radiofree.asia

Category: cyber security

  • Cyber security across local councils is ‘disjointed and under-resourced’

    In the wake of the coronavirus (Covid-19) pandemic, we’ve been spending more time online. As a result, more of our personal data is also online. There’s also been an increase in certain kinds of cyber attacks since the start of the pandemic. According to an Interpol report, cybercriminals are beginning to target “corporations, governments and critical infrastructure”.

    And this is affecting councils in the UK too. Because, as reported by Alex Scroxton in ComputerWeekly.com, Freedom of Information (FoI) requests show:

    UK councils reported more than 700 data breaches to the Information Commissioner’s Office (ICO) during 2020

    But the damage is not limited to councils. Because a number of healthcare providers have also been hit by similar data breaches.

    Damage done

    The FoIs were disclosed to security services provider Redscan. In Scroxton’s article, he explained:

    Redscan received responses from over 60% (265 of 398) of borough, district, unitary and county councils in England, Scotland, Wales and Northern Ireland,

    The security company found evidence that UK local government cyber security is “by and large, disjointed and under-resourced”. And responsibility for local government rests with central government. According to a report commissioned by the Local Government Association (LGA), as of 2020, “local authorities will have faced a reduction to core funding from the Government of nearly £16 billion over the preceding decade”. Meanwhile the data of private citizens is at risk.

    So these are real concerns. Because according to Redscan’s chief technology officer Mark Nicholls:

    Every council has thousands of citizens depending on its services daily. Going offline due to a cyber attack can deny people access to critical services. To minimise the impact of data breaches, it is important that councils are constantly prepared to prevent, detect and respond to attacks.

    However, according to Nicholls:

    While our findings show that councils are taking some steps to achieve this, approaches vary widely and, in many cases, are not enough.

    So because data held by councils is at risk from cybercriminals, people need assurances that their data is safe.

    Previous attacks on councils

    Unfortunately, data breaches are far from uncommon. As reported by The Canary in June 2020, a subsidiary of Kent County Council, Kent Commercial Services (KCS), was hit by a ransomware attack. The attackers sent KCS a ransom note demanding £800k in Bitcoins.

    Ransomware is software used by cybercriminals to gain access to information on computers. The criminals ensure the computer is inaccessible so they can steal, delete, or encrypt that information. Cybercriminals then ask the computer user to pay a ransom to get the information back.

    In February 2020, Redcar and Cleveland Council suffered a similar attack to KCS. That meant over 135,000 UK residents didn’t have access to online public services for almost one week. That included services related to social care and housing complaints. According to ComputerWeekly.com 10 councils, including Redcar and Cleveland, reported disruption to daily operations in 2020 as a result of a breach or ransomware attack.

    Attacks on healthcare

    In May, an Edinburgh mental health clinic was hit by a phishing scam. The scammers were able to access email addresses. Also in May, “a gaping security hole” was discovered in the NHS’ vaccination booking website. This “hole” could have been used “to find out whether someone has received a jab”.

    On 14 May this year, the Irish Health Service Executive (HSE) also suffered a ransomware attack. The Irish government says it didn’t pay a ransom. However, the HSE chief executive estimated the attack could have a human costs as well as a cost of around €0.5bn.

    Protect our data

    These data breaches and attacks on councils and healthcare reveal how vulnerable personal data can be. It also highlights that in a world of increasing online presence, we need to be extra vigilant about where and with whom we share our data. But ultimately, the onus of ensuring local councils are fully resourced to manage our data is on the government.

    Featured image via Unsplash – FLY:D

    By Peadar O'Cearnaigh

    This post was originally published on The Canary.

  • Data sovereignty issues are complex but critical

    Sovereignty issues have shifted into the spotlight across a number of sectors in Australia due to the supply chain challenges wrought by the COVID-19 pandemic.

    This should raise important questions for local businesses not just about physical supply chains, but where and how critical data is stored.

    Australian businesses and executives need a better understanding of data sovereignty and the issues around storing data through a foreign company. And the federal government has an important role to play in this mission, Dekko Secure chief executive officier Jacqui Nelson said.

    According to Ms Nelson, more Australian companies need to consider these issues and to actively investigate and understand how their data is stored and what laws in other jurisdictions can be applied to it.

    Jacqui Nelson
    F Dekko Secure chief executive officer Jacqui Nelson

    “Organisations need to start thinking about sovereignty as a policy goal. The Big Tech players have a role to play but there also needs to be a focus on Australia’s own local capability,” Ms Nelson said.

    “As an Australian company I comply with all laws, but once we host on a different server owned by a foreign country, that data is subject to that country’s laws as well. While I understand that, currently we’re seeing some organisations that don’t get it.”

    Dekko Secure is an Australian cybersecurity firm founded in 2015. It offers technology that replaces high-risk electronic exchanges such as video conferencing, file sharing, email and chat with a new standard in privacy.

    Its main products include DekkoVault, a secure document and file-sharing service, and DekkoLynx, a recently-launched service for confidential video meetings between government departments at the “protected” level, as well as for use by other organisations handling highly sensitive information, such as law firms.

    Both of these Dekko products use end-to-end encryption.

    Dekko currently stores its data in Australian-based data centres running Microsoft Azure. Ms Nelson said she wants to also utilise Australian providers such as Vault Cloud or AU Cloud, but this will become more practical when these offerings are more established, and there is more knowledge of data sovereignty among clients.

    The government should work with local players and their clients to educate them on these issues, Ms Nelson said.

    “With heightened focus on our national security posture, it makes sense for government to work with local companies to be able to provide those services,” she said.

    “It’s about access to the right talent to help providers scale. Establishing local sovereignty that competes at scale is tough without very deep support from the government.”

    “Starting at the bottom of the chain is always better than trying to fix it at the other end.”

    The government also has a role to play in educating the private sector on the importance of these issues, she said.

    “I don’t think enough people in the private sector actually know the right questions to ask in relation to where their data is being housed. There’s a huge education piece that needs to be worked on,” Ms Nelson said.

    “For me the biggest challenge is getting the message out to organisations that they really need to up their questions of their providers. They need to not just accept they’ve got data centres here and that they’re secure, but they need to deeply understand which parts of the channel are secure and where the vulnerable points are.”

    This discussion should start with understanding what data sovereignty actually means, she said.

    “There are challenges around the word sovereignty – it’s a little bit like security, it means so many things to so many people,” Ms Nelson said. “The devil is always in the detail and there’s a challenge in communicating it with customers.”

    “COVID and changes in the geopolitical landscape have pushed the conversation to a much broader audience, but in the private sector there is some confusion about what sovereignty means in this space.”

    With the federal government preparing to pass new critical infrastructure laws which will expand security requirements to a range of new sectors, now is an important time for Australian businesses to consider their own data sovereignty.

    “It captures places like education for example, where sovereignty hasn’t really ever played into their thinking. Now around vaccines and COVID, those conversations are starting to be elevated, we’re hearing a lot more noise from those industries,” Ms Nelson said

    Dekko Secure, an Australian owned and operated technology company that provides industry-leading end-to-end encryption. This article was produced in partnership with Dekko Secure as part of the Connect with Confidence sponsored content series by Dekko Secure and InnovationAus.

    The post Data sovereignty issues are complex but critical appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Labor introduces ransomware notification bill

    Labor has called on the federal government to urgently support its legislation introducing a mandatory ransomware notification scheme which “lays the foundation” for enforcement actions against cyber attacks.

    Shadow assistant minister for cyber security Tim Watts on Monday morning introduced a private members’ bill to the House of Representatives which would launch a scheme requiring organisations to notify the Australian Cyber Security Centre (ACSC) if they are planning to make a ransomware payment.

    This information would then be used to inform Australian authorities and policymaking in the space.

    Tim Watts

    The scheme would function in a similar way to the existing mandatory data breach notification scheme, which has been in place since early 2018.

    The Coalition is already reportedly considering such a scheme, with Home Affairs secretary Mike Pezzullo saying he believes it is “likely” that it would be rolled out soon.

    Speaking in Parliament, Mr Watts said the legislation would mark a first step in government action to combat the growing threat of ransomware attacks.

    “With this bill, Labor is showing the political leadership on cyber security policy that has been missing since the election of this Prime Minister,” Mr Watts said.

    “Such a scheme would be a policy foundation for a coordinated government response to the threat of ransomware, providing actionable threat intelligence to inform law enforcement, diplomacy and offensive cyber operations. There is an urgent need for this bill. Mandatory reporting of ransomware payments is far from a silver bullet for this national security problem but it’s an important first step.”

    The Opposition said there is “no reason” for the government to not support the bill, and called on it to list it for debate “as a matter of priority” when Parliament returns in August.

    The bill would establish a mandatory reporting requirement for Commonwealth entities, state or territory agencies, and corporations or payments who are making a payment in response to a ransomware attack.

    “This will allow our signals intelligence and law enforcement agencies to collect actionable intelligence on where this money is going so they can track and target the responsible criminal groups,” Mr Watts said.

    “And it will help others in the private sector by providing de-identified actionable threat intelligence that they can use to defend their networks. Importantly, it will give us a fuller picture of ransomware attacks in Australia and the scale of the threat.”

    The legislation defines a ransomware attack as “when an unauthorised person accesses, modifies or impairs data and demands payment to repair or undo damage or prevent the publication of data”.

    Small businesses with annual turnover under $10 million will be exempt from the scheme, as would sole traders, unincorporated entities and charities.

    The entities will have to notify the ACSC of key details about the ransomware attack, the attacker and the payment to be made, including the cryptocurrency wallet details, the amount of the payment and the indicators of a compromise.

    Failure to notify the ACSC will result in a penalty under the new regime.

    The information will be held by the ACSC and shared in a de-identified way with the private sector through the threat-sharing platform, and will also be used by law enforcement and to inform policy making and track the effectiveness of policy responses.

    Mr Watts said Australia has reached a “crisis point” on ransomware attacks, pointing to several recent events, including this month against JWS meats, which eventually paid an $11 million ransom payment to the attackers.

    These ransomware attacks are an “intolerable burden on Australian organisations” and represent a “significant national security threat”, Mr Watts said.

    “The current trajectory of these attacks, and the traditional response to them – asking organisations to implement an ever-increasing uplift in cyber resilience – is inefficient and not sustainable,” he said.

    Last week the federal government launched a new public awareness campaign around the threat of ransomware, centred mostly on what companies can do to protect from these attacks and make it harder for cyber criminals.

    It is also considering implementing a mandatory reporting scheme on ransomware, according to Mr Pezzullo, as an extension to the 2020 Cyber Security Strategy.

    “I think we’re at a point, most advanced economies are at a point, where by some means, whether it’s mandatory reporting combined with other measures, that a much more active defence posturing is going to be required simply because of the prevalence of the attacks,” Mr Pezzullo said in a Senate Estimates hearing last month.

    The post Labor introduces ransomware notification bill appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Time to ‘release the hounds’ on ransomware gangs

    Labor has called on the federal government to get on the cyber offensive and “release the hounds” on global ransomware gangs following a series of high profile cyber-attacks against Australian companies and hospitals.

    Last week Australia’s largest meat processor JBS Foods was forced to shut down its local operations for a day following a ransomware attack against the global company that the US government has said originated from a Russian criminal organisation.

    Days later, the US Department of Justice confirmed that it would be upping its investigations of ransomware attacks to a similar level as terrorism.

    Speaking in Parliament last week, shadow cybersecurity minister Tim Watts said these events should be a wake-up call for the government, and reiterated his calls for a national ransomware strategy.

    “It’s a timely reminder of the economic cost of the scourge of ransomware – it’s a jobs and investment destroyer when the economy can least afford it. It also highlighted the urgent need for the Morrison government to adopt a national ransomware strategy to combat these attacks,” Mr Watts said.

    “The JBS Foods barbeque stopper should be a wake-up call for the Morrison government to finally take responsibility.”

    Tim Watts

    Mr Watts said the government should be proactive in its fight against ransomware gangs, and its spy agencies should be actively trying to disrupt these organisations.

    In Senate Estimates last week it was revealed that the Australian Signals Directorate (ASD) did not take any offensive operations against those responsible for the cyber-attack on Nine, despite appearing to know who was behind it.

    “As part of a national ransomware strategy, the Morrison government needs to get serious about using its signals capability to disrupt cybercriminals and deter attacks on Australian targets,” he said.

    “To date, these ransomware crews have been able to target Australian organisations with impunity. No wonder we’ve seen these attacks increasing in their scale and frequency. In general, the position of the Morrison government is not to tell us or the cybercriminals targeting Australia what they are doing to disrupt them. A secret deterrent is no deterrent at all.”

    The ASD should create a “target list” of the top 10 ransomware groups targeting Australia and ramp up efforts to disrupt their operations, he said.

    “The scourge of ransomware has become an intolerable burden on our nation – a $1 billion annual burden, collectively. It’s time that we said enough is enough. It’s time to release the hounds on these ransomware crews,” Mr Watts said.

    “Ransomware groups should fear the consequences of being added to ASD’s targeting list. We need to end the age of impunity for ransomware attacks and teach these ransomware groups that there are consequences for targeting Australian organisations with ransomware attacks and that these attacks are not worth the potential benefits.

    “The Morrison government has left Australian governments, businesses and community groups to combat these international ransomware groups for too long,” Mr Watts said.

    “It’s time it took responsibility, did its job and developed a national ransomware strategy. These groups are the modern day pirates, and it’s time we treated them that way.”

    Mr Watts also recently called for the government to implement a mandatory ransomware notification scheme, with businesses or individuals to report details of an attack to government agencies. At Senate Estimates last month, Home Affairs secretary Mike Pezzullo confirmed it was “likely” that such a scheme would be introduced.

    The post Time to ‘release the hounds’ on ransomware gangs appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • 30 NGOs call on Google to drop plan for a Cloud region in Saudi Arabia

    Groups call on Google to drop out of Saudi project over human rights concerns

    © Getty Images

    The Hill of 26 May 2021 reports that a coalition of more than 30 human rights and digital privacy rights groups called on Google to abandon its plans to establish a Google Cloud region in Saudi Arabia over concerns about human rights violations.

    The groups, which include Amnesty International, Human Rights Watch and PEN America, wrote in their letter that Saudi Arabia’s record of tamping down on public dissent and its justice system that “flagrantly violates due process” made it unsafe for Google to set up a “cloud region” in the kingdom.

    While Google publishes how it handles government requests for customer information and reports when requests are made through formal channels, there are numerous potential human rights risks of establishing a Google Cloud region in Saudi Arabia that include violations of the rights to privacy, freedom of expression and association, non-discrimination, and due process,” the groups said. See also: https://humanrightsdefenders.blog/2019/03/08/saudi-arabia-for-first-time-openly-criticized-in-un-human-rights-council/

    The letter also pointed to Saudi authorities who have routinely sought to identify anonymous online dissenters and spy on Saudi citizens through digital surveillance. The groups also pointed to how they themselves are believed to have been put under surveillance by the Saudi government.

    “Google has a responsibility to respect human rights, regardless of any state’s willingness to fulfill its own human rights obligations,” the letter continued, pointing to Google’s statement in which it expressed its commitment to human rights and to “improve the lives of as many people as possible.”

    In order to address these concerns, the groups called on Google to conduct a “robust, thorough human rights due diligence process” and to “draw red lines around what types of government requests concerning Cloud regions it will not comply with” due to human rights concerns.

    “The Saudi government has demonstrated time and again a flagrant disregard for human rights, both through its own direct actions against human rights defenders and its spying on corporate digital platforms to do the same,” the letter read. “We fear that in partnering with the Saudi government, Google will become complicit in future human rights violations affecting people in Saudi Arabia and the Middle East region.”

    https://thehill.com/policy/technology/555597-groups-call-on-google-to-drop-out-of-saudi-project-over-human-rights

    This post was originally published on Hans Thoolen on Human Rights Defenders and their awards.

  • China, Singapore line up for dumped CSIRO seL4 team

    The world-leading Australian research team dumped by the CSIRO’s Data61 last week is in the acquisition sights of a large Chinese company and the Singapore Government’s R&D agency.

    The two potential buyers have moved quickly to register their interest in acquiring the Trusted Systems team responsible for the extremely hard to hack seL4 microkernel.

    NASDAQ-listed Chinese electric vehicle manufacturer Li Auto and Singapore’s research and science agency A*STAR are both understood to have expressed interest in buying the Trusted Systems team, which had been supported by the CSIRO for more than a decade.

    The science agency’s digital arm Data61 last week revealed it will stop funding the world-renowned Trusted Systems team, because it no longer fits the CSIRO’s strategy, which is increasingly focused on artificial intelligence.

    cybersecurity electronics
    World-class: Buyers from China and Singapore want to buy a CSIRO seL4 security team dumped by the agency

    Some Trusted Systems team members will be moved to AI projects while others are expected to lose their jobs in a broader restructure of Data61 that will see 70 positions lost.

    It is unclear how CSIRO will deliver its outstanding commercial contracts that rely on seL4 knowledge.

    The agency said it will work to smooth the transition but did not respond to requests for comment on the potential Trusted Systems buyers.

    “CSIRO will work to minimise any impacts on partners or stakeholders as we implement the changes,” a spokesperson for the CSIRO told InnovationAus.

    The seL4 microkernel claims to be the world’s most highly assured operating system kernel. It works by creating an ironclad separation between software systems to prevent unauthorised access.

    Work will continue on the open source seL4 through an independent foundation set up last year, but the group needs secure base funding to operate and support the seL4 technology.

    But two potential overseas buyers have already emerged. According to people involved in the project, Li Auto, a Chinese electric vehicle manufacturer and Singapore’s research and science agency A*STAR have expressed interest in acquiring the Trusted Systems team.

    The Chinese manufacturer is believed to be interested in taking over the entire Trusted Systems team and setting up a research and development lab in Australia. The A*STAR offer is less certain but it is likely the agency would want to onshore the talent to Singapore.

    A*STAR and the CSIRO already worked together, including a $2.2m joint program on food health and safety program, and a 2019 collaboration on machine learning.

    In disbanding the Trusted Systems team last week, the CSIRO said seL4 was now a mature technology that is “well supported” outside the organisation.

    But Trusted Systems team members, including UNSW Scientia Professor Dr Gernot Heiser, said they were disappointed support had been pulled from the world leading security team.

    “Here is an absolutely recognised world class, world leading asset that’s unique in its composition and its track record and ability to do outstanding research, that’s being abandoned and destroyed,” Dr Heiser told InnovationAus on Friday.

    The post China, Singapore line up for dumped CSIRO seL4 team appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • NSW launches cyber strategy to fill industry gaps

    One year after the flagship NSW Government delivery site at Service NSW was breached, the state has unveiled a cybersecurity strategy that puts industry development and capability-building in cyber at the centre of government tech policy.

    The sector-wide cybersecurity strategy is an acknowledgment of the importance of bringing together industry policy in relation to cyber with government resilience in relation to cyber.

    The thinking is that a focus on building a strong local cyber industry inevitably leads to improved cyber skills, cyber capability and ultimately the resiliency of cyber infrastructure – including in government.

    The strategy is focused on four key commitment including improved state government cyber resilience, industry assistance to help NSW cyber businesses to grow, uplifting the cyber security workforce and skills, and supporting cyber research and innovation.

    Sydney traffic busy lights
    Bright lights, cyber city: NSW has unveiled an industry-centric cyber strategy

    NSW Digital Minister Victor Dominello claimed NSW was already leading the nation in the cybersecurity sector. Improving cyber resilience across the economy required the involvement of all sectors – citizens, businesses, government, and researchers. But government needed to lead.

    “Increasing overall cybersecurity resilience is about ensuring the safety and security of citizens and communities online. Government is absolutely pivotal to this as part of its overall responsibility to protect its citizens,” Mr Dominello said.

    “In a post COVID-19 environment, we need to adapt our way of living and working to embrace the digital future,” he said.

    “Our post COVID-19 ‘new normal’ will bring incredible opportunities as we adapt to greater reliance on connectivity, remote working and importance of data.

    “It is important that the NSW Government maximizes the state’s existing capabilities and develops the local cybersecurity industry into a globally competitive, innovative ecosystem that drives economic growth.”

    The NSW government has spent the last year working through its cybersecurity structures following a breach at Service NSW.

    A parliamentary inquiry into the breach released earlier this year recommended an overhaul of cyber practices – including the strengthening of the mandate and resources of Cybersecurity NSW, and moving the agency from the Department of Customer Service to Premier and Cabinet.

    NSW is also set to become the first Australian state or territory to introduce a mandatory data breach notification scheme, following a serious cyber incident last year.

    But it is the recognition of the direct link between the strength of the local cyber industry and overall cyber resilience across the economy – including government – that is most interesting about this strategy. And the industry development initiatives recognise that link.

    NSW Jobs and Investment Minister Stuart Ayres said the state would partner with the cyber sector to grow the local industry, leverage academic strengths, and to drive international competitiveness.

    “Under this strategy, Investment NSW will establish a NSW Cyber Hub, delivering a range of initiatives to accelerate the growth of NSW cyber businesses, maintain and attract the right talent to create the fluid, dynamic workforce needed to address skills gaps,” Mr Ayres said.

    “NSW already has an incredible depth of talent however we need to continue to foster, cultivate and grow this pipeline to ensure our industry thrives. This strategy builds on our strengths whilst seeking to grow new ones and will help the NSW digital economy thrive.”

    “The export opportunities for cybersecurity industry is enormous. From Bondi to Broken Hill, cybersecurity businesses can export to any location around the world from any city or town in NSW.”

    The public consultation and industry engagement finished in late 2020. The new strategy replaces the existing NSW Cyber Security Strategy and the NSW Cyber Industry Development Strategy, combining both into one overarching cyber security strategy.

    The post NSW launches cyber strategy to fill industry gaps appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Ransomware and phishing drive data breach spike

    Phishing and ransomware attacks spiked in the last year leading to a growing number of data breaches, according to analysis of more than 29,000 security incidents.

    Australian governments and businesses were among 83 organisations to contribute to Verizon’s latest Data Breach Investigations Report, now in its 14th iteration.

    The latest report found 5,258 of the incidents analysed, or around 18 per cent, resulted in a confirmed data breach.

    The analysis found a human element is present in almost every breach, and most involve users’ credentials. Financial services and health organisations were heavily targeted, in line with incidents reported to Australia’s mandatory notifiable data breach scheme last year.

    Phishing was present in 36 per cent of the breaches analysed by Verizon, up from 25 per cent last year. The presence of ransomware in breaches also doubled in the last year, and is now used in one in ten data breaches, according to the report.

    Phishing and ransomware are leading to more data breaches, according to new analysis.

    More than 1,000 data breaches were reported to Australia’s Privacy Commissioner last year, as part  of a mandatory reporting scheme for large companies and government agencies.

    In 2020, the government unveiled a $1.7 billion cybersecurity strategy that focuses on protecting essential infrastructure from cyber-attacks, improving the resilience of businesses and uplifting community awareness of cybersecurity.

    However, the policy has been criticised by the Opposition for not addressing ransomware, and a dedicated strategy for the growing threat is yet to be developed in Australia.

    The Verizon report breaks down global regions, showing many APAC breaches were caused by Financially motivated attackers phishing employees for credentials, and then using those stolen creds to gain access to mail accounts and web application servers.

    Lead author of the Verizon report, Alex Pinto, said sweeping and revolutionary solutions for data breaches aren’t realistic and mitigation must be straightforward.

    “The truth is that, whilst organisations should prepare to deal with exceptional circumstances, the foundation of their defences should be built on strong fundamentals – addressing and mitigating the threats most pertinent to them.”

    Verizon Business chief executive officer Tami Erwin said the COVID-19 pandemic had a “profound” on the security challenges organisations are facing, and cloud technologies are creating new risks.

    “As the number of companies switching business-critical functions to the cloud increases, the potential threat to their operations may become more pronounced, as malicious actors look to exploit human vulnerabilities and leverage an increased dependency on digital infrastructures,” she said.

    The post Ransomware and phishing drive data breach spike appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Cybersecurity now the number one business risk

    Cyber risk, the likelihood of data loss or business disruption resulting from a cyber-attack, is now seen by Australian organisations as one of the biggest risks they face, according to Alastair MacGibbon, chief strategy officer at CyberCX and former head of the Australian Cyber Security Centre.

    “Cybersecurity is now number one or two on any organisation’s risk register – public or private,” Mr MacGibbon said.

    The increased awareness of the danger that cyber threats pose to their operations is leading to a shift in responsibility for cybersecurity from IT departments to other parts of organisations, according to privileged access management specialists CyberArk’s senior vice-president for identity security, Barak Feldman.

    CyberArk
    Clockwise from top left: Thomas Fikentscher, James Riley, Alastair MacGibbon, and Barack Feldman

    Goodbye CISO, hello BISO

    Mr Feldman suggested a new role was emerging, that of business information security officer.

    “We believe that security means taking more responsibility for the risk to the organisation, educating internally on awareness and how to prepare for a situation, and how to respond to it,” he said.

    “Not just responding technically, but even how to respond to the media and different elements of a security attack.”

    Mr MacGibbon said the increased focus on cybersecurity at board level had been rapid, with boards now showing a much more mature understanding of and response to cyber risk. Using traditional business risk language has helped boards to understand the impact of a cyber threat.

    “Now most boards understand that what they’re dealing with is the concept of ‘cyber risk management’ and how resilient they are to cyber events,” Mr MacGibbon said.

    “They recognise those events are likely to occur, an Assumed Breach Mindset, and it’s a more mature conversation than we were having at the launch of Australia’s first National Cybersecurity Strategy in April 2016.”

    The increasing integration of operational technology with IT was also a factor in shifting responsibility for cybersecurity.

    “We’re seeing a huge trend on the operational technologies side –manufacturing plants can work faster with more data analytics with remote access,” said Mr Feldman.

    “I don’t need to go to the plant anymore, I can control it remotely and collect data on how fast I’m manufacturing my product, and so on. So that means the ownership is starting to be delegated into the business owners.”

    Mr MacGibbon agreed, but suggested this was not a popular view. “I don’t believe chief security officers in organisation should report into an IT function because I don’t think that creates the right balance to have a proper risk discussion.”

    Both cybersecurity experts were joined by CyberArk’s ANZ Regional Director Thomas Fikentscher for the final Security in Transformation episode of the Bridging the Cyber Divide podcast series.

    Leaders and laggards

    Mr Fikentscher suggested that this trend has still yet to make an impact in many traditional sectors, and that their tardiness was increasing the risk for the more advanced organisations that are become connected in order to leverage benefits.

    “Some of the industries that have been in this space for a longer period of time, like the banking industry, have their house in order,” he said.

    “But, they are concerned about business connectivity, the wider ecosystem and how they secure that ecosystem as they open up their systems to accelerate digital transformation. For example, to allow people to have a view into the last 10 years of claims management.

    “Then you go to other industries, which might fall under the new Critical Infrastructure Bill [the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which will increase the scope of what is deemed to be critical infrastructure] like the food industry or the transport industry,” Mr Fikentscher said.

    “Cyber risk management is something that is very new to them, and they need to start from the beginning and create a philosophy of how they attack that particular problem.”

    It’s an ill wind…

    And, unfortunate as the increase in cyberthreats is, Mr Fikentscher said it was having a positive impact by pushing many organisations to elevate cybersecurity to board level. “There are more cyber incidents, and that’s painful, but at the same time it wakes people up and focusses their minds on a very important element of their business.

    “And, that’s not just happening in IT, it is reverberating through the business functions into the boardroom, and all of a sudden, people are starting to get things done.”

    The Bridging the Cyber Divide series is produced as a partnership between InnovationAus and CyberArk.

     

    The post Cybersecurity now the number one business risk appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Expert cyber cohort call out on ransomware

    Aggressive nationally and internationally coordinated strategies are needed to tackle the growing threat of ransomware, according to an expert taskforce that included the US, UK and Canadian government cyber agencies.

    Australia was not part of the taskforce and the federal government is yet to develop a national ransomware strategy, leading to calls from Labor that Australia is being left behind.

    A coalition of global experts assembled by business group, the Institute for Security and Technology (IST), on Thursday released a strategic framework for combatting ransomware, which has quickly grown into a “serious national security threat and a public health and safety concern”.

    “This global challenge demands an ‘all hands on deck’ approach, with support from the highest levels of government,” the IST report said.

    hacker
    A coordinated international response is needed to the growing threat of ransomware.

    The framework calls for coordinated global action to deter and disrupt ransomware attacks, and help organisations prepare for attacks and respond to them. According to the report, ransomware victims paid attackers more than US$350 million last year, more than triple the amount in 2019, and the average downtime from an attack was three weeks.

    “The immediate physical and business risks posed by ransomware are compounded by the broader societal impact of the billions of dollars steered into criminal enterprises, funds that may be used for the proliferation of weapons of mass destruction, human trafficking, and other virulent global criminal activity,” the IST report said.

    The number one goal of the framework proposed by the group is to deter ransomware attacks through a “nationally and internationally coordinated, comprehensive strategy” which would be led by the US.

    Labor has welcomed the report but says it highlights Australia’s increasingly isolated position of not prioritising the threat of ransomware at a national level.

    The Australian Cyber Security Centre has said that ransomware is the “highest threat” facing Australian businesses and governments in the cyber domain. But the government’s 2020 national cybersecurity strategy mentions it only twice; once in quoting a submission to the report and once advising where victims can report it.

    In March, a government advisory group released a report on ransomware urging businesses to implement basic cyber security. But it did not include any recommendations for government or any calls for new policies.

    Earlier this month, Australia signed a new communiqué with Five Eyes partners which included a commitment to share lessons on ransomware and, where possible, align national policies, public messaging and industry engagement.

    The Opposition released its own ransomware discussion paper in February and called for a dedicated national strategy.

    In response to the IST report, shadow minister for Home Affairs Kristina Keneally and shadow assistant minister for cybersecurity Tim Watts said the government is being left behind on ransomware.

    “While our major security partners are recognising the need for a plan to tackle this billion-dollar scourge plaguing business, we have yet to hear the Morrison Government’s strategy to address this critical threat to Australia’s economy and society,” a joint statement said.

    “Just in the last week we’ve seen ransomware attacks on two Brisbane hospitals and a Geelong secondary school. This followed the major ransomware attack on the Nine Network last month.”

    The IST’s ransomware taskforce included cyber industry leaders, academics, and representatives from the UK National Crime Agency, US Cybersecurity and Infrastructure Security Agency, US Federal Bureau of Investigation, U.S. Secret Service and the Royal Canadian Mounted Police’s National Cybercrime Coordination Unit.

    The post Expert cyber cohort call out on ransomware appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Govt gives IT resellers $7M for SME cyber support

    A cohort of “trusted” companies will share in $6.9 million in federal government grants to support SME cyber awareness and resilience, with nearly 40 per cent of the money going to channel partners.

    Charities, a university and the peak caravanning group also received funding to help SMEs build cyber awareness and “promote action”.

    But more than $2.7 million of the grants will go to IT Connexion, Loyal IT Solutions, CyberCX, Real World Technology Solutions, First Focus IT and Concept Data, to develop various cyber awareness and support training initiatives.

    Two of the biggest grants went to cyber services providers CyberCX and Real World Technology Solutions, which each received the maximum $750,000 on offer.

    city data
    The government has provided $6.9 million in grants to support SMEs cyber awareness and reillience.

    CyberCX is the private sector venture of former head of the Australian Cyber Security Centre and Special Adviser to the Prime Minister on Cyber Security Alastair MacGibbon. It has received funding for a ‘Cyber123 for SME’ program.

    Real World Technology Solutions is an IT services provider for SMEs and not-for-profits. Its grant will be used to support cyber security resilience within small-to-medium, charity & indigenous businesses.

    Business support charity the Murray Hume Business Enterprise Centre also received the maximum $750,000, while the Queensland Chamber Of Commerce And Industry received $738,500 for its cyber security accreditation program.

    The grants are part of the Cyber Security Business Connect and Protect Program, which provides funding to trusted organisations that give business advice to SMEs to raise their cyber risk awareness, promote action to address the risks, and support SME uplift to best cyber practices.

    Applications closed in November last year with successful applicants revealed last week and announced Tuesday by the government.

    “SMEs make up 99 per cent of all Australian businesses and employ about half our workforce, so it is essential to our economy and national security that SMEs continue to expand and improve their digital capabilities in a secure way,” Industry Minister Christian Porter said.

    “The assistance provided through this grant program will support businesses in recognising cyber risks and opportunities, particularly in the wake of the strong digital uptake during the COVID-19 pandemic.”

    Business support groups and consultants in the Hunter Region, Wodonga, Brisbane and Darwin will also get funding.

    The Western Sydney University will receive $754,920 to develop its Oz Cybersecurity Aid Centre and online call line in conjunction four New South Wales cybersecurity companies.

    Caravan Industry Association Of Australia received $364,500 for cyber awareness training in Australia’s caravan and camping industry.

    The 14 successful applicants and their funding are:

    • IT Connexion – $250,000 for Cyber Security Awareness Training
    • Loyal I.T. Solutions – $456,258 for Cyber Secure Central Coast!
    • CyberCX – $750,000 for Cyber123 for SME
    • Real World Technology Solutions – $750,000 for Cyber Security resilience within SMB, Charity & Indigenous Businesses
    • First Focus IT – $339,780 to Develop & deliver a cyber security education package for SME C-suite
    • Concept Data – $188,721 for a South Australian Business Cyber Security Advisory Service
    • Murray Hume Business Enterprise Centre Limited – $750,000 for a Business Enterprise Cyber Secure initiative.
    • Hunter Business Centre – $349,40 for a Cyber Security Culture Program for Regional SMEs
    • Queensland Chamber Of Commerce And Industry – $738,500 for a Cyber Security Accreditation Program
    • Business Enterprise Centre (Darwin Region) – $219,596 for its CyberSafe program
    • Belmont Business Enterprise Centre – $274,900 for cyber security training and mentoring
    • The Project Lab – $641,434.00 for CyberUP for SMEs
    • Western Sydney University – $745,920 for its Oz Cybersecurity Aid Centre
    • Caravan Industry Association Of Australia – $364,500 for cyber awareness training in the camping and caravan industry

    The post Govt gives IT resellers $7M for SME cyber support appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • What the EH Holden can teach us about cybersecurity

    The World Economic Forum recently pointed out that cyberattacks rank first among global human-caused risks and this year, it’s expected cybercrime will cost the world US $11.4 million each minute. Let that sink in for one moment.

    It’s no wonder cybersecurity has emerged as one of the hottest topics for Australian boardrooms – especially in the context of accelerated digitisation and prolific cybercriminal activity driven by Covid-19.

    At the same time, geo-political pressures on Australia to adopt internationally recognised cybersecurity standards and build safer critical infrastructure are growing.

    An increase in cybersecurity is needed. Yet, no matter what we do, the stats keep showing more successful attacks, more data breaches, and more system compromises.

    roads interchange connections
    Road to nowhere: What the big selling EH Holden can tell us about cybersecurity

    What are we missing?

    To quote the immortal words of Albert Einstein, “the definition of insanity is doing the same thing over and over again and expecting different results.”

    For years we’ve been adding more security layers on top of each other, and on top of systems not organically designed to be secure, in the hope that one day we’ll reduce our vulnerabilities. Yet, the issue gets bigger each day.

    Those security layers, while needed, only help us keep up with the rising complexity of the threat landscape, not get on top – or ahead – of it.

    Something else needs to be done to drive a different outcome. It won’t happen overnight, but it is critical we change what we’re doing, as well as our overall cybersecurity thinking.

    Are we repeating the same mistakes over again?

    As a nation we understand the importance of ramping up cybersecurity however, on the whole, we still have a relatively passive posture towards it.

    What we’ve done so far is much like car safety before the 1970s; investing resources in making driving safer by insisting people pass driving tests, fining drivers for bad behaviour, while also adding road speed limits, stop signs, and traffic lights.

    When it comes to cyber, we’ve continuously focused on user awareness, user access control, traffic monitoring, protecting endpoint devices, data networks and computing infrastructure.

    While those have their place, just like driver training and licensing plays a role in road safety today, they do not shift the cyber-incident needle materially. Governments, organisations and people are still having more fatal accidents – in a cyber sense.

    In the same way car safety needed to go deeper in the 60s, so too does our cybersecurity approach.

    Embedded safety learnings from the EH Holden days

    Auto industry lessons from the past may teach us how to fundamentally improve safety and remove the roadblocks from our current ineffective cybersecurity approach.

    Prior to the 1970s, there was a direct correlation between the number of cars registered and the number of road fatalities. This was despite safety features being available on many vehicles as premium options, mandatory licensing of drivers, and investment in better road signage and infrastructure, which is very similar to what we’re seeing in cybersecurity today.

    Then something changed. Car ownership exploded in Australia – a large part of it driven by the EH Holden which would become one of the most successful cars Holden ever built – very much like today’s accelerated digitisation of our economy.

    In just a few years every family owned a car (Holden produced more than 256,959 EH models in 18 months), the road toll proportionally rose, and it became apparent a change was needed to improve auto safety.

    It took years, but government and manufacturers finally realised that safety needed to be embedded into every car if they were to reduce the community cost and reputational damage of car related deaths.

    From the late 1960s until today, we’ve seen both the legislative and industrial embedding of safety features into the vehicles themselves.

    Starting with mandates on the likes of seat belts, collapsible steering columns, and airbags, to later manufacturers proactively embedding advanced safety features such as ESC, adaptive cruise control, and anti-collision systems (manufacturers came to realise it was good for business).

    This took safety out of the hands of the drivers and road conditions.

    Embedded security lessons for cyber

    We need a new approach that doesn’t expect every person who attends cybersecurity awareness training to be the cybersecurity equivalent of Lewis Hamilton.

    Often when it comes to digital systems, it’s the data itself we are trying to protect from accidental or deliberate damage to its confidentiality, integrity or availability.

    Some data-dependent organisations today – very (very) few though – have recognised the need for embedding security and have invested in digital systems that are fundamentally different in their approach. These systems codify security using data encryption, anonymisation, and access controls. They no longer rely solely on user behaviour or computing infrastructure.

    If we want to protect our digital economy we need to stop thinking of cybersecurity as a user problem, or as something that can be fixed through infrastructure. We need to start embedding it in digital business processes and systems.

    Just like the EH Holden had the potential to be much safer, all the tools for embedding safety into digital systems and data platform already exist – the missing piece is the realisation and will by industry and government to re-think, re-frame our cybersecurity strategy: it’s time to embed, not add on.

    Brian Grant is ANZ Director for Digital Security at Thales

    The post What the EH Holden can teach us about cybersecurity appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • DFAT cyber engagement strategy launched

    Australia has pledged $37.5 million to its regional neighbours to sure up their cyber defences and will seek to establish a new global agreement on responsible cyber behaviour, as part of a new international engagement strategy launched Wednesday by the government.

    Labor has criticised the plan for being months behind schedule, failing to support local institutions, and lacking “real action”.

    Developed by DFAT last year but only launched on Wednesday due to Foreign Affairs Minister Marise Payne’s “scheduling” issues, the International Cyber and Critical Technology Engagement Strategy outlines Australia’s plans to use cyber and critical technology in a “more dynamic and contested regional environment”.

    Marise Payne has launched Australia’s  International Cyber and Critical Technology Engagement Strategy, originally scheduled to be released last year.

    The original 2017 cyber engagement strategy has been expanded to include “critical technologies”, defined as technologies that have the capacity to significantly enhance or threaten national interests. They include things like AI, 5G IoT, quantum computing and synthetic biology as well as cyber security, according to the strategy.

    “Countries and companies at the cutting edge of innovation in these critical technologies often promote values that are at odds with our own,” Minister Payne writes in the new document’s forward.

    The three pillars of the strategy are values, security, and prosperity. Australia will pursue, support, and oppose efforts to undermine them, according to the plan.

    The strategy will be used to guide Australia’s international engagement “across cyber and critical technology issues” in the hopes of leveraging technological innovation while avoiding the risks it creates.

    As part of the strategy, the government announced a package of measures to support regional neighbours to build and maintain their own cyber resilience.

    Australia will co-sponsor a proposal to establish a new United Nations Program of Action for Responsible State Behaviour in Cyberspace. All UN members already agree the Charter of the UN in its entirety is applicable in cyberspace, but the Australian government will push for a new dedicated cyber behaviour program.

    Australia’s flagship Cyber Cooperation Program, established in 2016 to support the cyber resilience of countries in Southeast Asia and Pacific, has also been rebranded Cyber and Critical Tech Cooperation Program and will receive an “additional $20.5 million” in funding.

    But the program will drop pacific nations, which will now receive cyber support separately, including $17 million announced Wednesday to strengthen their capabilities and resilience.

    The government said it will also support partnerships between Australian and Indian universities through an Australia-India Cyber and Critical Technology Partnership program.

    “The Strategy’s aims, to strengthen national security, protect our democracy and sovereignty, promote economic growth, and pursue international peace and stability, are founded in Australia’s national interests,” Foreign Affairs Minister Marise Payne said in a statement.

    The Opposition have questioned the plan, however, saying it fails to support Australian institutions or show “real leadership”.

    A joint statement from Shadow Minister for Foreign Affairs Penny Wong and Shadow Assistant Minister for Cybersecurity Tim Watts said, “Many of Australia’s most significant social and economic opportunities, as well as geostrategic and security challenges, are currently unfolding through the prism of cyber and critical technologies.

    “Yet Australian industries and institutions have been left to go it alone. The strategy does not propose any new actions by the Morrison Government to tackle the billion-dollar wave of ransomware attacks Australian business are facing from international cybercrime groups.”

    Mr Watts last month told Parliament a lack of leadership on cybersecurity from the Morrison Government, including declining to attribute or seriously address major attacks publicly was putting Australians at risk.

    Labor has also released its own ransomware strategy which includes calls for diplomatic cooperation on practical measures to address global cybercrime. The party also wants democratic institutions considered critical infrastructure.

    In the joint statement, Mr Watts and Ms Wong said the latest engagement strategy represented more risky rhetoric and lacked practical measures.

    “In her speech launching the strategy, the Foreign Minister referenced cyber-attacks on the Australian Parliament and political parties, declaring that ‘attacks on democracy cannot go unchallenged’.

    “But the Morrison Government has never taken any action to challenge those responsible for the 2019 cyber-attacks on the Australian Parliament, nor has it publicly attributed responsibility — despite all its tough talk.”

    The post DFAT cyber engagement strategy launched appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Australia blames Russia for SolarWinds attack

    Australia has officially attributed the SolarWinds cyber attack to Russia and has committed to helping the US in holding the nation “to account” for the incident.

    Overnight US President Joe Biden signed an Executive Order declaring a national emergency to deal with the threat of Russia’s foreign interference, including “malicious cyber-enabled activities”.

    In a joint statement released late Thursday, Foreign Affairs Minister Marise Payne, Defence Minister Peter Dutton and Home Affairs Minister Karen Andrews condemned Moscow for a “harmful cyber campaign” against US firm SolarWinds.

    “Over the past 12 months, Australia has witnessed Russia use malicious activity to undermine international stability, security and public safety. Australia condemns such behaviour,” the Ministers said.

    “Russia’s campaign has affected thousands of computer systems worldwide. Australia acknowledges the high costs borne by the US private sector.”

    Marise Payne joined the Defence and Home Affairs Ministers in attributing the SolarWinds attack to Russia. Image: Ron Przysucha/United States Department of State.

    SolarWinds is a major IT firm that provides software to large companies and governments. A massive cybersecurity attack on the company spread to its clients last year and is believed to have exposed sensitive information held by the US government, including data of the US military and White House.

    Hackers from Russia were suspected almost immediately when the attack was first reported by Reuters in December last year. US security agencies first accused the Russian government of orchestrating the SolarWinds attack in January.

    But the attack was not officially attributed to the state actor until Thursday in a joint advisory from US intelligence firms that named Russian Foreign Intelligence Service actors APT29, Cozy Bear, and The Dukes as being supported by the Kremlin.

    US President Joe Biden also signed an Executive Order on Thursday condemning the Russian government’s foreign interference, including meddling in US elections and the facilitation of “malicious cyber-enabled activities against the United States and its allies and partners”.

    President Biden’s order includes a host of sanctions against Russia, escalating tensions between the superpowers.

    “The United States is not ready to come to terms with the objective reality that there is a multipolar world that excludes American hegemony,” a Russian government spokeswoman said.

    “We have repeatedly warned the United States about the consequences of its hostile steps, which dangerously increase the degree of confrontation between our countries.

    “A response to sanctions is inevitable.”

    The Australian government joined international partners in supporting the US to combat the SolarWinds incident in its joint statement on attack.

    “Australia welcomes private sector and government responders’ efforts around the world to expose and mitigate this threat and uphold the international norms of responsible behaviour in cyberspace,” the statement said.

    The post Australia blames Russia for SolarWinds attack appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Funding-starved National Archives struggles with cyber resilience

    The National Archives of Australia is struggling to maintain cyber resilience as the agency battles budget and staff cuts that are also putting important records at risk and slowing the work of researchers.

    But the government has rejected the idea the agency is under resourced, as it mulls major reforms recommend in a damming internal review of the National Archives handed to it more than a year ago.

    Significant vulnerabilities were identified by the ANAO in its 2018 review of the National Archives’ cyber resilience, which triggered the development of a cyber resilience framework and supporting plan.

    A subsequent, wider review of the agency in 2020 found implementation of the cyber strategy had been slowed by “funding pressures” and more resources were needed.

    The National Archives has warned it is struggling with cyber resilience

    The National Archives has lost between five and nine million dollars in funding each year for the last five years through government savings measures and increases to “efficiency dividends”.

    During Senate Estimates on Wednesday, National Archives director-general David Fricker answered questions about the review, which the government is yet to respond to despite receiving it more than a year ago.

    Mr Fricker confirmed  the agency was struggling with resourcing pressures which forced two rounds of redundancies since 2014 and limited upgrades of technology.

    The pressures are manifesting in three immediate areas of concern, according to the Archives director general.

    “The [three] areas where we are feeling the most pressure at the moment are maintaining our cyber resilience – so investments in our cyber security capability – [and] the preservation of records at risk … and keeping up with the demand for declassification of records,” Mr Fricker said.

    Mr Fricker explained there are many unique records at risk because of the format they are stored on. He said the agency needs to invest tens of millions of dollars more in technology and staffing to safely migrate and protect the records, which include indigenous cultural artefacts.

    Losing the records would constitute a breach of the Archives Act, a key concern raised by the internal review.

    Mr Fricker said resourcing pressures were also contributing to delays in assessing and releasing archives to researchers with a backlog now sitting at more than 20,000 applications.

    Despite the evidence presented, Assistant Minister to the Attorney-General Amanda Stoker rejected questions from Labor Senator Raff Ciccone about resourcing pressures compromising the National Archives, which is mandated to preserve records.

    “I don’t accept that they are in breach of the [Archives] Act. If there is evidence of that I will be interested in it. But I don’t accept the premise that the Archives are being starved [of funding],” Senator Stoker said.

    “They receive a considerable amount of resources annually for their important work.”

    Senator Stoker said the delay on a government response to the 2020 review was due to the significant changes it proposes for the National Archives. She said implementing “some version” of the recommendations would cost more than $200 million.

    She declined to set a date for the government’s response but said it can be expected by the end of the year.

    The post Funding-starved National Archives struggles with cyber resilience appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Govt signs Five Eyes ransomware pledge

    In anticipation of international borders reopening , Australia has recommitted to collaborating with its Five Eyes counterparts on migration, foreign interference, child exploitation and cybercrime – including the growing threat of ransomware which received a new dedicated agreement.

    In one of her first major moves as Home Affairs Minister, Karen Andrew’s met virtually with her Ministerial counterparts from the US, UK, New Zealand and Canada last week.

    “Cooperation with our trusted partners is critical to keeping Australians safe, particularly in the face of the ongoing COVID-19 pandemic,” Mrs Andrews said in a statement on Friday.

    “By working together and leveraging our collective knowledge and experiences we can better respond to threats here at home.”

    Karen Andrews
    Karen Andrews and Five Eyes countries pledge to work together on global challenges.

    The countries signed a new communiqué which includes commitments to share best practices on “innovative and effective border and migration measures” in response to the pandemic, countering foreign interference in academia and research and development, a global approach to combatting cybercrime and ransomware, and a feasibility study on a shared dataset for law enforcement agencies combatting child exploitation.

    “The whole world is eager to open up again, but it’s essential that we do it in a way that’s safe and sustainable,” Mrs Andrews said.

    “The development of international standards and best practice will be critical to ensure the resumption of large-scale international travel in the future.”

    A dedicated statement was issued for how the countries expect to tackle the growing threat of ransomware which was noted as a criminal threat but also a risk to national security, critical infrastructure and governments.

    Five Eyes countries committed to sharing lessons on ransomware and, where possible, aligning national policies, public messaging and industry engagement.

    The group also pledged to address the “underlying factors” of the issue, including reducing the public’s exposure to ransomware.

    Australia has identified the threat of ransomware most recently in a government advisory group report which urges Australian businesses to implement basic cybersecurity practices but includes no recommendations for governments or policies.

    The Opposition criticised the report and released its own paper calling for the government to develop a National Ransomware Strategy and take actions to reduce the attractiveness of Australian businesses for hackers.

    The final commitment in the Five Eyes agreement is to continue the global fight against child exploitation and abuse. The pandemic and new technologies are compounding the problem, the group said in the agreement which includes committing to a new feasibility study on a “specific combined dataset for use by our law enforcement agencies”.

    Five Eyes countries are also asking for more from the tech companies which provide the digital services perpetrators routinely exploit. While the agreement supports “strong encryption” and a collaborative approach between government and industry, Australia’s representative attacked social media companies and their encrypted services.

    “We all have a role to play in tackling this horrific behaviour, including technology companies who are neglecting their social responsibility to protect children online. Their use of end-to-end encryption is putting children’s safety at risk and precludes lawful access to data,” Ms Andrews said in her statement.

    “Our Government will continue to work with our trusted partners to pressure technology companies to address public safety challenges by building their systems and platforms with safety front of mind.”

    The post Govt signs Five Eyes ransomware pledge appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Procurement policy holds cyber startups back

    Australia’s cybersecurity startups have matured to a point where many have global potential. But a lack of support from the federal government in both policy and procurement is holding the sector back, according to a Melbourne cyber accelerator.

    CyRise chief executive Scott Handsaker says beyond the government’s AustCyber growth centre there is little in the way of support for early stage cyber companies.

    “Outside of that [AustCyber], the strategy from the Australian Government in not really focused on entrepreneurship,” Mr Handsaker told InnovationAus.

    “They don’t really see it as critical, which I think is wrong.”

    Cyber security industry policy
    Government procurement policy is getting in the way of startup growth

    The Australian government’s $1.7 billion cybersecurity strategy unveiled last year has been criticised for its lack of support for local industry.

    The vast majority of funding for the strategy had already been announced and is re-appropriated from the Defence budget. It provides little attention to the local cyber sector including no incentives for startups and tech companies.

    Experts have also pushed for a less fragmented approach to Australia’s cyber policies that sees cybersecurity as a national interest rather than a national security issue.

    CyRise was founded in 2017 through a partnership between Deakin University and global tech service firm NTT. The accelerator provides funding and support to cyber statups in exchange for a small equity stake, and has typically focused on early stage Australian companies in its four previous cohorts.

    Mr Handsaker, whose accelerator received support from the Victorian government to get started but now operates independently, says it is critical to support local cyber companies early on as their first customer is typically the hardest to get.

    A risk averse culture from the federal government, however, means large cyber multinationals get most of the work, leaving the procurement lever unpulled, according to Mr Handsaker.

    “From a government’s perspective, typically, they’re going to go with a really large company — often that’s a multinational company — so that they can feel confident and safe their services are going to be delivered. And that’s not always the case.”

    “… There’s enormous opportunity to drive innovation by using a procurement lever. At the moment, federally, whatever they’re doing it’s not working.”

    There is a similar challenge for cyber startups trying to work with risk averse large corporates in Australia, according to Mr Handsaker, who says big companies are typically more open to smaller partners in the UK, Israel and the UK.

    CyRise seeks to address the reluctance through the network partnerships it provides its cohorts, including the latest round announced this week.

    The accelerator is taking on board five companies ranging from drone security to developer skills in its fifth and latest cohort. CyRise invests $50,000 into each team and provides a 14 week program. The companies are:

    • Dronesec: a cyber-uav firm providing security and threat intelligence for drones and drone operations.
    • Safestack: The startup’s academy trains developers, testers, analysts and architects in security skills to design, build and deploy secure, high quality software at speed.
    • Cyamast: an Australian cybersecurity technology and analytics company that has developed a new approach to asset visibility and anomaly detection for connected devices.
    • Byte25: a network monitoring solution providing comprehensive visibility of network security, performance and end user experience.
    • Traild: an AI-driven security product that patrols the payment workflow to protect businesses from business email compromise, insider fraud, supplier fraud and other threats.

    “The quality of the teams just continues to rise,” said Mr Handsaker.

    “100 per cent of the teams coming into the program have existing revenue, with more than half having customers spread across multiple countries.”

    The post Procurement policy holds cyber startups back appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Govt’s global cyber strategy delayed by ‘busy’ parliament

    The government is still yet to publish Australia’s 2020 international cyber engagement strategy, four months past its scheduled release and three and a half years on from the inaugural strategy.

    The strategy is currently with the government for consideration, but has apparently been accepted and is already informing Australia’s international cyber relations. Its absence has prompted renewed concerns from the Opposition about the “disarray” of Australia’s cybersecurity policies.

    The International Cyber Engagement Strategy was developed and launched by the Department of Foreign Affairs and Trade in 2017 along with the appointment of Dr Tobias Feakin as the Ambassador for Cyber Affairs and Critical Technology.

    The strategy is intended to guide global and regional engagement across the full range of Australia’s interests in cyber affairs and is scheduled to be revisited every three years to adjust its settings.

    2020 Cybersecurity strategy
    An international engagement strategy for Australia’s cyber affairs remains unpublished months after its scheduled release.

    A new 2020 strategy has been with government for consideration since last year and was scheduled to be launched at the end of the final Parliament sitting week in December.

    During Senate Estimates last month, Dr Feakin said the new strategy is already informing a range of ongoing work by DFAT but a “particularly busy parliamentary activity week” last year meant a “short postponement” to the official launch was necessary.

    “We’re in discussions about a suitable date,” Dr Feakin told the Estimates hearing.

    Foreign Affairs Minister Marise Payne said that she had delayed the launch because of “timing and the scheduling issues”.

    A DFAT spokesperson confirmed the updated strategy is now in use but did not respond to questions on when it will be launched or when it was first provided to government.

    “The International Cyber and Critical Technology Engagement Strategy continues to inform DFAT’s active program of international engagement in pursuit of a safe, secure and prosperous Australia, Indo-Pacific and world,” the spokesperson told InnovationAus.

    The work influenced by the unpublished strategy includes the recent launch of a Quad Critical and Emerging Technology Working Group, following a March meeting of the US, Japan, Australia and India, as well as DFAT’s ongoing work to “build the cyber resilience of regional partners”, according to the spokesperson.

    Shadow Assistant Minister for Cyber Security Tim Watts said the response from the department official and the Minister for Foreign Affairs during Estimates last month highlighted the “the disarray that is cybersecurity policy in the Morrison Government”.

    “It seems incredible that an important government strategy has been sitting in a drawer gathering dust for four months because the Minister is too ‘busy’ to launch it,” Mr Watts told InnovationAus.

    “Australians deserve better than these excuses when it comes to an issue as critical as cyber security.”

    First developed in 2017, Australia’s International Cyber Engagement Strategy was broadened to include critical technology in the 2020 update.

    Public submissions for to the 2020 strategy closed in June 2020 and included stakeholder input from academics, civil society groups, Big Tech and cyber companies among 31 submissions. DFAT also engaged with 18 Commonwealth departments on the new strategy, which supersedes the 2017 plan.

    Since the strategy was originally scheduled to be released last year, a series of high profile international cyber attacks have occurred, including the Microsoft Exchange exploit which led to a breach of Western Australia’s parliamentary email network and a SolarWinds software exploit which provided attackers access to US government networks.

    While China and Russia have been the respective suspects of the two incidents, Australia has yet to attribute either cyber attack. Dr Feakin told Estimates DFAT’s increasing preference is to make attributions in partnership with allies, but the department was yet to go through any multilateral attribution processes.

    The post Govt’s global cyber strategy delayed by ‘busy’ parliament appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Govt’s global cyber strategy delayed by ‘busy’ parliament

    The government is still yet to publish Australia’s 2020 international cyber engagement strategy, four months past its scheduled release and three and a half years on from the inaugural strategy.

    The strategy is currently with the government for consideration, but has apparently been accepted and is already informing Australia’s international cyber relations. Its absence has prompted renewed concerns from the Opposition about the “disarray” of Australia’s cybersecurity policies.

    The International Cyber Engagement Strategy was developed and launched by the Department of Foreign Affairs and Trade in 2017 along with the appointment of Dr Tobias Feakin as the Ambassador for Cyber Affairs and Critical Technology.

    The strategy is intended to guide global and regional engagement across the full range of Australia’s interests in cyber affairs and is scheduled to be revisited every three years to adjust its settings.

    2020 Cybersecurity strategy
    An international engagement strategy for Australia’s cyber affairs remains unpublished months after its scheduled release.

    A new 2020 strategy has been with government for consideration since last year and was scheduled to be launched at the end of the final Parliament sitting week in December.

    During Senate Estimates last month, Dr Feakin said the new strategy is already informing a range of ongoing work by DFAT but a “particularly busy parliamentary activity week” last year meant a “short postponement” to the official launch was necessary.

    “We’re in discussions about a suitable date,” Dr Feakin told the Estimates hearing.

    Foreign Affairs Minister Marise Payne said that she had delayed the launch because of “timing and the scheduling issues”.

    A DFAT spokesperson confirmed the updated strategy is now in use but did not respond to questions on when it will be launched or when it was first provided to government.

    “The International Cyber and Critical Technology Engagement Strategy continues to inform DFAT’s active program of international engagement in pursuit of a safe, secure and prosperous Australia, Indo-Pacific and world,” the spokesperson told InnovationAus.

    The work influenced by the unpublished strategy includes the recent launch of a Quad Critical and Emerging Technology Working Group, following a March meeting of the US, Japan, Australia and India, as well as DFAT’s ongoing work to “build the cyber resilience of regional partners”, according to the spokesperson.

    Shadow Assistant Minister for Cyber Security Tim Watts said the response from the department official and the Minister for Foreign Affairs during Estimates last month highlighted the “the disarray that is cybersecurity policy in the Morrison Government”.

    “It seems incredible that an important government strategy has been sitting in a drawer gathering dust for four months because the Minister is too ‘busy’ to launch it,” Mr Watts told InnovationAus.

    “Australians deserve better than these excuses when it comes to an issue as critical as cyber security.”

    First developed in 2017, Australia’s International Cyber Engagement Strategy was broadened to include critical technology in the 2020 update.

    Public submissions for to the 2020 strategy closed in June 2020 and included stakeholder input from academics, civil society groups, Big Tech and cyber companies among 31 submissions. DFAT also engaged with 18 Commonwealth departments on the new strategy, which supersedes the 2017 plan.

    Since the strategy was originally scheduled to be released last year, a series of high profile international cyber attacks have occurred, including the Microsoft Exchange exploit which led to a breach of Western Australia’s parliamentary email network and a SolarWinds software exploit which provided attackers access to US government networks.

    While China and Russia have been the respective suspects of the two incidents, Australia has yet to attribute either cyber attack. Dr Feakin told Estimates DFAT’s increasing preference is to make attributions in partnership with allies, but the department was yet to go through any multilateral attribution processes.

    The post Govt’s global cyber strategy delayed by ‘busy’ parliament appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Danger lurks in organisations’ hunger for data

    Organisations across the board are slow to recognise that the data that is now fundamental to their operations has also opened them up to huge risks and vulnerabilities.

    As a result, companies are failing to factor in basic data protection and cyber security infrastructure into their decision making at the highest levels.

    The costly consequences of organisations’ appetite for data without implementing adequate safeguards have been evident in legislative penalties imposed by various governments on some of the world’s biggest corporations for failing to protect customer data and privacy.

    Mike Trovato, James Riley, Thomas Fikentscher
    Bridging the Cyber Divide: Mike Trovato, James Riley, Thomas Fikentscher

    In the Navigating Privacy and Law episode of the Bridging the Cyber Divide series, Mike Trovato, managing director of Information Integrity Solutions and lead security advisor and Internal Consulting Group’s global practice leader for cybersecurity, said the past year had seen Google fined €50m by the French regulator, and the UK regulator fined British Airways £183m and Marriott International £99m.

    “It was good to see regulation having some teeth,” he said. “It got everyone’s attention and is getting people to take this more seriously, and to take important actions with respect to privacy and security.”

    Meanwhile, competitive pressures and opportunities are driving organisations to gather more and more data. Thomas Fikentscher, regional director ANZ, at CyberArk, said organisations were struggling to put in place the policies and procedures needed to handle the data being collected to serve business initiatives.

    “Organisations need to find a way to shift their revenues online, but that comes with risk. They must collect a lot of data, and not just personal data. The problem is that they can only use that data for certain purposes, for example can they share it with their supply chain?

    “That part of the equation is not properly set into policies and measured against certain standards around privacy, data security and data access. It’s an area where we need to have a lot more discussion; where there are many more risks that need to be measured and need to be managed.”

    Mr Trovato said compliance with data regulations was now one of the biggest challenges facing businesses – the danger has gone beyond simply a failure of compliance to represent an existential threat to organisations.

    “The compliance issue is multifaceted and complex – it’s difficult to overlay it onto an organisation,” he said. “And there is a broad set of issues around shared risk – where what I do in my organisation can impact your organisation, and so forth. We’re really looking at an entire ecosystem.”

    He said consumers had a right to expect businesses to do more to protect their personal data. “We have the expectation of safe vehicles and safe aeroplanes and so forth. But for some reason, in the area of information technology (IT), we expect the consumer to take a significant responsibility in managing the safety of our products. I think the world of IT has to do better.”

    Mr Fikentscher said organisations had been slow to implement security commensurate with the risks created by their hunger for data.

    “We’re still in catch up mode,” he said. “Organisations want to move ahead, because of the business opportunity.

    “Retail organisations, for example, collect a huge amount of data – they’re giving out loyalty cards, trying to understand who you are, what are your preferences, and monitoring your behaviour when they offer you certain things. They’re collecting all this information because it’s all about creating new digital experiences.”

    He said that by doing that, and by being more reliant on the technology, they are creating an increasing amount of risk for their businesses, because a single breach – that gives someone access to that data – can severely disrupt them.

    According to Mr Fikentscher, the data security and liability should be standing items on every company’s monthly board meeting.

    “Security considerations should be part of digital transformation initiatives from the beginning, but it is still not front of mind for most people. Revenue is the driving factor, but revenue could be severely compromised if they don’t get cyber security right.”

    Mike Trovato meanwhile said his own investigations had revealed many examples of very poor data security.

    “I’ve gone into organisations and tried to see if they are leaking personal information, or if I can obtain it through an attack. Almost every organisation fails both those tests. We need to do a much, much better job to protect information.”

    There are some signs of progress, according to Mr Trovato. “We are seeing organisations that are a bit more forward thinking and doing some good privacy-by-design work, leveraging legislation. For example, the legislation around the Commonwealth COVID app is probably the strongest privacy legislation in the world.”

    A key pillar to Australia developing a robust cyber security industry is the mechanisms used to rigorously protect citizen data and information, both at a public and private level.

    The increased reporting and disclosure of data breaches and identifiable information, locally and globally, has kept a focus on data privacy but there’s a lot more work that needs to be done.

    The Bridging the Cyber Divide series is produced as a partnership between InnovationAus and CyberArk.

    The post Danger lurks in organisations’ hunger for data appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • NSW readies state overhaul of cyber defences

    A NSW parliamentary inquiry has recommended an overhaul of the state government’s cybersecurity strategy and a review of its cyber policies in the wake of a serious data breach that resulted from cyber risks being ignored.

    Nearly a year after a cyberattack on Service NSW that allowed hackers to access millions of internal documents, the incident is yet to be fully addressed.

    Risky data practices have continued and thousands of NSW citizens whose data was involved were not notified. The breach is expected to cost the service agency at least $30 million.

    The incident may have been prevented had the agency addressed the cyber risks it identified a year earlier, according to a NSW Upper House inquiry that has now called for structural changes.

    NSW Parliament
    NSW Parliament: An inquiry has made recommendations about cyber defences

    Recommendations include strengthening the mandate and resourcing of Cybersecurity NSW, including moving the function from the Department of Customer Service to the Department of Premier and Cabinet.

    Doing so would provide much needed independence from the state’s service providers, the inquiry found.

    Of “urgent” importance is the establishment of a mandatory data breach notification scheme applicable to all NSW agencies and its contracted service providers, and a formal process for assisting people affected by a data breach, the committee said.

    Currently neither measure exists in the state, an absence that contributed to enablement and poor handling of the Service NSW data breach that sparked the inquiry.

    “The committee found that this attack was enabled by practices and systems within Service NSW that did not accord with best practice cyber security measures,” Committee Chair Tara Moriarty wrote in the report foreword.

    “Compounding this incident, Service NSW was aware of the risks that led to the attack some 12 months earlier but had not acted sufficiently to address them.”

    A targeted phishing attack on the service agency in March and April last year compromised data of more than 100,000 people when attackers gained access to Service NSW employee email accounts.

    It took Service NSW three weeks to verify the incident and notify the minister. It took months more to notify users of Service NSW whose data had been exposed. And nearly a year after the incident, 20 per cent to 30 per cent of those affected had still not been notified.

    A review of the incident by the NSW Auditor General in December found it was “unclear” why Service NSW had not effectively mitigated the risk prior to the breach.

    Service NSW identified risks including a lack of multifactor authentication a year prior to the breach and had committed to addressing them in 2019 but failed to do so until after major incident in 2020.

    “Service NSW is not effectively handling personal customer and business information to ensure its privacy,” the Auditor General concluded. “It continues to use business processes that pose a risk to the privacy of personal information.”

    Service NSW chief executive Damon Rees told the parliamentary inquiry in February the agency has continued to use at least one high risk practice – sending personal information via email – as it worked on more secure alternative. But he insisted many of the risks have now been mitigated.

    Other recommendations from the inquiry include a review of the “responsibility and resourcing” of the NSW privacy watchdog; more work from the government with industry to develop a cybersecurity skills framework; more clarity on cyber standards including mandatory ones for government agencies; investigating ways to improve the security of IoT devices; a strategy for improving the cyber safety of citizens; and more support to local councils to enhance their cyber capabilities.

    The Committee also recommended the NSW government develop a strategy to enhance sovereign cyber security capability by building the local industry and establishing principles for procuring services onshore.

    The post NSW readies state overhaul of cyber defences appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • A cyber-savvy nation through reskilling

    So great is the shortage of cybersecurity skills in Australia that organisations have no hope of recruiting the people they need and must instead resort to casting a wider net and training suitable candidates with the skills needed to combat the growing threats they now face.

    That’s the view of Professor Richard Buckland, professor in cybercrime cyberwar and cyberterror at the School of Computer Science and Engineering at the University of New South Wales (UNSW) and director of SECedu, the Australian Cybersecurity Education Network.

    In Scaling Cyber Skills, an episode of the Bridging the Cyber Divide video series produced as a partnership between InnovationAus and CyberArk, Prof Buckland said there were 600 students undertaking cybersecurity training at UNSW – a twelvefold increase in five years – and all already had jobs to go to.

    CyberArk
    Nationwide reskilling: Bruce Nixon, James Riley and Richard Buckland on cyber skills

    “I get people all the time saying, ‘Can you give me your best students, I’ve got buckets of money,’ and I have to say, ‘I can’t even give you my worst students – they’re already gobbled up even before they graduate’,” he said.

    A report published last month by RMIT and Deloitte Access Economics estimated that 87 per cent of jobs in Australia required digital skills, and the country needed 156,000 new technology workers to keep pace with the rapid transformation of businesses.

    An even greater shortage was identified by AlphaBeta in a study commissioned by AWS. It estimated Australia would need an additional 6.5 million newly skilled and reskilled digital workers by 2025, a 79 per cent increase.

    A more precise measure of the shortage of cybersecurity skills, by both skill and location, is provided by CyberSeek, a tool created by cybersecurity company CyberCX and the Australian Cyber Security Growth Network, AustCyber. It has developed a heatmap that show cybersecurity job openings in Australia by location and specialisation.

    It says from October 2019 to September 2020 there were 4,500 openings for IT security specialists, but only 4,100 workers currently employed in those positions, “an annual talent shortfall of 400 workers for cybersecurity’s largest job”, and that there were “11,700 additional openings requesting cybersecurity-related skills, and employers struggling to find workers who possess them”.

    Train up to fill cyber positions

    Prof Buckland recommended employers should seek to meet their cybersecurity skill needs by training up suitable employees. He said graduates from cybersecurity courses were not necessarily ideal cybersecurity employees: “There is a lot we can teach them theoretically, but cybersecurity is a discipline, a profession. There is no better way of becoming finished than being trained by someone who is an expert in the field under a sort of apprenticeship model.”

    Bruce Nixon, partner manager lead, Australia and New Zealand with privileged access management company CyberArk, agreed. He said organisations had to resort to identifying and training suitable candidates, and technology could enable those people to become more effective quicker.

    “You have to think outside the square in terms of how you’re going to actually establish the skill set,” he said.

    “You need to incorporate a training mentality – you might not necessarily find that perfect person in the industry – and we can provide enablement tools that will make it easier to find someone with domain expertise and evolve them into having those very specialist skills.”

    Subsidy for cyber training proposed

    However, Mr Nixon acknowledged that this approach would not work for smaller enterprises that did not have the domain expertise, the budget, or the need for full-time IT people. He canvassed the idea of the government “providing cybersecurity training free-of-charge to the mid-market and to small enterprises to allow them to consume high-quality training”.

    He is not alone. The Australian Government recently announced the Cyber Security Skills Partnership Innovation Fund, with grants of between A$250,000 and $3 million, “to improve the quality and availability of cyber security professionals through training”.

    This prompted a call for a program that would subsidise training for SMEs, which would raise the general level of cybersecurity understanding among the wider workforce.

    Prof Buckland said digital technology was now so pervasive that everyone needed some level of competence in cybersecurity, and UNSW had several initiatives towards this goal.

    “We’re teaching our law students cyber, and lawyers are teaching some of our cyber students about cyber law,” he said. “We’ve created our courses so that everyone can take them, and insert them into their degrees within UNSW. We also run free courses in basic cyber literacy.”

    The speed with which the cyber security landscape is changing has put constant pressure on the availability of skilled cyber professionals. With borders now closed to skilled migration and any boost to the experienced employees not likely to come from overseas in the next 12 months at least, how does Australia find the skills required for the future of work and addressing the current shortage of skills?

    The Bridging the Cyber Divide series is produced as a partnership between InnovationAus and CyberArk.

    The post A cyber-savvy nation through reskilling appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Govt fails to meet own cyber standards: ANAO

    None of the government entities recently examined by an Australian National Audit Office review have fully implemented the mandatory cyber security risk mitigation strategies developed eight years ago to safeguard the information they hold.

    The mandatory mitigation strategies are basic: application whitelisting, patching applications, restricting administrative privileges, and patching operating systems.

    Two of the entities that had self-assessed full implementation for one or more of the mandatory mitigation strategies – the Department of the Prime Minister and Cabinet and the Attorney-General’s department – did so inaccurately in the 2018/19 financial year.

    The Prime Minister’s department claimed full implementation of the four strategies at the time, but the audit office has discovered it had not fully implemented the mitigation strategy for restricting administrative privileges.

    Parliament
    Massive problem: Auditor General says government failed to meet its own cybersecurity standards

    The opposition says the report is damming and reveals the exposure of sensitive information across government agencies.

    The Australian National Audit Office (ANAO) late on Friday afternoon released its findings from an audit of nine government entities, including the three with responsibilities for the whole-of-government cyber security policy and support.

    The Attorney-General’s Department (AGD); Australian Trade and Investment Commission (Austrade); Department of Education, Skills, and Employment; Future Fund Management Agency; Department of Health; IP Australia; and Department of the Prime Minister and Cabinet (PM&C) were all examined.

    The Department of Home Affairs and the Australian Signals Directorate were also included in the review, but their cyber mitigation strategies were not assessed.

    All the entities examined by the Auditor General have agreed to its recommendations to improve cyber resilience.

    But those with the most responsibility – the ASD, Home Affairs and the AGD – have only “noted” the recommendation to introduce more accountability for implementation of cyber security requirements, arguing that is a task for the government and regulators.

    The findings reveal a failure to accurately self-assess the implementation of critical mitigation strategies in some entities and a majority reporting “Ad hoc” or “Developing” maturity levels of cyber mitigation.

    None of the three entities examined for cyber resilience – the PM&C, AGD and the Future Fund – were considered either cyber secure or cyber resilient by the Auditor General.

    Since 2013 the Australian government has mandated the implementation of at least the “Top Four” cyber mitigation strategies by non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF) and its revised Policy 10.

    Only 24 per cent of non-corporate Commonwealth entities were compliant with the mandatory Top Four mitigation strategies in ANAO performance audits since 2014.

    There are a further four that are strongly encouraged, making up the “Essential Eight” mitigation strategies.

    But several audits have revealed low levels of compliance with even the mandatory four, leading to the Auditor General being asked to conduct another audit on the effectiveness of the PSPF self-assessment and reporting requirements, as well as the responsible agencies’ role in improving compliance.

    According to an audit released on latest review, “The implementation of cyber security risk mitigation strategies by the selected entities was not fully effective and did not fully meet the mandatory requirements of PSPF Policy 10”.

    The poor levels of compliance come despite warnings from Australian cyber and spy agencies that malicious cyberattacks are increasing in frequency, scale and sophistication.

    In the last financial year Australian government entities reported 436 cyber security incidents to the Australian Signals Directorate.

    In December a government-led parliamentary committee called for annual reviews to be conducted into the cyber resilience of Commonwealth entities flagging the same lack of compliance highlighted by the Auditor General.

    Shadow assistant minister for communications and cybersecurity Tim Watts said the report showed the Morrison government is failing to “do the basics” on cybersecurity.

    “How can the Morrison Government claim any credibility on cyber security when it can’t even implement its own cyber security standards across government?” Mr Watts told InnovationAus.

    “These are some of our most sensitive government departments. It’s not good enough that they are left exposed.

    “Once again we see the Morrison Government loves a cyber security media event, but isn’t there for the delivery.”

    The post Govt fails to meet own cyber standards: ANAO appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Hastie urges unity to combat rising cyber threats

    Assistant Defence Minister Andrew Hastie and the head of the Australian Cyber Security Centre (ACSC) have called on Australia’s cybersecurity community to unite against growing threats as more people go online, including criminals and state-based actors.

    The ACSC is increasingly turning to industry partners to mitigate cyber risks as it deals with more than 60,000 reports of cybercrime each year, and acknowledges more upgrades are needed to improve its “already stretched” support service.

    Speaking at the Australian Information Security Association (AISA) conference in Canberra on Tuesday, Mr Hastie said Australia’s sovereignty depended on its ability to thwart cyber-attacks, and it required government, industry and academia working “hand in glove”.

    Parliament
    Cyber alerts: Andrew Hastie has called for industry to come together to address threats

    “Cyber is the new battlefield, and whether we like it or not, we’re all joined in an online contest to preserve our personal security but also our digital sovereignty as a country.

    “And we cannot be complacent. It is essential we consider cyber security when we talk about Australia’s national security, our innovation and prosperity. And a major cyber-attack would have a devastating impact on our economy, our security and our sovereignty.”

    Mr Hastie told delegates it is also important to adopt proper cyber hygiene, including the current push to “mainstream” risk mitigation strategies like multifactor authentication.

    The Australian government consulted with 1,400 cyber stakeholders through its business led industry advisory panel in 2019. The recommendations informed a $1.67 billion 2020 Cyber Security Strategy to be delivered over 10 years.

    A subsequent Industry Advisory Committee, also led by big business, has been tasked with guiding the implementation of the strategy. The committee’s first report into ransomware and the basic steps business can take to mitigate risks was criticised by the opposition as a “missed opportunity” that lacked government policy and instead put pressure on the business community.

    The debate around Australia’s approach comes as cyberattacks increase in frequency, scale and sophistication.

    According to Mr Hastie, cyber criminals and state-based actors are focused on the “irresistible targets” of digital supply chains, with Australian cyber agencies now receiving more than 60,000 cybercrime reports a year.

    “We must combine our knowledge and our expertise as well as our unique insights and capabilities to detect and respond to this broad and evolving threat landscape,” Mr Hastie said.

    Head of the ACSC, Abigail Bradshaw, said her organisation is working to increase industry partnerships, and the size of its partnership program has more than doubled since she arrived in March last year.

    The increased collaboration is evolving the way the ACSC delivers advice to Australians, according to Ms Bradshaw, who noted the current approach is encountering hurdles as the organisation deals with a cybercrime report on average once every eight minutes.

    We’re preparing to initiate new call centre arrangements to expand our already stretched 24 hour watch force to enhance cybersecurity assistance the ACSC provides to all Australians, and with a specific focus on some of those most vulnerable to the small to medium enterprise sector.

    The cyber organisation is also currently working on a “significant evolution” to its cyber threat sharing platform. An updated “bidirectional” platform will be able to share emerging threats between the ACSC and Australian public and private organisations at “machine speed and scale”.

    The post Hastie urges unity to combat rising cyber threats appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Vic privacy breach of vulnerable youth data

    A youth case worker stood down from a Victorian health department service provider on suspicion of accessing child pornography continued to access sensitive information about clients for months afterwards, according to a data breach inquiry into the incident.

    Failings in the department’s privacy protections meant the man – who was also subject to a separate investigation into an alleged child sex offence – had unauthorised access to the personal information of dozens of vulnerable people for more than a year, according to the report which found “serious” contraventions of Victorian privacy principals by the department.

    Details of the incident, which occurred between 2017 and 2018, have been revealed in a report into the data breach by the Victorian Information Commissioner, which held back the report due to separate police investigations and a trial of the former case worker.

    Parliament House Melbourne, VIC
    Spring Street: Melbourne rocked by privacy breach of vulnerable youth data

    The man, named as ‘B’ in the report, was employed by a service provider contracted by Victoria’s Department of Health and Human Services (DHHS), now known as Department of Fairness, Families and Housing.

    B worked for over a year for the service provider, which was administering the DHHS’s Finding Solutions program, a Victorian government early intervention initiative to keep young people and families out of the child protection and out-of-home care systems.

    In that role B had access to the DHHS maintained Client Relationship Information System for Service Providers (CRISSP). Records held in CRISSP include names, addresses, DOBs, relationships, case notes, and any history of sexual abuse or exploitation.

    The man ceased working for the service provider around September 2017 but his access to CRISSP was not revoked despite formal procedures requiring so.

    About five months later police found child pornography on a laptop owned by B but could not prove it belong to him because of multiple user accounts on the computer. Police told the DHHS that they had “serious concerns about B’s access to vulnerable and at-risk children”, according to the report into the data breach.

    By then B was working for another youth service provider, also managed by the DHHS but via a separate division. The DHHS notified the provider of B’s suspected access to child pornography and he was stood down.

    However, the DHHS did not discuss B’s access to the CRISSP system as he had not required it in the new role. He was able to continue accessing the records until October 2018 when a staff members from two service providers noticed B had accessed their clients’ files.

    When notified, the DHHS revoked B’s access, more than a year after it should have been when he left the original service provider. By then, though, B had had accessed CRISSP 260 times

    involving 27 clients. B also conducted 150 searches of the client record system, on each occasion accessing the personal and sometimes sensitive information of vulnerable people.

    On Thursday Victoria’s information commissioner released his report into the data breach, finding both the DHHS and the service provider that initially provided B access to the CRISSP had failed to take reasonable steps to protect personal information in the records system.

    “The [Privacy and Data] Deputy Commissioner found that both DHHS and the [contracted service provider] contravened the [Information Privacy Principles] and issued a compliance notice against DHHS,” Victorian Information Commissioner Sven Bluemmel wrote in the report.

    The service provider has already implemented the privacy watchdog’s recommendations while the DHHS is on schedule to complete all the specified actions required by the compliance notice.

    Under the compliance notice the DHHS must:
    • Implement a risk tiering framework for contracted service providers delivering the Finding Solutions program
    • Update and simplify its contractual framework and guidance material for CRISSP
    • develop training that is specifically directed at the information security and privacy obligations of systems administrators and organisation authorities
    • implement a procedure to periodically check the currency of user lists for CRISSP

    Commissioner Bluemmel said the finding shows public sector organisations can’t outsource their privacy responsibilities.

    “Outsourcing arrangements cannot be ‘set and forget’.”

    “When a government agency shares personal information and system access with its contractors, the agency retains both a legal and a moral duty to protect the personal information it collects, uses, holds, and discloses. Government organisations can outsource the management of a program, but they cannot outsource this responsibility.”

    The post Vic privacy breach of vulnerable youth data appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Ransomware report a ‘missed opportunity’: Watts

    A government advisory group’s report on ransomware calling on Australian businesses to implement basic cybersecurity practices to mitigate risks is a “missed opportunity”.

    The Cyber Security Strategy Industry Advisory Committee, formed late last year and dominated by big business, released a report on Wednesday outlining the threat posed by ransomware, and the basic steps businesses can take to mitigate the risks.

    In contrast to a paper on the ransomware scourge released by the Opposition last month, the government’s expert committee does not include any recommendations for government or any calls for new policies. Rather, it focuses on what businesses should be doing, such as implementing the Essential Eight baseline features.

    Cyber threats: A government expert panel has no recommendations for ransomware policy

    The recommendations include basic steps such as multi-factor authentication, regularly updating software, training staff in cybersecurity, data lifecycle management, backing up data and built-in security features.

    The report has been backed by Home Affairs minister Peter Dutton, who is responsible for cybersecurity, saying businesses should move to implement the recommendations quickly.

    “Cyber criminals continue to see Australian businesses as an attractive target and ransomware is a particularly disruptive form of cyber-attack that can have devastating impacts,” Mr Dutton said.

    “The good news is that many ransomware attacks can be avoided by implementing basic cybersecurity controls and I urge businesses to take the time to review the advisory committee’s advice.

    The Labor discussion paper, released by shadow assistant minister for cybersecurity Tim Watts, instead calls on the government to develop a National Ransomware Strategy and take actions to reduce the attractiveness of Australian businesses for hackers.

    The advisory committee’s ransomware report “falls short of acknowledging the scale of the $1 billion problem”, Mr Watts said.

    “Instead of using the opportunity to launch a debate about the role government can play in shaping the calculus of ransomware gangs sizing up Australian organisations, the Morrison government continues its approach of playing the blame game,” Mr Watts said.

    “It’s not good enough to tell businesses to defend themselves by ‘locking their doors’ to cyber-criminal gangs. The Morrison government must do more to actively tackle the ransomware threat and develop a National Ransomware Strategy.”

    The committee, which originally offered recommendations on the development of the 2020 cybersecurity strategy, has been criticised for being dominated by big business interests, although representatives from some smaller cyber firms have since been added.

    The committee is chaired by Telstra chief executive Andrew Penn, and includes representatives from NBN Co, Northrop Grumman Australia, PwC and Macquarie Group. It also includes AUCloud chair Cathie Reid and FibreSense chair Bevan Slattery.

    The 14-page paper warned ransomware is one of the “most immediate, highest-impact cyber threats to Australia”, and said that Australian businesses can’t be complacent, and must take action and understand their legal and regulatory obligations around the issue.

    Along with the Essential Eight mitigation strategies, the committee also called for companies to ensure boards are aware of the risk and actively addressing it, and that cyber insurance isn’t relied upon as a strategy in itself.

    “Ransomware is one of Australia’s fastest growing threats as business spends more and more time participating in the digital economy,” Mr Penn said.

    “There are countless businesses that are attacked every day in Australia, and, in some cases, those victims could have prevented or minimised the financial loss and emotional impact they faced through the use of simple cybersecurity controls and employee education.

    “This paper is an important contribution to helping Australian businesses understand the risks of ransomware and prepare accordingly by drawing from the committee’s diverse experience.”

    Mr Watts’ ransomware paper instead focused on what actions the federal government could take to mitigate the risk and make Australia a less attractive target for malicious cyber actors.

    These policy recommendations included increased law enforcement, targeted international sanctions, offensive cyber actions and the regulation of ransom payments.

    “Ransomware is a jobs and investment destroyer at a time when the nation can least afford it. We need a new approach. It’s past time the Morrison government developed a comprehensive national ransomware strategy,” Mr Watts said.

    The post Ransomware report a ‘missed opportunity’: Watts appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • SAFEnet concerned Jakarta’s virtual police unit may create ‘Orwellian state’

    Asia Pacific Report

    The Southeast Asia Freedom of Expression Network (SAFEnet) – an institution concerned with freedom of expression in the digital world – has criticised Indonesia’s newly established virtual police (VP) unit formed under the national police headquarters that is tasked with monitoring the activities of netizens.

    The programme, the brainchild of Indonesian police chief General Listyo Sigit Prabowo, was formed to prevent indictments under the Information and Electronic Transaction Law (UU ITE).

    SAFEnet executive director Damar Juniarto is concerned however that instead of providing a sense of security the virtual police would in fact give rise to new fears.

    The reason being that virtual police officers would intrude too far into the private lives of citizens in the digital sphere.

    “This will instead give rise to new fears, where the police can appear at any time in citizen’s private [digital] space,” said Juniarto when contacted by CNN Indonesia last week.

    Juniarto said that it was if the virtual police were reviving an Orwellian state. The term Orwellian state refers to a system and public situation that is anti-freedom and anti-openness and is taken from a fictional work by author and journalist George Orwell.

    One of the criteria for an Orwellian state is when the state continuously monitors what is being done by its citizens.

    ‘Correcting’ citizens
    In such a situation, continued Juniarto, the state can directly correct citizens who are deemed to be in error. Instead of feeling protected, people will in fact feel threatened and fearful.

    “Even without this direct police presence, people are already afraid of the threat of the UU ITE [being used against them], never mind with methods such as this,” he said.

    Not only that, Juniarto emphasised that the virtual police negate the space for people to defend themselves if a posting on the internet is deemed to be hate speech or violate the ITE Law.

    The virtual police, according to Juniarto, would in fact negate the judicial process so people would only have one option – to obey or be punished.

    Juniarto revealed that the virtual police’s presence have already turned people’s discussions in digital space into something has to be treated or cured. He is also concerned that they would destroy the climate of discussion and debate on digital media.

    “So the VP needs to be corrected so their implementation prioritises education, not appearing as a figure which wants to punish disobedient citizens,” said Juniarto.

    Earlier this week, the police officially launched the virtual police unit to monitor potential violations of the ITE Law on the internet.

    Healthy cyber world
    According to national police spokesperson Inspector General Argo Yuwono, the virtual police’s presence in digital space is a form of maintaining security and public order so that activities in the cyber world can be clean, healthy and productive.

    “Through the virtual police, the police will provide education and notifications if what is written is a criminal violation, request that it not be written again and be deleted,” Yuwono told journalists.

    According to Yuwono, the virtual police had already sent warnings to three accounts recently. One of the accounts had posted a picture with the caption “Don’t forget I’m a thief”.

    “Virtual police alert. Warning 1. The content on your Twitter account uploaded on February 21, 2021, at 3.15 pm local time has the potential to be criminal hate speech.

    “In order to avoid further legal proceedings you are asked to make a correction to the social media content after you have received this message. Salam Presisi [predictability, responsibility, transparency, justice],” said Yuwono reading out the contents of the warning.

    Translated by James Balowski for IndoLeft News. The original title of the article was “SAFEnet Kritik Aksi Virtual Police Terobos Ruang Privat Warga”.

    This post was originally published on Asia Pacific Report.

  • Govt must help business tackle ransomware

    Maksim Yakubets cuts quite the figure driving his custom fluoro camouflage Lamborghini through the streets of Moscow.

    According to indictments filed in the United States, Yakubet could live this lifestyle thanks to his role in the international ransomware gang, ‘Evil Corp’, which is estimated to have extorted about US$100m ($128m) from businesses and individuals around the world.

    The United States sanctions payments of ransoms to Evil Corp, but there is no equivalent restriction in Australia.

    In fact, despite ransomware being described by the Australian Cyber Security Centre as the biggest cyber threat facing Australia, there’s no dedicated government strategy for tackling this rapidly growing crime that brings in big bucks for international criminals at the expense of Australian businesses and consumers.

    Ransom guy: Evil Corp’s Maksim Yakubets on the streets of Moscow Photo credit: UK National Crime Agency

    Australia has recently seen high impact ransomware campaigns against high profile targets like Toll Group, Bluescope Steel, Lion, Spotless, Regis Healthcare, Law in Order, and regional Victorian hospitals.

    The Australian government does not currently collect statistics about the impact of ransomware, but analysis by security firm Emsisoft in 2020 estimated its total annual cost to the nation at a minimum of US$270 million (AU$348 million) and a best estimate of US$1.1 billion (AU$1.4 billion).

    The rapidly growing costs of successful attacks on targeted entities – in downtime, remediation, ransoms and supply chain interruptions – combined with the growing costs to all organisations of defending themselves against these attacks is an unsustainable burden on the nation.

    Ransomware is a jobs and investment destroyer at a time when the nation can least afford it.

    While individual organisations will always have the primary responsibility for taking the necessary steps to protect their IT systems from cyber threats, too often, blaming the victim becomes a cover for government inaction.

    It is past time that the Morrison government developed a dedicated National Ransomware Strategy that actively sought to reduce the number of ransomware attacks targeting Australia.

    The evolution of ransomware gangs into sophisticated, well-resourced organised crime groups presents both a challenge and an opportunity.

    The emergence of so called ‘big game hunting’ ransomware gangs that carefully research and select their targets to maximise the returns of attacks has increased the costs of ransomware.

    But this sophistication has also created the opportunity for new government strategies aimed at deterring these attacks.

    We know from interviews with these gang members and from the advertisements they post seeking affiliates that these gangs are aware of the differences in security practices, regulations and law enforcement practices in different nations. We can use this to our advantage as a nation.

    A National Ransomware Strategy that sought to increase the costs and reduce the returns of ransomware campaigns against Australian organisations, could send a message to ransomware gangs that Australian targets aren’t worth the effort.

    As the United States has done with Evil Corp and Mr Yakubets, one of the policy levers government could use as part of such a strategy is regulating the payment of ransoms.

    Ransom payments are the life blood or ransomware campaigns. More payments beget more attacks. On the other hand, if Australia became known as a jurisdiction where it was hard to get paid, ransomware gangs may choose to select targets elsewhere.

    In recent months, the former Directors of both the US Cybersecurity and Infrastructure Security Agency and the UK National Cyber Security Centre, have each called for the serious consideration of banning ransom payments in their respective countries.

    Australia should have this debate too as part of a broader discussion about the potential tools available to government to convince ransomware gangs that there’s no return on investment from targeting Australian organisations.

    Labor has released a discussion paper that canvases a range of tools government could employ as part of a National Ransomware Strategy to shape the target selection of ransomware gangs and ultimately to reduce the number of attacks targeting Australian organisations.

    None of the potential interventions identified in Labor’s discussion paper are silver bullets. But the threat of ransomware isn’t going anywhere soon and the government cannot leave it to Australian organisations to confront this challenge alone.

    It is time the Morrison Government took this threat seriously and developed a National Ransomware Strategy.

    Tim Watts is Labor’s Shadow Assistant Minister for Cyber Security and the federal Member for Gellibrand.

    The post Govt must help business tackle ransomware appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • Cyber CRC backs ‘extraordinary’ AFP hacking powers

    The government-funded cybersecurity research centre has thrown its support behind the proposed “extraordinary” new hacking powers for the Australian Federal Police, its position that is at odds with human rights, civil liberties and digital rights groups, as well as a group of Senators who have all raised significant concerns about the new laws.

    In a submission to government, the Cyber Security Cooperative Research Centre (CSCRC) said the Identify and Disrupt Bill, which hands sweeping new powers to the AFP and the Australian Crime and Intelligence Commission (ACIC) to hack into the devices and networks of suspected criminals, is proportionate, appropriate and safe.

    This is despite the Human Rights Law Centre labelling the powers “absurdly broad” and disproportionate, the NSW Council of Civil Liberties saying they are an “abuse of power” and a group of bipartisan Senators questioning a lack of focus on privacy, no judicial oversight and the potential for innocent people to be impacted.

    Rachel Falk
    Support: Cyber Security CRC chief executive officer Rachael Falk. Photo Credit YouTube

    The Identify and Disrupt Bill was quietly introduced to Parliament late last year and quickly referred to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) for inquiry.

    The legislation introduces three new warrants for the AFP and ACIC to “disrupt” the data of suspected criminals, access their devices and networks and take over their accounts covertly.

    While the government says its focus is on “online serious crimes” including child abuse and terrorism, the warrants will also be accessible for any crime carrying a three-year jail sentence, which include theft, fraud, tax evasion and forgery.

    In a submission to the PJCIS inquiry, CSCRC chief executive Rachael Falk offered full support for the new hacking powers.

    “While the powers authorised under the bill are undoubtedly extraordinary, the CSCRC submits they are proportionate and appropriate in relation to the threats posed,” Ms Falk said in the submission.

    “Furthermore, to ensure such extraordinary powers are not misused, exploited or subject to ‘legislative creep’, the bill contains a number of key safeguards and protections,” she said.

    “It presents a clear opportunity for Australia to ensure domestic laws are properly aligned with digital perpetrated activities, allowing lawful access to data and devices where it is appropriate to do so.”

    Ms Falk did however say that the government needs to better define and refine the crimes the new powers will apply to.

    “Under the Crimes Act such a threshold does cover a wide range of offences, so consideration should be given within the legislation to clearly specify types of crime to which the mechanisms set out in the bill could apply,” she said.

    “The CSCRC submits that if offences that would and would not be captured under the regime were clearly carved out, it would serve to allay fears of misuse of the warrants for less serious crimes and perceptions of legislative creep.”

    Ms Falk also rejected the arguments that the new powers would jeopardise the privacy of Australians.

    “An absolute right to privacy can never exist and there must always be exceptions, especially when it comes to maintaining the common good. There is no doubt that the criminal activities the bill is designed to capture all fall under such an exception,” she said.

    “The CSCRC contends that while privacy is valuable it must have limitations and these limitations must correlate with the social contract all members of the community enter into, upon which modern democracies like Australia’s are built.”

    Ms Falk has previously supported the government’s controversial COVIDSafe contact tracing app, arguing that Australians readily hand over more significant data to the likes of Facebook than what was required by the trouble-plagued app.

    The CSCRC chief has also staunchly supported the federal government’s moves to undermine encryption and assist intelligence and law enforcement authorities in accessing encrypted communications.

    In its submission, the Human Rights Law Centre painted a very different picture of the proposed powers, saying they have a “disproportionate scope” that do not have adequate safeguards.

    “Australia lacks a robust human rights framework that would provide adequate protection against the abuse of the powers contained in this bill. In the absence of those safeguards, the HRLC cannot endorse the expansion of the already-considerable powers possessed by the AFP and ACIC to intrude on the privacy of Australians,” the HRLC submission said.

    The law centre said the proposed network activity warrants, which would allow authorities to hack into the networks of suspected offenders without even needing to know their identities, needed to be “substantially redrafted” in order to “prevent their application to individuals that have no involvement in the commission or facilitation of a relevant offence”.

    The current legislation defines an “electronically linked group of individuals” as two or more people using the same electronic service or communicating electronically.

    This could lead to a situation where a relevant offence being committed on a messaging service like WhatsApp making every user of the service around the world a member of a “criminal network of individuals” under the new powers.

    “On a broad, but not unreasonable, interpretation of these definitions, the effect is that a person who visits the same website as a person engaging in conduct facilitating or constituting a relevant offence is in a ‘criminal network of individuals’,” the submission said.

    “This is regardless of whether the website or communication bears any relation to the offence, or whether the individuals have any knowledge of, involvement in, or connection to the offence.”

    The proposed powers are “absurdly broad”, the HRLC said.

    “It effectively means that, where a person engages in a relevant offence, every other user of any website they access or app that is installed on their phone could potentially have their data accessed, changed or deleted, without their knowledge, consent or opportunity to object,” it said.

    “Not only does this seriously impact the privacy and freedom of expression of individuals with little or no connection to the offending conduct or target individual, it opens up vast swathes of online activity to monitoring by law enforcement without sufficient safeguards to prevent abuse. Even on a narrower interpretation, these provisions still offer expansive scope.”

    The NSWCCL said that the new powers are “next in an accelerating wave, strengthening the powers of the state without any humility about the cumulative erosion of democratic freedoms they entail”.

    “This bill builds on this ominous trend and takes it to a new level, providing unprecedented new powers for law enforcement to interfere and ‘disrupt’ communications of citizens without effective restraint. The abuse of power this bill enables will happen. Enough is enough,” the NSWCCL submission said.

    A coalition of digital rights and civil liberties organisations said that the powers amount to “state-authorised hacking”.

    A bipartisan group of Senators have also raised a number of concerns with the legislation, particularly in regard to a lack of privacy safeguards and judicial oversight and the potential for innocent people to also be impacted by them.

    The post Cyber CRC backs ‘extraordinary’ AFP hacking powers appeared first on InnovationAus.

    This post was originally published on InnovationAus.

  • IoT Alliance to launch first-ever security guides

    The Internet of Things Alliance Australia (IoTAA) will unveil Australia’s first ever IoT Security Awareness Guides during a special webinar event on Wednesday morning covering the trinity of security, safety and privacy.

    Enex TestLab managing director and IoTAA Cyber Security Workstream chair Matt Tett said the Alliance would release two guides, the first aimed at users – whether retail consumers or business organisations – and the second aimed a IoT device-makers and software developers.

    “These are very simple guides. They’re not guidelines or frameworks or standards,” Mr Tett told InnovationAus. “It is eight to 10 pages with eight to ten tips on some of the traps and pitfalls that people need to think about in terms of IoT security, safety and privacy.”

    city data
    Plain-talking IoT cyber guides: The IoT Alliance is set to release the first ever awareness guide

    “We’re not trying to put people off from digitising their world, but we certainly do want them to start learning what to look out for before they actually buy a product, and how to better protect themselves before they put into their environment,” he said.

    “[The guide] aims to deliver actionable outcomes without spreading fear, uncertainty and doubt. It’s vendor neutral; we’re not saying go out and buy this thing or that thing.”

    “The tips are all low-cost, easy to apply and takes them to the next rung on the security ladder,” Mr Tett said.

    The guides will be launch through a special webinar event from 11am on Wednesday 24. You can register for the free event here.

    IOTAA chief executive Frank Zeichner says the guides are being released as the proliferation of devices across the network continues to accelerate.

    SecurityToday researchers report that there are 127 new IoT devices connected to the web every second and experts estimate there were approximately 31 billion IoT device installations in 2020,” Mr Zeichner said.

    “The figures were staggering to begin with, and we have seen firsthand how the pandemic has expedited the adoption of IoT devices, by consumers and industry alike.”

    Matt Tett said the second of the guides was aimed at IoT producers, whether they are a small developer or multinational.

    “Again, it’s eight to 10 pages with tips on what they can do to really commence the process of embedding, safety and privacy by design into their IoT,” he said.

    “This is rather than falling into the same pitfalls that ICT is in, where they are always trying to bolt security on retrospectively and continually fall over themselves in exposing consumers to security hazards.”

    IoTAA’s Frank Zeichner and Matt Tett will both make presentation to the webinar. Other speakers include Accenture’s managing director for communications, media and technology Eric Bruzek; Department of Home Affairs assistant secretary for technology policy Jill Ogden; Office of the eSafety Commissioner director Julia Fossi; ACANN chief executive Teresa Corbin; and AustCyber’s WA Innovation Hub director Dr Ian Martinus.

    You can register here for the free Internet of Things Security Awareness Guide launch.

    The post IoT Alliance to launch first-ever security guides appeared first on InnovationAus.

    This post was originally published on InnovationAus.