How vulnerable is Australia’s identity data?

| May 7, 2018

There is general consensus among the government, civil society and industry sectors that data is a critical asset in our lives. Everything from knowing the weather in the morning to reading the news and checking emails is based on an underlying assumption about reliability.

In short, we assume that the data, in whatever form it may be, is accessible, accurate and verifiable.

Data is central not only to our personal lives, but to the functioning of society and government. Every nation is sitting on a goldmine of data, from health records to immigration, intelligence and defence data.

Yet, there’s an inherent risk in putting so much trust into an asset that is highly vulnerable. The broad spectrum of cyberattacks and technological advancements in cybersecurity highlight how easily our dependence on reliable data can be shattered.

Data is a vulnerable and critical asset. There are four key examples that highlight how it can be manipulated and abused by cyber warfare and information operations. As outlined in the Australian Signal Directorate’s Information security manual, it’s important to have an understanding of the cyber threat environment and of malicious cyber actors to best mitigate such threats.

Firstly, data can be stolen. The practice of stealing information through cyber espionage is well-established in military and intelligence operations.

In one example of state-sponsored cyber espionage, millions of government officials’ fingerprints, social security numbers and personal and financial were stolen from the US Office for Personnel Management. China is also active in cyber espionage, for example obtaining military documents and sensitive information from the Philippines government.

Secondly, data can be made inaccessible or restricted. Cyber sabotage attacks information for financial gain or to create chaos and disruption. The WannaCry ransomware attacks of 2017 were a recent example.

The virus encrypted files and demanded that a ransom be paid for the data to be decrypted. Various governmental institutions and companies were affected by the attackBritain’s National Health Service couldn’t access its health records and had to cancel non-urgent operations.

Denial of service (DDoS) attacks are also commonly used against government websites to disrupt services and restrict public access to government information.

There have been DDoS attacks on government websites in ThailandIndia and Luxembourg, among others. Even NATO’s website has been affected. The Digital Attack Map tracks the top daily DDoS attacks globally and highlights the scope of the problem.

Thirdly, the reliability of information has been compromised by fake news and disinformation. Deliberately disseminating false information is a form of cyber-enabled influence operation, the deliberate attempt to influence decisions and opinions. The most blatant example has been the alleged interference by Russia in the 2016 US elections. China also has a hand in influence operations in Taiwan.

Finally, data is vulnerable due to the systems on which it is stored. Cyberattacks on critical infrastructure is a tool of cyber warfare. As we saw in Atlanta, cyberattacks can cause an entire city to come to a standstill. As a Forbes article rightly pointed out, we must recognise the threat posed by cyberattacks not only to critical infrastructure services, but also to democratic and governmental continuity.

Attacks on critical infrastructure, particularly energy systems, are increasingly common. The world’s biggest oil company—Saudi Aramco—was hit by a malware attack in 2012 that successfully wiped data from approximately 35,000 computers and caused the company to temporarily suspend oil sales.

Ukraine’s energy sector was also the target of a cyberattack—attributed to Russia in 2015—that caused power outages to more than 225,000 citizens.

These vulnerabilities threaten the continuity of certain functions within society. The question then arises: can the continuity of our digital national identity also be threatened? Data collections such as our immigration, birth, death and marriage records, parliamentary records and court rulings are the evidence of who we are as a nation.

If such assets were stolen, destroyed or manipulated, would we have a point of truth to fall back on? As Anne Lyons argues, our digital national identity assets are vulnerable to manipulation.

We should take a leaf from Estonia’s book. Estonia is the only country to have fully realised the vulnerability of its critical governmental data and taken action to ensure its protection. Estonia is creating an overseas ‘data embassy’ in Luxembourg to store its government data.

The idea is that if Estonia suffered a catastrophic attack, either physical or cyber, the essence of Estonian government, history and society wouldn’t be lost. This initiative safeguards Estonia’s critical data by storing that data in different, geographically distributed locations.

Although Australia hasn’t been targeted on a large scale as yet, we haven’t been completely immune either. Most (in)famously was the DDoS attack during the 2016 census, causing the ABS website to crash and delivering a significant blow to the reputation of both the Australian Bureau of Statistics and to the Australian government.

Some years earlier, the group Anonymous subjected the Australian Parliament (APH) and a senator’s website to DDoS attacks, shutting down the APH website for 50 minutes.

It is no secret that data is a target of cyber warfare. That vulnerability threatens our national security. Understanding the constantly evolving cyber threat environment and the tools of cyber warfare should make clear the importance of protecting critical data. As the threats expand, so too should our ideas of what data we need to protect.

The Australian government needs to ensure that our critical national identity assets are protected from manipulation, falsification or destruction to ensure the reliability of the data that underpins our democracy, governance and national security.

This piece was published by The Strategist.

SHARE WITH:
Melissa Liberatore

Melissa Liberatore joined ASPI in January 2018 as a Research Intern. Melissa has a Bachelor of Arts degree from Monash University, completing French, Japanese and Linguistics studies. Melissa is currently completing a double Master of International Relations and Journalism at Monash University.

One Comment

  1. Rocky

    May 10, 2018 at 12:08 pm

    While the rest of your article is well argued and timely, it needs saying that the DDoS “attack” on the Census wasn’t really a DDoS attack in any meaningful sense – it was the front-end connections to the DB overwhelming the servers and this being misinterpreted as an “attack.”

    While the ABS and IBM were still in excuse mode they told the press it was all to do with DDoS, when in reality it was just really bad planning (really!), and poor risk and incident management. There may have been a small DDoS attempt, but if so it really had nothing to do with the failure of the online Census.

    Ignore all the press you read in the first few days after Censusgate, and talk to people who worked on the subsequent investigation into what went wrong.