Category: cyber security

  • Victoria’s Stonnington City Council is the latest Australian organisation to fall prey to a cyber incident, forcing systems offline and some staff to take annual leave while the issue is resolved.

    Services taken offline following the incident include payments and the council’s ePlanning portal, with an “international agent” suspected of being involved.

    [Image caption: City of Stonnington council in Victoria.]

    In a statement, the council said it had experienced “an IT issue on 27 August”.

    “Some systems have been disabled while the issue is being investigated and resolved,” the council said. “Essential services delivered by council remain operational.”

    CEO Jacqui Weatherill said the council’s technology team was working to keep the community connected to the council and “keep our data safe” while it resolves the issue.

    “Our priority is to ensure our customers’ data is kept secure, our workforce can be as productive as possible, and our customers remain connected,” Ms Weatherill said.

    “Essential services remain operational and, if any residents do require assistance, Council staff are available via our customer service number.

    “We ask our customers to remain patient, understanding and supportive as we resolve this issue.”

    In a subsequent interview with 7 News, Ms Weatherill said that “an international agent has come and infiltrated our systems”. A council spokesperson confirmed this to InnovationAus, but said that systems weren’t shut down as a result of the attack but rather as a proactive measure to investigate what was found over the weekend during routine maintenance.

    Asked if it was ransomware, the spokesperson said it was unclear and that council was conducting “a complete investigation” to find out.

    The council was working with the Victorian Department of Premier and Cabinet and other state and federal agencies to resolve the issue, as well as with its cyber insurance partner.

    Stonnington is in Melbourne’s south-east and includes the suburbs of Armadale, Glen Iris, Kooyong, Malvern, Malvern East, Prahran, South Yarra, Toorak and Windsor.

    The council joins a slew of Australian organisations subjected to cyber attacks in recent months, including South Australian welfare agency Uniting Communities, NSW Health, and Nine Entertainment Company, broadcaster of Channel Nine and publisher of The Sydney Morning Herald, the Australian Financial Review and The Age.

    The post Victorian council ‘infiltrated’ in cyber incident appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Legislation handing “extraordinary” new hacking powers to Australian authorities has sailed through Parliament with support from the Opposition, despite the government not implementing some of the recommendations from the national security committee.

    The Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) will now be able to access the computers and networks of those suspected of conducting criminal activity online, and even take over their online accounts covertly, under the Identify and Disrupt bill, which was passed by the Senate on Wednesday.

    [Image caption: Hackers?: The Australian Federal Police are in line for sweeping new powers to hack.]

    Three new warrants will be introduced under the legislation, allowing authorities to “disrupt” the data of suspected offenders, access their devices and networks to identify them and take over their accounts.

    “Under our changes the AFP will have more tools to pursue organised crime gangs to keep drugs off our street and out of our community, and those who commit the most heinous crimes against children,” Home Affairs Minister Karen Andrews said.

    The government moved 60 amendments to the legislation in the lower house in response to the Parliamentary Joint Committee on Intelligence and Security’s (PJCIS) report from earlier this month.

    The amendments included enhanced oversight powers, reviews in several years’ time by the Independent National Security Legislation Monitor and the PJCIS, the sunsetting of the powers after five years, and strengthened protections for third parties and journalists.

    The amendments meet 23 of the PJCIS’s 33 recommendations, while the government has agreed to implement several others through a broader reform of intelligence surveillance powers.

    But it rejected the national security committee’s call for a higher threshold in the issuing of warrants in terms of the crimes they can be applied for, and for warrants to only be approved by a judge, rather than a member of the Administrative Appeals Tribunal.

    Several Labor members raised concerns with this and echoed others raised by members of the civil and digital rights sector, as did government members of the PJCIS, but all eventually voted to pass the legislation.

    The bill was rejected by the Greens, which said the legislation is another step on the “road to a surveillance state”.

    The PJCIS had recommended that the type of crimes the warrants could be issued for be narrowed to those relating to offences against the security of the Commonwealth, offences against humanity, serious drug, weapons and criminal association offences, and money laundering and cybercrime.

    Currently, the broad new powers can be granted to combat a swathe of crimes, far broader than the terrorism and other offences the government has pointed to in order to justify the need for the legislation.

    But the government instead raised the threshold for issuing the warrants to them being “reasonably necessary and proportionate”, up from “justifiable and proportionate”.

    Labor had wanted this to go even further, calling on changes to require the warrants only be issued for “serious offences”.

    Shadow assistant minister for immigration Andrew Giles said the government is “mischaracterising the breadth of the new powers”.

    “It is obviously much easier to justify the introduction of such powers by focusing on the most serious types of crime. No-one would argue with that in respect of crimes like child abuse and exploitation, and terrorism,” Mr Giles said.

    “But it is important that we engage in the more difficult task of justifying the introduction of extraordinary powers by reference to how the powers could actually be used.”

    The amendments “go a long way” to ensuring the powers can only be used to combat serious crime, but don’t go far enough, multiple Labor MPs said.

    Shadow assistant minister for cybersecurity Tim Watts said the warrants should only apply to serious offences.

    “This would be an important constraint on the use of these new warrant powers and would limit their application to offences that carry at least a maximum of seven years’ jail and other specified offences,” Mr Watts said.

    “While these powers do have international precedent, they also carry inherent risks. As currently drafted, the substance of this bill does not match the government’s rhetoric.”

    Liberal MP Tim Wilson, a member of the PJCIS, broke ranks to criticise the government in not adopting all of the committee’s recommendations.

    “I’ll be frank…and say that my preference would be more consistent with that of the committee. That’s why we made those recommendations,” Mr Wilson said.

    “I will not die in a ditch over them, because the purpose of the legislation is more important than the threshold, but I think the threshold test around warrants and their application, particularly with the new powers, is something that we as a Parliament need to review.”

    Despite these concerns, Labor offered support for the legislation in both houses, ensuring its quick passage.

    Mr Giles said the new warrants give “extraordinary” powers to authorities, and appropriate safeguards need to be in place.

    “Labor supports this bill. It’s an important bill which addresses very significant and worrying gaps in the legislative framework so as to better enable the AFP and the [Australian Criminal Intelligence Commission] to collect intelligence, conduct investigations, and disrupt and prosecute the most serious of crimes in an evolving environment,” Mr Giles said.

    “The process of the Parliament here has produced a bill that meets the very serious challenges required to respond to, with appropriate safeguards in place, some of which will require all of us to maintain our attention on their operation and adequacy.”

    Mr Watts blasted the government’s handling of the legislation.

    “It’s indicative of this government’s record in this place to rush through legislation on national security matters with little regard for process, particularly with national security legislation or even with more technical legislation,” he said.

    “While we support the bill, Labor members of the PJCIS do think … safeguards in this bill could go further, particularly in relation to the offences this bill applies to.”

    The Greens voted against the legislation in both houses, with Senator Lidia Thorpe unsuccessfully moving a number of amendments.

    “Really disappointed to see Labor and Liberal both vote in favour to increase police powers of online surveillance. We tried to make this bill better and include human rights protections for innocent people, but the Greens were outvoted by the major parties,” Senator Thorpe tweeted.

    “New warrants allow police to monitor online activity without accusing us of a crime. Take over our accounts and edit our data…making the AFP judge, jury and executioner is not how we deliver justice in this country.”

    Crossbench senator Rex Patrick also attempted to amend the legislation, raising concerns that the bill had been “dropped on the Senate in the very last minutes”.

    The post ‘Extraordinary’ hacking powers pass Parliament appeared first on InnovationAus.


  • Nearly 40,000 people whose data was compromised in a massive Service NSW data breach last year will never receive official notification about the incident because of the type of data involved and the agency’s policy to deliver “personalised” notices through the post.

    In a NSW Budget Estimates hearing on Wednesday, officials from Service NSW confirmed about 103,000 people’s information was compromised after a targeted phishing attack gave attackers access to its internal email systems between March and April last year.

    [Image caption: Service NSW suffered a massive data breach in 2020.]

    But more than a year later, nearly 40 per cent of people impacted have not been contacted.

    The agency’s chief executive Damon Rees said Service NSW had successfully contacted 63,500 of the people who had their data compromised. This was done through the post because Service NSW had advice that other forms of contact like phone or email would create further risks and because letters offered more “personalised” advice.

    “[Registered letters] also effectively meant that a customer was signing for their own notification, and therefore we were able to provide a greater level of more personalised advice there,” Mr Rees said.

    Letters were primarily sent via registered post, requiring the affected person to prove their identity and sign for the letter. However, thousands of letters were returned and Service NSW conducted a round of data matching with Transport NSW to obtain more current addresses and tried again.

    Mr Rees said ultimately about 18,500 letters were unable to be delivered with registered post. A final round saw new non-registered letters sent to this group advising them to contact the agency.

    “We weren’t able to personalise those final round mails in the same way,” Mr Rees said.

    “But if you put all that together, 63,500 customers were ultimately successfully notified out of the 103,000.”

    The Service NSW chief said the nature of the data involved in the breach also played a “heavy role” in the agency’s ability to identify people impacted.

    Because the breach came through email accounts rather than a core system, it was difficult for the agency to correlate the information which had been compromised with individual people, according to Mr Rees.

    “That meant the information that was extracted was highly unstructured in its nature. So it could be content within an email, it could be a scan of a handwritten document, it could be a scan of a receipt,” he said.

    “So the unstructured nature of that meant that actually the level of information that was able to be extracted and our ability to correlate that information and recognise [certain individuals was difficult].”

    A damning NSW parliamentary inquiry and report into government cyber security triggered by the incident recommended an overhaul of cyber security strategy and policies, including formal notification procedures for data breaches and a stronger mandate for Cyber Security NSW.

    The government is yet to respond to the report but launched a new cyber strategy in May. Department of Customer Service officials were unable to answer several questions on the report’s recommendations at the Budget Estimates hearing on Wednesday, taking many on notice and confirming a formal government response to the report is expected soon.

    The post Forty per cent of Service NSW data breach victims not notified appeared first on InnovationAus.


  • Businesses large and small, across a broad swathe of the Australian economy, will be affected by new legislation which sets out to protect critical infrastructure. As such, industry bodies have a key role to play in ensuring their members take the necessary steps to be compliant.

    This was one of the key insights to emerge from a discussion on the new legislation between Fergus Hanson, director of the International Cyber Policy Centre at the Australian Strategic Policy Institute (ASPI); Derek Fittler, ANZ head of Verizon Business Group; and InnovationAus publisher, Corrie McLeod as part of the Age of Trust podcast series.

    The Security Legislation Amendment (Critical Infrastructure) Bill 2020 defines a much wider section of the Australian economy as critical infrastructure than the current legislation. Communications, data storage and processing, financial services and markets, water and sewerage, energy, health care and medical, higher education and research, food and grocery, transport, space technology and the defence industry are all included within the bill’s definition of industries responsible for critical infrastructure.

    Mr Hanson said businesses in these sectors that are not subject to current critical infrastructure legislation would have a huge task ahead of them to become compliant with the new bill when it becomes law, and should be looking to their industry bodies for help.

    [Image caption: Verizon’s Derek Fittler, InnovationAus publisher Corrie McLeod and ASPI’s Fergus Hanson]

    “They really need to be talking to their peak industry bodies to understand how this is going to apply to them and taking a look at the legislation, because there’s positive obligations on them, and consequences for non-compliance,” he said. “If you are in any of those 11 industry sectors and you’re a reasonable-sized player, you should be getting on the phone to your industry body and having a chat about how this works or reaching out to the Department of Home Affairs to understand what your obligations are, and taking a look at the legislation.

    “For industries that don’t normally think about cybersecurity, it’s going to be a big shift, because their systems are not going to be up to scratch. And, they’re going to have to do quite a bit of heavy lifting to get up to speed.”

    Mr Fittler said industry bodies also had a role to play bringing together individual businesses in each sector to ensure an effective response to the requirements of the new legislation: “Organisations like ASPI, providers like Verizon, member organisations that operate in those sectors, all have a responsibility to work together to engage with government, and to learn and understand the steps and changes that will need to be taken.”

    He said organisations that would be covered by the bill should not wait until it becomes law but should start working immediately to beef up their cybersecurity. “If you’re on the list, you need to be considering, identifying and understanding where you are in terms of your cyber maturity. There are many in the sectors included in the remit of the legislation that need to take some immediate steps to start that journey.

    “You should be doing a stocktake and identifying where are you today: what is your cyber maturity, what are your risks. There is more education to be done, there’s more identification of risk, and ultimately, there will be need to be more resources spent and allocated towards addressing and responding to the threats we face.”

    Mr Hanson said organisations in some sectors — typically banking and telecommunications — have a long established and sophisticated approach to cybersecurity, but others, that the legislation will apply to, should be cautious as to what lessons they could draw from such businesses.

    “If you’re not a very mature industry, and you’re looking at the banking sector, or telecommunications, you might freak out at the number of staff required and the cost involved. So you probably wouldn’t want to benchmark yourself against a bank, but it could provide a lot of insights into how you could structure your cybersecurity and the types of capability you are going to need.”

    Mr Fittler agreed: “They have some very significant capability and have been quite adept at sharing information within industry, and increasingly with government. That two-way flow within your community and with government is part of a cultural change that will need to happen as part of the legislation coming into force.”

    The Age of Trust podcast series was produced as a partnership between Verizon Business Group and InnovationAus.

    The post Key role for industry in critical infrastructure regime appeared first on InnovationAus.


  • Data breaches arising from ransomware incidents increased by 24 per cent in the first half of the year, prompting Australia’s Privacy Commissioner to warn that such attacks “are a significant cyber threat” that may be under-reported.

    The Office of the Australian Information Commissioner (OAIC) received 446 data breach notifications from January to June this year, according to its latest notifiable data breaches report, with 43 per cent resulting from cyber security incidents. Of the 445 total breaches, 46 were from ransomware, up from 37 notifications in the last reporting period.

    [Image caption: Privacy Commissioner Angelene Falk.]

    Since the notifiable data breaches scheme began in February 2018, health service providers and the finance industry have consistently reported the most data breaches compared to any other industry sector. In the first half of this year, that trend remained the same, with health service providers reporting 85 data breaches. The second largest source of notifications was from the finance sector with 57 followed by legal, accounting and management services with 35, and the Australian government and the insurance sector with 34 breaches each.

    The rise in ransomware attacks comes as the federal government considers implementing a mandatory ransomware reporting scheme, under which organisations that pay criminals to recover their files would be required to report this activity to the government. No government bill exists yet, but Labor’s Tim Watts is separately pushing his own bill that would require the same thing.

    Privacy Commissioner Angelene Falk said the increase in ransomware incidents was cause for concern.

    “We know from our work and from the Australian Cyber Security Centre that ransomware attacks are a significant cyber threat,” Commissioner Falk said.

    “The nature of these attacks can make it difficult for an entity to assess what data has been accessed or exfiltrated, and because of this we are concerned that some entities may not be reporting all eligible data breaches involving ransomware.

    “We expect entities to have appropriate internal practices, procedures and systems in place to assess and respond to data breaches involving ransomware, including a clear understanding of how and where personal information is stored across their network.”

    Australian security expert Troy Hunt, who runs the popular haveibeenpwned.com website, said ransomware had been around for decades, with the PC Cyborg Trojan in 1989 considered among the first. What had resulted in a rise in its use in recent times was a change in the business model of criminal enterprises and the way they had begun monetising stolen data.

    “I think one of the main driving factors is just simply return on investment,” Mr Hunt said of ransomware. “It’s just proven to be an enormously efficient way of monetising malicious software because, unfortunately, it does make good business sense to pay [a ransom].”

    Another reason it was becoming more popular was because of the types of ultimatums criminals were issuing to victims, resulting in new income streams.

    “It’s no longer just a ransom in terms of attacks against availability, where your files are locked and you need to pay for a key, but it’s also ransom with the threat of disclosure [of the stolen data].”

    One other “alarming” way criminals were pivoting, Mr Hunt said, was by not only demanding ransoms from companies attacked but by using personal information inside a data breach to demand ransoms from individuals whose data has been stolen. Vastaamo, a now-bankrupted Finland-based private psychotherapy practice, was the target of such an attack, where patients were contacted and asked to pay ransoms or else have their private patient files published.

    Mr Hunt said he expected sectors that remained at the top of the reporting list to be there because they were “heavily regulated” industries that were used to their reporting obligations under the law. This didn’t necessarily mean that they were the industries most impacted by known breaches, he said.

    In the first half of the year, the OAIC was also notified of a number of data breaches resulting from impersonation fraud, which involves a malicious actor impersonating another individual to gain access to an account, system, network or physical location. There were 35 notifications of social engineering or impersonation fraud during the reporting period.

    “The growth of data on the dark web unfortunately means that malicious actors can hold enough personal information to circumvent entities’ ‘know your customer’ and fraud monitoring controls,” Commissioner Falk said.

    “We expect entities to notify us when they experience impersonation fraud, where there is a likely risk of serious harm.

    “Entities should continually review and enhance their security posture to minimise the growing risk of impersonation fraud.”

    In May, Home Affairs secretary Mike Pezzullo said he believed it was “likely” a mandatory ransomware reporting scheme would be rolled out soon.

    “I think…most advanced economies are at a point, whereby some means, whether it’s mandatory reporting combined with other measures, that a much more active defence posturing is going to be required simply because of the prevalence of the attacks,” Mr Pezzullo told a Senate Estimates hearing.

    While human error breaches decreased after a significant increase last reporting period, Commissioner Falk said entities need to remain alert to this risk, particularly the Australian Government where 74 per cent of breaches fell into this category.

    The post Ransomware rise a concern: Privacy Commissioner appeared first on InnovationAus.


  • Opinion: When I started in tech journalism more than a decade ago in 2010, I revealed that the federal government was considering introducing metadata retention. The changes meant select data about Australians’ web histories would be stored and logged for two years.

    The controversial laws were shelved by Labor when it was in power but eventually, after a change of government and a further push by law enforcement, a bill was passed in 2015. The wedge needed to push a hesitant Labor opposition into supporting them was the December 2014 Lindt Cafe siege in Sydney’s CBD.

    “Your chances that your data will be viewed by law enforcement is low,” AFP Assistant Commissioner Tim Morris said at the time. “Those with nothing to hide have nothing to fear.”

    This was despite law enforcement agencies making more than 300,000 applications for our metadata each year, without a warrant.

    Since then, we’ve seen Canberra, at the request of police, spy agencies and intellectual property rights holders, chip away at the lack of regulation of multiple internet technologies.

    This has included requiring assistance to pry open encrypted smart devices or scrambled messages; blocking of websites to do with pirated movies or music; restricting access to Interpol’s “worst of the worst” list via a then relatively unused telecommunications law (sub-section 313 of the telco act); and, now, a debate on critical infrastructure and whether the government should be given the power to allow its spy agencies to take control of the computer networks of companies it deems manage such infrastructure (in the event of a cyber intrusion or to defend against one).

    A separate bill currently before Parliament would give more powers to federal police and the Australian Criminal Intelligence Commission to access computers and networks of those suspected of conducting criminal activity online. This has prompted concerns about innocent people who might get swept up in it and a perceived lack of proper judicial oversight.

    As part of the new “identify and disrupt” bill, new network activity warrants would allow authorities to hack into devices and networks of groups of individuals suspected of taking part in criminal activity online when their identities are not known. A new warrant would also allow the disruption of data through modification and deletion “to frustrate the commission of serious offences”, and new account takeover warrants would also be introduced.

    Amid all this, we’ve also seen multiple cases of abuse of data by law enforcement. The check-in apps each state has been using during the COVID pandemic? Queensland thought it’d be a great idea to use that data to investigate a reported theft of an officer’s gun and Taser from a regional pub despite assurances it would only be used for contact tracing purposes.

    Where there’s data, the temptation by third parties to access it will always be there.

    The same state government also used metadata to access the private information of cadets to determine whether they were sleeping with one another or faking sick days.

    Queensland – I’m not sure what it is about this state and privacy – was also among the first to start taking advantage of the data trail left behind by smart public transport travel cards, not just to find criminals, but to track down witnesses of crimes who may not necessarily wish to talk.

    Back in 1997, former US president Bill Clinton said the internet “should be a place where government makes every effort … not to stand in the way, to do no harm”. But he hastened to add that “a hands-off approach to electronic commerce must not mean indifference when it comes to raising and protecting children.”

    This brings me to Apple’s latest move – to identify photos uploaded to its online storage service iCloud that match against known child abuse imagery.

    It has all the hallmarks of being a smartly designed technology and does seem to have been created with some privacy mechanisms in mind. For example, it uses a “hashing” algorithm of known abuse material to identify imagery on people’s accounts and will only then alert Apple reviewers when an undisclosed threshold of images is reached.

    But it rightly has privacy advocates worried about what could come next. What starts off as a technology trained to search for a “worst of the worst” list of images could soon be used to search for other types of content stored on people’s phones. Another feature allows parents to have naked or sexually explicit imagery blurred on a child’s phone.

    “All it would take to widen the narrow backdoor that Apple is building is an expansion of the machine learning parameters to look for additional types of content, or a tweak of the configuration flags to scan, not just children’s, but anyone’s accounts,” the Electronic Frontier Foundation wrote. “That’s not a slippery slope; that’s a fully built system just waiting for external pressure to make the slightest change.”

    Apple says it will reject government advances, but laws are laws.

    Scope creep seems to be one of the main concerns often raised by privacy advocates, but one which is frequently ignored by politicians, rarely addressed properly in legislation and often relegated to explanatory memorandums that describe a bill and its “intention”.

    One example of website blocking scope creep is Australia’s tertiary regulator, which is now seeking telcos to restrict access to a site allegedly used by students for cheating.

    What I think all of this signals is that we’re entering a new age of the internet where further regulation will become commonplace, and corporations will be leaned on by governments to enact new policies rather than governments necessarily creating new laws to force change.

    We have seen this already with YouTube, Twitter and Facebook enacting bans following the spread of misinformation and online conspiracies. Rather than following laws, the companies are attempting to meet community and government standards and expectations. It’s voluntary regulation without new laws.

    Mostly, I think changes that encroach more on an individual’s privacy will become accepted, especially if convenience continues to be a priority over privacy.

    But will users boycott Apple over its latest photo move? Probably not. Until trust is broken or there’s a further erosion of their privacy, they won’t. But by then it might be too late.

    The post Expect more web regulation after Apple’s photo move appeared first on InnovationAus.


  • Home Affairs Secretary Michael Pezzullo says government has serious concerns with the security posture of global cloud computing giants like Amazon and Microsoft, and warned tightening data sovereignty requirements in Australia will “not be attractive” to them.

    On Thursday, in response to large cloud providers’ protests about proposed critical infrastructure legislation, the top security bureaucrat fired back, saying their business model was creating risks for government.

    Mr Pezzullo said the multinational cloud companies typically want “very few strictures” so they can continue a business model which relies on moving data around the world to minimise costs but often sacrifices security.

    “The ability of certain adversaries, some of whom are state adversaries, some of whom are criminal adversaries, to penetrate that data…is of deep concern to government,” Mr Pezzullo told a joint security committee.

    [Image caption: Sovereign data]

    He said this was a legitimate commercial model for cloud providers but could be at odds with Australia’s national interest when government-held data was involved. The federal government leans heavily on leading US cloud providers which collect hundreds of millions in government tenders.

    “We’ve stated that [concern] very bluntly and directly to that sector,” Mr Pezzullo said.

    “Because the Commonwealth Government itself has not been satisfied about the security of that data, both in terms of where it’s hosted and how it’s routed.”

    The Home Affairs chief said the government has bound itself to a data certification project which would “toughen the strictures” on the cloud industry when dealing with government-held data.

    Last year, then-services minister Stuart Robert flagged the government was considering sovereign cloud requirements following a backlash against US company Amazon hosting data collected by the COVIDSafe contact tracing app.

    In June, Mr Robert, who retained responsibilities for whole-of-government data and digital policy, announced three Australian data centre providers had been certified to store sensitive data locally under the government’s new Hosting Certification Framework.

    The framework requires data and digital service providers engaged by government to use highly secure systems, and, for the highest level of certification, to enable the Government to specify and enact ownership and control conditions that are not lowered at any time. It is designed to help agencies mitigate supply chain and data centre ownership risks.

    For cloud providers the framework means they may only receive certification for certain facilities in Australia.

    “In such cases, providers will only be able to use the certified data centre facilities (certified data centre facilities arrangements) that satisfy the certification level required by agencies,” the official Hosting Certification Framework said.

    Mr Pezzullo said the tightening data requirements being led by Mr Robert made the Australian government an “exemplar” but would mean challenges for multinational cloud providers.

    “What we would have in mind here, I suspect, to be very candid, would not be attractive necessarily to those companies,” Mr Pezzullo said.

    “Because how they make their money is, frankly, by moving the data around to the cheapest car park of data, which has the lowest regard for security but the highest regard to data as a commodity.

    “And that’s a perfect illustration of the tension here between the private commercial interest and the public interest.”

    The post Cloud giants’ security a ‘deep concern’ to govt appeared first on InnovationAus.


  • The Department of Education, Skills and Employment has handed more than $4 million worth of contracts to local firms to probe its cyber defences this year, as part of a surge in government cyber work for private contractors.

    It follows a critical report from the Auditor General into the department’s cyber defences, and its commitment to improve them.

    North Security Digital, Partner Consulting Group, CyberCX and Ionize – each Australian owned and Canberra based – all received contracts, which are each worth $1.1 million and run for the current financial year.

    A spokesperson for the Department of Education, Skills and Employment (DESE) said the work was for an assessment of cyber defences and advice.

    “The contracts are for the provision of specialist cyber security services including cyber security risk and vulnerability assessments, technical security advice and penetration testing services,” the spokesperson told InnovationAus.

    A single approach to market established the group of four service providers, but each contract will operate independently of the others.

    “This enables the department to source the most appropriate and available skills from one or more of the vendors to undertake the services required at the time it is needed,” the spokesperson said.

    Four Canberra based cyber firms have each received more than $1 million to help DESE with its cyber defences

    The work follows an Audit Office report earlier this year that found the DESE had not implemented basic mandatory cyber resilience measures. DESE agreed to improve its cyber security through monitored compliance during a set time frame, which was endorsed by the department’s executive board.

    The contracts cap off a healthy two months for the four firms, which won several other cyber contracts and extensions of existing agreements with government entities.

    In the last two months, CyberCX, which is headed by the former head of the Australian Cyber Security Centre Alastair MacGibbon, has won $3 million of new work and another $5.5 million from a Digital Transformation Agency contract extension.

    North Security Digital has won new and extended work from the government since June worth nearly $2.7 million.

    Ionize has won smaller contracts in the same period but many more of them, landing more than $4 million worth of new and extended work in the last two months.

    Partner Consulting Group received contracts and extensions worth more than $1.5 million since June, including a long-running contract from DESE being amended a fourth time and now worth nearly 10 times the original contract amount.

    The post Education embarks on $4m cyber probe appeared first on InnovationAus.


  • What do bushfires and cyber threats have in common? They are both a fact of life; they are both likely to get worse; and we won’t be able to stop either from happening – so we need to be better prepared and to minimise their impact. In short, we need greater resilience.

    The issues of resilience against bushfires and cyber threats came together in an Age of Trust podcast with Rear Admiral Lee Goddard CSC, RAN, head of partnership ecosystem, government relations and operations at the Minderoo Foundation and Rob Le Busque, the regional vice-president Asia Pacific at Verizon.

    The Minderoo Foundation is a philanthropic organisation that “takes on tough, persistent issues with the potential to drive massive change”. One of those challenges is “to lift Australia to be the global leader in fire and flood resilience by 2025”.

    Resilience is key: Rear Admiral Lee Goddard, Corrie McLeod and Rob Le Busque

    Mr Goddard said national initiatives to build resilience against bushfires were very much in catch-up mode: “We need to do much more, and we need to do it quickly – we need to be using the collective to find innovative solutions.”

    He introduced the idea of “pre-resilience”. In the case of bushfire preparedness, this means using the off-season to “make sure every part of our society, from the technology to the behavioural to the human aspects, are resilient and ready for further disruptions to come”.

    While there is no off-season for cyber threats, Mr Le Busque said pre-resilience equated to preparedness, but this often fell short of what was required.

    “Preparation is everything. It is really your first line of defence from cybercriminals and a large-scale hacking event,” he said.

    “A concept we talk about a lot is ‘you never rise to the occasion’. When the pressure’s on, you default to your level of training and preparedness.

    “You need to be conscious of the balance between the level of preparation, and the processes and systems you have set up to respond. You need to make sure these represent more than just compliance and are actually actionable programs and systems.”

    He added that often, when Verizon is called in to help an organisation respond to a cyber event, they find processes and systems for recovery exist, but they simply don’t work.

    “They haven’t been tested,” he said. “Then you see a level of disorganisation that adds to the disruption they are already suffering from.”

    The devastating 2019/20 bushfires and, more recently, COVID-19 have shown up shortcomings in Australia’s resilience, and the topic is now garnering much attention.

    Mr Goddard, who is a rear admiral in the Australian Navy Reserve with 34 years of full-time Navy service, said there needed to be an increased focus on the resilience of Australia’s infrastructure.

    “Our ability collectively to really understand where our critical infrastructure is, its vulnerabilities and how we quickly replace it has been an Achilles heel,” he said. “At the Minderoo Foundation, we are working through, and with, partners to identify this.

    “You only know how resilient some of your infrastructure is when the disaster happens. So, you need to really test it: critical communication hubs, critical resource hubs, critical infrastructure that supports dealing with the hazard.”

    He said the chief executive of Minderoo’s fire and flood resilience initiative, Adrian Turner – the former chief executive at CSIRO’s Data61 – was “focusing on data harmonisation and national data coordination to provide knowledge to support better decision-making and information sharing to enable leaders at all levels to really understand where the critical infrastructure is and where the critical weaknesses are in the system”.

    However, the resilience of critical infrastructure is now garnering considerable attention. There is legislation before Parliament designed to improve the security and resilience of Australia’s critical infrastructure that greatly increases the scope of what is seen as ‘critical infrastructure’.

    In the wake of the bushfires, policy think-tanks Global Access Partners and the Institute for Integrated Economic Research – Australia along with Gravity iLabs set up the GAP Taskforce on National Resilience, a group of 40 representatives from business, government, academia, the not-for-profit sector and the community brought together to “discuss ways to make Australia more resilient to future economic, strategic and environmental threats”.

    Australia has a number of resilience-related challenges that go well beyond our border. These increased vulnerabilities mean we need to deliver more effective solutions at greater speed. The disruption of the last 18 months has driven revolutionary change, and we in turn must be revolutionary innovators that ask questions and solve problems no one else has thought of.

    The Age of Trust podcast series has been produced as a partnership between Verizon Business Group and InnovationAus.com.

    The post Resilience in the face of fire, flood and cyber appeared first on InnovationAus.


  • Uber breached 1.2 million Australian customers’ privacy when it failed to protect their data from a cyber attack in 2016, the Privacy Commissioner has determined after a three and a half year investigation which encountered “jurisdictional issues”.

    Names, email addresses, driver’s licence numbers, and location data were stolen in the attack, and Uber paid the cyber criminals to destroy the data through its bug bounty program rather than disclosing the breach responsibly.

    The ride hailing giant will only have to make modest remedies, however, including reviewing its data governance and security programs with external experts and implementing their advice within a year.

    But the Privacy Commissioner insists the decision sends a clear message that companies must protect Australians’ data even when it is processed overseas. The lengthy investigation has also demonstrated the “jurisdictional issues” which have made pursuing multinationals difficult.

    Uber breached Australian privacy law in an incident affecting 57 million users.

    The watchdog’s investigation ran for more than three years, which is understood to be due to the complex, cross-jurisdiction nature of the case, which was also expanded several times.

    The breach occurred in 2016 when attackers gained access to the credentials of an Uber employee, giving them access to data stored by Amazon Web Services, including unencrypted files. Attackers downloaded the files which related to around 57 million individuals worldwide, including 1.2 million Australians.

    Uber became aware of the breach almost immediately because the attackers emailed the company demanding payment. Uber paid the attackers US$100,000 through a bug bounty program, which is supposed to be used for good faith disclosures of vulnerabilities, not extortion.

    The tech giant says it obtained written assurances from the attackers they had destroyed the data.

    Uber did not formally investigate the breach with external cyber experts until nearly a year later, and said the investigation found no evidence the data had been misused.

    The company then went public and contacted some of the drivers whose data had been compromised but not riders.

    The Office of the Australian Information Commissioner (OAIC) began an investigation shortly after the public disclosure in late 2017. It made a determination late last month, more than three and a half years later.

    The case was considered complex and important because it dealt with a breach by the US parent of the Uber company operating in Australia, which is actually Dutch.

    Uber had argued because the US company was used to process the data off-shore, the breach it suffered was not subject to Australian privacy law.

    But Australian Information Commissioner and Privacy Commissioner Angelene Falk, who made the determination, said she was satisfied both Uber entities had an “Australian link” at the time of the breach and were required to comply with the Privacy Act.

    “We need to ensure that in future Uber protects the personal information of Australians in line with the Privacy Act,” Ms Falk said.

    “The matter also raises complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information to other companies within their corporate group.”

    The investigation dragged out because of the inclusion of the Dutch-based Uber company operating in Australia, which was added to the probe in 2019 and the US parent’s argument it was not subject to Australian privacy law, an OAIC spokesperson told InnovationAus.

    “The Uber determination demonstrates the complex jurisdictional issues that can arise in applying the Privacy Act 1988 in its current form to multinational corporate structures and data flows…The US-based entity argued it was not subject to the Privacy Act, and so a formal determination was necessary to address the privacy breach. This also required extensive investigation to establish the OAIC’s jurisdiction in this matter,” the spokesperson said.

    “The existing test for establishing jurisdiction is complex, and the Australian Government’s current review of the Privacy Act is an opportunity to address this issue. The OAIC’s submission to the review proposes amendments to ensure we can more easily address the privacy risks to Australians whose personal information is held by multinational companies based overseas.”

    Ms Falk said her determination made clear the responsibilities of global corporations under Australian privacy law.

    “Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group,” she said.

    Ms Falk determined Uber companies breached the Privacy Act 1988 by not taking reasonable steps to protect Australians’ personal information from unauthorised access and to de-identify or destroy the data as required.

    They also failed to take reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles, according to the watchdog.

    Ms Falk ordered Uber to prepare, implement and maintain a data retention and destruction policy, an information security program, and an incident response plan that complies with Australian privacy law.

    The company must also use independent experts to review and report on the policies and their implementation, and report the findings to the OAIC.

    A spokesperson for Uber said the company has made several technical upgrades and security certifications, and policy and leadership changes since the 2016 breach.

    “We welcome this resolution to the 2016 data incident. We learn from our mistakes and reiterate our commitment to continue to earn the trust of users,” the spokesperson told InnovationAus.

    “We are confident that these changes in security and governance will address the determination made by the OAIC, and will work with a third-party assessor to implement any further changes required.”

    The post Uber breached 1.2 million Australians’ privacy appeared first on InnovationAus.


  • Australia has formally attributed the Microsoft Exchange software cyber-attack to China, joining Five Eyes allies and others in condemning what they say is a state sponsored attack which affected an estimated 30,000 organisations globally.

    The public attribution is rare but not unprecedented, with Australia having previously named Iran, China, North Korea, and Russia for other cyber attacks.

    The latest explicit attribution to China – Australia’s first since 2015 – was not accompanied by sanctions, but experts say it could be a precursor to them if attacks continue.

    On Tuesday, Home Affairs Minister Karen Andrews said Australia had worked with allies to gain a “very high” confidence that China’s Ministry of State Security exploited vulnerabilities in the Microsoft software to target thousands of networks and computers around the world, including in Australia.

    She said these vulnerabilities were used to “exploit the private sector for illicit gain”. Beijing has rejected the claims, accusing Australia of hypocrisy.

    Home Affairs Minister Karen Andrews. Photo: NASA/Aubrey Gemignani

    Ms Andrews said the attribution was made because it was in Australia’s interest to do so but acknowledged there would be repercussions from Australia’s biggest trading partner.

    “We are aware that there are serious implications for any attribution that is made to any nation, but we also will not compromise our position on sovereignty, and national security,” Ms Andrews said.

    “And in this instance, along with our partner nations, we needed to call out this malicious cyber attack.”

    While no sanctions were announced, Ms Andrews said China won’t get away with the attack “scot-free” because it has suffered serious reputational damage from the attribution.

    Australia has previously attributed cyberattacks to Iran, North Korea, and Russia, as well as to China in 2011 and 2015. But the government resisted naming China as the nation behind a wave of cyber incidents last year and an attack on the Parliament in 2019, despite security agencies reportedly believing Beijing was the culprit.

    The federal government’s cyber advisory panel last year recommended there should be clearer consequences for malicious actors found to be targeting Australian businesses and governments. The industry panel, dominated by telcos and led by Telstra chief Andy Penn, said there should be more of a willingness to publicly attribute these attacks.

    Public attribution is used sparingly because of the difficulties in proving a nation state is directly responsible and because attacks typically need to cross a cyber “red line” to warrant it, according to Australian Information Security Association chair Damien Manuel.

    “[Attribution] is almost like a diplomatic warning of ‘don’t go any further because then there’ll be other consequences’…Often attribution can be used as a diplomatic sort of blunt tool to put a country on notice,” Mr Manuel told InnovationAus.

    Mr Manuel, also Director of Deakin University’s Cyber Research and Solution Centre, said the Australian government will be carefully monitoring China’s response to the attribution and whether the attacks continue to determine if sanctions and tariffs are warranted.

    Just hours after Australia’s official attribution, the Chinese embassy in Canberra issued a statement rejecting the “groundless accusation” of the Australian government, accusing it of “parroting the rhetoric of the US” and engaging in its own eavesdropping.

    “What the Australian government has done is extremely hypocritical, like a thief crying ‘stop the thief’,” a spokesperson for the Chinese Embassy said.

    “As a victim of cyber attacks, China always firmly opposes cyber attacks and cyber theft in all forms, and calls on countries to advance dialogue and cooperation to safeguard cyber security.”

    Attribution is also often a trade or diplomatic tactic, Mr Manuel said, and Australia is deploying it at a time when its relations with China are at their lowest point in years.

    “China will make certain claims about Australia and Australia will make certain claims about China. This is a kind of balancing act,” he told InnovationAus prior to the Chinese embassy statement.

    “There are red lines, obviously, where from a political perspective we don’t want countries to cross. And if they do cross them, that tends to be when they will call it out specifically. And that draws different sort of pressures. It becomes political pressure, social pressure, trading pressure as well.”

    The immediate damage for China will be relatively low, according to former National Security Adviser and head of the Australian Cyber Security Centre Alastair MacGibbon.

    He told ABC Radio the retaliations to these types of attacks are typically “quite muted” because it is so difficult to prove the exact provenance of attacks and to hold foreign individuals responsible.

    “The reality is consequences for China will be pretty low, but I think there’s an important moral message here,” Mr MacGibbon said, pointing to the unprecedented involvement of Japan and NATO in an attribution to China.

    “That shows us the significance of the body of evidence and the global nature of this particular activity. So it is a significant day.”

    Mr MacGibbon, now chief strategy officer at private firm CyberCX, said the Microsoft Exchange attacks attributed to China had crossed a “significant line” of cyber espionage norms because China had used private contractors to exploit the vulnerability, who then made personal gains through cybercrimes.

    “China has used contractors to carry out what you would suggest is a legitimate state-based espionage activity. We may not like it but it’s kind of what nations do to each other,” he said.

    “And those contractors have then, for their own gain, carried out activities in parallel to what they were doing for the Chinese government.”

    The post Cyber attribution a ‘blunt’ warning to Beijing appeared first on InnovationAus.


  • RNZ News

    New Zealand’s cyber security agency believes China has been behind numerous hack attacks spanning years.

    The government joined Western allies and Japan in calling out Beijing for so-called state-sponsored hacks, including a major incursion in February when Microsoft email servers were targeted.

    The US has charged four Chinese nationals — three security officials and one contract hacker — with targeting dozens of companies and government agencies in the United States and overseas under the cover of a tech company.

    “What we do is when we see malicious cyber activity on New Zealand networks, that may be through our own capabilities that we have to help protect New Zealand networks or it may be something that’s reported to us, we look at the malware that’s used,” Government Communications Security Bureau Director-General Andrew Hampton told RNZ Checkpoint.

    “We look at how the actor behaves. We look at who they might be targeting and what they do if they get onto a network.

    “That allows us to build a bit of a picture of who the actor is. We then compare that with information that we receive, often from our intelligence partners who are also observing such activity.

    “That allows us to make an assessment, and it’s always a probability assessment about who the actor is.

    The APT 40 group
    “In this case, because of the amount of information we’ve been able to access both from our own capabilities and from our partners, we’ve got a reasonably high level of confidence that the actor who we’ve seen undertaking this campaign over a number of years, and in particular, who was responsible for the Microsoft Exchange compromise, was the APT 40 group — Advanced Persistent Threat Group 40 — which has been identified as associated with the Chinese Ministry of State Security.

    “The actors here are state sponsored actors rather than what we would normally define as a criminal group. What we’re seeing here is a state sponsored actor likely to be motivated by a desire to steal information.”

    Hampton said there was a blurring of lines between what a state agency does, and what a criminal group does.

    “Some of the technical capabilities that previously only state organisations had, have now got into the hands of criminal groups.

    “Also what we’ve seen in a range of countries is individuals who may work part-time in a government intelligence agency, and then may work part-time in a criminal enterprise. Or they may have previously worked in a state intelligence agency and are now out by themselves but still have links back to the state.

    “We don’t know the full detail of the nature of the relationship, but what we do know is the Ministry of State Security in China, for example, is a very large organisation with many thousands of employees.

    “So they are big organisations with people on their payroll but they also would have connections with other individuals and organisations.

    Information shared with criminals
    “Something else worth noting with regard to this most recent compromise involving the Microsoft Exchange, what we saw there is once the Ministry of State Security actors had identified the vulnerability and exploited it, they then shared that information with a range of other actors, including criminal groups, so they too could exploit it.

    “This is obviously a real concern to see this type of behaviour occurring,” Hampton said.

    All evidence showed the cyber attacks were all originating from mainland China, Hampton told Checkpoint.

    He said such attacks would be aimed at stealing data or possibly positioning themselves on a system to be able to access information in the future.

    “A common tactic we see, unfortunately, is there may be a vulnerability in a system,” Hampton said.

    “It could be a generic vulnerability across all users of that particular system, and a malicious actor may become aware of that vulnerability, so they would use that to get onto the network.

    “That doesn’t mean they will then start exfiltrating data from day one or something like that. They may just want to sit there in the event that at some point in the future they may want to start doing that.

    Malicious actors
    “This exploitation of known vulnerabilities is a real concern. This is why all organisations need to keep their security patches up to date, because what can happen is you can have malicious actors use technology to scan whole countries to see who hasn’t updated their patches.

    “They then use that vulnerability to get on the network and they may not do anything with it for some time. Or they might produce a list of all the organisations, say, in New Zealand who haven’t updated their patches.

    “Then they make a decision – okay these are the four to five we want to further exploit.”

    This article is republished under a community partnership agreement with RNZ.

    This post was originally published on Asia Pacific Report.

  • Ransomware attacks will only get worse for Australia without strategic domestic efforts to thwart it, according to a new report which warns a “policy vacuum” has made the nation an “attractive market” for cyber attackers.

    The Australian Strategic Policy Institute report follows a spate of ransomware attacks in Australia and across the world, which have crippled services and infrastructure while costing organisations millions of dollars.

    The Opposition called for a national ransomware strategy in February and a mandatory notification scheme for Australia in June. International experts have also called for strategies as part of a coordinated response from national leaders and backed the use of notice schemes.

    But the federal government is yet to launch a formal ransomware policy or notification scheme, instead using a business advisory group, an awareness campaign and pledging to work with international allies against the threat.

    ASPI bells the cat on ransomware

    The latest report from ASPI said much more will be needed in Australia to combat the growing threat of ransomware, part of a $1 trillion “tsunami” of cybercrime.

    “A current policy vacuum makes Australia an attractive market for these attacks, and ransomware is a problem that will only get worse unless a concerted and strategic domestic effort to thwart the attacks is developed,” the report said.

    “Developing a strategy now is essential. Not only are Australian organisations viewed as lucrative targets due to their often low cybersecurity posture, but they’re also seen as soft targets.”

    Written by Cyber Security Cooperative Research Centre chief executive Rachael Falk and colleague Anne-Louise Brown, the ASPI report suggests several domestic policy levers to thwart ransomware attackers, which typically operate from foreign countries.

    “Such action is essential because the grim reality is that, when it comes to ransomware, prevention is the best response,” it said.

    The report’s policy recommendations include a mandatory notice scheme, a dedicated cross-departmental taskforce also involving state and territory representatives, greater clarity about the legality of ransomware payments, more transparency when attacks do occur, expanding the official alert system of the Australian Cyber Security Centre (ACSC), education programs to improve public and the business understanding, and tax, procurement and subsidy measures to incentivise cybersecurity uplift.

    On the same day the federal government-funded ASPI report was released, Home Affairs minister Karen Andrews launched a discussion paper on regulatory reforms and voluntary incentives to strengthen cyber security across the economy.

    The paper estimates the cost of cyber security incidents to the Australian economy is $29 billion per year, or 1.9 per cent of GDP.

    “We cannot allow this criminal activity to become a significant handbrake on our economic growth and digital security,” Minister Andrews said.

    Labor said the ASPI report echoes its continued calls for a ransomware strategy and a notification scheme.

    “By contrast, while the Morrison government never misses an opportunity for a dramatic press conference on cyber security it’s missed every opportunity to take the basic actions needed to combat this threat,” said shadow assistant minister for cyber security Tim Watts, who introduced a private members bill for a notification scheme last month which is yet to be listed for debate.

    “Instead it’s simply played the blame game, telling businesses it’s up to them to protect themselves against increasingly sophisticated and well-resourced cyber-criminals.

    “Australian businesses and the workers they employ need a government that understands organisational IT security is only part of the response to the threat of ransomware.”

    The ASPI report concludes there is a key role for government to play in tackling ransomware but the problem is a shared responsibility.

    “While there’s no doubt that organisations must take responsibility for ensuring that their cybersecurity posture is up to scratch, there are practical and easily implementable steps the government can take to provide clarity, guidance and support,” it said.

    The post ASPI ‘soft target’ warning on ransomware appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • A renowned US cybersecurity expert has put weight behind calls for a mandatory ransomware payment notification scheme in Australia and said the country’s election administration system should be considered critical infrastructure.

    Cybersecurity expert and former United States Cybersecurity and Infrastructure Security Agency chief Chris Krebs appeared before the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on Friday, where he backed calls for organisations to be required to report to authorities when they have made a ransomware payment.

    Mr Krebs said a notification scheme would help authorities understand the scale of the problem and collect valuable intelligence on incidents.

    “We have to get to the denominator of ransomware attacks, and the easiest way to do that is to require ransomware victims to make a notification to the government…if you’re going to be engaging [in a] transaction with a ransomware group, that needs to be notified,” Mr Krebs told the inquiry, which is reviewing current and proposed critical infrastructure legislation.

    “The second [reason] is if you’re going to make the payment we also want to make sure the information, specifically the wallet to which the ransomware payment is going, can be tracked by law enforcement and intelligence officials to light up the economy.”

    Former US Cybersecurity chief Chris Krebs. Image: Department of Homeland Security/Tara Molle

    Last month, shadow assistant minister for cyber security Tim Watts introduced a private members’ bill which would establish a notification scheme, and called on the government to urgently support it following a spate of ransomware attacks around the world.

    Home Affairs Minister Karen Andrews told a business event shortly after that the government is “open to exploring” a mandatory reporting scheme but added it must follow an increased awareness of the problem.

    The Department of Home Affairs is reportedly considering a notification scheme, with secretary Mike Pezzullo saying he believes it is “likely” one would be rolled out soon.

    Following Mr Krebs’ evidence on Friday, Labor’s Mr Watts issued a statement calling for the government to urgently list his bill for debate when Parliament returns in August.

    “The Minister said when taking on the role in March cyber security was a ‘priority’ for her. It’s time we saw some real action,” Mr Watts said.

    “Ransomware is completely out of control in 2021. There has been an onslaught of attacks that threaten Australian jobs including JBS Foods, our biggest meat producer, the Nine Network, and multiple hospitals.”

    The US expert also called for Australia to consider election administration as critical infrastructure. Mr Krebs was fired by then-US President Donald Trump in 2020 for refuting his claims that the 2020 presidential election was fraudulent.

    “I think there are elements of the election administration function that should absolutely be considered critical infrastructure, and that is the administration element,” he said.

    “That’s the systems, the machines, the counting process, the protocols around it — I think it’s, at least in the US, a step too far to call the political parties themselves as part of the infrastructure, but they do have certainly a contribution and a piece involvement.”

    The PJCIS is currently considering legislation which would see more Australian sectors considered “critical infrastructure”, including communications and data storage and processing.

    Mr Krebs said bad actors have been effective in disrupting elections with disinformation campaigns and “perception hacks”.

    “Those are the more pervasive, much harder to debunk, because there’s an asymmetry of the adversary,” he said.

    “Even if it’s domestic, it’s still an adversary, in this case, [a] domestic actor that is trying to undermine confidence in the process for their own outcomes.”

    The post US cyber expert backs ransomware notice scheme appeared first on InnovationAus.

  • The changes to critical national infrastructure regulation in relation to cyber security will need a coordinated, Australia-wide communications campaign that embraces small and medium sized companies in order to carry maximum impact.

    Email security and cyber resilience specialist Mimecast’s country manager Nick Lennon says the changes to critical national infrastructure legislation in Australia are a positive step forward. The regulation of cyber risks is a good thing and will ultimately lift cyber standards across the economy. In order to effect change, there needs to be a complete commitment across all levels of government and the private sector, as without the necessary changes there is the potential for considerable socioeconomic impact.

    The new regulations are ultimately a way of introducing standards to manage cyber risks in Australia, just as financial reporting requirements and audits through regulations have been a way to manage financial risks across the economy.

    Changes to the critical national infrastructure regulations will result in the introduction of minimum standards. The key to its roll-out in the early stages will be in a mass communications campaign that reaches the small and medium-sized companies that will be ‘captured’ by the new legislation.

    Mimecast country manager Nick Lennon

    “The critical national infrastructure changes effectively introduce ‘table stakes’ – or minimum standards – for companies, to enable them to participate in the new economy and the new environment,” Mr Lennon said. “That’s a positive thing and it really should be promoted.”

    “This is regulation catching up in cyber, and supporting modern businesses to operate effectively in the current environment.”

    “Longer term, it is easy to see a world where cyber security is regulated in the same way that the accounting and financial services industry is stood up today.

    “So, we are obliged to check and report our [financial] books every 12 months, and we have multiple government agencies that analyse the quality of that information, to make sure that there’s transparency and due diligence around these organisations so they are able to trade appropriately,” he said.

    In the same way that government financial regulation is an effective measure to ensure the financial services sector meets and exceeds global standards, Australia’s new cyber regulations need to be in lockstep with other countries to meet our obligations as global citizens in terms of cyber security standards. These new cyber regulations are about creating clear standards that enable trust across the systems of the economy, allowing customers and businesses to invest in one another. This is the same scenario that underscored the introduction of standard financial reporting, Mr Lennon said.

    The key in cyber would be to make these new standards “more visible, more accessible and more in your face.”

    “It is easy to envisage a world where organisations are reporting on their cybersecurity standards in a similar manner to how they are considering their financial auditing in today’s terms,” Mr Lennon said.

    “So the question becomes, how does a small to medium-sized organisation consider what that means to them? And how do they meet or exceed those standards that are being asked of them around positive security objectives and the processes associated with reporting cybersecurity events? Of note, the private sector has asked what it will cost businesses to meet the new cybersecurity standards, and where that cost burden will lie.”

    It is a complex communications challenge, but not dissimilar to issues that governments have helped solve effectively in the past with national, coordinated campaigns. Think of Slip, Slop, Slap, the ongoing anti-smoking campaigns, or any number of other health campaigns. These aim to make the community-wide and individual benefits of taking action register with the public.

    This can work with cyber.

    Mr Lennon points to Mimecast’s own authoritative State of Email Security 2021 report for the numbers that illustrate the massive scale of cybersecurity problems across the economy.

    In Australia, the report found that an incredible 64 per cent of companies had experienced some form of business disruption through ransomware in the past year, a massive increase from the 48 per cent reported in the previous year.

    Of those companies, 54 per cent paid the ransom. And of the companies that paid a ransom, 76 per cent recovered their data, but 24 per cent paid and never recovered their data – a true nightmare scenario for any business. In terms of downtime, there is a big impact, with the report revealing that business disruption caused an average of 4 days of downtime, and for 26 per cent of businesses it was one week or more. This downtime can greatly impact our supply chains and the economy, and underscores the immediacy of protecting our critical national infrastructure.

    “If you do the maths on that, you find that the scale of the ransomware ‘industry’ is massive. And that fact is not as well publicised as it should be in terms of communicating why regulation through changes to the critical national infrastructure legislation is so important,” Mr Lennon said.

    This article was produced in partnership with Mimecast as a member of the InnovationAus Leadership Council.

    The post Call for campaign on cyber critical infrastructure appeared first on InnovationAus.

    On 3 July 2021, Forensic Architecture, supported by Amnesty International and the Citizen Lab, launched a new interactive online platform that maps for the first time the global spread of the notorious spyware Pegasus, made by cyber-surveillance company NSO Group.

    ‘Digital Violence: How the NSO Group Enables State Terror’ documents digital attacks against human rights defenders around the world, and shows the connections between the ‘digital violence’ of Pegasus spyware and the real-world harms that lawyers, activists, and other civil society figures face.

    “NSO Group is the worst of the worst in selling digital burglary tools to players who they are fully aware actively and aggressively violate the human rights of dissidents, opposition figures, and journalists,” said Edward Snowden, President of Freedom of the Press Foundation.

    NSO Group is a major player in the shadowy surveillance industry. The company’s Pegasus spyware has been used in some of the most insidious digital attacks on human rights defenders. When Pegasus is surreptitiously installed on a person’s phone, an attacker has complete access to a phone’s messages, emails, media, microphone, camera, calls and contacts. For my earlier posts on NSO see: https://humanrightsdefenders.blog/tag/nso-group/

    “The investigation reveals the extent to which the digital domain we inhabit has become the new frontier of human rights violations, a site of state surveillance and intimidation that enables physical violations in real space,” said Shourideh C. Molavi, Forensic Architecture’s Researcher-in-Charge. 

    Edward Snowden narrates an accompanying video series which tells the stories of human rights activists and journalists targeted by Pegasus. The interactive platform also includes sound design by composer Brian Eno. A film about the project by award-winning director Laura Poitras will premiere at the 2021 Cannes Film Festival later this month.

    The online platform is one of the most comprehensive databases on NSO-related activities, with information about export licenses, alleged purchases, digital infections, and the physical targeting of activists after being targeted with spyware, including intimidation, harassment, and detention. The platform also sheds light on the complex corporate structure of NSO Group, based on new research by Amnesty International and partners.

    “For years, NSO Group has shrouded its operations in secrecy and profited from working in the shadows. This platform brings to light the important connections between the use of its spyware and the devastating human rights abuses inflicted upon activists and civil society,” said Danna Ingleton, Deputy Director of Amnesty Tech.

    Amnesty International’s Security Lab and Citizen Lab have repeatedly exposed the use of NSO Group’s Pegasus spyware to target hundreds of human rights defenders across the globe. Amnesty International is calling on NSO Group to urgently take steps to ensure that it does not cause or contribute to human rights abuses, and to respond when they do occur. The cyber-surveillance company must carry out adequate human rights due diligence and take steps to ensure that human rights defenders and journalists do not continue to become targets of unlawful surveillance.

    In October 2019, Amnesty International revealed that Moroccan academic and activist, Maati Monjib’s phone had been infected with Pegasus spyware. He continues to face harassment by the Moroccan authorities for his human rights work. In December 2020, Maati Monjib was arbitrarily detained before being released on parole on 23 March 2021.

    Maati Monjib tells his story in one of the short films, and spoke of the personal toll following the surveillance: “The authorities knew everything I said. I was in danger. Surveillance is very harming for the psychological wellbeing of the victim. My life has changed a lot because of all these pressures.”

    Amnesty International is calling for all charges against Maati to be dropped, and the harassment against him and his family by the Moroccan authorities to end.

    To find out more visit digitalviolence.org

    https://www.amnesty.org/en/latest/news/2021/07/investigation-maps-human-rights-harm-of-nso-group-spyware/

    This post was originally published on Hans Thoolen on Human Rights Defenders and their awards.

  • The Department of Defence has funded three more Australian universities for their work with a US counterpart on cybersecurity research that could one day benefit defence forces.

    $3 million of the department’s emerging technology fund will be shared by researchers at the University of Melbourne, Macquarie University and the University of Newcastle for their joint project to develop autonomous cyber security systems.

    The work is exploring how cyber bots can learn from and form teams with each other and humans to combat cyber threats.

    A cohort of Australian and US universities led by the University of Melbourne has received $3 million to research cyber bots

    The project also involves the University of Wisconsin and the funds will come via the Australia—US Multidisciplinary University Research Initiative, a nine-year $25 million program to fund Australian and US universities’ joint projects on areas of high priority for Defence.

    The program is part of Defence’s Next Generation Technologies Fund (NGTF).

    The NGTF was established in 2016 with $600 million to back research and development of technology for the “future Defence force after next” over ten years. It was topped up last year to $1.2 billion and extended to 2030.

    InnovationAus can reveal less than $220 million from the NGTF has been allocated so far including the latest universities projects, meaning around 18 per cent of funds have been used, more than a third of the way into the projected lifespan.

    “As at 31 May 2021, the NGTF has funded a total of 282 activities worth $211 million. This includes both completed and active arrangements,” a Department of Defence spokesperson told InnovationAus.

    The latest project to be funded is the joint cyber initiative between the University of Melbourne, Macquarie University, the University of Newcastle and the University of Wisconsin.

    The project aims to develop autonomous cyber security systems through “robust and effective teaming of bots and humans”.

    “The joint project, led in Australia by the University of Melbourne, will explore how cyber bots can learn and form teams, either amongst themselves or with humans, to counter cyber threats,” Department of Defence chief science engagement and impact division Dr Kershaw said.

    “Improved security through cyber autonomy is critical for Defence’s future in highly challenging and adverse environments.”

    Last week, the Department of Defence announced it had funded quantum technology and 3D printing projects through the same program, with $4 million being shared by teams from Griffith University, the University of Technology Sydney, the University of New South Wales, and the University of Sydney.

    The Department of Defence is still seeking research and development proposals from Australian universities and small to medium enterprises to support Defence capability, and has urged universities to take advantage of the “huge opportunity” to partner with the well-funded department.

    The post Defence adds $3m to university cyber research appeared first on InnovationAus.

  • Australia needs to make “dramatically greater investments” in cybersecurity education and sovereign capability in order to become a more effective cyber power, according to a report by the International Institute for Strategic Studies.

    The International Institute for Strategic Studies (IISS) released its report on the cyber capabilities and powers of 15 countries this week.

    It ranked these countries across three tiers, with Australia placed in the second tier, with “world-leading strengths” in some of the categories but struggles in others, especially around skills, education and commercialisation.

    The global report also called out failings in cyber controls in Australian government departments and agencies and the need for better coordination at a federal level.

    The IISS has called on Australia to “dramatically” increase its cyber investment

    “For Australia to become a more effective cyber power, it will need to make dramatically greater investments in cyber-related tertiary education and carve out a more viable sovereign cyber capability,” the IISS report said.

    The report found that the federal government’s 2020 Cyber Security Strategy helped to “significantly improve” its cybersecurity guidance for all sectors, but there are still “significant weaknesses in the government’s own practices”, with “considerable recalcitrance on the part of government agencies when it comes to upgrading their cybersecurity”.

    In terms of skills, the previous 2016 strategy didn’t have enough funding to make any real impact, the report found, and in last year’s iteration the government opted for “radical” new visa programs to attract talent from overseas.

    But funding is still an issue here, according to IISS.

    “But Australian universities’ response to the new opportunities and demand for cybersecurity education could not match the government’s ambition, particularly since the government wasn’t prepared to invest sufficient funds,” the report said.

    The 2020 strategy included about $50 million in funding for workforce development, education and community initiatives.

    “But this is unlikely to give universities much incentive because the government prefers community and business-based solutions,” the IISS report said.

    This funding included a $26.5 million Skills Partnership Innovation Fund, with the first round of grants opened in February to “improve the quality and availability of cybersecurity professionals through training”.

    The funding package also included $6.3 million for the Australian Cyber Security Centre to grow education skills, $14.9 million for Questacon and $2.5 million to improve data on cybersecurity skills shortages.

    More leadership and funding is required from the federal government, it said.

    “Australia has moved towards a more coherent policy and legislative framework for cybersecurity and resilience, but the changes need to be reflected in better governmental coordination and more consistent use of standardised tools,” it said.

    “The country has not yet made adequate investments to defend against the most serious potential threats. Its providers of critical national infrastructure appear not to have a sufficient understanding of the risks and the situation is aggravated by a shortage of personnel with the relevant skills, including at board level.”

    Funding and skills are also issues for Australia’s developing offensive cyber capability.

    “In terms of resources and available personnel, Australia does not match the capabilities of its senior allies,” it said.

    “In common with all other states, the biggest constraint on Australia’s offensive cyber capability may well be the limited extent of its national skills base and pipeline.”

    In the report, the IISS also took aim at Australia’s long-running commercialisation struggles, pointing out that despite being among the top countries in the world in terms of average internet usage and companies engaged in e-commerce, it falls outside the top 10 in terms of innovation, competitiveness and cybersecurity.

    “Since the turn of the century, Australia’s digital economy has mostly stood still in relative terms – for example, its information industries share of total global value added hardly increased between 2006 and 2016,” it said.

    “There is a mismatch between its innovation inputs, in which it ranked 13th in the world in 2020, and its innovation outputs, in which it ranked only 31st. Overall, Australia has a modest capability to assess the security implications of imported technologies, with the best capabilities concentrated largely in government and in several larger corporations.”

    The post ‘Dramatically greater’ investment needed in cyber appeared first on InnovationAus.

  • Fresh questions for the security services have been raised after it emerged Foreign Secretary Dominic Raab’s private mobile number has been available online for a number of years.

    The discovery came weeks after it was revealed Prime Minister Boris Johnson’s phone number was freely available on the internet for more than a decade.

    The Foreign Office said on Tuesday Raab’s number and other private information was swiftly removed once the department was made aware of the oversight.

    Since 2010

    The Guardian, which first reported the number’s availability after being notified by a reader, said it appeared to have been online since before he became an MP in 2010.

    A Foreign Office spokesperson said:

    Private information was wrongly retained online, before the Foreign Secretary’s appointment.

    Once we were made aware, we had it removed immediately. Most of it was out of date, and no security was compromised.

    In April it emerged that Johnson’s number remained on the bottom of an online press release from when he was shadow higher education minister in 2006.

    That disclosure – by the Popbitch gossip newsletter – prompted concerns that Johnson had left himself vulnerable to covert activity by hostile states.

    The Prime Minister had already been reportedly told by Civil Service head Simon Case to change his number, because it was too widely known from his career as a journalist.

    Risk

    Former UK national security adviser Lord Ricketts told the Guardian:

    The wide availability of Mr Raab’s personal phone number must increase the risk that other states, or even criminal gangs, have been able to eavesdrop on his calls.

    It also means that anyone who happens to have had his phone number … is able to lobby the foreign secretary, bypassing the official channels which everyone else has to use.

    Anyone taking on a role as sensitive as this should in their own interests pay as much attention to online as to physical security.

    Concerns have also been raised over senior Government figures’ use of WhatsApp.

    Former Downing Street aide Dominic Cummings has published a series of exchanges on the messaging network, showing it was used to co-ordinate elements of the coronavirus pandemic response.

    By The Canary

    This post was originally published on The Canary.

  • As chief executive of the Cyber Security Cooperative Research Centre, Canberra-based Rachael Falk has been one of the most clear-eyed and articulate advocates for building cyber capability across the Australian economy.

    Ms Falk arrived in the cybersecurity sector via an early career in the law and then telecommunications. She spent 15 years at Telstra in roles that included National Security Advisor and general manager of cyber influence.

    The Cyber Security CRC is something of a newcomer to the federal government’s Cooperative Research Centre program, with Ms Falk joining as founding CEO three years ago.

    The cybersecurity “landscape” has changed quite radically during those three years. Certainly issues of sovereign capability and supply chains have taken on new meaning since COVID-19, as well as cloud services and data sovereignty, the government’s treatment of encryption services and even definitions and obligations under critical infrastructure protection laws.

    In this episode of the Commercial Disco podcast, Rachael Falk talks about the challenges of building domestic cyber capability and the role of the CRC in creating the top-end skills that can underpin a healthy and growing Australian cyber industry.

    The CRCs bring together like-minded partners from industry, academia and government to work together to solve problems and in doing so to create research translation and commercialisation outcomes.

    Cybersecurity is a horizontal industry that touches literally all parts of the modern economy, and the global market for cyber products and services is clearly massive, with a growth rate that outstrips others.

    The CRC is geared toward commercialisation, and has processes in place to ensure that the “commercialisable” parts of a project are identified early, and that the various parties involved in the project can recognise and agree on the pathways to commercialisation.

    Building Australian cyber products and services based on research partnerships is key to lifting national capability, Ms Falk said. It is not enough to simply buy product from overseas. Creating and building solutions to problems through top-end research provides an unmatched capability uplift that results in both a more secure Australian economy and access to valuable global supply chains.

    While Australian companies can’t do everything, and local firms have not been able to build at the scale of multinational suppliers in some areas, there is a recognition that local companies have been able to fill niches and participate in global supply chains that are valuable to the economy and to the nation’s security.

    “There has been this recognition that it’s a broad church and that we need all the players [domestic and multinational]. That to me has been one of the biggest shifts of the past three years,” Ms Falk said.

    Building capability: Cybersecurity CRC chief executive Rachael Falk

    “When you’re designing and making widgets here and you’re investing in people here, you’re [also] building capability here,” she said.

    This is a great interview for anyone looking for a 20 minute snapshot of the local cybersecurity sector.

    The Cyber Security CRC is funded through to 2024 and it will be up to its member participants and discussions with the government on what the future holds beyond that. There is no suggestion that the organisation will not continue beyond that date.

    It is a measure of how seriously the sector is taken that the Cyber Security CRC – which is effectively a modest-sized not-for-profit – boasts a board of directors that looks more like that of an ASX 200 company.

    The board includes former ASIO and ASIS director general David Irvine, Business Council of Australia CEO Jennifer Westacott, the Australian Signals Directorate’s ACSC chief Abigail Bradshaw, Nuix founder Eddie Sheehy, Cisco Systems global chief of nation cyber security officers Greg Thomas, Deakin University deputy vice-chancellor Prof Julie Owens, QBE director John Green, and Commonwealth Bank director Anne Templeman-Jones.

    The Cyber Security CRC is chaired by former ACT senator Kate Lundy. Ms Falk is also on the board.

    The post Rachael Falk on building local cyber capability appeared first on InnovationAus.

  • In the wake of the coronavirus (Covid-19) pandemic, we’ve been spending more time online. As a result, more of our personal data is also online. There’s also been an increase in certain kinds of cyber attacks since the start of the pandemic. According to an Interpol report, cybercriminals are beginning to target “corporations, governments and critical infrastructure”.

    And this is affecting councils in the UK too. Because, as reported by Alex Scroxton in ComputerWeekly.com, Freedom of Information (FoI) requests show:

    UK councils reported more than 700 data breaches to the Information Commissioner’s Office (ICO) during 2020

    But the damage is not limited to councils. Because a number of healthcare providers have also been hit by similar data breaches.

    Damage done

    The FoIs were disclosed to security services provider Redscan. In Scroxton’s article, he explained:

    Redscan received responses from over 60% (265 of 398) of borough, district, unitary and county councils in England, Scotland, Wales and Northern Ireland.

    The security company found evidence that UK local government cyber security is “by and large, disjointed and under-resourced”. And responsibility for local government rests with central government. According to a report commissioned by the Local Government Association (LGA), as of 2020, “local authorities will have faced a reduction to core funding from the Government of nearly £16 billion over the preceding decade”. Meanwhile the data of private citizens is at risk.

    So these are real concerns. Because according to Redscan’s chief technology officer Mark Nicholls:

    Every council has thousands of citizens depending on its services daily. Going offline due to a cyber attack can deny people access to critical services. To minimise the impact of data breaches, it is important that councils are constantly prepared to prevent, detect and respond to attacks.

    However, according to Nicholls:

    While our findings show that councils are taking some steps to achieve this, approaches vary widely and, in many cases, are not enough.

    So because data held by councils is at risk from cybercriminals, people need assurances that their data is safe.

    Previous attacks on councils

    Unfortunately, data breaches are far from uncommon. As reported by The Canary in June 2020, a subsidiary of Kent County Council, Kent Commercial Services (KCS), was hit by a ransomware attack. The attackers sent KCS a ransom note demanding £800k in bitcoin.

    Ransomware is malicious software that, once it has gained access to a computer or network, encrypts the files it finds so that their owner can no longer use them; many ransomware operators also copy the data out first. The criminals then demand a ransom, usually in cryptocurrency, in exchange for the decryption key and a promise not to leak or sell the stolen information.

    In February 2020, Redcar and Cleveland Council suffered an attack similar to the one on KCS. That meant over 135,000 UK residents didn’t have access to online public services for almost one week, including services related to social care and housing complaints. According to ComputerWeekly.com, 10 councils, including Redcar and Cleveland, reported disruption to daily operations in 2020 as a result of a breach or ransomware attack.

    Attacks on healthcare

    In May, an Edinburgh mental health clinic was hit by a phishing scam. The scammers were able to access email addresses. Also in May, “a gaping security hole” was discovered in the NHS’ vaccination booking website. This “hole” could have been used “to find out whether someone has received a jab”.

    On 14 May this year, the Irish Health Service Executive (HSE) also suffered a ransomware attack. The Irish government says it didn’t pay a ransom. However, the HSE chief executive estimated the attack could have a human cost as well as a financial cost of around €0.5bn.

    Protect our data

    These data breaches and attacks on councils and healthcare reveal how vulnerable personal data can be. It also highlights that in a world of increasing online presence, we need to be extra vigilant about where and with whom we share our data. But ultimately, the onus of ensuring local councils are fully resourced to manage our data is on the government.

    Featured image via Unsplash – FLY:D

    By Peadar O'Cearnaigh

    This post was originally published on The Canary.

  • Sovereignty issues have shifted into the spotlight across a number of sectors in Australia due to the supply chain challenges wrought by the COVID-19 pandemic.

    This should raise important questions for local businesses not just about physical supply chains, but where and how critical data is stored.

    Australian businesses and executives need a better understanding of data sovereignty and the issues around storing data through a foreign company. And the federal government has an important role to play in this mission, Dekko Secure chief executive officer Jacqui Nelson said.

    According to Ms Nelson, more Australian companies need to consider these issues and to actively investigate and understand how their data is stored and what laws in other jurisdictions can be applied to it.

    Dekko Secure chief executive officer Jacqui Nelson

    “Organisations need to start thinking about sovereignty as a policy goal. The Big Tech players have a role to play but there also needs to be a focus on Australia’s own local capability,” Ms Nelson said.

    “As an Australian company I comply with all laws, but once we host on a different server owned by a foreign country, that data is subject to that country’s laws as well. While I understand that, currently we’re seeing some organisations that don’t get it.”

    Dekko Secure is an Australian cybersecurity firm founded in 2015. It offers technology that replaces high-risk electronic exchanges such as video conferencing, file sharing, email and chat with a new standard in privacy.

    Its main products include DekkoVault, a secure document and file-sharing service, and DekkoLynx, a recently-launched service for confidential video meetings between government departments at the “protected” level, as well as for use by other organisations handling highly sensitive information, such as law firms.

    Both of these Dekko products use end-to-end encryption.

    Dekko currently stores its data in Australian-based data centres running Microsoft Azure. Ms Nelson said she wants to also utilise Australian providers such as Vault Cloud or AU Cloud, but this will become more practical when these offerings are more established, and there is more knowledge of data sovereignty among clients.

    The government should work with local players and their clients to educate them on these issues, Ms Nelson said.

    “With heightened focus on our national security posture, it makes sense for government to work with local companies to be able to provide those services,” she said.

    “It’s about access to the right talent to help providers scale. Establishing local sovereignty that competes at scale is tough without very deep support from the government.”

    “Starting at the bottom of the chain is always better than trying to fix it at the other end.”

    The government also has a role to play in educating the private sector on the importance of these issues, she said.

    “I don’t think enough people in the private sector actually know the right questions to ask in relation to where their data is being housed. There’s a huge education piece that needs to be worked on,” Ms Nelson said.

    “For me the biggest challenge is getting the message out to organisations that they really need to up their questions of their providers. They need to not just accept they’ve got data centres here and that they’re secure, but they need to deeply understand which parts of the channel are secure and where the vulnerable points are.”

    This discussion should start with understanding what data sovereignty actually means, she said.

    “There are challenges around the word sovereignty – it’s a little bit like security, it means so many things to so many people,” Ms Nelson said. “The devil is always in the detail and there’s a challenge in communicating it with customers.”

    “COVID and changes in the geopolitical landscape have pushed the conversation to a much broader audience, but in the private sector there is some confusion about what sovereignty means in this space.”

    With the federal government preparing to pass new critical infrastructure laws which will expand security requirements to a range of new sectors, now is an important time for Australian businesses to consider their own data sovereignty.

    “It captures places like education for example, where sovereignty hasn’t really ever played into their thinking. Now around vaccines and COVID, those conversations are starting to be elevated, we’re hearing a lot more noise from those industries,” Ms Nelson said.

    Dekko Secure is an Australian owned and operated technology company that provides industry-leading end-to-end encryption. This article was produced in partnership with Dekko Secure as part of the Connect with Confidence sponsored content series by Dekko Secure and InnovationAus.

    The post Data sovereignty issues are complex but critical appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Labor has called on the federal government to urgently support its legislation introducing a mandatory ransomware notification scheme which “lays the foundation” for enforcement actions against cyber attacks.

    Shadow assistant minister for cyber security Tim Watts on Monday morning introduced a private members’ bill to the House of Representatives which would launch a scheme requiring organisations to notify the Australian Cyber Security Centre (ACSC) if they are planning to make a ransomware payment.

    This information would then be used to inform Australian authorities and policymaking in the space.


    The scheme would function in a similar way to the existing mandatory data breach notification scheme, which has been in place since early 2018.

    The Coalition is already reportedly considering such a scheme, with Home Affairs secretary Mike Pezzullo saying he believes it is “likely” that it would be rolled out soon.

    Speaking in Parliament, Mr Watts said the legislation would mark a first step in government action to combat the growing threat of ransomware attacks.

    “With this bill, Labor is showing the political leadership on cyber security policy that has been missing since the election of this Prime Minister,” Mr Watts said.

    “Such a scheme would be a policy foundation for a coordinated government response to the threat of ransomware, providing actionable threat intelligence to inform law enforcement, diplomacy and offensive cyber operations. There is an urgent need for this bill. Mandatory reporting of ransomware payments is far from a silver bullet for this national security problem but it’s an important first step.”

    The Opposition said there is “no reason” for the government to not support the bill, and called on it to list it for debate “as a matter of priority” when Parliament returns in August.

    The bill would establish a mandatory reporting requirement for Commonwealth entities, state or territory agencies, and corporations or payments who are making a payment in response to a ransomware attack.

    “This will allow our signals intelligence and law enforcement agencies to collect actionable intelligence on where this money is going so they can track and target the responsible criminal groups,” Mr Watts said.

    “And it will help others in the private sector by providing de-identified actionable threat intelligence that they can use to defend their networks. Importantly, it will give us a fuller picture of ransomware attacks in Australia and the scale of the threat.”

    The legislation defines a ransomware attack as “when an unauthorised person accesses, modifies or impairs data and demands payment to repair or undo damage or prevent the publication of data”.

    Small businesses with annual turnover under $10 million will be exempt from the scheme, as would sole traders, unincorporated entities and charities.

    The entities will have to notify the ACSC of key details about the ransomware attack, the attacker and the payment to be made, including the cryptocurrency wallet details, the amount of the payment and the indicators of a compromise.

    Failure to notify the ACSC will result in a penalty under the new regime.

    The information will be held by the ACSC and shared in a de-identified way with the private sector through the threat-sharing platform, and will also be used by law enforcement and to inform policy making and track the effectiveness of policy responses.

    Mr Watts said Australia has reached a “crisis point” on ransomware attacks, pointing to several recent events, including this month’s attack on meat processor JBS Foods, which eventually paid an $11 million ransom to the attackers.

    These ransomware attacks are an “intolerable burden on Australian organisations” and represent a “significant national security threat”, Mr Watts said.

    “The current trajectory of these attacks, and the traditional response to them – asking organisations to implement an ever-increasing uplift in cyber resilience – is inefficient and not sustainable,” he said.

    Last week the federal government launched a new public awareness campaign around the threat of ransomware, centred mostly on what companies can do to protect from these attacks and make it harder for cyber criminals.

    It is also considering implementing a mandatory reporting scheme on ransomware, according to Mr Pezzullo, as an extension to the 2020 Cyber Security Strategy.

    “I think we’re at a point, most advanced economies are at a point, where by some means, whether it’s mandatory reporting combined with other measures, that a much more active defence posturing is going to be required simply because of the prevalence of the attacks,” Mr Pezzullo said in a Senate Estimates hearing last month.

    The post Labor introduces ransomware notification bill appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Labor has called on the federal government to get on the cyber offensive and “release the hounds” on global ransomware gangs following a series of high profile cyber-attacks against Australian companies and hospitals.

    Last week Australia’s largest meat processor JBS Foods was forced to shut down its local operations for a day following a ransomware attack against the global company that the US government has said originated from a Russian criminal organisation.

    Days later, the US Department of Justice confirmed that it would be upping its investigations of ransomware attacks to a similar level as terrorism.

    Speaking in Parliament last week, shadow cybersecurity minister Tim Watts said these events should be a wake-up call for the government, and reiterated his calls for a national ransomware strategy.

    “It’s a timely reminder of the economic cost of the scourge of ransomware – it’s a jobs and investment destroyer when the economy can least afford it. It also highlighted the urgent need for the Morrison government to adopt a national ransomware strategy to combat these attacks,” Mr Watts said.

    “The JBS Foods barbeque stopper should be a wake-up call for the Morrison government to finally take responsibility.”


    Mr Watts said the government should be proactive in its fight against ransomware gangs, and its spy agencies should be actively trying to disrupt these organisations.

    In Senate Estimates last week it was revealed that the Australian Signals Directorate (ASD) did not take any offensive operations against those responsible for the cyber-attack on Nine, despite appearing to know who was behind it.

    “As part of a national ransomware strategy, the Morrison government needs to get serious about using its signals capability to disrupt cybercriminals and deter attacks on Australian targets,” he said.

    “To date, these ransomware crews have been able to target Australian organisations with impunity. No wonder we’ve seen these attacks increasing in their scale and frequency. In general, the position of the Morrison government is not to tell us or the cybercriminals targeting Australia what they are doing to disrupt them. A secret deterrent is no deterrent at all.”

    The ASD should create a “target list” of the top 10 ransomware groups targeting Australia and ramp up efforts to disrupt their operations, he said.

    “The scourge of ransomware has become an intolerable burden on our nation – a $1 billion annual burden, collectively. It’s time that we said enough is enough. It’s time to release the hounds on these ransomware crews,” Mr Watts said.

    “Ransomware groups should fear the consequences of being added to ASD’s targeting list. We need to end the age of impunity for ransomware attacks and teach these ransomware groups that there are consequences for targeting Australian organisations with ransomware attacks and that these attacks are not worth the potential benefits.

    “The Morrison government has left Australian governments, businesses and community groups to combat these international ransomware groups for too long,” Mr Watts said.

    “It’s time it took responsibility, did its job and developed a national ransomware strategy. These groups are the modern day pirates, and it’s time we treated them that way.”

    Mr Watts also recently called for the government to implement a mandatory ransomware notification scheme, with businesses or individuals to report details of an attack to government agencies. At Senate Estimates last month, Home Affairs secretary Mike Pezzullo confirmed it was “likely” that such a scheme would be introduced.

    The post Time to ‘release the hounds’ on ransomware gangs appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Groups call on Google to drop out of Saudi project over human rights concerns


    The Hill of 26 May 2021 reports that a coalition of more than 30 human rights and digital privacy rights groups called on Google to abandon its plans to establish a Google Cloud region in Saudi Arabia over concerns about human rights violations.

    The groups, which include Amnesty International, Human Rights Watch and PEN America, wrote in their letter that Saudi Arabia’s record of tamping down on public dissent and its justice system that “flagrantly violates due process” made it unsafe for Google to set up a “cloud region” in the kingdom.

    “While Google publishes how it handles government requests for customer information and reports when requests are made through formal channels, there are numerous potential human rights risks of establishing a Google Cloud region in Saudi Arabia that include violations of the rights to privacy, freedom of expression and association, non-discrimination, and due process,” the groups said. See also: https://humanrightsdefenders.blog/2019/03/08/saudi-arabia-for-first-time-openly-criticized-in-un-human-rights-council/

    The letter also pointed to Saudi authorities who have routinely sought to identify anonymous online dissenters and spy on Saudi citizens through digital surveillance. The groups also pointed to how they themselves are believed to have been put under surveillance by the Saudi government.

    “Google has a responsibility to respect human rights, regardless of any state’s willingness to fulfill its own human rights obligations,” the letter continued, pointing to Google’s statement in which it expressed its commitment to human rights and to “improve the lives of as many people as possible.”

    In order to address these concerns, the groups called on Google to conduct a “robust, thorough human rights due diligence process” and to “draw red lines around what types of government requests concerning Cloud regions it will not comply with” due to human rights concerns.

    “The Saudi government has demonstrated time and again a flagrant disregard for human rights, both through its own direct actions against human rights defenders and its spying on corporate digital platforms to do the same,” the letter read. “We fear that in partnering with the Saudi government, Google will become complicit in future human rights violations affecting people in Saudi Arabia and the Middle East region.”

    https://thehill.com/policy/technology/555597-groups-call-on-google-to-drop-out-of-saudi-project-over-human-rights

    This post was originally published on Hans Thoolen on Human Rights Defenders and their awards.

  • The world-leading Australian research team dumped by the CSIRO’s Data61 last week is in the acquisition sights of a large Chinese company and the Singapore Government’s R&D agency.

    The two potential buyers have moved quickly to register their interest in acquiring the Trusted Systems team responsible for the extremely hard to hack seL4 microkernel.

    NASDAQ-listed Chinese electric vehicle manufacturer Li Auto and Singapore’s research and science agency A*STAR are both understood to have expressed interest in buying the Trusted Systems team, which had been supported by the CSIRO for more than a decade.

    The science agency’s digital arm Data61 last week revealed it will stop funding the world-renowned Trusted Systems team, because it no longer fits the CSIRO’s strategy, which is increasingly focused on artificial intelligence.

    World-class: Buyers from China and Singapore want to buy a CSIRO seL4 security team dumped by the agency

    Some Trusted Systems team members will be moved to AI projects while others are expected to lose their jobs in a broader restructure of Data61 that will see 70 positions lost.

    It is unclear how CSIRO will deliver its outstanding commercial contracts that rely on seL4 knowledge.

    The agency said it will work to smooth the transition but did not respond to requests for comment on the potential Trusted Systems buyers.

    “CSIRO will work to minimise any impacts on partners or stakeholders as we implement the changes,” a spokesperson for the CSIRO told InnovationAus.

    The seL4 microkernel claims to be the world’s most highly assured operating system kernel. It works by creating an ironclad separation between software systems to prevent unauthorised access.

    Work will continue on the open source seL4 through an independent foundation set up last year, but the group needs secure base funding to operate and support the seL4 technology.

    But two potential overseas buyers have already emerged. According to people involved in the project, Li Auto, a Chinese electric vehicle manufacturer and Singapore’s research and science agency A*STAR have expressed interest in acquiring the Trusted Systems team.

    The Chinese manufacturer is believed to be interested in taking over the entire Trusted Systems team and setting up a research and development lab in Australia. The A*STAR offer is less certain but it is likely the agency would want to onshore the talent to Singapore.

    A*STAR and the CSIRO have already worked together, including on a $2.2m joint program on food health and safety, and on a 2019 collaboration on machine learning.

    In disbanding the Trusted Systems team last week, the CSIRO said seL4 was now a mature technology that is “well supported” outside the organisation.

    But Trusted Systems team members, including UNSW Scientia Professor Dr Gernot Heiser, said they were disappointed support had been pulled from the world leading security team.

    “Here is an absolutely recognised world class, world leading asset that’s unique in its composition and its track record and ability to do outstanding research, that’s being abandoned and destroyed,” Dr Heiser told InnovationAus on Friday.

    The post China, Singapore line up for dumped CSIRO seL4 team appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • One year after the flagship NSW Government delivery site at Service NSW was breached, the state has unveiled a cybersecurity strategy that puts industry development and capability-building in cyber at the centre of government tech policy.

    The sector-wide cybersecurity strategy is an acknowledgment of the importance of bringing together industry policy in relation to cyber with government resilience in relation to cyber.

    The thinking is that a focus on building a strong local cyber industry inevitably leads to improved cyber skills, cyber capability and ultimately the resiliency of cyber infrastructure – including in government.

    The strategy is focused on four key commitments: improved state government cyber resilience, industry assistance to help NSW cyber businesses grow, uplifting the cyber security workforce and skills, and supporting cyber research and innovation.

    Bright lights, cyber city: NSW has unveiled an industry-centric cyber strategy

    NSW Digital Minister Victor Dominello claimed NSW was already leading the nation in the cybersecurity sector. Improving cyber resilience across the economy required the involvement of all sectors – citizens, businesses, government, and researchers. But government needed to lead.

    “Increasing overall cybersecurity resilience is about ensuring the safety and security of citizens and communities online. Government is absolutely pivotal to this as part of its overall responsibility to protect its citizens,” Mr Dominello said.

    “In a post COVID-19 environment, we need to adapt our way of living and working to embrace the digital future,” he said.

    “Our post COVID-19 ‘new normal’ will bring incredible opportunities as we adapt to greater reliance on connectivity, remote working and importance of data.

    “It is important that the NSW Government maximizes the state’s existing capabilities and develops the local cybersecurity industry into a globally competitive, innovative ecosystem that drives economic growth.”

    The NSW government has spent the last year working through its cybersecurity structures following a breach at Service NSW.

    A parliamentary inquiry into the breach released earlier this year recommended an overhaul of cyber practices – including the strengthening of the mandate and resources of Cybersecurity NSW, and moving the agency from the Department of Customer Service to Premier and Cabinet.

    NSW is also set to become the first Australian state or territory to introduce a mandatory data breach notification scheme, following a serious cyber incident last year.

    But it is the recognition of the direct link between the strength of the local cyber industry and overall cyber resilience across the economy – including government – that is most interesting about this strategy. And the industry development initiatives recognise that link.

    NSW Jobs and Investment Minister Stuart Ayres said the state would partner with the cyber sector to grow the local industry, leverage academic strengths, and to drive international competitiveness.

    “Under this strategy, Investment NSW will establish a NSW Cyber Hub, delivering a range of initiatives to accelerate the growth of NSW cyber businesses, maintain and attract the right talent to create the fluid, dynamic workforce needed to address skills gaps,” Mr Ayres said.

    “NSW already has an incredible depth of talent however we need to continue to foster, cultivate and grow this pipeline to ensure our industry thrives. This strategy builds on our strengths whilst seeking to grow new ones and will help the NSW digital economy thrive.”

    “The export opportunities for cybersecurity industry is enormous. From Bondi to Broken Hill, cybersecurity businesses can export to any location around the world from any city or town in NSW.”

    The public consultation and industry engagement finished in late 2020. The new strategy replaces the existing NSW Cyber Security Strategy and the NSW Cyber Industry Development Strategy, combining both into one overarching cyber security strategy.

    The post NSW launches cyber strategy to fill industry gaps appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Phishing and ransomware attacks spiked in the last year leading to a growing number of data breaches, according to analysis of more than 29,000 security incidents.

    Australian governments and businesses were among 83 organisations to contribute to Verizon’s latest Data Breach Investigations Report, now in its 14th iteration.

    The latest report found 5,258 of the incidents analysed, or around 18 per cent, resulted in a confirmed data breach.

    The analysis found a human element is present in almost every breach, and most involve users’ credentials. Financial services and health organisations were heavily targeted, in line with incidents reported to Australia’s mandatory notifiable data breach scheme last year.

    Phishing was present in 36 per cent of the breaches analysed by Verizon, up from 25 per cent last year. The presence of ransomware in breaches also doubled in the last year, and is now used in one in ten data breaches, according to the report.

    Phishing and ransomware are leading to more data breaches, according to new analysis.

    More than 1,000 data breaches were reported to Australia’s Privacy Commissioner last year, as part  of a mandatory reporting scheme for large companies and government agencies.

    In 2020, the government unveiled a $1.7 billion cybersecurity strategy that focuses on protecting essential infrastructure from cyber-attacks, improving the resilience of businesses and uplifting community awareness of cybersecurity.

    However, the policy has been criticised by the Opposition for not addressing ransomware, and a dedicated strategy for the growing threat is yet to be developed in Australia.

    The Verizon report breaks down global regions, showing many APAC breaches were caused by financially motivated attackers phishing employees for credentials, and then using those stolen credentials to gain access to mail accounts and web application servers.

    Lead author of the Verizon report, Alex Pinto, said sweeping and revolutionary solutions for data breaches aren’t realistic and mitigation must be straightforward.

    “The truth is that, whilst organisations should prepare to deal with exceptional circumstances, the foundation of their defences should be built on strong fundamentals – addressing and mitigating the threats most pertinent to them.”

    Verizon Business chief executive officer Tami Erwin said the COVID-19 pandemic had a “profound” impact on the security challenges organisations are facing, and that cloud technologies are creating new risks.

    “As the number of companies switching business-critical functions to the cloud increases, the potential threat to their operations may become more pronounced, as malicious actors look to exploit human vulnerabilities and leverage an increased dependency on digital infrastructures,” she said.

    The post Ransomware and phishing drive data breach spike appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Cyber risk, the likelihood of data loss or business disruption resulting from a cyber-attack, is now seen by Australian organisations as one of the biggest risks they face, according to Alastair MacGibbon, chief strategy officer at CyberCX and former head of the Australian Cyber Security Centre.

    “Cybersecurity is now number one or two on any organisation’s risk register – public or private,” Mr MacGibbon said.

    The increased awareness of the danger that cyber threats pose to their operations is leading to a shift in responsibility for cybersecurity from IT departments to other parts of organisations, according to privileged access management specialists CyberArk’s senior vice-president for identity security, Barak Feldman.

    Clockwise from top left: Thomas Fikentscher, James Riley, Alastair MacGibbon, and Barak Feldman

    Goodbye CISO, hello BISO

    Mr Feldman suggested a new role was emerging, that of business information security officer.

    “We believe that security means taking more responsibility for the risk to the organisation, educating internally on awareness and how to prepare for a situation, and how to respond to it,” he said.

    “Not just responding technically, but even how to respond to the media and different elements of a security attack.”

    Mr MacGibbon said the increased focus on cybersecurity at board level had been rapid, with boards now showing a much more mature understanding of and response to cyber risk. Using traditional business risk language has helped boards to understand the impact of a cyber threat.

    “Now most boards understand that what they’re dealing with is the concept of ‘cyber risk management’ and how resilient they are to cyber events,” Mr MacGibbon said.

    “They recognise those events are likely to occur, an Assumed Breach Mindset, and it’s a more mature conversation than we were having at the launch of Australia’s first National Cybersecurity Strategy in April 2016.”

    The increasing integration of operational technology with IT was also a factor in shifting responsibility for cybersecurity.

    “We’re seeing a huge trend on the operational technologies side – manufacturing plants can work faster with more data analytics with remote access,” said Mr Feldman.

    “I don’t need to go to the plant anymore, I can control it remotely and collect data on how fast I’m manufacturing my product, and so on. So that means the ownership is starting to be delegated into the business owners.”

    Mr MacGibbon agreed, but suggested this was not a popular view. “I don’t believe chief security officers in organisations should report into an IT function because I don’t think that creates the right balance to have a proper risk discussion.”

    Both cybersecurity experts were joined by CyberArk’s ANZ Regional Director Thomas Fikentscher for the final Security in Transformation episode of the Bridging the Cyber Divide podcast series.

    Leaders and laggards

    Mr Fikentscher suggested that this trend has yet to make an impact in many traditional sectors, and that their tardiness was increasing the risk for the more advanced organisations that are becoming connected to them in order to leverage the benefits.

    “Some of the industries that have been in this space for a longer period of time, like the banking industry, have their house in order,” he said.

    “But, they are concerned about business connectivity, the wider ecosystem and how they secure that ecosystem as they open up their systems to accelerate digital transformation. For example, to allow people to have a view into the last 10 years of claims management.

    “Then you go to other industries, which might fall under the new Critical Infrastructure Bill [the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which will increase the scope of what is deemed to be critical infrastructure] like the food industry or the transport industry,” Mr Fikentscher said.

    “Cyber risk management is something that is very new to them, and they need to start from the beginning and create a philosophy of how they attack that particular problem.”

    It’s an ill wind…

    And, unfortunate as the increase in cyberthreats is, Mr Fikentscher said it was having a positive impact by pushing many organisations to elevate cybersecurity to board level. “There are more cyber incidents, and that’s painful, but at the same time it wakes people up and focusses their minds on a very important element of their business.

    “And, that’s not just happening in IT, it is reverberating through the business functions into the boardroom, and all of a sudden, people are starting to get things done.”

    The Bridging the Cyber Divide series is produced as a partnership between InnovationAus and CyberArk.


    The post Cybersecurity now the number one business risk appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Aggressive nationally and internationally coordinated strategies are needed to tackle the growing threat of ransomware, according to an expert taskforce that included the US, UK and Canadian government cyber agencies.

    Australia was not part of the taskforce and the federal government is yet to develop a national ransomware strategy, leading to calls from Labor that Australia is being left behind.

    A coalition of global experts assembled by the Institute for Security and Technology (IST), a business group, on Thursday released a strategic framework for combatting ransomware, which has quickly grown into a “serious national security threat and a public health and safety concern”.

    “This global challenge demands an ‘all hands on deck’ approach, with support from the highest levels of government,” the IST report said.

    [Image caption: A coordinated international response is needed to the growing threat of ransomware.]

    The framework calls for coordinated global action to deter and disrupt ransomware attacks, and help organisations prepare for attacks and respond to them. According to the report, ransomware victims paid attackers more than US$350 million last year, more than triple the amount in 2019, and the average downtime from an attack was three weeks.

    “The immediate physical and business risks posed by ransomware are compounded by the broader societal impact of the billions of dollars steered into criminal enterprises, funds that may be used for the proliferation of weapons of mass destruction, human trafficking, and other virulent global criminal activity,” the IST report said.

    The number one goal of the framework proposed by the group is to deter ransomware attacks through a “nationally and internationally coordinated, comprehensive strategy” which would be led by the US.

    Labor has welcomed the report but says it highlights Australia’s increasingly isolated position of not prioritising the threat of ransomware at a national level.

    The Australian Cyber Security Centre has said that ransomware is the “highest threat” facing Australian businesses and governments in the cyber domain. But the government’s 2020 national cybersecurity strategy mentions it only twice: once when quoting a submission to the report, and once when advising where victims can report it.

    In March, a government advisory group released a report on ransomware urging businesses to implement basic cyber security. But it did not include any recommendations for government or any calls for new policies.

    Earlier this month, Australia signed a new communiqué with Five Eyes partners which included a commitment to share lessons on ransomware and, where possible, align national policies, public messaging and industry engagement.

    The Opposition released its own ransomware discussion paper in February and called for a dedicated national strategy.

    In response to the IST report, shadow minister for Home Affairs Kristina Keneally and shadow assistant minister for cybersecurity Tim Watts said the government is being left behind on ransomware.

    “While our major security partners are recognising the need for a plan to tackle this billion-dollar scourge plaguing business, we have yet to hear the Morrison Government’s strategy to address this critical threat to Australia’s economy and society,” a joint statement said.

    “Just in the last week we’ve seen ransomware attacks on two Brisbane hospitals and a Geelong secondary school. This followed the major ransomware attack on the Nine Network last month.”

    The IST’s ransomware taskforce included cyber industry leaders, academics, and representatives from the UK National Crime Agency, the US Cybersecurity and Infrastructure Security Agency, the US Federal Bureau of Investigation, the US Secret Service and the Royal Canadian Mounted Police’s National Cybercrime Coordination Unit.

    The post Expert cyber cohort call out on ransomware appeared first on InnovationAus.

    This post was originally published on InnovationAus.