Government cyber left wanting, warns official industry advisor CSIAC

By Julian Bajkowski

August 26, 2022

Government agencies urgently need to lift their cybersecurity game to set a better example for business and consumers. (metamorworks/Adobe)

Australia’s peak industry advisory body on cyber security has warned government agencies urgently need to lift their game to set a better example for business and consumers, listing the toughening of public sector systems as the key priority for the immediate future.

The newly released Cyber Security Industry Advisory Committee (CSIAC) Annual Report 2022 reveals the Australian Signals Directorate (ASD) has blocked 180,000 “unique known malicious domain names across government agencies” under new powers to protect official systems.

The blocks come as part of the recently introduced Protected Domain Name Service (AUPDNS) for government agencies, which blocks known ‘bad’ domains or malicious actors.
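To make the mechanism the report is describing concrete, here is an added example of how a protective DNS service decides whether to answer a query or sinkhole it. This is illustrative code written for this article, not AUPDNS, ASD or CSIAC code; the blocklist entries, the sinkhole address, the client addresses and the static “upstream” answer table are all constructed, and no network I/O happens.

```python
"""Simulated protective-DNS filter: answer queries for blocklisted domains with a
sinkhole address, pass everything else to an upstream resolver, and keep the block
events an analyst would want to review. Added example, not AUPDNS/ASD code."""
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

# Constructed placeholder: a protective resolver answers blocked names with a
# non-routable address so the client connection goes nowhere.
SINKHOLE_IP = "0.0.0.0"


def normalize(name: str) -> str:
    """Canonicalise a DNS name: lowercase, trim whitespace and the trailing root dot,
    so that 'Evil.Example.' and 'evil.example' are the same entry."""
    return name.strip().lower().rstrip(".")


class ProtectiveResolver:
    """Blocklist-enforcing resolver front-end (simulated)."""

    def __init__(self, blocklist: List[str], upstream: Callable[[str], Optional[str]]):
        self.blocked = {normalize(d) for d in blocklist}
        self.upstream = upstream
        self.events: List[Dict[str, str]] = []

    def match(self, name: str) -> Optional[str]:
        """Return the blocklist entry covering `name`, if any.

        Matching walks parent domains on label boundaries: an entry for
        'evil.example' covers 'login.evil.example' but NOT 'notevil.example',
        a common mistake in naive suffix-string blocklists."""
        labels = name.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.blocked:
                return candidate
        return None

    def resolve(self, client: str, qname: str) -> Tuple[str, str]:
        """Return (answer, status) where status is blocked / allowed / nxdomain."""
        name = normalize(qname)
        hit = self.match(name)
        if hit is not None:
            # Record who asked for what: this is the detection value of the service.
            self.events.append({"client": client, "qname": name, "entry": hit})
            return SINKHOLE_IP, "blocked"
        answer = self.upstream(name)
        if answer is None:
            return "", "nxdomain"
        return answer, "allowed"

    def block_counts(self) -> Dict[str, int]:
        """Blocked queries per client, the first thing to triage after a block."""
        return dict(Counter(e["client"] for e in self.events))


# Constructed stand-in for a recursive resolver: a static answer table.
UPSTREAM_TABLE = {
    "intranet.example": "10.0.0.5",
    "notevil.example": "10.0.0.6",
    "example.net": "192.0.2.10",
    "login.evil.example": "203.0.113.7",  # real answer exists, but is never returned
}


def fake_upstream(name: str) -> Optional[str]:
    return UPSTREAM_TABLE.get(name)


def run_demo() -> Tuple[List[Tuple[str, str, str, str]], Dict[str, int]]:
    """Run a handful of constructed queries through the filter."""
    resolver = ProtectiveResolver(["evil.example", "phish.example.net"], fake_upstream)
    queries = [
        ("10.1.1.20", "login.evil.example."),  # subdomain of a blocked entry
        ("10.1.1.20", "Evil.Example"),         # case and root-dot normalisation
        ("10.1.1.21", "notevil.example"),      # label-boundary edge case: allowed
        ("10.1.1.21", "example.net"),          # parent of a blocked name: allowed
        ("10.1.1.22", "ghost.example"),        # unknown upstream: nxdomain
    ]
    results = []
    for client, qname in queries:
        answer, status = resolver.resolve(client, qname)
        results.append((client, qname, answer, status))
    return results, resolver.block_counts()


if __name__ == "__main__":
    for row in run_demo()[0]:
        print(row)
```

The label-boundary check in `match` is the design point worth noting: a blocklist that matches on raw string suffixes would either over-block (`notevil.example`) or, if it only matched exact names, miss every subdomain an attacker registers under a blocked zone.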

The revelation and report come against the backdrop of Labor moving to rapidly recast the Morrison government’s $10 billion, decade-long strategy contained in the last Budget that left both industry and agencies pondering how Treasury could calculate the threat landscape so far into the future.

The release of the highly-anticipated report comes fortuitously after home affairs minister Clare O’Neil’s revelation of a major cyber shake-up, the details of which are yet to be released.

Notably, it welcomes the proposed reset, especially the elevation to the cabinet of a specific cybersecurity portfolio, even if some of the blanks still need to be filled in.

“As Australia continues to navigate an increasingly complex cyber threat landscape, now is the appropriate time to refresh and expand from the 2020 Australian Cyber Security Strategy and the Committee looks forward to continuing to work with government to support effective, resilient, and agile cyber security outcomes for Australian communities and businesses,” the CSIAC report says.

“We therefore applaud the Cyber Security Minister’s decision to shape a broader National Cyber Strategy through this lens; a step which will be critical to building and protecting Australia’s sovereign capability.”


Protocol niceties are squared away, but there are some notable areas of serious concern scattered among the wider checklist of good cyber deeds and actions, all of which the CSIAC found have, so far, delivered good value for money.

“Much has been achieved since the Strategy was launched in 2020 as outlined in this report and the Committee’s 2021 Annual Report. However, notwithstanding the many initiatives launched by Government, there are areas where progress has either been insufficient or needs to be accelerated and improved,” the report says.

At the top of the room-for-improvement list is “Hardening Australian Government IT Systems”.

“So far under the Strategy, the Government has been significantly focussed on what business needs to do to improve its cyber defences. It is also important that government makes progress to harden its own systems and cyber defences,” the CSIAC report cautions.

“In asking Australians and Australian businesses to support the Strategy, government needs to be role-modelling cyber best practice in its own operations, while also improving the security of increasingly digital government service delivery.”

The long and grinding road to implementing ASD’s Essential Eight cybersecurity controls across many Commonwealth and state agencies has repeatedly been flagged by oversight agencies, including the Australian National Audit Office, which has documented the difficulty of the security-uplift exercise.

Conversely, there is visible progress in other areas where telecommunications interception laws have been toughened to allow the blocking of industrialised malicious traffic directed at Australia.

“On 25 November 2021, the Telecommunications (Interception and Access) Amendment (2021 Measures No. 1) Regulations 2021 came into effect, clarifying that telecommunication providers can deploy threat blocking technology to identify and block malicious SMS scams at scale on their own networks,” the report notes.

“Telstra blocked more than 200 million scam SMS in the three months up to 31 July 2022, and currently blocks 1,500 scam SMS per minute by leveraging the legislative amendments.”

Unsurprisingly, much of that traffic is an attempt to fleece people of money via a range of scams activated by pulling down malicious software, or just plain trickery.

The CSIAC report describes Business Email Compromise as “now the most financially impactful kind of cybercrime in Australia.”

“Although instances of BEC [Business Email Compromise] are also almost certainly underreported, the ACSC Annual Cyber Threat Report 2020-21 advised Australians lost $81.45 million to BEC in the 2020-21 financial year. From 1 January 2022 to 30 June 2022 there have been over 2,300 suspected BEC incidents reported to ReportCyber.”

That figure compares to online payment card fraud in Australia of $442 million in the 12 months to 30 June 2021, as calculated by AusPayNet, a whopping annual rise of 12.3% that is sheeted back to merchants but isn’t mentioned in the report.
