O’Neil mandates cyber rehab boot camp for dozy agencies and critical infrastructure

By Julian Bajkowski

April 4, 2023

Minister for cybersecurity Clare O’Neil. (AAP Image/Mick Tsikas)

Government agencies, utilities and corporates such as banks covered by the Security of Critical Infrastructure Act (SOCI) will soon have to front up to regular, government-coordinated counter-penetration and incident response exercises and fitness tests under a crackdown on cyber slackers.

The sharp and swift measure is a response to what home affairs and cybersecurity minister Clare O’Neil likened to those ultimately overseeing corporate and government cyber functions being asleep at the wheel, as hostile state and criminal hackers increasingly target Australian systems for intelligence plunder and financial profit.

Speaking at the Australian Strategic Policy Institute’s Sydney Dialogue on Tuesday, O’Neil said “Australia is waking up from the cyber slumber, but now we need to hit the gym”.

“I have no doubt we will discover some areas where we need to train harder on incident response ensuring plans don’t just sit on the shelf.”

So far the government is coy about what will happen to those who fail the cyber fitness and penetration tests, but the obvious answer is that it will seek to address weaknesses as they are identified.

While technical weaknesses have more easily accessible remedies, the real question is what happens to company directors or executives in entities covered by SOCI requirements who repeatedly flunk cyber tests.

A known issue is that many directors who promote their cyber acumen to prospective boards when seeking seats come from a digital marketing or legal background, with little or no systems or software engineering experience, or working knowledge of the networks being targeted.

Regardless, O’Neil is insistent cyber snoozers will benefit from a spot of state-sponsored cardio.

“This exercise series will build muscle memory in how to deal with a cyber attack — and importantly cover the types of incidents we have not yet experienced on a national scale — such as a lock-up of critical infrastructure or integrity attacks on critical data,” O’Neil said.

“Critically, it will look at how to work with governments, including dealing with the consequences of a crisis that inevitably will not impact just one company but potentially millions of Australians.”

Dog acts hacked back

O’Neil’s pledge to pay back criminal cyberattacks on Australian entities, especially the persistent epidemic of ransomware and wholesale data theft hits, is also being fulfilled, and authorities are going in with both fists (metaphorically speaking, of course).

“A big part of the Australian government’s approach is punching back at cyber attackers for the first time. We’re doing that through our Hack the Hackers Taskforce – a 100-strong force of ASD and AFP officers who are hacking back at criminals who would seek to do Australia harm,” O’Neil said.

Despite the payback, the hits keep coming and intensifying.

“Given the combined breaches of Optus, Medibank and now Latitude, there probably is not an Australian who either has not been impacted personally or does not have a close family member that has,” O’Neil said.

“Last week, Latitude advised that a forensic review of the incident uncovered the fact that a total of 14 million records, encompassing 7.9 million Australian and New Zealand driver’s licence numbers, 53,000 passport numbers and 100 monthly financial statement records had been exposed.

“It is understood that the personal information accessed for impacted individuals also includes name, address, telephone and date of birth.”

The other problem is that Latitude, while portrayed as a credit vendor, is also basically a bank. While people largely don’t care if a company they owe money to gets hacked, they care a whole lot more if the bank holding their savings or receiving their pay is rumbled. That is why Latitude sent shudders across industry and government.

O’Neil warned that while many current breaches are enabled by human error, the combination of artificial intelligence, automation, quantum decryption and technical improvements could soon see far more technical, machine-to-machine cyberattacks.

Digital identity backed-in

After decades of state-mandated data hoarding in the name of anti-money laundering compliance and rapacious know-your-customer checks ranging across government, banks, utilities and even RSL clubs, the digital identity penny appears to have finally dropped in the current federal Labor cabinet.

There’s still a privacy and access debate to be had, but O’Neil has backed her cabinet colleague, finance minister Katy Gallagher, in supporting the rollout of commonwealth digital credentials.

Labor had previously shot down attempts to digitise or nationalise identity credentials as Orwellian over-reach, including opposing the 2006 Access Card proposal to create a single, multi-use credential using a chip that has now been leapfrogged by smartphones.

It is still unclear in NSW whether the new Minns government will support the pursuit of a digital identity credential pushed by former state digital minister Victor Dominello, who has been replaced by Jihad Dib.

While NSW Labor played possum on the issue of digital identity and the future of Service NSW, Bill Shorten is an unashamed fan of digital identity, striking a reformist bromance with Dominello that has resulted in the jurisdictions playing swapsies with items like the Medicare card that can now go into a Service NSW digital wallet.

O’Neil can see the benefits, too.

“Only this morning I was discussing with my colleagues the urgent need to refresh our national strategy for identity resilience, together with our state and territory counterparts,” O’Neil said.

“Under the leadership of my colleague, the minister for finance Katy Gallagher, this government is moving forward on a new national digital ID system. This will streamline transactions and reduce the need for companies to hold unnecessary data; and where they do hold personal data, ensure it has the highest level of protection.

“Ultimately, this is all about making Australian identities hard to steal and, if compromised, easy to restore.”

Feeling lucky

But there is conspicuous silence on the future of Australia Post’s much-vaunted digital identity system, launched to great fanfare a few years ago. It seems to have been iced following the departure of Ahmed Fahour from Australia Post, which came after an epic row with the Morrison government over making banks pay their way.

Fahour was appointed to Post’s top job by the Rudd government, and many of his key executives followed him onto his next gig at Latitude, where he recently announced his planned departure prior to the breach.

O’Neil’s unspoken message at ASPI to cyber protagonists and potential adversaries was also pretty clear: before you hit another Australian bank, there’s one question you need to ask yourself — do you feel lucky?

“Making hackers think twice about targeting Australian interests is being conducted with some of our closest allies and partners to impose costs, shatter technical capabilities and undermine the cohesion of these threats by targeting all aspects of their business model such as ransomware-as-a-service,” O’Neil said.

The key word there is impose costs. Just don’t ask how, or where the crypto went.
