WHEN a cyber attack in Estonia brought the country to its knees, hackers didn’t just target government websites, but also banks, universities and newspapers.
The 2007 attack was so bad, the country had to block off all international web traffic. Suddenly the “most wired country in Europe” was cut off from the rest of the world.
The willingness of countries to use cyber operations to “seriously impede or embarrass” organisations and governments is a new approach acknowledged in a new report by the Australian Cyber Security Centre.
While the centre said it had previously believed cyber attacks against Australia would likely target critical infrastructure, government networks or military capabilities or in the lead-up to conflict, recent overseas incidents reveal a new approach.
“Some of these events have occurred outside conflict, and have set precedents for how states may seek to use cyber operations to generate effects that could have a potentially significant impact,” the report said.
“Where coercion, economic damage or embarrassment is the goal, the potential targets of cyber attack may include major industries, critical infrastructure, political entities, the media, the financial sector and other sectors considered important to Australia’s economy and identity.”
In the case of Estonia, it’s suspected Russian-backed hackers launched denial-of-service attacks as a protest against the Estonian government’s removal of the Bronze Soldier monument in Tallinn, a Soviet war monument erected in 1947.
Professor Greg Austin, an expert in cyber security research from UNSW Canberra, said the Estonian example highlighted how attacks on private organisations could have serious consequences.
“When Russian hackers attacked Estonia, it brought the country to its knees because it had no defence against attacks against banks and financial transactions,” he said.
“If this happened in Australia, whose responsibility is that?”
As the 2016 Threat Report released today revealed, Australia would have trouble defending such an attack on private assets such as banks, transport or even supermarkets.
“Banking, transportation, logistics of supermarkets — most of us depend on a computerised system to deliver food from other parts of Australia,” Prof Austin said.
“Groceries from across Australia and the world are managed by computer systems.
“We don’t eat without a functioning and secure computerised system these days.”
The report revealed between July 2015 and June this year, a total of 14,804 cyber security incidents affected Australian businesses and 418 of them involved systems of national interest.
Energy and communications sectors had the highest number of compromised systems, the banking and financial services and communications sectors had the highest denial-of-service activity, and the energy and mining/resources sectors received the highest number of malicious emails.
Prof Austin said the number of incidents was probably on the low side given most private sector problems were never reported.
“Australians have to understand, as this report encourages us to understand, that cyber space is not worry free,” he said. “We have to secure data and systems.”
WE NEED A CYBER MILITIA
Prof Austin believes Australia needs its own ‘cyber militia’ of people trained to defend against cyber attacks that could function in a similar way to the Army Reserves, who are trained about 40 days a year and only deployed when the need arises.
He said other countries like the US or UK already had reserve forces like this in place.
“Everybody agrees, including me, that an extreme cyber attack on Australia is highly unlikely (in the next five years) but we do need the capability against an extreme threat if and when they do emerge,” he said.
The US has declared a national emergency due to continued cyberattacks for two years in a row and Prof Austin said this reflected the seriousness with which the US treated the threat against it.
The report suggests Australia had not yet been subjected to a cyber attack, an incident it defined as one that seriously compromised national security, stability or economic prosperity, adding “the effects of a cyber attack could not possibly have gone unnoticed”.
But Prof Austin is not so sure.
“There is room to question that. If the US has been subject to such attacks, it’s hard to believe that we also haven’t been subject to such attacks that have succeeded.”
WE’RE ALREADY VULNERABLE
The report said there were 1095 serious cyber security incidents directed against Australian government systems in the 18 months to June 30. It found foreign states represented the greatest level of threat to Australian government networks.
“That’s a lot of attempted attacks,” Prof Austin said. “Governments with the most capability are regularly targeting (other) government facilities and somebody got lucky with the Bureau of Meteorology.”
Prof Austin said the “incident” involving the Bureau Of Meteorology, which the report attributed to the work of a foreign intelligence service, showed there were a number of deficiencies in the department’s set-up.
“We have to presume that almost all government departments in Australia are vulnerable in the same way as BOM to a sophisticated cyber attack,” he said.
In the case of the BOM, hackers managed to install malicious software and steal sensitive documents. They also tried to access other government departments through the BOM.
The report acknowledged: “Security controls in place were insufficient to protect the network from more common threats associated with cybercrime”.
While the spying has been blamed on China, the government has not made it clear who was responsible. Prof Austin said it was likely aimed at collecting a range of economic and military intelligence from a variety of sensitive sources.
“What is 100 per cent certain is countries like Russia, China and US undertake cyber espionage against Australia because they have been caught doing it to other countries,” he said.
Prof Austin believes the government almost certainly knows who was responsible for the BOM attack but just didn’t want to say, partly because it was hard to get watertight proof and partly because it didn’t want to get into a slanging match about who engaged in cyber espionage.
In the US, agencies even operate on the assumption that systems have been compromised, Prof Austin said.
For those worried about their Census data, Prof Austin said it was already possible to link personal data to people’s identities from information available from organisations like Medicare or departments issuing driver's licences.
“It’s already too late to think about closing that gate, we’re already vulnerable.”
The report said it was unlikely that terrorists would be able to compromise a secure network and deliver a significant effect for at least the next two to three years.
But Prof Austin believes this could be an “unwise assessment”.
“It doesn’t take anyone two or three years to build capability if they have money and technical experts,” he said.
“They could do it in a short time with no warning and you wouldn’t necessarily have any warning,” he said.
Prof Austin said Islamic State was known to be consolidating its cyber attack capability.
“It’s under intense military pressure at the moment so is unlikely to succeed but as if it loses on the battlefield it may look for other avenues of attack,” he said.
GAPS IN THE SYSTEM
Prof Austin said the 2016 Threat Report had shown gaps in the system and had set out for the first time, specific case studies of specific attacks against government departments.
“It’s a groundbreaking report and every Australian should read it because it reveals for the first time, in graphic detail, the scale of the threat and the level of response capability across the country.”
He said the case studies were important because until now, the government had adopted a low profile when it came to cyber threats, especially compared to the US and UK.
“It’s a big step forward in government openness to build community awareness,” he said.
When asked what may have provoked this change, he said: “The seriousness of the threat and its intensity is increasing,” he said.
He said the government had also reviewed its cyber security strategy for the first time in five years and this may have showed a need for greater engagement with the private sector and community.
“Some criticised the previous threat report for not giving a strong enough picture of the threat,” he said. “We need to quicken our pace significantly.”
Reading between the lines of the report, he said it was clear Australia did not have the capability nationally to protect the civil sector, and government departments did not have capability for “advanced cyber security”.
Several universities have set up cyber facilities in the past year including UNSW Canberra, Australian National University and Macquarie University, and when asked whether universities were seeking to fill that gap, Prof Austin said he hoped the government and uni sector worked together more to develop education for cyber security and research.
“It’s a slow process that definitely needs a lot more money and a lot more determination.
“The threats in cyber space are significant and the Australian government is moving in the right direction to better equip us to defend against them,” he said. “But Australia, like other countries has a long way to go.”