Tackling the growing threats to Australia’s cyber security
Self-reported financial losses from cybercrime run into the millions. The Australian Cyber Security Centre (ACSC) puts the figure for 2019-20 at $316 million. However, the total cost to Australian businesses could be many times that, with one private sector estimate suggesting it could be as high as $29 billion, about 1.9% of GDP.
Whatever the true economic cost, there is no doubt cybercrime is putting our national security at risk.
The Strengthening Australia’s cyber security regulations and incentives report released by the Department of Home Affairs last year states that “actors of all levels of sophistication are exploiting basic vulnerabilities in Australian networks and smart devices”.
The report, part of Australia’s Cyber Security Strategy 2020, calls for a more resilient digital economy and for stronger incentives for Australian businesses to invest in cyber security.
“If no action is taken, the costs and consequences of cyber security incidents are likely to rise over time as more economic activity moves online and the number of connected devices grows,” it says. “COVID-19 is just one factor driving this.”
Time for a ‘national clean pipes policy’
“We believe that Australia should adopt a national ‘clean pipes’ policy to reduce the economic impacts of cyber security incidents,” says Sarah Sloan, head of government affairs and public policy, ANZ at Palo Alto Networks.
“This would see Australia harden its national defences and address these threats at scale via leveraging the ability of telecommunications and internet service providers (ISPs) to detect and stop cyber attacks in real time.
“This approach recognises that the vast majority of cyber attacks in Australia leverage Australian ISP or telco infrastructure. A key advantage of clean pipes is that it brings advanced, scalable protection to an ISP’s entire customer base, which is particularly important to the majority of customers, who lack the skills and resources to provide for their own security – such as SMEs as well as everyday Australians.
“To ensure the necessary level of security capabilities, clean pipes would be delivered by ISPs in collaboration with industry partners.”
Attacks becoming more frequent
Cyber security incidents are increasing in frequency, scale and sophistication, and are a threat to Australia’s economic prosperity and national interests.
Phishing and spear phishing are the most common methods employed by cyber criminals to harvest personal information or user credentials to gain access to networks, or to distribute malware. Other threats include malicious insiders and supply chain compromises. Any element of a supply chain can be targeted, including people, software and hardware.
“A key pillar of the Commonwealth government’s 2020 Cyber Security Strategy is improving the cyber security posture of critical infrastructure entities via a series of reforms – including the introduction of the Security Legislation Amendment (Critical Infrastructure) Bill 2020,” Sloan says.
“Palo Alto Networks supports the Commonwealth government’s commitment to enhancing the cyber security posture of its critical infrastructure sectors. Around the world, we have seen a growing range of cyber security threats levelled against critical infrastructure, including the recent high-profile SolarWinds, Exchange and Colonial Pipeline attacks.
“The bill, which is currently before the federal parliament, contains a range of important measures, including but not limited to looking at how critical infrastructure entities manage risks across cyber, supply chains, physical and personnel security.”
A more strategic cyber defence approach
In 2019, the World Economic Forum rated data fraud or theft and cyber attacks as the fourth and fifth most likely business risks. Further, the COVID-19 pandemic has accelerated the uptake of technology and increased exposure to cyber security risks.
According to the ACSC, in the 2019-20 financial year, ransomware posed the highest cyber security threat as it requires minimal technical expertise, is low-cost and can result in significant impacts to a business.
In 2020, among the large corporations that reportedly suffered the effects of ransomware attacks were Toll Group (January and May), logistics company Henning Harders (March), Bluescope Steel (May), budgeting service MyBudget (May) and food and beverage company Lion (June).
“We know that the third-party partners, suppliers and service providers can be attack vectors into government entities,” says Greg Clarkson, chief executive of Network Overdrive.
“Therefore, the Commonwealth government can do at least three things: firstly, develop strategies for how government departments can work together in a collective cyber defence framework, with a particular focus on strategy needs to develop a framework that will provide real-time attack information and not just cautionary threat advice.
“The reality is that [a real-time update on] attacks and potential breaches trumps all reactive methods.
“Secondly, they could also extend that collective cyber defence approach to essential services and arm’s-length extensions of government departments, which are often targeted as back channels into government systems.
“And finally, they could appropriately fund the cyber maturity of third-party organisations, to bring them up to the latest standards of defence and prevent soft entry points for attackers.”
In 2020, the ACSC received 65,617 cybercrime incident reports via ReportCyber, a 33% increase over 2017 figures (49,238 cybercrime reports). It also received 2223 cyber security incident reports, an 86% increase on 2017 figures.
Last year, a cybercrime report was made every 10 minutes to the ACSC.
“The United States is leading the way in adopting a collective defence approach to cyber security and more recently Singapore has also embraced this philosophy,” Clarkson says.
“This strategy enables organisations to stay a step ahead of threats and to have a better opportunity to defend their networks through real-time intelligence sharing and collaboration across industries and sectors.”
The key with government departments, especially one on the scale of the Department of Defence, is to move quickly, and to be able to respond succinctly to any fast-rising issues.
“The technological challenge when it comes to cyber security is really about complexity compounded by the inability to move fast,” says Ian Yip, CEO of Avertro. “These are complex organisations by necessity, which makes for an environment that is difficult to defend.
“Unfortunately, they are lumbered with bureaucracy and processes that make change difficult, meaning the segment of industry that needs to move fastest is notoriously one of the slowest.”
According to the International Telecommunication Union’s latest Global Cybersecurity Index, Australia ranks 12th in the world for cyber security, behind countries such as Estonia, Malaysia, Lithuania, India and Turkey.
“While most understand that the department rightfully has checks and balances in place to reduce their overall risk exposure, there does need to be more bidirectional collaboration with other parts of industry for the benefit of the Australian cyber security ecosystem,” Yip says.
“We need to stop taking a compliance-first approach to managing cyber security. We can only be resilient as a society when all organisations use a holistic, risk-based, strategic, top-down approach to managing their cyber security performance.”
Inside Defence, opportunities, challenges and new pacts
- The AUKUS agenda: domestic and international partnership implications beyond submarines
- AUKUS sets Australia on a new strategic path in the Indo-Pacific
- The complex challenges of Australia’s maritime defence
- Australia’s balancing act between our biggest trading partner and our most important ally
- $2m dollar funding boost, extension a boon for international projects
- Defence in $100m push to build sovereign capabilities
- The need for speed
- We want to build nuclear submarines, but what about everything else we have to build?
- Why we should be more vigilant about terrorism
- Tackling the growing threats to Australia’s cyber security