Cybersecurity ‘crowded pitch’ creates complexity
The protection of data held by governments and individuals has become a task involving a large number of entities – a situation that often creates more problems than it solves.
Professor John Blaxland from the Australian National University said it’s a crowded pitch that can lead to the creation of silos at all different levels of government if it is not properly managed.
Blaxland said that the newly announced role of a coordinator for cybersecurity – a role that will be nestled in Home Affairs – is one way of helping ensure that all of the organisations involved in a fast-moving, complex area with domestic and international implications are working together effectively.
He said that there were various bodies such as the Australian Signals Directorate, Australian Security Intelligence Organisation, AUSTRAC and the eSafety Commissioner that cover cybersecurity in addition to the various defence force equivalents that deal with similar issues and information warfare.
These domestic bodies are not simply trying to swat away digital threats at home. They are liaising with their international counterparts in various jurisdictions — not just in the Five Eyes countries — to ensure that contemporary cybersecurity practices are adopted in Australia.
“It is a fast-moving feast. There is a lot of collaboration, cross-pollination, and a lot of swapping notes,” said Blaxland, who’s written a new book called Revealing Secrets that looks at the history of Australian signals intelligence.
“They have workshops. They have seminars. They update each other on threats, threat capability, software development, and technological breakthroughs in responding to the cyber threats.”
The same occurs between federal, state and territory agencies to try to stay on top of the tricky sets of digital fingers that keep trying to break into systems to nick things from governments, academic institutions and corporations.
Blaxland said that engagement with the states is done through Home Affairs and Defence with joint cybersecurity centres in most capital cities.
“These are service-providing offices on how to mitigate the risks of cyberattacks,” Blaxland said. “They are educational outposts if you like with a mandate to engage with the community and respond to requirements within the community.”
Cybersecurity coordination
Home Affairs minister Clare O’Neil’s recently announced coordinator of cybersecurity is an attempt to try to stitch the various panels of the cybersecurity quilt together so government agencies can respond to emerge digital threats more quickly in dire situations such the data hacks that took place with Medibank and Optus in 2022.
This coordinator role is in addition to new laws related to report of cybersecurity incidents that impact on entities that have critical infrastructure that are designed to mitigate the impact of large scale attempts to disrupt business and steal data for the purposes of extortion.
Coordination is one thing but providing a broader analysis of threats from a cybersecurity perspective is also important for understanding, according to Bart Hogeveen, the head of cyber capacity building at the Australian Strategic Policy Institute.
Hogeveen said the recent practice adopted by the Australian Cyber Security Centre of providing an annual assessment of cybersecurity threats is useful in establishing an understanding of challenges Australia faces.
“I think it is super, super important. If done properly, that sort of document gives a whole of government appreciate of what’s occurring across the landscape,” Hogeveen said.
“Where are the threats coming from? What are our priorities? Where are we most vulnerable? That should ideally inform not just policy decisions, but operational decisions about where to deploy different capabilities at a federal and state level.”
Governments are putting their game pieces in place when it comes to dealing with cybersecurity threats but what do corporations – the ones in the public spotlight when hacking incidents occur – think about the new regulations and obligations that have landed at their doorstep?
A World Economic Forum report recently revealed that corporate attitudes have shifted materially over a 12-month period.
More than half of the respondents to did not agree that “cyber and privacy regulations are effective in reducing their organisations cyber risks” in 2022 but 73% of respondents agreed with the same statement a year later.
The commercial or private sector might be getting used to the need for greater government intervention in the quest to protect systems from cyber attacks from state or non-state actors, but governments have just as much to learn in the process.
What did a government department like Home Affairs learn about itself when it took a look in the cyber mirror after the Optus and Medibank hacks?
Evidence provided by Home Affairs secretary Mike Pezzullo to the most recent round of Senate estimates hearings revealed the department had the possibility of data being used for the purposes of extortion as part of its risk assessment following the data being and stolen at both Optus and Medibank.
He said that the department had learned a range of things about how it operates when it examined Home Affairs’ internal systems following the major data breaches in the private sector.
“Certainly the learnings that the department formed in relation to both matters are that we have very well-honed practices and procedures that really relate to what I’d call the technical breach, which I was describing to Senator Shoebridge earlier: how an actor might get into your network; how they might roam through your network; how they might exfiltrate data; how they might encrypt that data for the purposes of ransom,” Pezzullo said.
“And how they might exploit that data for, for instance, extortion purposes by, for instance, transmitting that data onto the dark web. You saw instances of that occur with both Optus and Medibank in different kinds of ways — certainly in relation to Medibank.”
The approach to the cybersecurity issues outlined by Pezzullo to senators at the hearing was consistent with the kind of philosophy employed in dealing with natural disasters, and he likened the work done by the Australian Signals Directorate as being similar to that of a first responder in a fire or flood.
“So, the excellent work done by, for instance, the Australian Signals Directorate, which is a Defence portfolio agency, and the centre within ASD known as the Australian Cyber Security Centre is the equivalent of the initial first responder: make sure everything’s safe, make sure that lives are being saved and all the rest of it, in the same way that our firefighters and emergency services personnel would undertake,” Pezzullo said.
“But then there’s often a long tail to these incidents that is really beyond the initial technical breach and that relate to things like stolen identities, information on the dark web, some of the matters that Senator Shoebridge was referring to in other respects [during the hearing] and in some cases even the publishing on the dark web of residential addresses that can give rise to physical threats.”
Disinformation, deep fakes and the deception economy: cyber’s new reality
- Give them nothing: Data governance practices to stop hackers in their tracks
- How geopolitics is shaping government cyber agendas
- The role of data science in optimising health and other government services
- Where radicalisation starts and how fake news spreads
- Why quiet quitting is a cybersecurity risk
- Cybersecurity ‘crowded pitch’ creates complexity
- Inside Australia’s digital identity journey
- Outside the algorithm: disinformation, deception and influence
- With digital ID top of mind, have government biometrics finally beaten fraud?
- In myGov we trust: Labor puts its faith in digital
- Getting the best outcomes from integrated datasets
- Why the right messaging can help bureaucracies counter disinformation
