Legislation allowing the government to take control of a company’s network as a “last resort” in the event of a cyberattack has sailed through the lower house despite a group of tech heavyweights labelling it “highly problematic”. The critical infrastructure bill was debated in the House of Representatives on Wednesday afternoon, with the Coalition moving…
Home Affairs Minister Karen Andrews likened proposed changes to the Critical Infrastructure Bill to the fire codes and building regulations that are in place to protect people and assets from fires – saying the nation is facing clear threats from ransomware and cyber attacks. Responding to the concerns of three global technology industry associations about…
A group of international technology associations, including the Australian Information Industry Association, have written to Home Affairs Minister Karen Andrews with concerns about government fast-tracking parts of the Critical Infrastructure Bill. The Washington DC-based Information Technology Industry Council, the Cyber Coalition and the AIIA have urged government not to fast-track troubling provisions of the Security…
The federal government will introduce tougher penalties for ransomware criminals and a mandatory incident reporting scheme for large businesses that suffer an attack under a new ransomware action plan released Wednesday. The plan follows a series of high-profile ransomware attacks and warnings the risks to local companies had been growing in an Australian policy vacuum….
Victoria’s COVID-19 digital vaccine certificates are “woefully insecure” and “very easy” to forge in just minutes, according to a number of developers and cryptography experts who have criticised the lack of a national standard for this service. The Victorian Government this week announced the integration of vaccine certification into the Services Victoria QR code check-in…
The Greens and the Australian Lawyers Alliance are pushing for COVID-19 contact tracing check-in data to be used only for health reasons, following successful attempts by law-enforcement authorities in some states to access the data and fears it could be used in legal proceedings. It follows the Australian Privacy Commissioner telling InnovationAus in September that…
You don’t need to reach for an over-priced report from a Big Four consultancy to understand that cyber-related supply chain risk resides predominantly among Australia’s small and medium sized businesses. This is a reality, if only because of the nation’s disproportionately large numbers of SMBs compared to similar advanced economies. Some 97 per cent of…
The Victorian government is set to significantly broaden its cybersecurity priorities to “proactively” assist businesses and individuals to protect themselves and embark on a large-scale uplift program as part of a new five-year strategy. An update to the state’s first ever cybersecurity strategy covering 2016 to 2020, Victoria’s new plan sets out a four-year timeframe…
Ransomware is the biggest cyber threat facing businesses today, the national cyber agency has warned, as new statistics show the digital extortion method is now reported more than once a day in Australia. The Australian Cyber Security Centre’s annual threat report released on Wednesday revealed 67,500 cybercrime reports to the government agency last financial year…
Opinion: More than half of the Australian population is currently in lockdown due to COVID-19 and are rolling up their sleeves and getting their second COVID-19 vaccination. As a result, they are hoping for greater freedom through their government-endorsed vaccination certificate available through the myGov portal. And therein lies a significant problem – not with…
Victoria’s Stonnington City Council is the latest Australian organisation to fall prey to a cyber incident, forcing systems offline and some staff to take annual leave while the issue is resolved.
Services taken offline following the incident include payments and the council’s ePlanning portal, with an “international agent” suspected of being involved.
City of Stonnington council in Victoria.
In a statement, the council said it had experienced “an IT issue on 27 August”.
“Some systems have been disabled while the issue is being investigated and resolved,” the council said. “Essential services delivered by council remain operational.”
CEO Jacqui Weatherill said the council’s technology team was working to keep the community connected to the council and “keep our data safe” while it resolves the issue.
“Our priority is to ensure our customer’s data is kept secure, our workforce can be as productive as possible, and our customers remain connected,” Ms Weatherill said.
“Essential services remain operational and, if any residents do require assistance, Council staff are available via our customer service number.
“We ask our customers to remain patient, understanding and supportive as we resolve this issue.”
In a subsequent interview with 7 News, Ms Weatherill said that “an international agent has come and infiltrated our systems”. A council spokesperson confirmed this to InnovationAus, but said that systems weren’t shut down as a result of the attack but rather as a proactive measure to investigate what was found over the weekend during routine maintenance.
Asked if it was ransomware, the spokesperson said it was unclear and that council was conducting “a complete investigation” to find out.
The council was working with the Victorian Department of Premier and Cabinet and other state and federal agencies to resolve the issue, as well as with its cyber insurance partner.
Stonnington is in Melbourne’s south-east and includes the suburbs of Armadale, Glen Iris, Kooyong, Malvern, Malvern East, Prahran, South Yarra, Toorak and Windsor.
The council joins a slew of Australian organisations subjected to cyber attacks in recent months, including South Australian welfare agency Uniting Communities, NSW Health, and Nine Entertainment Company, broadcaster of Channel Nine and publisher of The Sydney Morning Herald, the Australian Financial Review and The Age.
Legislation handing “extraordinary” new hacking powers to Australian authorities has sailed through Parliament with support from the Opposition, despite the government not implementing some of the recommendations from the national security committee.
The Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) will now be able to access the computers and networks of those suspected of conducting criminal activity online, and even take over their online accounts covertly, under the Identify and Disrupt bill, which was passed by the Senate on Wednesday.
Hackers?: The Australian Federal Police are in line for sweeping new powers to hack.
Three new warrants will be introduced under the legislation, allowing authorities to “disrupt” the data of suspected offenders, access their devices and networks to identify them and take over their accounts.
“Under our changes the AFP will have more tools to pursue organised crime gangs to keep drugs off our street and out of our community, and those who commit the most heinous crimes against children,” Home Affairs Minister Karen Andrews said.
The government moved 60 amendments to the legislation in the lower house in response to the Parliamentary Joint Committee on Intelligence and Security’s (PJCIS) report from earlier this month.
The amendments included enhanced oversight powers, reviews in several years time by the Independent National Security Legislation Monitor and the PJCIS, the sunsetting of the powers after five years, and strengthened protections for third parties and journalists.
The amendments meet 23 of the PJCIS’s 33 recommendations, while the government has agreed to implement several others through a broader reform of intelligence surveillance powers.
But it rejected the national security committee’s call for a higher threshold in the issuing of warrants in terms of the crimes they can be applied for, and for warrants to only be approved by a judge, rather than a member of the Administrative Appeals Tribunal.
Several Labor members raised concerns with this and echoed others raised by members of the civil and digital rights sector, as did government members of the PJCIS, but all eventually voted to pass the legislation.
The bill was rejected by the Greens, which said the legislation is another step on the “road to a surveillance state”.
The PJCIS had recommended that the type of crimes the warrants could be issued for be narrowed to those relating to offences against the security of the Commonwealth, offences against humanity, serious drug, weapons and criminal association offences, and money laundering and cybercrime.
Currently, the broad new powers can be granted to combat a swathe of crimes, far further than the terrorism and other offences the government has pointed to in order to justify the need for the legislation.
But the government instead raised the threshold for issuing the warrants to them being “reasonably necessary and proportionate”, up from “justifiable and proportionate”.
Labor had wanted this to go even further, calling on changes to require the warrants only be issued for “serious offences”.
Shadow assistant minister for immigration Andrew Giles said the government is “mischaracterising the breadth of the new powers”.
“It is obviously much easier to justify the introduction of such powers by focusing on the most serious types of crime. No-one would argue with that in respect of crimes like child abuse and exploitation, and terrorism,” Mr Giles said.
“But it is important that we engage in the more difficult task of justifying the introduction of extraordinary powers by reference to how the powers could actually be used.”
The amendments “go a long way” to ensuring the powers can only be used to combat serious crime, but don’t go far enough, multiple Labor MPs said.
Shadow assistant minister for cybersecurity Tim Watts said the warrants should only apply to serious offences.
“This would be an important constraint on the use of these new warrant powers and would limit their application to offences that carry at least a maximum of seven years’ jail and other specified offences,” Mr Watts said.
“While these powers do have international precedent, they also carry inherent risks. As currently drafted, the substance of this bill does not match the government’s rhetoric.”
Liberal MP Tim Wilson, a member of the PJCIS, broke ranks to criticise the government in not adopting all of the committee’s recommendations.
“I’ll be frank…and say that my preference would be more consistent with that of the committee. That’s why we made those recommendations,” Mr Wilson said.
“I will not die in a ditch over them, because the purpose of the legislation is more important than the threshold, but I think the threshold test around warrants and their application, particularly with the new powers, is something that we as a Parliament need to review.”
Despite these concerns, Labor offered support for the legislation in both houses, ensuring its quick passage.
Mr Giles said the new warrants give “extraordinary” powers to authorities, and appropriate safeguards need to be in place.
“Labor supports this bill. It’s an important bill which addresses very significant and worrying gaps in the legislative framework so as to better enable the AFP and the [Australian Criminal Intelligence Commission] to collect intelligence, conduct investigations, and disrupt and prosecute the most serious of crimes in an evolving environment,” Mr Giles said.
“The process of the Parliament here has produced a bill that meets the very serious challenges required to respond to, with appropriate safeguards in place, some of which will require all of us to maintain our attention on their operation and adequacy.”
Mr Watts blasted the government’s handling of the legislation.
“It’s indicative of this government’s record in this place to rush through legislation on national security matters with little regard for process, particularly with national security legislation or even with more technical legislation,” he said.
“While we support the bill, Labor members of the PJCIS do think … safeguards in this bill could go further, particularly in relation to the offences this bill applies to.”
The Greens voted against the legislation in both houses, with Senator Lidia Thorpe unsuccessfully moving a number of amendments.
“Really disappointed to see Labor and Liberal both vote in favour to increase police powers of online surveillance. We tried to make this bill better and include human rights protections for innocent people, but the Greens were outvoted by the major parties,” Senator Thorpe tweeted.
“New warrants allow police to monitor online activity without accusing us of a crime. Take over our accounts and edit our data…making the AFP judge, jury and executioner is not how we deliver justice in this country.”
Crossbench senator Rex Patrick also attempted to amend the legislation, raising concerns that the bill had been “dropped on the Senate in the very last minutes”.
Nearly 40,000 people whose data was compromised in a massive Service NSW data breach last year will never receive official notification about the incident because of the type of data involved and the agency’s policy to deliver “personalised” notices through the post.
In a NSW Budget Estimates hearing on Wednesday, officials from Service NSW confirmed about 103,000 people’s information was compromised after a targeted phishing attack gave attackers access to its internal email systems between March and April last year.
Service NSW suffered a massive data breach in 2020.
But more than a year later, nearly 40 per cent of people impacted have not been contacted.
The agency’s chief executive Damon Rees said Service NSW had successfully contacted 63,500 of the people who had their data compromised. This was done through the post because Service NSW had advice that other forms of contact like phone or email would create further risks and because letters offered more “personalised” advice.
“[Registered letters] also effectively meant that a customer was signing for their own notification, and therefore we were able to provide a greater level of more personalised advice there,” Mr Rees said.
Letters were primarily sent via registered post, requiring the affected person to prove their identity and sign for the letter. However, thousands of letters were returned and Service NSW conducted a round of data matching with Transport NSW to obtain more current addresses and tried again.
Mr Rees said ultimately about 18,500 letters were unable to be delivered with registered post. A final round saw new non-registered letters sent to this group advising them to contact the agency.
“We weren’t able to personalise those final round mails in the same way,” Mr Rees said.
“But if you put all that together, 63,500 customers were ultimately successfully notified out of the 103,000.”
The Service NSW chief said the nature of the data involved in the breach also played a “heavy role” in the agency’s ability to identify people impacted.
Because the breach came through email accounts rather than a core system, it was difficult for the agency to correlate the information which had been compromised with individual people, according to Mr Rees.
“That meant the information that was extracted was highly unstructured in its nature. So it could be content within an email, it could be a scan of a handwritten document, it could be a scan of a receipt,” he said.
“So the unstructured nature of that meant that actually the level of information that was able to be extracted and our ability to correlate that information and recognise [certain individuals was difficult].”
A damming NSW parliamentary inquiry and report into government cyber security triggered by the incident recommended an overhaul of cyber security strategy and policies, including formal notification procedures for data breaches and a stronger mandate for Cyber Security NSW.
The government is yet to respond to report but launched a new cyber strategy in May. Department of Customer Service officials were unable to answer several questions on the report’s recommendations at the Budget Estimates hearing on Wednesday, taking many on notice and confirming a formal government response to the report is expected soon.
Businesses large and small, across a broad swathe of the Australian economy will be affected by new legislation which sets out to protect critical infrastructure and as such, industry bodies have a key role to play ensuring their members take the necessary steps to be compliant.
This was one of the key insights to emerge from a discussion on the new legislation between Fergus Hanson, director of the International Cyber Policy Centre at the Australian Strategic Policy Institute (ASPI); Derek Fittler, ANZ head of Verizon Business Group; and InnovationAus publisher, Corrie McLeod as part of the Age of Trust podcast series.
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 defines a much wider section of the Australian economy as critical infrastructure than the current legislation. Communications, data storage and processing, financial services and markets, water and sewerage, energy, health care and medical, higher education and research, food and grocery, transport, space technology and the defence industry are all included within the bill’s definition of industries responsible for critical infrastructure.
Mr Hanson said businesses in these sectors that are not subject to current critical infrastructure legislation would have a huge task ahead of them to become compliant with the new bill when it becomes law, and should be looking to their industry bodies for help.
“They really need to be talking to their peak industry bodies to understand how this is going to apply to them and taking a look at the legislation, because there’s positive obligations on them, and consequences for non-compliance,” he said. “If you are in any of those 11 industry sectors and you’re a reasonable-sized player, you should be getting on the phone to your industry body and having a chat about how this works or reaching out to the Department of Home Affairs to understand what your obligations are, and taking a look at the legislation.
“For industries that don’t normally think about cybersecurity, it’s going to be a big shift, because their systems are not going to be up to scratch. And, they’re going to have to do quite a bit of heavy lifting to get up to speed.”
Mr Fittler said industry bodies also had a role to play bringing together individual businesses in each sector to ensure an effective response to the requirements of the new legislation: “Organisations like ASPI, providers like Verizon, member organisations that operate in those sectors, all have a responsibility to work together to engage with government, and to learn and understand the steps and changes that will need to be taken.”
He said organisations that would be covered by the bill should not wait until it becomes law but should start working immediately to beef up their cybersecurity. “If you’re on the list, you need to be considering, identifying and understanding where you are in terms of your cyber maturity. There are many in the sectors included in the remit of the legislation that need to take some immediate steps to start that journey.
“You should be doing a stocktake and identifying where are you today: what is your cyber maturity, what are your risks. There is more education to be done, there’s more identification of risk, and, and ultimately, there will be need to be more resources spent and allocated towards addressing and responding to the threats we face.”
Mr Hanson said organisations in some sectors — typically banking and telecommunications — have a long established and sophisticated approach to cybersecurity, but others, that the legislation will apply to, should be cautious as to what lessons they could draw from such businesses.
“If you’re not a very mature industry, and you’re looking at the banking sector, or telecommunications, you might freak out at the number of staff required and the cost involved. So you probably wouldn’t want to benchmark yourself against a bank, but it could provide a lot of insights into how you could structure your cybersecurity and the types of capability you are going to need.”
Mr Fittler agreed: “They have some very significant capability and have been quite adept at sharing information within industry, and increasingly with government. That two-way flow within your community and with government is part of a cultural change that will need to happen as part of the legislation coming into force.”
The Age of Trust podcast series was produced as a partnership between Verizon Business Group and InnovationAus.
Data breaches arising from ransomware incidents increased by 24 per cent in the first half of the year, prompting Australia’s Privacy Commissioner to warn that such attacks “are a significant cyber threat” that may be under-reported.
The Office of the Australian Information Commissioner (OAIC) received 446 data breach notifications from January to June this year, according to its latest notifiable data breaches report, with 43 per cent resulting from cyber security incidents. Of the 445 total breaches, 46 were from ransomware, up from 37 notifications in the last reporting period.
Privacy Commissioner Angelene Falk.
Since the notifiable data breaches scheme began in February 2018, health service providers and the finance industry have consistently reported the most data breaches compared to any other industry sector. In the first half of this year, that trend remained the same, with health service providers reporting 85 data breaches. The second largest source of notifications was from the finance sector with 57 followed by legal, accounting and management services with 35, and the Australian government and the insurance sector with 34 breaches each.
The rise in ransomware attacks comes as the federal government considers implementing a mandatory ransomware reporting scheme, where organisations that pay criminals to recover their files would be required to report this activity to the government. No government bill exists yet, but Labor’s Tim Watts is separately pushing his own that would require the same thing.
Privacy Commissioner Angelene Falk said the increase in ransomware incidents was cause for concern.
“We know from our work and from the Australian Cyber Security Centre that ransomware attacks are a significant cyber threat,” Commissioner Falk said.
“The nature of these attacks can make it difficult for an entity to assess what data has been accessed or exfiltrated, and because of this we are concerned that some entities may not be reporting all eligible data breaches involving ransomware.
“We expect entities to have appropriate internal practices, procedures and systems in place to assess and respond to data breaches involving ransomware, including a clear understanding of how and where personal information is stored across their network.”
Australian security expert Troy Hunt, who runs the popular haveibeenpwned.com website, said ransomware had been around for decades, with the PC Cyborg Trojan in 1989 considered among the first. What had resulted in a rise in its use in recent times was a change in the business model of criminal enterprises and the way they had begun monetising stolen data.
“I think one of the main driving factors is just simply return on investment,” Mr Hunt said of ransomware. “It’s just proven to be an enormously efficient way of monetising malicious software because, unfortunately, it does make good business sense to pay [a ransom].”
Another reason it was becoming more popular was because of the types of ultimatums criminals were issuing to victims, resulting in new income streams.
“It’s no longer just a ransom in terms of attacks against availability, where your files are locked and you need to pay for a key, but it’s also ransom with the threat of disclosure [of the stolen data].”
One other “alarming” way criminals were pivoting, Mr Hunt said, was by not only demanding ransoms from companies attacked but by using personal information inside a data breach to demand ransoms from individuals whose data has been stolen. Vastaamo, a now-bankrupted Finland-based private psychotherapy practice, was the target of such an attack, where patients were contacted and asked to pay ransoms or else have their private patient files published.
Mr Hunt said he expected sectors that remained at the top of the reporting list to be there because they were “heavily regulated” industries that were used to their reporting obligations under the law. This didn’t necessarily mean that they were the industries most impacted by known breaches, he said.
In the first half of the year, the OAIC was also notified of a number of data breaches resulting from impersonation fraud, which involves a malicious actor impersonating another individual to gain access to an account, system, network or physical location. There were 35 notifications of social engineering or impersonation fraud during the reporting period.
“The growth of data on the dark web unfortunately means that malicious actors can hold enough personal information to circumvent entities’ ‘know your customer’ and fraud monitoring controls,” Commissioner Falk said.
“We expect entities to notify us when they experience impersonation fraud, where there is a likely risk of serious harm.
“Entities should continually review and enhance their security posture to minimise the growing risk of impersonation fraud.”
In May, Home Affairs secretary Mike Pezzullo said he believed it was “likely” a mandatory ransomware reporting scheme would be rolled out soon.
“I think…most advanced economies are at a point, whereby some means, whether it’s mandatory reporting combined with other measures, that a much more active defence posturing is going to be required simply because of the prevalence of the attacks,” Mr Pezzullo told a Senate Estimates hearing.
While human error breaches decreased after a significant increase last reporting period, Commissioner Falk said entities need to remain alert to this risk, particularly the Australian Government where 74 per cent of breaches fell into this category.
Opinion: When I started in tech journalism more than a decade ago in 2010, I revealed that the federal government was considering introducing metadata retention. The changes meant select data about Australians’ web histories would be stored and logged for two years.
The controversial laws were shelved by Labor when it was in power but eventually, after a change of government and a further push by law enforcement, a bill was passed in 2015. The wedge needed to push a hesitant Labor opposition into supporting them was the December 2014’s Lindt Cafe siege in Sydney’s CBD.
“Your chances that your data will be viewed by law enforcement is low,” AFP Assistant Commissioner Tim Morris said at the time. “Those with nothing to hide have nothing to fear.”
This was despite law enforcements agencies making more than 300,000 applications for our metadata each year, without a warrant.
Since then, we’ve seen Canberra, at the request of police, spy agencies and intellectual property rights holders, chip away at the lack of regulation of multiple internet technologies.
This has included requiring assistance to pry open encrypted smart devices or scrambled messages; blocking of websites to do with pirated movies or music; restricting access to Interpol’s “worst of the worst” list via a then relatively unused telecommunications law (sub-section 313 of the telco act), to a present debate on critical infrastructure and whether the government should be given the power to allow its spy agencies to take control of computer networks of companies it deems manage such infrastructure (in the event of a cyber intrusion or to defend against one).
A separate bill currently before Parliamentwould give more powers to federal police and the Australian Criminal Intelligence Commission to access computers and networks of those suspected of conducting criminal activity online. This has prompted concerns about innocent people who might get swept up in it and a perceived lack of proper judicial oversight.
As part of the new “identify and disrupt” bill, new network activity warrants would allow authorities to hack into devices and networks of groups of individuals suspected of taking part in criminal activity online when their identities are not known. A new warrant would also allow the disruption of data through modification and deletion “to frustrate the commission of serious offences”, and new account takeover warrants would also be introduced.
Amid all this, we’ve also seen multiple cases of abuse of data by law enforcement. The check-in apps each state has been using during the COVID pandemic? Queensland thought it’d be a great idea to use that data to investigate a reported theft of an officer’s gun and Taser from a regional pub despite assurances it would only be used for contact tracing purposes.
Where there’s data, the temptation by third parties to access it will always be there.
The same state government also used metadata to access the private information of cadets to determine whether they were sleeping with one another or faking sick days.
Queensland – I’m not sure what it is about this state and privacy – was also among the first to start taking advantage of the data trail left behind by smart public transport travel cards, not just to find criminals, but to track down witnesses of crimes who may not necessarily wish to talk.
Back in 1997, former US president Bill Clinton said the internet “should be a place where government makes every effort … not to stand in the way, to do no harm”. But he hastened to add that “a hands-off approach to electronic commerce must not mean indifference when it comes to raising and protecting children.”
This brings me to Apple’s latest move – to identify photos uploaded to its online storage service iCloud that match against known child abuse imagery.
It has all the hallmarks of being a smartly designed technology and does seem to have been created with some privacy mechanisms in mind. For example, it uses a “hashing” algorithm of known abuse material to identify imagery on people’s accounts and will only then alert Apple reviewers when an undisclosed threshold of images is reached.
But it rightly has privacy advocates worried about what could come next. What starts off as a technology trained to search for a “worst of the worst” list of images could soon become used to search for other types of content stored on people’s phones. Another feature allows parents to have naked or sexually explicit imagery blurred on a child’s phones.
“All it would take to widen the narrow backdoor that Apple is building is an expansion of the machine learning parameters to look for additional types of content, or a tweak of the configuration flags to scan, not just children’s, but anyone’s accounts,” the Electronic Frontiers Foundation wrote. “That’s not a slippery slope; that’s a fully built system just waiting for external pressure to make the slightest change.”
Scope creep seems to be one of the main concerns often raised by privacy advocates, but one which is frequently ignored by politicians, rarely addressed properly in legislation and often relegated to explanatory memorandums that describe a bill and its “intention”.
One example of website blocking scope creep is Australia’s tertiary regulator, which is now seeking telcos to restrict access to a site allegedly used by students for cheating.
What I think all of this signals is that we’re entering a new age of the internet where further regulation will become commonplace, and corporations will be leaned on by governments to enact new policies rather than governments necessarily creating new laws to force change.
We have seen this already with YouTube, Twitter and Facebook enacting bans following the spread of misinformation and online conspiracies. Rather than following laws, the companies are attempting to meet community and government standards and expectations. It’s voluntary regulation without new laws.
Mostly, I think changes that encroach more on an individual’s privacy will become accepted, especially if convenience continues to be a priority over privacy.
But will users boycott Apple over its latest photo move? Probably not. Until trust is broken or there’s a further erosion of their privacy, they won’t. But by then it might be too late.
Home Affairs Secretary Michael Pezzullo says government has serious concerns with the security posture of global cloud computing giants like Amazon and Microsoft, and warned tightening data sovereignty requirements in Australia will “not be attractive” to them.
Mr Pezzullo said the multinational cloud companies typically want “very few strictures” so they can continue a business model which relies on moving data around the world to minimise costs but often sacrificed security.
“The ability of certain adversaries, some of whom are state adversaries, some of whom are criminal adversaries, to penetrate that data…is of deep concern to government,” Mr Pezzullo told a joint security committee.
Sovereign data
He said this was a legitimate commercial model for cloud providers but could be at odds with Australia’s national interest when government-held data was involved. The federal government leans heavily on leading US cloud providers which collect hundreds of millions in government tenders.
“We’ve stated that [concern] very bluntly and directly to that sector,” Mr Pezzullo said.
“Because the Commonwealth Government itself has not been satisfied about the security of that data, both in terms of where it’s hosted and how it’s routed.”
The Home Affairs chief said the government has bound itself to a data certification project which would “toughen the strictures” on the cloud industry when dealing with government held data.
Last year, then-services minister Stuart Robert flagged the government was considering sovereign cloud requirements following a backlash against US company Amazon hosting data collected by the COVIDSafe contact tracing app.
In June, Mr Robert, who retained responsibilities for whole-of-government data and digital policy, announced three Australian data centre providers had been certified to store sensitive data locally under the government’s new Hosting Certification Framework.
The framework requires data and digital service providers engaged by government to use highly secure systems, and for the highest level of certifications to enable the Government to specify and enact ownership and control conditions that are not lowered at any time. It is designed to help agencies to mitigate against supply chain and data centre ownership risks.
For cloud providers the framework means they may only receive certification for certain facilities in Australia.
“In such cases, providers will only be able to use the certified data centre facilities (certified data centre facilities arrangements) that satisfy the certification level required by agencies,” the official Hosting Certification Framework said.
Mr Pezzullo said the tightening data requirements being led by Mr Robert, made the Australian government an “exemplar” but would mean challenges for multinational cloud providers.
“What we would have in mind here, I suspect, to be very candid, would not be attractive necessarily to those companies,” Mr Pezzullo said.
“Because how they make their money is, frankly, by moving the data around to the cheapest car park of data, which has the lowest regard for security but the highest regard to data as a commodity.
“And that’s a that’s a perfect illustration of the tension here between the private commercial interest and the public interest.”
The Department of Education, Skills and Employment has handed more than $4 million worth of contracts to local firms to probe its cyber defences this year, as part of a surge in government cyber work for private contractors.
It follows a critical report from the Auditor General into the department’s cyber defences, and its commitment to improve them.
North Security Digital, Partner Consulting Group, CyberCX and Ionize – each Australian owned and Canberra based – all received contracts, which are each worth $1.1 million and run for the current financial year.
A spokesperson for the Department of Education, Skills and Employment (DESE) said the work was for an assessment of cyber defences and advice.
“The contracts are for the provision of specialist cyber security services including cyber security risk and vulnerability assessments, technical security advice and penetration testing services,” the spokesperson told InnovationAus.
A single approach to market established the group of four service providers, but their contract will operate independently to the others.
“This enables the department to source the most appropriate and available skills from one or more of the vendors to undertake the services required at the time it is needed,” the spokesperson said.
Four Canberra based cyber firms have each received more than $1 million to help DESE with its cyber defences
The work follows an Audit Office report earlier this year that found the DESE had not implemented basic mandatory cyber resilience measures. DESE agreed to improve its cyber security by monitored compliance during a set time frame, which was endorsed by the department’s executive board.
The contracts cap off a healthy two months for the four firms, which won several other cyber contracts and extensions of existing agreements with government entities.
In the last two months, CyberCX, which is headed by the former head of the Australian Cyber Security Centre Alastair MacGibbon, has won $3 million of new work and another $5.5 million from a Digital Transformation Agency contract extension.
North Security Digital has won new and extended work from the government since June worth nearly $2.7 million
Ionize has won smaller contracts in the same period but many more of them, landing more than $4 million worth of new and extended work in the last two months.
Partner consulting group received contracts and extensions worth more than $1.5 million since June, including a long running contract from DESE being amended a fourth time and now worth nearly 10 times the original contract amount.
What do bushfires and cyber threats have in common? They are both a fact of life; they are both likely to get worse; and we won’t be able to stop either from happening – so we need to be better prepared and to minimise their impact. In short, we need greater resilience.
The issues of resilience against bushfires and cyber threats came together in an Age of Trust podcast with Rear Admiral Lee Goddard CSC, RAN, head of partnership ecosystem, government relations and operations at the Minderoo Foundation and Rob Le Busque, the regional vice-president Asia Pacific at Verizon.
The Minderoo Foundation is a philanthropic organisation that “takes on tough, persistent issues with the potential to drive massive change”. One of those challenges is “to lift Australia to be the global leader in fire and flood resilience by 2025”.
Resilience is key: Rear Admiral Lee Goddard, Corrie McLeod and Rob Le Busque
Mr Goddard said national initiatives to build resilience against bushfires were very much in catch-up mode: “We need to do much more, and we need to do it quickly – we need to be using the collective to find innovative solutions.”
He introduced the idea of “pre-resilience”. In the case of bushfire preparedness, this means using the off-season to “make sure every part of our society, from the technology to the behavioural to the human aspects, are resilient and ready for further disruptions to come”.
While there is no off-season for cyber threats, Mr Le Busque said pre-resilience equated to preparedness, but this often fell short of what was required.
“Preparation is everything. It is really your first line of defence from cybercriminals and a large-scale hacking event,” he said.
“A concept we talk about a lot is ‘you never rise to the occasion’. When the pressure’s on, you default to your level of training and preparedness.
“You need to be conscious of the balance between the level of preparation, and the processes and systems you have set up to respond. You need to make sure these represent more than just compliance and are actually actionable programs and systems.”
He added that often, when Verizon is called in to help an organisation respond to a cyber event, they find processes and systems for recovery exist, but they simply don’t work.
“They haven’t been tested,” he said. “Then you see a level of disorganisation that adds to the disruption they are already suffering from.”
The devastating 2019/20 bushfires and, more recently COVID-19, have shown up shortcomings in Australia’s resilience, and the topic is now garnering much attention.
Mr Goddard, who is a rear admiral in the Australian Navy Reserve with a 34 years of full-time Navy service, said there needed to be an increased focus on the resilience of Australia’s infrastructure.
“Our ability collectively to really understand where our critical infrastructure is, its vulnerabilities and how we quickly replace it has been an Achilles heel,” he said. “At the Minderoo Foundation, we are working through, and with, partners to identify this.
“You only know how resilient some of your infrastructure is when the disaster happens. So, you need to really test it: critical communication hubs, critical resource hubs, critical infrastructure that supports dealing with the hazard.”
He said Minderoo’s fire and flood resilience initiative chief executive of Adrian Turner – the former chief executive at CSIRO’s Data61 – was “focusing on data harmonisation and national data coordination to provide knowledge to support better decision-making and information sharing to enable leaders at all levels to really understand where the critical infrastructure is and where the critical weaknesses are in the system”.
However, the resilience of critical infrastructure is now garnering considerable attention. There is legislation before Parliament designed to improve the security and resilience of Australia’s critical infrastructure that greatly increases the scope of what is seen as ‘critical infrastructure’.
In the wake of the bushfires, policy think-tanks Global Access Partners and the Institute for Integrated Economic Research – Australia along with Gravity iLabs set up the GAP Taskforce on National Resilience, a group of 40 representatives from business, government, academia, the not-for-profit sector and the community brought together to “discuss ways to make Australia more resilient to future economic, strategic and environmental threats”.
Australia has a number of resilience-related challenges that go well beyond our border. These increased vulnerabilities mean we need to deliver more effective solutions at greater speed. The disruption of the last 18 months has driven revolutionary change, and we in turn must be revolutionary innovators that ask questions and solve problems no one else has thought of.
The Age of Trust podcast series has been produced as a partnership between Verizon Business Group and InnovationAus.com.
Uber breached 1.2 million Australian customers’ privacy when it failed to protect their data from a cyber attack in 2016, the Privacy Commissioner has determined after a three and a half year investigation which encountered “jurisdictional issues”.
Names, email addresses, drivers licence numbers, and location data were stolen in the attack, and Uber paid the cyber criminals to destroy the data through its bug bounty program rather than disclosing the breach responsibly.
The ride hailing giant will only have to make modest remedies, however, including reviewing its data governance and security programs with external experts and implementing their advice within a year.
But the Privacy Commissioner insists the decision sends a clear message that companies must protect Australians’ data even when it is processed overseas. The lengthy investigation has also demonstrated the “jurisdictional issues” which have made pursuing multinationals difficult.
Uber breached Australian privacy law in an incident affecting 57 million users.
The watchdog’s investigation ran for more than three years, which is understood to be due to the complex, cross-jurisdiction nature of the case, which was also expanded several times.
The breach occurred in 2016 when attackers gained access to the credentials of an Uber employee, giving them access to data stored by Amazon Web Services, including unencrypted files. Attackers downloaded the files which related to around 57 million individuals worldwide, including 1.2 million Australians.
Uber became aware of the breach almost immediately because the attackers emailed the company demanding payment. Uber paid the attackers US$100,000 through a bug bounty program, which is supposed to be used for good faith disclosures of vulnerabilities, not extortion.
The tech giant says it obtained written assurances from the attackers they had destroyed the data.
Uber did not formally investigate the breach with external cyber experts until nearly a year later, and said the investigation found no evidence the data had been misused.
The company then went public and contacted some of the drivers whose data had been compromised but not riders.
The Office of the Australian Information Commissioner (OAIC) began an investigation shortly after the public disclosure in late 2017. It made a determination late last month, more than three and a half years later.
The case was considered complex and important because it dealt with a breach by the US parent of the Uber company operating in Australia, which is actually Dutch.
Uber had argued because the US company was used to process the data off-shore, the breach it suffered was not subject to Australian privacy law.
But Australian Australian Information Commissioner and Privacy Commissioner Angelene Falk, who made the determination, said she was satisfied both Uber had an “Australian link” at the time of the breach and were required to comply with the Privacy Act.
“We need to ensure that in future Uber protects the personal information of Australians in line with the Privacy Act,” Ms Falk said.
“The matter also raises complex issues around the application of the Privacy Act to overseas-based companies that outsource the handling of Australians’ personal information to other companies within their corporate group.”
The investigation dragged out because of the inclusion of the Dutch-based Uber company operating in Australia, which was added to the probe in 2019 and the US parent’s argument it was not subject to Australian privacy law, an OAIC spokesperson told InnovationAus.
“The Uber determination demonstrates the complex jurisdictional issues that can arise in applying the Privacy Act 1988 in its current form to multinational corporate structures and data flows…The US-based entity argued it was not subject to the Privacy Act, and so a formal determination was necessary to address the privacy breach. This also required extensive investigation to establish the OAIC’s jurisdiction in this matter,” the spokesperson said.
“The existing test for establishing jurisdiction is complex, and the Australian Government’s current review of the Privacy Act is an opportunity to address this issue. The OAIC’s submission to the review proposes amendments to ensure we can more easily address the privacy risks to Australians whose personal information is held by multinational companies based overseas.”
Ms Falk said her determination made clear the responsibilities of global corporations responsibilities under Australian privacy law.
“Australians need assurance that they are protected by the Privacy Act when they provide personal information to a company, even if it is transferred overseas within the corporate group,” she said.
Ms Falk determined Uber companies breached the Privacy Act 1988 by not taking reasonable steps to protect Australians’ personal information from unauthorised access and to de-identify or destroy the data as required.
They also failed to take reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles, according tot the watchdog.
Ms Falk ordered Uber to prepare, implement and maintain a data retention and destruction policy, an information security program, and incident response plan that complies with Australian privacy law.
The company must also use independent experts to review and report on the policies and there implementation, and report the findings to the OAIC.
A spokesperson for Uber said the company has made several technical upgrades and security certifications, and policy and leadership changes since the 2016 breach.
“We welcome this resolution to the 2016 data incident. We learn from our mistakes and reiterate our commitment to continue to earn the trust of users,” the spokesperson told InnovationAus.
“We are confident that these changes in security and governance will address the determination made by the OAIC, and will work with a third-party assessor to implement any further changes required.”
Australia has formally attributed the Microsoft Exchange software cyber-attack to China, joining Five Eyes allies and others in condemning what they say is a state sponsored attack which affected an estimated 30,000 organisations globally.
The public attribution is rare but not unprecedented, with Australia having previously named Iran, China, North Korea, and Russia for other cyber attacks.
The latest explicit attribution to China – Australia’s first since 2015 – was not accompanied by sanctions, but experts say it could be a precursor to them if attacks continue.
On Tuesday, Home Affairs Minister Karen Andrews said Australia had worked with allies to gain a “very high” confidence that China’s Ministry of State Security exploited vulnerabilities in the Microsoft software to target thousands of networks and computers around the world, including in Australia.
She said these vulnerabilities were used to “exploit the private sector for illicit gain”. Beijing has rejected the claims, accusing Australia of hypocrisy.
Home Affairs Minister Karren Andrews. Photo: NASA/Aubrey Gemignani
Ms Andrews said the attribution was made because it was in Australia’s interest to do so but acknowledged there would be repercussions from Australia’s biggest trading partner.
“We are aware that there are serious implications for any attribution that is made to any nation, but we also will not compromise our position on sovereignty, and national security,” Ms Andrews said.
“And in this instance, along with our partner nations, we needed to call out this malicious cyber attack.”
While no sanctions were announced, Ms Andrews said China won’t get away with the attack “scot-free” because it has suffered serious reputational damage from the attribution.
Australia has previously attributed cyberattacks to Iran, North Korea, and Russia, as well as to China in 2011 and 2015. But the government resisted naming China as the nation behind a wave of cyber incidents last year and an attack on the Parliament in 2019, despite security agencies reportedly believing Beijing was the culprit.
The federal government’s cyber advisory panel last year recommended there should be clearer consequences for malicious actors found to be targeting Australian businesses and governments. The industry panel, dominated by telco and led by Telstra chief Andy Penn, said there should be more of a willingness to publicly attribute these attacks.
Public attribution is used sparingly because of the difficulties in proving a nation state is directly responsible and because attacks typically need to cross a cyber “red line” to warrant it, according to Australian Information Security Association chair Damien Manuel.
“[Attribution] is almost like a diplomatic warning of ‘don’t go any further because then there’ll be other consequences’…Often attribution can be used as a diplomatic sort of blunt tool to put a country on notice,” Mr Manuel told InnovationAus.
Mr Manuel, also Director of Deakin University’s Cyber Research and Solution Centre, said the Australian government will be carefully monitoring China’s response to the attribution and whether the attacks continue to determine if sanctions and tariffs are warranted.
Just hours after Australia’s official attribution, the Chinese embassy in Canberra issued a statement rejecting the “groundless accusation” of the Australian government, accusing it of “parroting the rhetoric of the US” and engaging in its own eavesdropping.
“What the Australian government has done is extremely hypocritical, like a thief crying ‘stop the thief’,” a spokesperson for the Chinese Embassy said.
“As a victim of cyber attacks, China always firmly opposes cyber attacks and cyber theft in all forms, and calls on countries to advance dialogue and cooperation to safeguard cyber security.”
Attribution is also often a trade or diplomatic tactic, Mr Manuel said, and Australia is deploying it at a time when its relations with China are at their lowest point in years.
“China will make certain claims about Australia and Australia will make certain claims about China. This is a kind of balancing act,” he told InnovationAus prior to the Chinese embassy statement.
“There are red lines, obviously, where from a political perspective we don’t want countries to cross. And if they do cross them, that tends to be when they will call it out specifically. And that draws different sort of pressures. It becomes political pressure, social pressure trading pressure as well.”
The immediate damage for China will be relatively low, according to former National Security Adviser and head of the Australian Cyber Security Centre Alastair MacGibbon.
He told ABC Radio the retaliations to these types of attacks are typically “quite muted” because it is so difficult to prove the exact provenance of attacks and to hold foreign individuals responsible.
“The reality is consequences for China will be pretty low, but I think there’s an important moral message here,” Mr MacGibbon said, pointing to the unprecedented involvement of Japan and NATO in an attribution to China.
“That shows us the significance of the body of evidence and the global nature of this particular activity. So it is a significant day.”
Mr MacGibbon, now chief strategy officer at private firm CyberCX, said the Microsoft Exchange attacks attributed to China had crossed a “significant line” of cyber espionage norms because China had used private contractors to exploit the vulnerability, who then made personal gains through cybercrimes.
“China has used contractors to carry out what you would suggest is a legitimate state-based espionage activity. We may not like it but it’s kind of what nations do to each other,” he said.
“And those contractors have then, for their own gain, carried out activities in parallel to what they were doing for the Chinese government.”
New Zealand’s cyber security agency believes China has been behind numerous hack attacks spanning years.
The government joined Western allies and Japan in calling out Beijing for so-called state-sponsored hacks, including a major incursion in February when Microsoft email servers were targeted.
The US has charged four Chinese nationals — three security officials and one contract hacker — with targeting dozens of companies and government agencies in the United States and overseas under the cover of a tech company.
“What we do is when we see malicious cyber activity on New Zealand networks, that may be through our own capabilities that we have to help protect New Zealand networks or it may be something that’s reported to us, we look at the malware that’s used,” Government Communications Security Bureau Director-General Andrew Hampton told RNZ Checkpoint.
“We look at how the actor behaves. We look at who they might be targeting and what they do if they get onto a network.
“That allows us to build a bit of a picture of who the actor is. We then compare that with information that we receive, often from our intelligence partners who are also observing such activity.
“That allows us to make an assessment, and it’s always a probability assessment about who the actor is.
The APT 40 group
“In this case, because of the amount of information we’ve been able to access both from our own capabilities and from our partners, we’ve got a reasonably high level of confidence that the actor who we’ve seen undertaking this campaign over a number of years, and in particular, who was responsible for the Microsoft Exchange compromise, was the APT 40 group — Advanced Persistent Threat Group 40 — which has been identified as associated with the Chinese Ministry of State Security.
The RNZ National live stream. Video: Checkpoint
“The actors here are state sponsored actors rather than what we would normally define as a criminal group. What we’re seeing here is a state sponsored actor likely to be motivated by a desire to steal information.”
Hampton said there was a blurring of lines between what a state agency does, and what a criminal group does.
“Some of the technical capabilities that previously only state organisations had, have now got into the hands of criminal groups.
“Also what we’ve seen in a range of countries is individuals who may work part-time in a government intelligence agency, and then may work part-time in a criminal enterprise. Or they may have previously worked in a state intelligence agency and are now out by themselves but still have links links back to the state.
“We don’t know the full detail of the nature of the relationship, but what we do know is the Ministry of State Security in China, for example, is a very large organisation with many thousands of of employees.
“So they are big organisations with people on their payroll but they also would have connections with other individuals and organisations.
Information shared with criminals
“Something else worth noting with regard to this most recent compromise involving the Microsoft Exchange, what we saw there is once the Ministry of State Security actors had identified the vulnerability and exploited it, they then shared that information with a range of other actors, including criminal groups, so they too could exploit it.
“This is obviously a real concern to see this type of behaviour occurring,” Hampton said.
All evidence showed the cyber attacks were all originating from mainland China, Hampton told Checkpoint.
He said such attacks would be aimed at stealing data or possibly positioning themselves on a system to be able to access information in the future.
“A common tactic we see, unfortunately, is there may be a vulnerability in a system,” Hampton said.
“It could be a generic vulnerability across all users of that particular system, and a malicious actor may become aware of that vulnerability, so they would use that to get onto the network.
“That doesn’t mean they will then start exfiltrating data from day one or something like that. They may just want to to sit there in the event that at some point in the future they may want to start doing that.
Malicious actors
“This exploitation of known vulnerabilities is a real concern. This is why all organisations need to keep their security patches up to date, because what can happen is you can have malicious actors use technology to scan whole countries to see who hasn’t updated their patches.
“They then use that vulnerability to get on the network and they may not do anything with it for some time. Or they might produce a list of all the organisations, say, in New Zealand who haven’t updated their patches.
“Then they make a decision – okay these are the four to five we want to further exploit.”
This article is republished under a community partnership agreement with RNZ.
Ransomware attacks will only get worse for Australia without strategic domestic efforts to thwart it, according to a new report which warns a “policy vacuum” has made the nation an “attractive market” for cyber attackers.
The Australian Strategic Policy Institute report follows a spate of ransomware attacks in Australia and across the world, which have crippled services and infrastructure while costing organisations millions of dollars.
The latest report from ASPI said much more will be needed in Australia to combat the growing threat of ransomware, part of a $1 trillion “tsunami” of cybercrime.
“A current policy vacuum makes Australia an attractive market for these attacks, and ransomware is a problem that will only get worse unless a concerted and strategic domestic effort to thwart the attacks is developed,” the report said.
“Developing a strategy now is essential. Not only are Australian organisations viewed as lucrative targets due to their often low cybersecurity posture, but they’re also seen as soft targets.”
Written by Cyber Security Cooperative Research Centre chief executive Rachael Falk and colleague Anne-Louise Brown, the ASPI report suggests several domestic policy levers to thwart ransomware attackers, which typically operate from foreign countries.
“Such action is essential because the grim reality is that, when it comes to ransomware, prevention is the best response,” it said.
The report’s policy recommendations include a mandatory notice scheme, a dedicated cross-departmental taskforce also involving state and territory representatives, greater clarity about the legality of ransomware payments, more transparency when attacks do occur, expanding the official alert system of the Australian Cyber Security Centre (ACSC), education programs to improve public and the business understanding, and tax, procurement and subsidy measures to incentivise cybersecurity uplift.
On the same day the federal government funded ASPI’s report was released, Home Affairs minister Karen Andrews launched a discussion paper on regulatory reforms and voluntary incentives to strengthen cyber security across the economy.
The paper estimates the cost of cyber security incidents to the Australian economy is $29 billion per year, or 1.9 per cent of GDP.
“We cannot allow this criminal activity to become a significant handbrake on our economic growth and digital security,” Minister Andrews said.
Labor said the ASPI report echoes its continued calls for a ransomware strategy and a notification scheme.
“By contrast, while the Morrison government never misses an opportunity for a dramatic press conference on cyber security it’s missed every opportunity to take the basic actions needed to combat this threat,” said shadow assistant minister for cyber security Tim Watts, who introduced a private members bill for a notification scheme last month which is yet to be listed for debate.
“Instead it’s simply played the blame game, telling businesses it’s up to them to protect themselves against increasingly sophisticated and well-resourced cyber-criminals.
“Australian businesses and the workers they employ need a government that understands organisational IT security is only part of the response to the threat of ransomware.”
The ASPI report concludes there is a key role for government to play in tackling ransomware but the problem is a shared responsibility.
“While there’s no doubt that organisations must take responsibility for ensuring that their cybersecurity posture is up to scratch, there are practical and easily implementable steps the government can take to provide clarity, guidance and support,” it said.
A renowned US cybersecurity expert has put weight behind calls for a mandatory ransomware payment notification scheme in Australia and said the country’s election administration system should be considered critical infrastructure.
Cybersecurity expert and former United States Cybersecurity and Infrastructure Security Agency chief Chris Krebs appeared at a Parliamentary Joint Committee on Intelligence and Security on Friday, where he backed calls for organisations being required to report to authorities when they have made a ransomware payment.
Mr Krebs said a notification scheme would help authorities understand the scale of the problem and collect valuable intelligence on incidents.
“We have to get to the denominator of ransomware attacks, and the easiest way to do that is to require ransomware victims to make a notification to the government…if you’re going to be engaging [in a] transaction with a ransomware group, that needs to be notified,” Mr Krebs told the inquiry, which is reviewing current and proposed critical infrastructure legislation.
“The second [reason] is if you’re going to make the payment we also want to make sure the information, specifically the wallet to which the ransomware payment is going, can be tracked by law enforcement and intelligence officials to light up the economy.”
Former US Cybersecurity chief Chris Kreb. Image: Department of Homeland Security/Tara Molle
Home Affairs Minister Karen Andrews told a business event shortly after that the government is “open to exploring” a mandatory reporting scheme but added it must follow an increased awareness of the problem.
The Department of Home Affairs is reportedly considering a notification scheme, with secretary Mike Pezzullo saying he believes it is “likely” one would be rolled out soon.
Following Mr Krebs evidence on Friday, Labor’s Mr Watts issued a statement calling for the government to urgently list his bill for debate when Parliament returns in August.
“The Minister said when taking on the role in March cyber security was a ‘priority’ for her. It’s time we saw some real action,” Mr Watts said.
“Ransomware is completely out of control in 2021. There has been an onslaught of attacks that threaten Australian jobs including JBS Foods, our biggest meat producer, the Nine Network, and multiple hospitals.”
The US expert also called for Australia to consider election administration as critical infrastructure. Mr Kerbs was fired by the-US President Donald Trump in 2020 for refuting his claims the 2020 presidential election was fraudulent.
“I think there are elements of the election administration function that should absolutely be considered critical infrastructure, and that is the administration element,” he said.
“That’s the systems, the machines, the counting process, the protocols around it — I think it’s, at least in the US, a step too far to call the political parties themselves as part of the infrastructure, but they do have certainly a contribution and a piece involvement.”
The PJCIS is currently considering legislation which would see more Australian sectors considered “critical infrastructure”, including communications and data storage and processing.
Mr Krebs said bad actors have been effective in disrupting elections with disinformation campaigns and “perception hacks”.
“Those are the more pervasive, much harder to debunk, because there’s an asymmetry of the adversary,” he said.
“Even if it’s domestic, it’s still an adversary, in this case, [a] domestic actor that is trying to undermine confidence in the process for their own outcomes.”
The changes to critical national infrastructure regulation in relation to cyber security will need a coordinated, Australia-wide communications campaign that embraces small and medium sized companies in order to carry maximum impact.
Email security and cyber resilience specialists Mimecast’s country manager Nick Lennon says changes to critical national infrastructure legislation in Australia is a positive step forward. The regulation of cyber risks is a good thing and will ultimately lift cyber standards across the economy. In order effect change, there needs to be a complete commitment across all levels of government and private sectors, as without the necessary changes, there is the potential risk for considerable socioeconomic impact.
The new regulations are ultimately a way of introducing standards to manage cyber risks in Australia, just as financial reporting requirements and audits through regulations have been a way to manage financial risks across the economy.
Changes to the critical national infrastructure regulations will result in the introduction of minimum standards. The key to its roll-out in the early stages will be in a mass communications campaign that reaches the small and medium-sized companies that will be ‘captured’ by the new legislation.
Mimecast country manager Nick Lennon
“The critical national infrastructure changes effectively introduce ‘table stakes’ – or minimum standards – for companies, to enable them to participate in the new economy and the new environment,” Mr Lennon said. “That’s a positive thing and it really should be promoted.”
“This is regulation catching up in cyber, and supporting modern businesses to operate effectively in the current environment.”
“Longer term, it is easy to see a world where cyber security is regulated in the same way that the accounting and financial services industry is stood up today.
“So, we are obliged to check and report our [financial] books every 12 months, and we have multiple government agencies that analyse the quality of that information, to make sure that there’s transparency and due diligence around these organisations so they are able to trade appropriately,” he said.
In the same way government financial regulation is an effective measure to ensure the financial services sector meets and exceeds global standards, Australia’s new cyber regulations needs to be in lockstep with other countries to meet our obligations as global citizens in terms of cyber security standards. These new cyber regulations are about creating clear standards that enable trust across the systems of the economy, allowing customers and businesses to invest in one another. This is the same scenario that underscored the introduction of standard financial reporting, Mr Lennon said.
The key in cyber would be to make these new standards “more visible, more accessible and more in your face.”
“It is easy to envisage a world where organisations are reporting on their cybersecurity standards in a similar manner to how they are considering their financial auditing in today’s terms,” Mr Lennon said.
“So the question becomes, how does a small to medium-sized organisation consider what that means to them? And how do they meet or exceed those standards that are being asked of them around positive security objectives and the processes associated with reporting cybersecurity event. Of note the private sector has asked what will it cost businesses to meet the new cybersecurity standards, and where will that cost burden lie?”
It is a complex communications challenge, but not dissimilar to issues that governments have helped solve effectively in the past with national and coordinated campaigns. Think Slip, Slop Slap or the ongoing anti-smoking campaigns or any number of health campaigns. These aim at registering a broad community and individual benefit for action.
This can work with cyber.
Mr Lennon points to Mimecast’s own authoritative State of Email Security 2021 report for the numbers that illustrate the massive scale of cybersecurity problems across the economy.
In Australia, the report found that an incredible 64 per cent of companies had experienced some form of business disruption through ransomware in the past year, a massive increase from the 48 per cent reported in the previous year.
Of those companies, 54 per cent paid the ransom. And of the companies that paid a ransom, 76 per cent recovered their data, but 24 per cent paid and never recovered their data – a true nightmare scenario for any business. In terms of downtime, there is a big impact, with the report revealing that business disruption caused an average of 4 days of downtime, and for 26 per cent of businesses it was one week or more. This downtime can greatly impact our supply chains and the economy, and underscores the immediacy of protecting our critical national infrastructure.
“If you do the maths on that, you find that the scale of the ransomware ‘industry’ is massive. And that fact is not as well publicised as it should be in terms of communicating why regulation through changes to the critical national infrastructure legislation is so important,” Mr Lennon said.
This article was produced in partnership with Mimecast as a member of the InnovationAus Leadership Council.
On 3 July 2021, a new interactive online platform by Forensic Architecture, supported by Amnesty International and the Citizen Lab, maps for the first time the global spread of the notorious spyware Pegasus, made by cyber-surveillance company NSO Group.
‘Digital Violence: How the NSO Group Enables State Terror’ documents digital attacks against human rights defenders around the world, and shows the connections between the ‘digital violence’ of Pegasus spyware and the real-world harms lawyers, activists, and other civil society figures face. NSO Group is the worst of the worst in selling digital burglary tools to players who they are fully aware actively and aggressively violate the human rights of dissidents, opposition figures, and journalists. Edward Snowden, President of Freedom of the Press Foundation.
NSO Group is a major player in the shadowy surveillance industry. The company’s Pegasus spyware has been used in some of the most insidious digital attacks on human rights defenders. When Pegasus is surreptitiously installed on a person’s phone, an attacker has complete access to a phone’s messages, emails, media, microphone, camera, calls and contacts. For my earlier posts on NSO see: https://humanrightsdefenders.blog/tag/nso-group/
“The investigation reveals the extent to which the digital domain we inhabit has become the new frontier of human rights violations, a site of state surveillance and intimidation that enables physical violations in real space,” said Shourideh C. Molavi, Forensic Architecture’s Researcher-in-Charge.
Edward Snowden narrates an accompanying video series which tell the stories of human rights activists and journalists targeted by Pegasus. The interactive platform also includes sound design by composer Brian Eno. A film about the project by award-winning director Laura Poitras will premiere at the 2021 Cannes Film Festival later this month.
The online platform is one of the most comprehensive databases on NSO-related activities, with information about export licenses, alleged purchases, digital infections, and the physical targeting of activists after being targeted with spyware, including intimidation, harassment, and detention. The platform also sheds light on the complex corporate structure of NSO Group, based on new research by Amnesty International and partners.
“For years, NSO Group has shrouded its operations in secrecy and profited from working in the shadows. This platform brings to light the important connections between the use of its spyware and the devastating human rights abuses inflicted upon activists and civil society,” said Danna Ingleton, Deputy Director of Amnesty Tech.
Amnesty International’s Security Lab and Citizen Lab have repeatedly exposed the use of NSO Group’s Pegasus spyware to target hundreds of human rights defenders across the globe. Amnesty International is calling on NSO Group to urgently take steps to ensure that it does not cause or contribute to human rights abuses, and to respond when they do occur. The cyber-surveillance must carry out adequate human rights due diligence and take steps to ensure that human rights defenders and journalists do not continue to become targets of unlawful surveillance.
In October 2019, Amnesty International revealed that Moroccan academic and activist, Maati Monjib’s phone had been infected with Pegasus spyware. He continues to face harassment by the Moroccan authorities for his human rights work. In December 2020, Maati Monjib was arbitrarily detained before being released on parole on 23 March 2021.
Maati Monjib, tells his story in one of the short films, and spoke of the personal toll following the surveillance, “The authorities knew everything I said. I was in danger. Surveillance is very harming for the psychological wellbeing of the victim. My life has changed a lot because of all these pressures.”
Amnesty International is calling for all charges against Maati to be dropped, and the harassment against him and his family by the Moroccan authorities to end.
The Department of Defence has funded three more Australian universities for their work with a US counterpart on cybersecurity research that could one day benefit defence forces.
$3 million of the department’s emerging technology fund will be shared by researchers at the University of Melbourne, Macquarie University and the University of Newcastle for their joint project to develop autonomous cyber security systems.
The work is exploring how cyber bots can learn from and form teams with each other and humans to combat cyber threats.
A cohort of Australian and US universities led by the University of Melbourne has received $3 million to research cyber bots
The project also involves the University of Wisconsin and the funds will come via the Australia—US Multidisciplinary University Research Initiative, a nine-year $25 million program to fund Australian and US universities’ joint projects on areas of high priority for Defence.
The program is part of Defence’s Next Generation Technologies Fund’s (NGTF).
The NGTF was established in 2016 with $600 million to back research and development of technology for the “future Defence force after next” over ten years. It was topped up last year to $1.2 billion and extended to 2030.
InnovationAus can reveal less than $220 million from the NGTF has been allocated so far including the latest universities projects, meaning around 18 per cent of funds have been used, more than a third of the way into the projected lifespan.
“As at 31 May 2021, the NGTF has funded a total of 282 activities worth $211 million. This includes both completed and active arrangements,” A department of Defence spokesperson told InnovationAus.
The latest project to be funded is the joint cyber initiative between the University of Melbourne, Macquarie University, the University of Newcastle and the University of Wisconsin.
The project aims to develop autonomous cyber security systems through “robust and effective teaming of bots and humans”.
“The joint project, led in Australia by the University of Melbourne, will explore how cyber bots can learn and form teams, either amongst themselves or with humans, to counter cyber threats,” Department of Defence chief science engagement and impact division Dr Kershaw said.
“Improved security through cyber autonomy is critical for Defence’s future in highly challenging and adverse environments.”
Last week, the Department of Defence announced it had funded quantum technology and 3D printing projects through the same program, with $4 million being shared by teams from Griffith University, the University of Technology Sydney, the University of New South Wales, and the University of Sydney.
The Department of Defence is still seeking research and development proposals from Australian universities and small to medium enterprises to support Defence capability, and has urged universities to take advantage of the “hug opportunity” to partner with the well funded department.
Australia needs to make “dramatically greater investments” in cybersecurity education and sovereign capability in order to become a more effective cyber power, according to a report by the International Institute for Strategic Studies.
The International Institute for Strategic Studies (IISS) released its report on the cyber capabilities and powers of 15 countries this week.
It ranked these countries across three tiers, with Australia placed on the second level, with “world-leading strengths” in some of the categories, but struggles in others, especially around skills, education and commercialisation.
The global report also called out failings in cyber controls in Australian government departments and agencies and the need for better coordination at a federal level.
The IISS has called on Australia to “dramatically” increase its cyber investment
“For Australia to become a more effective cyber power, it will need to make dramatically greater investments in cyber-related tertiary education and carve out a more viable sovereign cyber capability,” the IISS report said.
The report found that the federal government’s 2020 Cyber Security Strategy helped to “significantly improve” its cybersecurity guidance for all sectors, but there are still “significant weaknesses in the government’s own practices”, with “considerable recalcitrance on the part of government agencies when it comes to upgrading their cybersecurity”.
In terms of skills, the previous 2016 strategy didn’t have enough funding to make any real impact, the report found, and in last year’s iteration the government opted for “radical” new visa programs to attract talent from overseas.
But funding is still an issue here, according to IISS.
“But Australian universities’ response to the new opportunities and demand for cybersecurity education could not match the government’s ambition, particularly since the government wasn’t prepared to invest sufficient funds,” the report said.
The 2020 strategy included about $50 million in funding for workforce development, education and community initiatives.
“But this is unlikely to give universities much incentive because the government prefers community and business-based solutions,” the IISS report said.
This funding included a $26.5 million Skills Partnership Innovation Fund, with the first round of grants opened in February to “improve the quality and availability of cybersecurity professionals through training”.
The funding package also included $6.3 million for the Australian Cyber Security Centre to grow education skills, $14.9 million for Questacon and $2.5 million to improve data on cybersecurity skills shortages.
More leadership and funding is required from the federal government, it said.
“Australia has moved towards a more coherent policy and legislative framework for cybersecurity and resilience, but the changes need to be reflected in better governmental coordination and more consistent use of standardised tools,” it said.
“The country has not yet made adequate investments to defend against the most serious potential threats. Its providers of critical national infrastructure appear not to have a sufficient understanding of the risks and the situations is aggravated by a shortage of personnel with the relevant skills, including at board level.”
Funding and skills is also an issue in terms of Australia’s developing offensive cyber capability.
“In terms of resources and available personnel, Australia does not match the capabilities of its senior allies,” it said.
“In common with all other states, the biggest constraint on Australia’s offensive cyber capability may well be the limited extent of its national skills base and pipeline.”
In the report, the IISS also took aim at Australia’s long-running commercialisation struggles, pointing out that despite being among the top countries in the world in terms of average internet usage and companies engaged in e-commerce, it falls outside the top 10 in terms of innovation, competitiveness and cybersecurity.
“Since the turn of the century, Australia’s digital economy has mostly stood still in relative terms – for example, its information industries share of total global value added hardly increased between 2006 and 2016,” it said.
“There is a mismatch between its innovation inputs, in which it ranked 13th in the world in 2020, and its innovation outputs, in which it ranked only 31st. Overall, Australia has a modest capability to assess the security implications of imported technologies, with the best capabilities concentrated largely in government and in several larger corporations.”
Fresh questions for the security services have been raised after it emerged Foreign Secretary Dominic Raab’s private mobile number has been available online for a number of years.
The discovery came weeks after it was revealed Prime Minister Boris Johnson’s phone number was freely available on the internet for more than a decade.
The Foreign Office said on Tuesday Raab’s number and other private information was swiftly removed once the department was made aware of the oversight.
Since 2010
The Guardian, which first reported the number’s availability after being notified by a reader, said it appeared to have been online since before he became an MP in 2010.
A Foreign Office spokesperson said:
Private information was wrongly retained online, before the Foreign Secretary’s appointment.
Once we were made aware, we had it removed immediately. Most of it was out of date, and no security was compromised.
In April it emerged that Johnson’s number remained on the bottom of an online press release from when he was shadow higher education minister in 2006.
That disclosure – by the Popbitch gossip newsletter – prompted concerns that Johnson had left himself vulnerable to covert activity by hostile states.
The Prime Minister had already been reportedly told by Civil Service head Simon Case to change his number, because it was too widely known from his career as a journalist.
Risk
Former UK national security adviser lord Ricketts told the Guardian:
The wide availability of Mr Raab’s personal phone number must increase the risk that other states, or even criminal gangs, have been able to eavesdrop on his calls.
It also means that anyone who happens to have had his phone number … is able to lobby the foreign secretary, bypassing the official channels which everyone else has to use.
Anyone taking on a role as sensitive as this should in their own interests pay as much attention to online as to physical security.
Concerns have also been raised over senior Government figures’ use of WhatsApp.
Former Downing Street aide Dominic Cummings has published a series of exchanges on the messaging network, showing it was used to co-ordinate elements of the coronavirus pandemic response.
As chief executive of the Cyber Security Cooperative Research Centre, Canberra-based Rachael Falk has been one of the most clear-eyed and articulate advocates for building cyber capability across the Australian economy.
Ms Falk arrived in the cybersecurity sector via an early career in the law and then telecommunications. She spent 15 years at Telstra in roles that included National Security Advisor and general manager of cyber influence.
The Cyber Security CRC is somewhat of a newcomer to the federal government’s Cooperative Research Centre program, with Ms Falk joining as founding CEO three years ago.
The cybersecurity “landscape” has changed quite radically during those three years. Certainly issues of sovereign capability and supply chains have taken on new meaning since COVID-19, as well as cloud services and data sovereignty, the government’s treatment of encryption services and even definitions and obligations under critical infrastructure protection laws.
In this episode of the Commercial Disco podcast, Rachael Falk talks about the challenges of building domestic cyber capability and the role of the CRC in creating the top-end skills that can underpin a healthy and growing Australian cyber industry.
The CRCs bring together like-minded partners from industry, academia and government to work together to solve problems and in doing so to create research translation and commercialisation outcomes.
As a horizontal industry that touches on literally all parts of the modern economy, the global market for cyber products and services is clearly massive with a growth rate that outstrips others.
The CRC is geared toward commercialisation, and has processes in place to ensure that the “commercialisable” parts of a project are identified early, and that the various parties involved in the project can recognise and agree on the pathways to commercialisation.
Building Australian cyber products and services based on research partnerships is key to lifting national capability, Ms Falk said. It is not enough to simply buy product from overseas. Creating and building solutions to problems through top end research provides an unmatched capability uplift that results in both a more secure Australian economy but creates access to valuable global chains.
While recognising that Australian companies can’t do everything, and that local firms have not been able to build at the scale of multinational suppliers in some areas there is a recognition that local companies have been able to fill niches and participate in global supply chains that are valuable to the economy and to the nations security.
“There has been this recognition that it’s a broad church and that we need all the players [domestic and multinational]. That to me has been one of the biggest shifts of the past three years,” Ms Falk said.
Building capability: Cybersecurity CRC chief executive Rachael Falk
“When you’re designing and making widgets here and you’re investing in people here, you’re [also] building capability here,” she said.
This is a great interview for anyone looking for a 20 minute snapshot of the local cybersecurity sector.
The Cyber Security CRC is funded through to 2024 and it will be up to its member participants and discussions with the government on what the future holds beyond that. There is no suggestion that the organisation will not continue beyond that date.
It is a measure of how serious the sector is taken that the Cyber Security CRC – which is effectively a modest-sized not-for-profit – boasts a board of directors that looks more like an ASX 200 company.
The board includes former ASIO and ASIS director general David Irvine, Business Council of Australia CEO Jennifer Westacott, the Australian Signals Directorate’s ACSC chief Abigail Bradshaw, Nuix founder Eddie Sheehy, Cisco Systems global chief of nation cyber security officers Greg Thomas, Deakin University deputy vice-chancellor Prof Julie Owens, QBE director John Green, and Commonwealth Bank director Anne Templeman-Jones.
The Cyber Security CRC is chaired by former ACT senator Kate Lundy. Ms Falk is also on the board.
