Toll Group, BlueScope and Service NSW have all fallen victim to cyber criminals in recent days. The government and industry need to sharpen their response.
In a year already marred by natural and biological crises, cyber security failures remain a critical threat.
Government agencies and big Australian companies have fallen victim to cyber attacks with unprecedented visibility.
Industry and government need to understand why we are more exposed, what we can learn from recent national security events, and how to build a more cyber-resilient nation.
The increased reporting of cyber incidents among big Australian companies has been noticeable. Toll Group, the Melbourne-based global logistics company, has been hit twice by ransomware attacks, in January by MailTo and last week by Nefilim.
Over the past week, cyber incidents have affected government agency Service NSW, steel maker BlueScope, and a financial services company, MyBudget.
These organisations present an attractive target for hackers, whether a nation-state interested in a strategic asset, or a cyber-criminal group looking to make an easy buck. This is just the tip of the iceberg; many organisations fail to report cyber breaches, or worse, do not know about them.
The recent attacks are revealing in several ways. We are more used to seeing prominent US organisations being the victims of big cyber incidents, for example, Google or Equifax. Although Australian organisations have always had cyber vulnerabilities, the increase in large attacks since mid-2019 shows we are increasingly visible and attractive to cyber attackers.
The data is patchy but we have observed an increase in attacks and a rise in the penetration of networks and targeting of confidential information.
One prevalent "kill chain" technique involves the compromise of weak remote access channels and the deployment of ransomware. This can shut down a company’s operations while incident responders desperately try to restore systems, identify the source and prevent future intrusions.
More sophisticated and destructive attacks involve the compromise of user computers, quiet traversal of networks and exfiltration or manipulation of confidential data.
Cyber criminals have exploited the pandemic and there has been a noticeable rise in COVID-19-related phishing scams. Attackers take advantage of people’s anxieties, tricking them into clicking on malicious links, delivered under the guise of urgent health updates or government support.
Health and medical research facilities have also proved attractive targets. The Australian Cyber Security Centre identified that "advanced persistent threat" actors, a term often associated with nation-state adversaries, are targeting the health sector. Just last week, the FBI officially cited Chinese government-backed groups for such activities.
The work-from-home phenomenon has also made us more vulnerable. The rapid uptake of often unfamiliar technologies such as video conferencing software and VPNs has left workforces exposed.
IT departments have increased connectivity, often without sufficient attention given to the security impact. When an entire workforce is remotely accessing your network, it’s harder to spot an attacker.
Perimeters of our networks have expanded from offices to homes. We have seen increased attacks seeking to reconfigure home routers, intercept internet traffic and inject malware capable of stealing passwords and confidential information.
The rise in the number of employees using their own devices (BYOD) has led to the spillage of confidential files across home networks and personal devices, making it extremely difficult for organisations to control sensitive information.
As we emerge from the pandemic, it is important to remember that cyber security remains an existential threat.
Cyber-attack capabilities already exist to crash a car, stop a pacemaker, disable a home security system, shut down a hospital, make an industrial control system explode or switch off an entire power grid. There are organisations and nation-states with this capability.
As the cyber threat becomes more complex and pernicious, governments and industry are failing to respond with sufficient urgency and sophistication.
Nor are they adequately communicating the problem to the public. We know that many Australian organisations are weak targets, and cyber-attack tools are prolific across the internet. The genie can’t be put back into the bottle.
Despite the increased investment, education and awareness following former prime minister Malcolm Turnbull’s 2016 Cyber Security Strategy, industry, government and individuals are still struggling to identify and manage cyber security risks. But things are improving.
Boardrooms are better educating themselves on cyber risk and how to manage it at the enterprise level. Governments are investing in cyber research, increasing guidance on cyber practices and technical issues, and facilitating information exchange between industry and government.
More action is needed. Most current policies focus too narrowly on data breach notification responsibilities. To improve cyber security governance, policies must target executive accountability and create incentives to build in security, improving not just the confidentiality of data and systems but also their integrity and availability.
The risk that an attack on a key piece of critical infrastructure or an internet-enabled device will result in death is now too big to ignore. In these uncertain times, strong cyber security practices are more important than ever. We must enhance our sovereign capability.