Australians should not be under any illusion. The risk of cyber attack at a personal, government and corporate level poses a security threat greater than any Australia has experienced. It is far greater than we faced during the darkest period of the Cold War in the mid-1950s. We are today at war again. A cyber war.
And we face this threat in an environment where many individuals and organisations have no idea of the extent of the risks we face, let alone how to mitigate them. These risks include:
• At the citizen level, the wholesale theft of financial assets, theft of identity, ransom/blackmail, manipulation of public thinking, falsification of information, the denial of service to banking facilities, telecommunications and the internet.
• The theft of data held in corporate and government servers, including intellectual property, government secrets or confidential personal data. But the risk is not just this information being stolen today. A Trojan digital spy may be installed in networks that will continually send confidential data to a nefarious party or just lie there as a “sleeper” to be activated in the future.
• The loss of control of or disruption to critical infrastructure assets such as telecommunications, public utilities, mining and agriculture.
The consequences of an attack resulting in one or more of these risks materialising is huge.
The federal government’s updated Cyber Security Strategy 2020 and overhaul of relevant legislation is just the start of what is required to mitigate the cyber risk this country faces. The potential economic cost is estimated in the government’s strategy paper. “One expert analysis of cyber incidents targeting small, medium and large Australian businesses can cost the economy up to $29bn per year, or 1.9 per cent of Australia’s GDP,” it states, adding: “A four-week interruption to digital infrastructures resulting from a significant cyber incident would cost the economy $30bn (1.5 per cent of GDP) and around 163,000 jobs.”
It is not rocket science to understand that a total attack by a rogue nation could decimate us economically and render us instantly defenceless.
A cyber-attack originates remotely by simply pressing a key on a keyboard from a location that could be thousands of kilometres away. Never before have we combated an enemy without physical presence, and in the future the use of artificial intelligence techniques will only make cyber-attacks more dangerous and destructive.
Ransomware is perhaps the most known and the most prevalent form of cyber-attack. It can be used for financial gain, an act of terrorism or by rogue nation states to create havoc.
In 2017, a rogue group called NotPetya smashed thousands of corporate networks around the world, costing these organisations billions of dollars. This was not about financial gain, it was just to prove the ability to massively disrupt global digital networks. It was originally thought to be a ransomware attack, but was later traced to a Russian military unit.
But corporations aren’t the only ones at risk. We recently saw a cyber attack that commentators have called “the Pearl Harbor of American IT”. Supposedly “secure” government agencies such as the US Treasury, US Department of Homeland Security, US Department of Commerce, the Pentagon, and the National Nuclear Security Administration were compromised during the most destructive cyber attack yet. Known as the “SolarWinds hack”, this was a global supply chain attack with no precedent in terms of damage done. An update on SolarWinds software was infiltrated and, when downloaded, the perpetrators were able to steal user IDs, passwords, financial information and even some of Microsoft’s source code. It commenced in March last year and was not discovered until December. Its impact will take years to calculate.
Our defences against cyber attacks can best be described as spasmodic, haphazard and as effective as a cavalry charge in WWI against machine guns. But much can be done. And it needs to be led by the federal government. The government’s cyber security strategy proposes a good start for a strategic plan but the proposed funding program (totalling $1.67bn over 10 years) is inadequate to address the threat we face. At the very least we need a budget of $500m a year. This will be an expensive but necessary burden.
There is a huge bonus for this investment. A government focus on cyber security would be the impetus for establishing Australia as a global leader in this area and create the engine for growing a substantial sovereign cyber security industry. It would spawn university placements, research and development and would create thousands of jobs.
We need an independent government agency responsible for cyber security. At present this responsibility rests partly within the Department of Home Affairs and Defence under the Australian Signals Directorate. It needs to be an independent agency under either Home Affairs or Prime Minister and Cabinet. Its charter would include:
• Ensuring public, corporate and government awareness of the cyber threats we face.
• Establishing minimum standards and sovereignty requirements for critical IT infrastructure, preventing the risk of eavesdropping and placement of Trojan horses.
• Establishing cyber security standards and rule-setting to ensure encryption of both data at rest and data in motion.
• Establishing a cyber threat audit standard for corporates and governments.
• Establishing minimum training requirements for cyber security and digital personnel.
• Ensuring the funding of tertiary education programs for getting cyber experts trained.
• Establishing minimum mandatory standards for cyber security for corporates, government and organisations in critical infrastructure industries with penalties and public disclosure if not met.
• Reporting to parliament annually as to how it has met its statutory obligations and the compliance with its standards and rules by government and major corporates and critical infrastructure providers.
• Providing advice and assistance to AUSTRAC, the AFP, state police organisations, major financial and education institutions, critical infrastructure and R&D centres to ensure that major cyber theft is detected and punished.
To meet the cyber challenge we are facing will require an acknowledgment of the massive task ahead, the appropriate funding and resourcing by government, and the co-operation of government, corporates and infrastructure providers. Anything less will lead to disaster.
Francis Galbally. Founder and chairman of Senetas Corporation, a leading developer of encryption security services.
For more information please contact us.