Security focus: Australia mooting new strategy after rise in breaches

The Australian government intends to update its strategy and response to cyber security issues, as Australian firms and institutions continue to get hit by high-profile attacks.
The paper, entitled ‘Australia’s 2020 Cyber Security Strategy: A call for views,’ asks respondents for their views on the current cyber threat environment and which threats they think the government should focus on. It also asks how government and businesses can “sensibly” increase the security, quality, and effectiveness of cybersecurity and digital offerings; if the regulatory environment is appropriate; and whether there are any functions currently performed by government that could be performed by the private sector. The paper proposes a ‘trusted marketplace’ for security-related products and services, and asks for feedback on how to increase trust in IT supply chains.
It presents grim statistics on the scale of the problem, highlighting that AUD2.3 billion was stolen by criminals from Australian consumers in 2017, with 53,474 reports received by the Australian Cybercrime Online Reporting Network (ACORN) in FY2017-18, and 64,528 in FY2018-19. Between April 2018 and March 2019, 964 data breach notifications were made under the Notifiable Data Breaches scheme, with 60% being malicious or criminal attacks.

“Despite making strong progress against the goals set in 2016, the threat environment has changed significantly and we need to adapt our approach to improve the security of business and the community.” Minister for Home Affairs Peter Dutton

The current strategy dates from April 2016, and was aimed at defending Australia from attacks by organised criminals and state-sponsored attackers. In the intervening years, the government has undertaken a number of initiatives:

  • opened the Australian Cyber Security Centre
  • establish Join Cyber Security Centres in five capital cities
  • launched
  • appointed an Ambassador for Cyber Affairs
  • supported businesses through the Australian Cyber Security Growth Network and the Landing Pad Program
  • invested AUD50 in the Cyber Security Co-operative Research Centre
  • invested in training and education by supporting centres of excellence at the University of Melbourne and Edith Cowan University.

But the threats continue to rise.
On 1 October 2019, for example, it was reported that seven hospitals and health service providers in Australia were forced to shut down some, or all, of their systems after being hit by ransomware attacks.

“Hospitals have isolated and disconnected a number of systems such as the internet to quarantine the infection,” with the isolation leading to the full shut down of multiple systems, including but not limited to patient records, booking, and management systems. “Where practical, hospitals are reverting to manual systems to maintain their services.” Advisory from Victoria’s Department of Premier and Cabinet

In unrelated news, Australia’s New South Wales Police charged an IT contractor with 15 offences related to a cyber attack on Landmark White, a property management firm, which led to the loss of 170,000 data records, including customer and valuation data. In January 2019, Landmark White discovered that its customer records had been posted on the dark web and so alerted authorities and customers and suspended trading. The company estimates it lost AUD7 million from the incident plus the cost of upgrading its security measures.
While the Australian National University (ANU) revealed it had been subjected to a cyber attack that resulted in the loss of 19 years’ worth of data. ANU vice-chancellor Brian Schmidt said: “Our forensic investigation found the data breach was the work of a highly sophisticated actor using a targeted spear phishing email that did not require the affected staff member to download an attachment or click on the link. It is shocking in its sophistication.”
This initiative by the Australian government shows that they continue to recognise that even with all of the new cyber-related departments and individuals, there is a requirement for both public and private sector to collaborate against these sophisticated white collar and cyber-attacks. The mixture of cyber actors involved in the these attacks continues to demonstrate that organisations need to look internally for the ‘Insider’, both malicious and unintentional, as well as the external actors using advanced targeting methods.
However, despite the Australian focus on cyber security, Home Affairs Minister Peter Dutton, along with his counterparts in the UK, US, Canada and New Zealand, has urged Facebook not to implement end-to-end encryption. He has accused Facebook of protecting paedophiles and is demanding that it create backdoors for law enforcers to access encrypted content.
“These companies are really pushing back, but we’ve got to stand up to them,” he reportedly told 2GB radio. “The number of cases where this child abuse material is being shared online – there are groups where paedophiles are meeting online, protected by these companies – it can’t stand.”
Facebook and other industry commentators have pointed out that creating lawful backdoors completely undermines the security of legitimate users of their services.
This all comes after The Guardian newspaper revealed in July 2019 that Australian authorities had already requested assistance to spy on users five times since the controversial new Telecommunications and Assistance Act had been brought in (December 2018) – two notices to the ombudsman were received from the NSW Police, on 25 March and 9 April, and three from the federal police, on 9 and 12 April and 3 May.