care was reported to have been disrupted after a hospital was struck by a ransomware attack.”
Bradshaw says Australians are an attractive target for cyber criminals because of the responsiveness of the country’s social security safety net at times of need, as well as high digital literacy for people to organise their lives online.
A recent pilot program with Telstra and Services Australia to block scam text messages paved the way to work with other telcos on automated technology to counter threats.
“There’s no good us operating on a basis where we simply cut off malicious domains one by one, or attempt to take down a narrow law enforcement lane through to an individual prosecution,” she says.
“Actually our best option at defending ourselves … is to block at speed and to block at scale in order to get to the volume.”
One area of vulnerability for many Australians is their personal private data. In the age of social media, most people providing their information to operators such as Facebook or Google will see it commoditised for targeted advertising.
However, some criminals will steal personal data. And recent revelations that 35,000 Australians, including prominent politicians and business figures, had their personal details stored on a Chinese military contractor’s social media database has highlighted how it could be used for foreign influence operations.
“The recent reports of companies harvesting social media data online underscores the dangers of putting that information out there,” she says.
But she feels Australians are at a turning point in their relationship with social media, with greater recognition of the dangers of “feeding those platforms with private information”.
Bradshaw says while social media companies should be more transparent about their data collection policies and stop third-party bots from scraping personal information, users also have to take more responsibility for what they share with tech giants.
“The cost of presence has always been personal data and you can’t take that away,” she says.