Australia must stand up to cyber assault

November 20, 2022

Australia has been suffering a long death by a thousand cuts.

We’ve had cybercriminals slowly bleeding our companies by forcing them to pay ransoms. We’ve had nation states stealing our intellectual property, robbing future generations of prosperity. We’ve had escalating attacks on our information ecosystem, undermining the integrity of our democracy.

And we’ve had countries infiltrating our critical infrastructure, posing a latent threat that can be activated when needed. We’ve seen it happening and talked about it and taken some incremental measures to try to address the situation, but things have never seemed bad enough to warrant decisive action.

With war returning to Europe and the spate of high-profile cyber incidents here in Australia, has the situation finally become bad enough to act?

Consider the dramatic change in circumstances we’ve experienced. A year ago, Europeans would have proudly thought of themselves as living in a haven of peace.

Today, a plucky Ukraine is all that is protecting them from an even greater calamity on their continent and they are pondering the risk of nuclear war. In our own region, China’s president-for-life Xi Jinping has committed himself to a ‘no limits’ partnership with a Russian regime that stands for the complete rejection of established international borders.

In case anyone was in any doubt about the risks China poses in our region, the outgoing head of the Australian Secret Intelligence Service, Paul Symon, gave a very rare public speech this month warning that there were some ‘very alarming signs’ in Asia and the Indo-Pacific.

On the prospect of war, he said that ‘history won’t be kind to us if we’re underprepared’ and that it would be hard to be ‘overprepared for conflict’.

Beyond the threat posed by authoritarian states willing to destroy the international order, there’s also a persistent threat from cybercriminals, the human parasites of the 21st century.

The damage they can cause has reached absurd proportions. The recent Optus hack saw what could be a single criminal threaten around half the adult Australian population with the spectre of identity fraud.

The Medibank data theft was just as big and involved the release of information that for some customers might be so sensitive that it could be life-threatening.

With the head of Australia’s secret intelligence agency imploring us to be ‘overprepared for conflict’ as we witness single individuals hold half the population hostage and rogue regimes upend the global order, we have finally reached a point where decisive action is required both for and by the public.

In this context, news that Minister for Home Affairs Clare O’Neil is preparing a new national cyber strategy is immensely timely.

The minister has been vocal in both calling out lax cybersecurity from companies that have been breached and telegraphing that she intends to take forceful action to ensure we are not the soft target we are at present. It’s action we should all embrace.

There are a multitude of things we can do now to better protect ourselves. The biggest challenges are company motivation to take action and governments’ ability to make tough decisions.

For example, to protect ourselves against ransomware gangs, the policy action most needed is to ban ransom payments (with very few exceptions). A ban would, in a very short period, see Australia abandoned as a target for ransomware gangs because they would be wasting time for no payoff.

As we’ve seen in the Medibank case—where the company refused to pay the ransom—this is not an easy decision to make. For a few months during the phase-in period, companies that are hit would need a lot of support to stay afloat as they work to overcome the attacks.

In some cases, like Medibank, highly sensitive records could be released. But the payoff of a ban would be a boon for citizens’ physical safety and privacy and save companies billions.

Protecting ourselves against nation states is trickier. They have more resources, are more determined, are more secretive, and target a broader range of organisations. State actors like China are targeting the private sector and academia (for example, to steal intellectual property) as well as government.

But we can still do a lot more to harden our defences. After the Optus and Medibank attacks, there should not be a board in Australia that isn’t actively interrogating its cybersecurity posture and whether it has a suitable level of cybersecurity expertise represented among its directors.

Because even if the prospect of having the company brand trashed is insufficient motivation, there is every prospect they will be called on to do more to secure themselves in the coming months and years, as the minister is foreshadowing.

But there’s also a need for government intervention to align incentives. At present, a company that has data stolen by a nation state, instead of a cybercriminal, might see it as a bonus because the nation-state actor won’t ask them to pay a ransom. But the damage to the national interest from the data theft could be far worse than anything a cybercriminal might do with the data or charge for it.

The incentives for companies and universities to protect some sensitive datasets of use to nation states are not yet adequate.

Then there is government uplift. Report after report from the national auditor shows that federal government departments are not match fit for protecting critical government data from cyberattackers. Fixing government security is going to be very expensive and require the government to send the very clear message to department heads that this is a top priority.

For government (and industry), cybersecurity should be made a leadership responsibility, just like all other aspects of organisational culture through which performance is judged and for which there are real consequences for negligence.

As we enter this extremely challenging security environment, cybersecurity is going to take on even greater importance. Failure to put in place protections for citizens wouldn’t be tolerated in other fields of security, so why should we continue to excuse inaction in cyberspace?

We must seize the opportunity presented by this challenge to make some tough and bold decisions.

This article was published by The Strategist.