Category: cyber security

  • At least a quarter of the total NSW council elections last year may have been impacted by the failure of the state’s digital voting system, according to a new independent report. NSW’s iVote system crashed during the local council elections late last year, with an unknown number of people unable to access the program and…

    The post Tech glitch compromised NSW council elections: report appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • The federal government has no plans to introduce a vulnerability disclosure program despite a number of security researchers calling for a better way of notifying about significant flaws such as those found in the digital vaccine certificate. In response to questions on notice from Senate Estimates hearings last year, Services Australia brushed aside concerns about…

    The post No plans to introduce government bug disclosure program appeared first on InnovationAus.

  • The NSW government has formally launched its identity support unit, a single point of contact in the state to support citizens and organisations impacted by identity crime. Called IDSupport NSW, the service will work closely with national identity resilience IDCARE to streamline the replacement and remediation of compromised proof-of-identity documents. Stolen identity documents being used…

    The post NSW launches single point of contact for identity crime appeared first on InnovationAus.

  • Consultation has begun on the last round of the government’s significant critical infrastructure reforms, which include the power to require companies deemed to be “nationally significant” to install software that shares information with the spy agency. Home Affairs Minister Karen Andrews announced on Wednesday that consultations had opened for the second half of the…

    The post Govt embarks on last round of critical infrastructure reforms appeared first on InnovationAus.

  • Global cyber criminals will be targeted with new targeted sanctions, such as travel bans and the freezing of assets, from the Australian government under Magnitsky-style reforms passed on the last sitting day of Parliament for the year. Both houses of Parliament on Thursday – the last sitting day of 2021 and potentially before the next…

    The post Global cyber criminals to be targeted under new Australian sanctions regime appeared first on InnovationAus.

  • The world-leading Trustworthy Systems security research team dumped by Australia’s science agency earlier this year has signed a deal with a Swiss technology company to develop cyber network safeguards for human rights groups. Announced on Monday by UNSW, which picked up the Trustworthy Systems team after it was controversially disbanded by CSIRO in May, the…

    The post Dumped CSIRO security team Trustworthy Systems lands Swiss research deal appeared first on InnovationAus.

  • The federal government wants the cybersecurity industry to help shape the “bold” new cyber hubs, which will provide more than 40 services to the public sector. The Hardening Government IT (HGIT) program was established in August 2020 as part of the Cyber Security Strategy, in an effort to improve public sector cybersecurity and whole-of-government cyber…

    The post Govt wants industry advice on cyber hubs project appeared first on InnovationAus.

  • Australian Signals Directorate director-general Rachel Noble has cautioned against proposals to establish a separate cybersecurity entity, saying that offensive cyber capabilities have now been “fully integrated” into the spy agency’s operations. In a rare speech to mark 75 years of the Australian Signal Directorate (ASD) at the National Press Club on Thursday afternoon, Ms Noble,…

    The post Don’t carve out spy agency’s cyber capabilities: ASD chief appeared first on InnovationAus.

  • The federal Opposition will launch a national anti-scams centre, introduce a new minister focused on the issue and enforce more rules for social media firms if it wins the upcoming election, as it accuses the government of being “asleep” on cybersecurity. Shadow financial services minister Stephen Jones announced the policy package over the weekend, with…

    The post Labor pledges anti-scams centre and further social media crackdown appeared first on InnovationAus.

  • Home Affairs is paying international consultants Ernst & Young $2.5 million to help establish its cybersecurity hub because it lacks the “capacity and specialist knowledge” to do it in-house. The department leading Australia’s cybersecurity policy and implementation on Monday revealed it has outsourced key parts of the current plan to “harden” government IT through a whole of…

    The post Home Affairs says it can’t build its own cyber hub appeared first on InnovationAus.

  • Australia’s spy agency is “going hunting” for ransomware gangs “every night”, according to Home Affairs secretary Mike Pezzullo, who has reaffirmed the government’s commitment to an offensive cyber capability. At the same Senate Estimates hearing, it was revealed that the federal government’s new Ransomware Action Plan contains no new funding, and its mandatory notification scheme…

    The post Agencies ‘hunting every night’ with offensive cyber capabilities appeared first on InnovationAus.

  • Science and Technology minister Melissa Price has used the opening session of Australian Cyber Week to announce that government is now taking Round Two applications for grants under the Cyber Security Skills Partnership Innovation Fund. The program aims to support projects that will boost the nation’s cyber workforce by enhancing partnerships between industry, education providers…

    The post $60m cybersecurity skills fund opens for applications appeared first on InnovationAus.

  • Legislation allowing the government to take control of a company’s network as a “last resort” in the event of a cyberattack has sailed through the lower house despite a group of tech heavyweights labelling it “highly problematic”. The critical infrastructure bill was debated in the House of Representatives on Wednesday afternoon, with the Coalition moving…

    The post ‘Problematic’ critical infrastructure bill passes lower house appeared first on InnovationAus.

  • Home Affairs Minister Karen Andrews likened proposed changes to the Critical Infrastructure Bill to the fire codes and building regulations that are in place to protect people and assets from fires – saying the nation is facing clear threats from ransomware and cyber attacks. Responding to the concerns of three global technology industry associations about…

    The post Karen Andrews rejects calls from industry over cyber changes appeared first on InnovationAus.

  • A group of international technology associations, including the Australian Information Industry Association, have written to Home Affairs Minister Karen Andrews with concerns about government fast-tracking parts of the Critical Infrastructure Bill. The Washington DC-based Information Technology Industry Council, the Cyber Coalition and the AIIA have urged government not to fast-track troubling provisions of the Security…

    The post Global tech groups seek changes to Critical Infrastructure Bill appeared first on InnovationAus.

  • The federal government will introduce tougher penalties for ransomware criminals and a mandatory incident reporting scheme for large businesses that suffer an attack under a new ransomware action plan released Wednesday. The plan follows a series of high-profile ransomware attacks and warnings the risks to local companies had been growing in an Australian policy vacuum….

    The post New regime: Mandatory reporting of ransomware incidents appeared first on InnovationAus.

  • Victoria’s COVID-19 digital vaccine certificates are “woefully insecure” and “very easy” to forge in just minutes, according to a number of developers and cryptography experts who have criticised the lack of a national standard for this service. The Victorian Government this week announced the integration of vaccine certification into the Services Victoria QR code check-in…

    The post Digital vaccine certificates ‘woefully insecure’ appeared first on InnovationAus.

  • The Greens and the Australian Lawyers Alliance are pushing for COVID-19 contact tracing check-in data to be used only for health reasons, following successful attempts by law-enforcement authorities in some states to access the data and fears it could be used in legal proceedings. It follows the Australian Privacy Commissioner telling InnovationAus in September that…

    The post Greens, lawyers’ alliance in push to protect COVID check-in data appeared first on InnovationAus.

  • You don’t need to reach for an over-priced report from a Big Four consultancy to understand that cyber-related supply chain risk resides predominantly among Australia’s small and medium sized businesses. This is a reality, if only because of the nation’s disproportionately large numbers of SMBs compared to similar advanced economies. Some 97 per cent of…

    The post Like Medicare, Australia’s small businesses need universal Cybercare appeared first on InnovationAus.

  • The Victorian government is set to significantly broaden its cybersecurity priorities to “proactively” assist businesses and individuals to protect themselves and embark on a large-scale uplift program as part of a new five-year strategy. An update to the state’s first ever cybersecurity strategy covering 2016 to 2020, Victoria’s new plan sets out a four-year timeframe…

    The post Victoria launches $50m five-year cybersecurity strategy appeared first on InnovationAus.

  • Ransomware is the biggest cyber threat facing businesses today, the national cyber agency has warned, as new statistics show the digital extortion method is now reported more than once a day in Australia. The Australian Cyber Security Centre’s annual threat report released on Wednesday revealed 67,500 cybercrime reports to the government agency last financial year…

    The post ‘The most serious cybercrime threat’ in Australia appeared first on InnovationAus.

  • Opinion: More than half of the Australian population is currently in lockdown due to COVID-19 and are rolling up their sleeves and getting their second COVID-19 vaccination. As a result, they are hoping for greater freedom through their government-endorsed vaccination certificate available through the myGov portal. And therein lies a significant problem – not with…

    The post We need to get Australia’s digital vaccine certificates right first time appeared first on InnovationAus.

  • Victoria’s Stonnington City Council is the latest Australian organisation to fall prey to a cyber incident, forcing systems offline and some staff to take annual leave while the issue is resolved.

    Services taken offline following the incident include payments and the council’s ePlanning portal, with an “international agent” suspected of being involved.

    City of Stonnington council in Victoria.

    In a statement, the council said it had experienced “an IT issue on 27 August”.

    “Some systems have been disabled while the issue is being investigated and resolved,” the council said. “Essential services delivered by council remain operational.”

    CEO Jacqui Weatherill said the council’s technology team was working to keep the community connected to the council and “keep our data safe” while it resolves the issue.

    “Our priority is to ensure our customer’s data is kept secure, our workforce can be as productive as possible, and our customers remain connected,” Ms Weatherill said.

    “Essential services remain operational and, if any residents do require assistance, Council staff are available via our customer service number.

    “We ask our customers to remain patient, understanding and supportive as we resolve this issue.”

    In a subsequent interview with 7 News, Ms Weatherill said that “an international agent has come and infiltrated our systems”. A council spokesperson confirmed this to InnovationAus, but said that systems weren’t shut down as a result of the attack but rather as a proactive measure to investigate what was found over the weekend during routine maintenance.

    Asked if it was ransomware, the spokesperson said it was unclear and that council was conducting “a complete investigation” to find out.

    The council was working with the Victorian Department of Premier and Cabinet and other state and federal agencies to resolve the issue, as well as with its cyber insurance partner.

    Stonnington is in Melbourne’s south-east and includes the suburbs of Armadale, Glen Iris, Kooyong, Malvern, Malvern East, Prahran, South Yarra, Toorak and Windsor.

    The council joins a slew of Australian organisations subjected to cyber attacks in recent months, including South Australian welfare agency Uniting Communities, NSW Health, and Nine Entertainment Company, broadcaster of Channel Nine and publisher of The Sydney Morning Herald, the Australian Financial Review and The Age.

    The post Victorian council ‘infiltrated’ in cyber incident appeared first on InnovationAus.

  • Legislation handing “extraordinary” new hacking powers to Australian authorities has sailed through Parliament with support from the Opposition, despite the government not implementing some of the recommendations from the national security committee.

    The Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) will now be able to access the computers and networks of those suspected of conducting criminal activity online, and even take over their online accounts covertly, under the Identify and Disrupt bill, which was passed by the Senate on Wednesday.

    Hackers?: The Australian Federal Police are in line for sweeping new powers to hack.

    Three new warrants will be introduced under the legislation, allowing authorities to “disrupt” the data of suspected offenders, access their devices and networks to identify them and take over their accounts.

    “Under our changes the AFP will have more tools to pursue organised crime gangs to keep drugs off our street and out of our community, and those who commit the most heinous crimes against children,” Home Affairs Minister Karen Andrews said.

    The government moved 60 amendments to the legislation in the lower house in response to the Parliamentary Joint Committee on Intelligence and Security’s (PJCIS) report from earlier this month.

    The amendments included enhanced oversight powers, reviews in several years time by the Independent National Security Legislation Monitor and the PJCIS, the sunsetting of the powers after five years, and strengthened protections for third parties and journalists.

    The amendments meet 23 of the PJCIS’s 33 recommendations, while the government has agreed to implement several others through a broader reform of intelligence surveillance powers.

    But it rejected the national security committee’s call for a higher threshold in the issuing of warrants in terms of the crimes they can be applied for, and for warrants to only be approved by a judge, rather than a member of the Administrative Appeals Tribunal.

    Several Labor members raised concerns with this and echoed others raised by members of the civil and digital rights sector, as did government members of the PJCIS, but all eventually voted to pass the legislation.

    The bill was rejected by the Greens, which said the legislation is another step on the “road to a surveillance state”.

    The PJCIS had recommended that the type of crimes the warrants could be issued for be narrowed to those relating to offences against the security of the Commonwealth, offences against humanity, serious drug, weapons and criminal association offences, and money laundering and cybercrime.

    Currently, the broad new powers can be granted to combat a swathe of crimes, far further than the terrorism and other offences the government has pointed to in order to justify the need for the legislation.

    But the government instead raised the threshold for issuing the warrants to them being “reasonably necessary and proportionate”, up from “justifiable and proportionate”.

    Labor had wanted this to go even further, calling on changes to require the warrants only be issued for “serious offences”.

    Shadow assistant minister for immigration Andrew Giles said the government is “mischaracterising the breadth of the new powers”.

    “It is obviously much easier to justify the introduction of such powers by focusing on the most serious types of crime. No-one would argue with that in respect of crimes like child abuse and exploitation, and terrorism,” Mr Giles said.

    “But it is important that we engage in the more difficult task of justifying the introduction of extraordinary powers by reference to how the powers could actually be used.”

    The amendments “go a long way” to ensuring the powers can only be used to combat serious crime, but don’t go far enough, multiple Labor MPs said.

    Shadow assistant minister for cybersecurity Tim Watts said the warrants should only apply to serious offences.

    “This would be an important constraint on the use of these new warrant powers and would limit their application to offences that carry at least a maximum of seven years’ jail and other specified offences,” Mr Watts said.

    “While these powers do have international precedent, they also carry inherent risks. As currently drafted, the substance of this bill does not match the government’s rhetoric.”

    Liberal MP Tim Wilson, a member of the PJCIS, broke ranks to criticise the government in not adopting all of the committee’s recommendations.

    “I’ll be frank…and say that my preference would be more consistent with that of the committee. That’s why we made those recommendations,” Mr Wilson said.

    “I will not die in a ditch over them, because the purpose of the legislation is more important than the threshold, but I think the threshold test around warrants and their application, particularly with the new powers, is something that we as a Parliament need to review.”

    Despite these concerns, Labor offered support for the legislation in both houses, ensuring its quick passage.

    Mr Giles said the new warrants give “extraordinary” powers to authorities, and appropriate safeguards need to be in place.

    “Labor supports this bill. It’s an important bill which addresses very significant and worrying gaps in the legislative framework so as to better enable the AFP and the [Australian Criminal Intelligence Commission] to collect intelligence, conduct investigations, and disrupt and prosecute the most serious of crimes in an evolving environment,” Mr Giles said.

    “The process of the Parliament here has produced a bill that meets the very serious challenges required to respond to, with appropriate safeguards in place, some of which will require all of us to maintain our attention on their operation and adequacy.”

    Mr Watts blasted the government’s handling of the legislation.

    “It’s indicative of this government’s record in this place to rush through legislation on national security matters with little regard for process, particularly with national security legislation or even with more technical legislation,” he said.

    “While we support the bill, Labor members of the PJCIS do think … safeguards in this bill could go further, particularly in relation to the offences this bill applies to.”

    The Greens voted against the legislation in both houses, with Senator Lidia Thorpe unsuccessfully moving a number of amendments.

    “Really disappointed to see Labor and Liberal both vote in favour to increase police powers of online surveillance. We tried to make this bill better and include human rights protections for innocent people, but the Greens were outvoted by the major parties,” Senator Thorpe tweeted.

    “New warrants allow police to monitor online activity without accusing us of a crime. Take over our accounts and edit our data…making the AFP judge, jury and executioner is not how we deliver justice in this country.”

    Crossbench senator Rex Patrick also attempted to amend the legislation, raising concerns that the bill had been “dropped on the Senate in the very last minutes”.

    The post ‘Extraordinary’ hacking powers pass Parliament appeared first on InnovationAus.

  • Nearly 40,000 people whose data was compromised in a massive Service NSW data breach last year will never receive official notification about the incident because of the type of data involved and the agency’s policy to deliver “personalised” notices through the post.

    In a NSW Budget Estimates hearing on Wednesday, officials from Service NSW confirmed about 103,000 people’s information was compromised after a targeted phishing attack gave attackers access to its internal email systems between March and April last year.

    Service NSW suffered a massive data breach in 2020.

    But more than a year later, nearly 40 per cent of people impacted have not been contacted.

    The agency’s chief executive Damon Rees said Service NSW had successfully contacted 63,500 of the people who had their data compromised. This was done through the post because Service NSW had advice that other forms of contact like phone or email would create further risks and because letters offered more “personalised” advice.

    “[Registered letters] also effectively meant that a customer was signing for their own notification, and therefore we were able to provide a greater level of more personalised advice there,” Mr Rees said.

    Letters were primarily sent via registered post, requiring the affected person to prove their identity and sign for the letter. However, thousands of letters were returned and Service NSW conducted a round of data matching with Transport NSW to obtain more current addresses and tried again.

    Mr Rees said ultimately about 18,500 letters were unable to be delivered with registered post. A final round saw new non-registered letters sent to this group advising them to contact the agency.

    “We weren’t able to personalise those final round mails in the same way,” Mr Rees said.

    “But if you put all that together, 63,500 customers were ultimately successfully notified out of the 103,000.”

    The Service NSW chief said the nature of the data involved in the breach also played a “heavy role” in the agency’s ability to identify people impacted.

    Because the breach came through email accounts rather than a core system, it was difficult for the agency to correlate the information which had been compromised with individual people, according to Mr Rees.

    “That meant the information that was extracted was highly unstructured in its nature. So it could be content within an email, it could be a scan of a handwritten document, it could be a scan of a receipt,” he said.

    “So the unstructured nature of that meant that actually the level of information that was able to be extracted and our ability to correlate that information and recognise [certain individuals was difficult].”

    A damning NSW parliamentary inquiry and report into government cyber security, triggered by the incident, recommended an overhaul of cyber security strategy and policies, including formal notification procedures for data breaches and a stronger mandate for Cyber Security NSW.

    The government is yet to respond to the report but launched a new cyber strategy in May. Department of Customer Service officials were unable to answer several questions on the report’s recommendations at the Budget Estimates hearing on Wednesday, taking many on notice and confirming a formal government response to the report is expected soon.

    The post Forty per cent of Service NSW data breach victims not notified appeared first on InnovationAus.

  • Businesses large and small, across a broad swathe of the Australian economy will be affected by new legislation which sets out to protect critical infrastructure and as such, industry bodies have a key role to play ensuring their members take the necessary steps to be compliant.

    This was one of the key insights to emerge from a discussion on the new legislation between Fergus Hanson, director of the International Cyber Policy Centre at the Australian Strategic Policy Institute (ASPI); Derek Fittler, ANZ head of Verizon Business Group; and InnovationAus publisher, Corrie McLeod as part of the Age of Trust podcast series.

    The Security Legislation Amendment (Critical Infrastructure) Bill 2020 defines a much wider section of the Australian economy as critical infrastructure than the current legislation. Communications, data storage and processing, financial services and markets, water and sewerage, energy, health care and medical, higher education and research, food and grocery, transport, space technology and the defence industry are all included within the bill’s definition of industries responsible for critical infrastructure.

    Mr Hanson said businesses in these sectors that are not subject to current critical infrastructure legislation would have a huge task ahead of them to become compliant with the new bill when it becomes law, and should be looking to their industry bodies for help.

    Verizon’s Derek Fittler, InnovationAus publisher Corrie McLeod and ASPI’s Fergus Hanson

    “They really need to be talking to their peak industry bodies to understand how this is going to apply to them and taking a look at the legislation, because there’s positive obligations on them, and consequences for non-compliance,” he said. “If you are in any of those 11 industry sectors and you’re a reasonable-sized player, you should be getting on the phone to your industry body and having a chat about how this works or reaching out to the Department of Home Affairs to understand what your obligations are, and taking a look at the legislation.

    “For industries that don’t normally think about cybersecurity, it’s going to be a big shift, because their systems are not going to be up to scratch. And, they’re going to have to do quite a bit of heavy lifting to get up to speed.”

    Mr Fittler said industry bodies also had a role to play bringing together individual businesses in each sector to ensure an effective response to the requirements of the new legislation: “Organisations like ASPI, providers like Verizon, member organisations that operate in those sectors, all have a responsibility to work together to engage with government, and to learn and understand the steps and changes that will need to be taken.”

    He said organisations that would be covered by the bill should not wait until it becomes law but should start working immediately to beef up their cybersecurity. “If you’re on the list, you need to be considering, identifying and understanding where you are in terms of your cyber maturity. There are many in the sectors included in the remit of the legislation that need to take some immediate steps to start that journey.

    “You should be doing a stocktake and identifying where are you today: what is your cyber maturity, what are your risks. There is more education to be done, there’s more identification of risk, and ultimately, there will be need to be more resources spent and allocated towards addressing and responding to the threats we face.”

    Mr Hanson said organisations in some sectors — typically banking and telecommunications — have a long established and sophisticated approach to cybersecurity, but others, that the legislation will apply to, should be cautious as to what lessons they could draw from such businesses.

    “If you’re not a very mature industry, and you’re looking at the banking sector, or telecommunications, you might freak out at the number of staff required and the cost involved. So you probably wouldn’t want to benchmark yourself against a bank, but it could provide a lot of insights into how you could structure your cybersecurity and the types of capability you are going to need.”

    Mr Fittler agreed: “They have some very significant capability and have been quite adept at sharing information within industry, and increasingly with government. That two-way flow within your community and with government is part of a cultural change that will need to happen as part of the legislation coming into force.”

    The Age of Trust podcast series was produced as a partnership between Verizon Business Group and InnovationAus.

    The post Key role for industry in critical infrastructure regime appeared first on InnovationAus.

  • Data breaches arising from ransomware incidents increased by 24 per cent in the first half of the year, prompting Australia’s Privacy Commissioner to warn that such attacks “are a significant cyber threat” that may be under-reported.

    The Office of the Australian Information Commissioner (OAIC) received 446 data breach notifications from January to June this year, according to its latest notifiable data breaches report, with 43 per cent resulting from cyber security incidents. Of the 445 total breaches, 46 were from ransomware, up from 37 notifications in the last reporting period.

    Privacy Commissioner Angelene Falk.

    Since the notifiable data breaches scheme began in February 2018, health service providers and the finance industry have consistently reported the most data breaches compared to any other industry sector. In the first half of this year, that trend remained the same, with health service providers reporting 85 data breaches. The second largest source of notifications was from the finance sector with 57 followed by legal, accounting and management services with 35, and the Australian government and the insurance sector with 34 breaches each.

    The rise in ransomware attacks comes as the federal government considers implementing a mandatory ransomware reporting scheme, where organisations that pay criminals to recover their files would be required to report this activity to the government. No government bill exists yet, but Labor’s Tim Watts is separately pushing his own that would require the same thing.

    Privacy Commissioner Angelene Falk said the increase in ransomware incidents was cause for concern.

    “We know from our work and from the Australian Cyber Security Centre that ransomware attacks are a significant cyber threat,” Commissioner Falk said.

    “The nature of these attacks can make it difficult for an entity to assess what data has been accessed or exfiltrated, and because of this we are concerned that some entities may not be reporting all eligible data breaches involving ransomware.

    “We expect entities to have appropriate internal practices, procedures and systems in place to assess and respond to data breaches involving ransomware, including a clear understanding of how and where personal information is stored across their network.”

    Australian security expert Troy Hunt, who runs the popular haveibeenpwned.com website, said ransomware had been around for decades, with the PC Cyborg Trojan in 1989 considered among the first. What had resulted in a rise in its use in recent times was a change in the business model of criminal enterprises and the way they had begun monetising stolen data.

    “I think one of the main driving factors is just simply return on investment,” Mr Hunt said of ransomware. “It’s just proven to be an enormously efficient way of monetising malicious software because, unfortunately, it does make good business sense to pay [a ransom].”

    Another reason it was becoming more popular was the type of ultimatum criminals were issuing to victims, which had opened up new income streams.

    “It’s no longer just a ransom in terms of attacks against availability, where your files are locked and you need to pay for a key, but it’s also ransom with the threat of disclosure [of the stolen data].”

    One other “alarming” way criminals were pivoting, Mr Hunt said, was by not only demanding ransoms from companies attacked but by using personal information inside a data breach to demand ransoms from individuals whose data has been stolen. Vastaamo, a now-bankrupted Finland-based private psychotherapy practice, was the target of such an attack, where patients were contacted and asked to pay ransoms or else have their private patient files published.

    Mr Hunt said he expected sectors that remained at the top of the reporting list to be there because they were “heavily regulated” industries that were used to their reporting obligations under the law. This didn’t necessarily mean that they were the industries most impacted by known breaches, he said.

    In the first half of the year, the OAIC was also notified of a number of data breaches resulting from impersonation fraud, which involves a malicious actor impersonating another individual to gain access to an account, system, network or physical location. There were 35 notifications of social engineering or impersonation fraud during the reporting period.

    “The growth of data on the dark web unfortunately means that malicious actors can hold enough personal information to circumvent entities’ ‘know your customer’ and fraud monitoring controls,” Commissioner Falk said.

    “We expect entities to notify us when they experience impersonation fraud, where there is a likely risk of serious harm.

    “Entities should continually review and enhance their security posture to minimise the growing risk of impersonation fraud.”

    In May, Home Affairs secretary Mike Pezzullo said he believed it was “likely” a mandatory ransomware reporting scheme would be rolled out soon.

    “I think…most advanced economies are at a point, whereby some means, whether it’s mandatory reporting combined with other measures, that a much more active defence posturing is going to be required simply because of the prevalence of the attacks,” Mr Pezzullo told a Senate Estimates hearing.

    While human error breaches decreased after a significant increase last reporting period, Commissioner Falk said entities need to remain alert to this risk, particularly the Australian Government where 74 per cent of breaches fell into this category.

    The post Ransomware rise a concern: Privacy Commissioner appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Opinion: When I started in tech journalism more than a decade ago in 2010, I revealed that the federal government was considering introducing metadata retention. The changes meant select data about Australians’ web histories would be stored and logged for two years.

    The controversial laws were shelved by Labor when it was in power but eventually, after a change of government and a further push by law enforcement, a bill was passed in 2015. The wedge needed to push a hesitant Labor opposition into supporting them was the December 2014 Lindt Cafe siege in Sydney’s CBD.

    “Your chances that your data will be viewed by law enforcement is low,” AFP Assistant Commissioner Tim Morris said at the time. “Those with nothing to hide have nothing to fear.”

    This was despite law enforcement agencies making more than 300,000 applications for our metadata each year, without a warrant.

    Since then, we’ve seen Canberra, at the request of police, spy agencies and intellectual property rights holders, chip away at the lack of regulation of multiple internet technologies.

    This has included requiring assistance to pry open encrypted smart devices or scrambled messages; blocking websites that host pirated movies or music; restricting access to Interpol’s “worst of the worst” list via a then relatively unused telecommunications law (section 313 of the Telecommunications Act); and now a debate on critical infrastructure and whether the government should be given the power to let its spy agencies take control of the computer networks of companies it deems to manage such infrastructure (in the event of a cyber intrusion, or to defend against one).

    A separate bill currently before Parliament would give more powers to federal police and the Australian Criminal Intelligence Commission to access computers and networks of those suspected of conducting criminal activity online. This has prompted concerns about innocent people who might get swept up in it and a perceived lack of proper judicial oversight.

    As part of the new “identify and disrupt” bill, new network activity warrants would allow authorities to hack into devices and networks of groups of individuals suspected of taking part in criminal activity online when their identities are not known. A new warrant would also allow the disruption of data through modification and deletion “to frustrate the commission of serious offences”, and new account takeover warrants would also be introduced.

    Amid all this, we’ve also seen multiple cases of abuse of data by law enforcement. The check-in apps each state has been using during the COVID pandemic? Queensland thought it’d be a great idea to use that data to investigate a reported theft of an officer’s gun and Taser from a regional pub despite assurances it would only be used for contact tracing purposes.

    Where there’s data, the temptation by third parties to access it will always be there.

    The same state government also used metadata to access the private information of cadets to determine whether they were sleeping with one another or faking sick days.

    Queensland – I’m not sure what it is about this state and privacy – was also among the first to start taking advantage of the data trail left behind by smart public transport travel cards, not just to find criminals, but to track down witnesses of crimes who may not necessarily wish to talk.

    Back in 1997, former US president Bill Clinton said the internet “should be a place where government makes every effort … not to stand in the way, to do no harm”. But he hastened to add that “a hands-off approach to electronic commerce must not mean indifference when it comes to raising and protecting children.”

    This brings me to Apple’s latest move – to identify photos uploaded to its online storage service iCloud that match against known child abuse imagery.

    It has all the hallmarks of being a smartly designed technology and does seem to have been created with some privacy mechanisms in mind. For example, rather than inspecting image content directly, it compares perceptual hashes of uploaded photos against a database of hashes of known abuse material, and alerts Apple reviewers only once an undisclosed threshold of matching images on an account has been reached.

    But it rightly has privacy advocates worried about what could come next. What starts off as a technology trained to search for a “worst of the worst” list of images could soon become used to search for other types of content stored on people’s phones. Another feature allows parents to have naked or sexually explicit imagery blurred on a child’s phones.

    “All it would take to widen the narrow backdoor that Apple is building is an expansion of the machine learning parameters to look for additional types of content, or a tweak of the configuration flags to scan, not just children’s, but anyone’s accounts,” the Electronic Frontier Foundation wrote. “That’s not a slippery slope; that’s a fully built system just waiting for external pressure to make the slightest change.”
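    The matching model described above, at toy scale, as an added illustration that is not Apple’s code and not part of the original article: a perceptual hash that tolerates small edits, comparison of each uploaded image’s hash against a list of known-bad hashes by Hamming distance, and an alert raised only once an account’s match count crosses a threshold. The difference hash over a 9x8 grey grid, the distance cutoff, the threshold and the sample images are all constructed here; Apple’s NeuralHash and its threshold secret-sharing scheme are different and are not reproduced.

```python
"""Toy model of threshold-gated perceptual-hash matching.

Added example, not Apple's code: the hash, distances, threshold and sample
images below are all constructed for illustration.
"""
from typing import Dict, Iterable, List, Sequence, Tuple

Image = Sequence[Sequence[int]]  # rows of 8-bit grey values


def make_image(seed: int, width: int = 9, height: int = 8) -> List[List[int]]:
    """Deterministic constructed test image from a tiny LCG (not real photo data)."""
    state = seed & 0xFFFFFFFF
    img: List[List[int]] = []
    for _ in range(height):
        row = []
        for _ in range(width):
            state = (1103515245 * state + 12345) & 0x7FFFFFFF
            row.append((state >> 16) & 0xFF)
        img.append(row)
    return img


def perturb(img: Image) -> List[List[int]]:
    """Near-duplicate: brighten one interior pixel (touches at most 2 hash bits)."""
    out = [list(row) for row in img]
    out[4][3] = min(255, out[4][3] + 40)
    return out


def invert(img: Image) -> List[List[int]]:
    """Unrelated-looking image: negative of the input (flips almost every bit)."""
    return [[255 - v for v in row] for row in img]


def dhash(img: Image) -> int:
    """Difference hash: one bit per horizontally adjacent pixel pair.

    A 9x8 grid gives 64 bits. Unlike a cryptographic hash, small edits
    (recompression, a changed pixel) flip only a few bits, so matching is
    done by Hamming distance rather than equality.
    """
    bits = 0
    for row in img:
        for x in range(len(row) - 1):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def matches_known(h: int, known: Iterable[int], max_distance: int) -> bool:
    """True if h is within max_distance bits of any hash on the known list."""
    return any(hamming(h, k) <= max_distance for k in known)


def scan_account(images: Sequence[Image], known: Sequence[int],
                 threshold: int, max_distance: int = 4) -> Tuple[int, bool]:
    """Count images matching the list; alert only once the count reaches threshold.

    Below the threshold the account is never surfaced to a reviewer, which is
    the privacy property the design relies on. The function has no idea what
    the list represents: swapping the list or lowering the threshold changes
    policy without changing a line of code.
    """
    count = sum(1 for img in images
                if matches_known(dhash(img), known, max_distance))
    return count, count >= threshold


def scan_accounts(accounts: Dict[str, Sequence[Image]], known: Sequence[int],
                  threshold: int) -> Dict[str, Tuple[int, bool]]:
    """Run scan_account over every account; returns {account: (matches, alert)}."""
    return {name: scan_account(imgs, known, threshold)
            for name, imgs in accounts.items()}


if __name__ == "__main__":
    original_1, original_2 = make_image(1), make_image(2)
    known_list = [dhash(original_1), dhash(original_2)]  # constructed "known bad" list
    accounts = {
        "one_near_match": [perturb(original_1), invert(original_1), make_image(7)],
        "two_matches": [original_1, perturb(original_2), make_image(9)],
    }
    for name, (n, alert) in scan_accounts(accounts, known_list, threshold=2).items():
        print(f"{name}: {n} match(es), alert={alert}")
```

    Two things the toy makes concrete. A lightly edited copy of a listed image still matches, so the list catches near-duplicates rather than exact bytes; and the scanner itself is indifferent to what the list contains or whose accounts it is pointed at, so the hash list, the distance cutoff and the threshold are the entire policy, which is the point the EFF is making about configuration changes.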

    Apple says it will reject government advances, but laws are laws.

    Scope creep seems to be one of the main concerns often raised by privacy advocates, but one which is frequently ignored by politicians, rarely addressed properly in legislation and often relegated to explanatory memorandums that describe a bill and its “intention”.

    One example of website blocking scope creep is Australia’s tertiary regulator, which is now asking telcos to restrict access to a site allegedly used by students for cheating.

    What I think all of this signals is that we’re entering a new age of the internet where further regulation will become commonplace, and corporations will be leaned on by governments to enact new policies rather than governments necessarily creating new laws to force change.

    We have seen this already with YouTube, Twitter and Facebook enacting bans following the spread of misinformation and online conspiracies. Rather than following laws, the companies are attempting to meet community and government standards and expectations. It’s voluntary regulation without new laws.

    Mostly, I think changes that encroach more on an individual’s privacy will become accepted, especially if convenience continues to be a priority over privacy.

    But will users boycott Apple over its latest photo move? Probably not. Until trust is broken or there’s a further erosion of their privacy, they won’t. But by then it might be too late.

    The post Expect more web regulation after Apple’s photo move appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Home Affairs Secretary Michael Pezzullo says government has serious concerns with the security posture of global cloud computing giants like Amazon and Microsoft, and warned tightening data sovereignty requirements in Australia will “not be attractive” to them.

    On Thursday, in response to large cloud providers’ protests about proposed critical infrastructure legislation, the top security bureaucrat fired back, saying their business model was creating risks for government.

    Mr Pezzullo said the multinational cloud companies typically want “very few strictures” so they can continue a business model that relies on moving data around the world to minimise costs, one that often sacrifices security.

    “The ability of certain adversaries, some of whom are state adversaries, some of whom are criminal adversaries, to penetrate that data…is of deep concern to government,” Mr Pezzullo told a joint security committee.

    Sovereign data

    He said this was a legitimate commercial model for cloud providers but could be at odds with Australia’s national interest when government-held data was involved. The federal government leans heavily on leading US cloud providers which collect hundreds of millions in government tenders.

    “We’ve stated that [concern] very bluntly and directly to that sector,” Mr Pezzullo said.

    “Because the Commonwealth Government itself has not been satisfied about the security of that data, both in terms of where it’s hosted and how it’s routed.”

    The Home Affairs chief said the government has bound itself to a data certification project which would “toughen the strictures” on the cloud industry when dealing with government held data.

    Last year, then-services minister Stuart Robert flagged the government was considering sovereign cloud requirements following a backlash against US company Amazon hosting data collected by the COVIDSafe contact tracing app.

    In June, Mr Robert, who retained responsibilities for whole-of-government data and digital policy, announced three Australian data centre providers had been certified to store sensitive data locally under the government’s new Hosting Certification Framework.

    The framework requires data and digital service providers engaged by government to use highly secure systems and, at the highest certification levels, allows the government to specify and enforce ownership and control conditions that cannot be lowered at any time. It is designed to help agencies mitigate supply chain and data centre ownership risks.

    For cloud providers the framework means they may only receive certification for certain facilities in Australia.

    “In such cases, providers will only be able to use the certified data centre facilities (certified data centre facilities arrangements) that satisfy the certification level required by agencies,” the official Hosting Certification Framework said.

    Mr Pezzullo said the tightening data requirements being led by Mr Robert, made the Australian government an “exemplar” but would mean challenges for multinational cloud providers.

    “What we would have in mind here, I suspect, to be very candid, would not be attractive necessarily to those companies,” Mr Pezzullo said.

    “Because how they make their money is, frankly, by moving the data around to the cheapest car park of data, which has the lowest regard for security but the highest regard to data as a commodity.

    “And that’s a perfect illustration of the tension here between the private commercial interest and the public interest.”

    The post Cloud giants’ security a ‘deep concern’ to govt appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • The Department of Education, Skills and Employment has handed more than $4 million worth of contracts to local firms to probe its cyber defences this year, as part of a surge in government cyber work for private contractors.

    It follows a critical report from the Auditor General into the department’s cyber defences, and its commitment to improve them.

    North Security Digital, Partner Consulting Group, CyberCX and Ionize – each Australian owned and Canberra based – all received contracts, which are each worth $1.1 million and run for the current financial year.

    A spokesperson for the Department of Education, Skills and Employment (DESE) said the work was for an assessment of cyber defences and advice.

    “The contracts are for the provision of specialist cyber security services including cyber security risk and vulnerability assessments, technical security advice and penetration testing services,” the spokesperson told InnovationAus.

    A single approach to market established the panel of four service providers, but each firm’s contract operates independently of the others.

    “This enables the department to source the most appropriate and available skills from one or more of the vendors to undertake the services required at the time it is needed,” the spokesperson said.

    Four Canberra-based cyber firms have each received more than $1 million to help DESE with its cyber defences.

    The work follows an Audit Office report earlier this year that found DESE had not implemented basic mandatory cyber resilience measures. DESE agreed to improve its cyber security, with compliance monitored over a set time frame, a plan endorsed by the department’s executive board.

    The contracts cap off a healthy two months for the four firms, which won several other cyber contracts and extensions of existing agreements with government entities.

    In the last two months, CyberCX, which is headed by the former head of the Australian Cyber Security Centre Alastair MacGibbon, has won $3 million of new work and another $5.5 million from a Digital Transformation Agency contract extension.

    North Security Digital has won new and extended work from the government since June worth nearly $2.7 million.

    Ionize has won smaller contracts in the same period but many more of them, landing more than $4 million worth of new and extended work in the last two months.

    Partner Consulting Group received contracts and extensions worth more than $1.5 million since June, including a long-running contract from DESE that has been amended a fourth time and is now worth nearly 10 times the original contract amount.

    The post Education embarks on $4m cyber probe appeared first on InnovationAus.

    This post was originally published on InnovationAus.