How well is Australia prepared for cyber threats in 2022 and beyond?

Powered By

Digital pickpockets, organised criminals and state-based actors are an increasing source of headaches for government, and public and private sector entities.

The Australian Cyber Security Centre (ACSC), which monitors and provides advice on cyber threats, received more than 67,500 reports during the 2020-21 financial year. On average, this equates to a cyberattack every eight minutes. Self-reported losses for one year totalled $33 billion.

Keeping on top of these threats and combating organised crime and state-based actors seeking to harm Australia are key priorities for the Parliamentary Joint Committee on Intelligence and Security.

Senator James Paterson, the committee’s chairman, says we don’t know the actual number of cybersecurity attacks Australian entities face because there’s no mandatory reporting regime. He hopes a proposed law will fill that gap.

“The ACSC believes there is a significant underestimation of the number of attacks we face,” Paterson says. “That’s a full spectrum of things from ransomware attacks an individual might face on their mobile phone or e-mail to full-on attempts to take down our major corporate entities, including critical infrastructure providers.

“It costs our economy tens of billions of dollars a year that we know of, but it’s probably far more than that. It’s a very serious threat. Unfortunately, all the data shows it’s growing exponentially and it grew particularly rapidly during the COVID-19 period.”

The ACSC’s report notes that about a quarter of the reported cases of cybercrime involves critical infrastructure. “The coronavirus pandemic continued to expand the boundaries of Australia’s computer networks, pushing corporate systems into homes across the nation as a large percentage of the workforce shifted to remote working arrangements,” the report says.

“The speed at which this occurred saw many organisations rapidly deploy new remote networking solutions, sometimes to the detriment of their cybersecurity.”

Paterson says there’s a great concern about how state-based actors and other players seek to target critical infrastructure. Legislation before federal parliament will expand the number of sectors regarded as part of critical infrastructure from four to 11.

“That covers everything from electricity, water, gas, telecommunication, banking and finance, ports, roads, rail, airports and even the supply chains for our supermarkets, whether that’s for medical supplies or food that we need,” Paterson says. “Those are the sectors the government has identified would be critical to our nation and without which we would be severely internally disabled.

“They will be absolute priorities for the government in terms of underpinning them and undergirding them with strong cybersecurity and mitigating the risk of these attacks and the damage from these attacks.”

Phishing and ransomware

Bad actors use various techniques to try and sneak into systems to pinch company or government secrets and steal identities or funds. One method reported to the ACSC used during the pandemic is ‘phishing’ or ‘spearphishing’. Phishing is a technique used to take information that enables an individual to steal someone’s digital identity.

“[Spear phishing] emails were regularly associated with COVID-related topics, encouraging recipients to enter personal credentials for access to COVID-related information or services. Criminal and state actors also targeted the healthcare sector,” the ACSC report says.

“State actor activity was probably motivated by access to intellectual property or sensitive information about Australia’s response to COVID-19, while criminals sought to leverage critical services to increase the motivation of victims to pay ransoms.”

The growth of ransomware threats is also a concern for many Australian organisations. “This increase has been associated with an increasing willingness of criminals to extort money from particularly vulnerable and critical elements of society,” the report says. “Ransom demands by cybercriminals ranged from thousands to millions of dollars, and their access to dark web tools and services improved their capabilities.”

One ransomware attack targeting a Victorian public health institution in March 2021 hit four facilities and caused delays in elective surgery. “Ransomware attacks on an Australian media company and JBS Foods further demonstrated a move by cybercriminals away from low-level ransomware operations towards extracting hefty ransoms from large or high-profile organisations,” the ACSC report says.

“To increase the likelihood of ransoms being paid, cybercriminals would encrypt networks and also exfiltrate data, then threaten to publish stolen information on the internet.”

Staff providing access for malicious actors

Improving systems to minimise the chance of getting a nasty surprise from a bad or malicious actor is one thing but Ammar Barghouty, a cyber security expert with The Soufan Group, says organisations can’t afford to ignore poor staff behaviour, too.

Barghouty says bad actors don’t necessarily need technical expertise to penetrate a company’s internal system. They just need to find a way of convincing somebody on the inside to open a digital door – knowingly or unknowingly – to get inside and run amuck. “Properly configuring everything will reduce your risks tremendously but I think the big elephant in the room is the people,” Barghouty says. “It’s probably an underrated threat. It’s the person on the inside that will let you in.”

One of the ways this can happen, Barghouty says, is when an individual researches details of employees on the internet and, for example, finds out their interests to engage with them online. An e-mail enticing somebody to look at a website linked to a specific interest a malicious actor has discovered on social media might be all it takes for someone to gain entry into a corporation’s systems.

Another major cyber threat is disinformation. One causing particular concern for Paterson and Barghouty is the development of ‘deepfakes’, or synthetic media, where realistic vision of politicians and celebrities are doctored to make them look like they had done something they never did.

Paterson says the synthetic media phenomenon could create a situation where an international conflict occurs if a ‘deepfake’ can’t be disproven quickly enough.

“It isn’t difficult to imagine how dangerous it could be at a time of heightened geopolitical tension,” Paterson says. “For example, a fake public statement by a US president or Chinese premier about conflict with one another could have spill-over effects if it wasn’t able to be quickly and easily disproven.”