Australia’s Corporate Soft Underbelly First Point Of Cyberattack
Security, military and cyber experts are alarmed by corporate Australia’s lack of awareness or preparedness for cyberattacks, writes Steve Cropper*.
In December last year, then Home Affairs Minister Peter Dutton raised cyber security as a critical issue when he introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and told parliament it was “a significant step in the protection of the critical infrastructure and essential services which all Australians rely upon”.
He might have appeared like a prophet of doom back then when he told Parliament, “Australia has not suffered a catastrophic attack on our critical infrastructure, but we are not immune – malicious cyber activity has been identified as one of the most significant threats affecting Australians”.
While the original Bill dealt mostly with threats ranging from natural hazards such as weather events, it also considered human-induced threats such as cyberattacks, espionage, chemical or oil spills, and from trusted insiders.
Dutton said that Australia is facing increasing cyber security threats to essential services, businesses and all levels of government. Since then, Dutton has moved to the Defence Ministry and we have seen cyberattacks on federal parliamentary networks, logistics, Channel Nine, banking ATM networks, the medical sector and universities, just to name a few.
Elsewhere, the Russian-linked SolarWinds attack and the China-linked attack on Microsoft Exchange have stunned governments and observers worldwide. And yet, cyber security budgets in Australia’s corporate sector have remained stagnant and executive teams continue to underestimate the level of damage cyber threats can do to organisations according to the Sophos survey report, The Future of Cybersecurity in Asia Pacific and Japan.
The survey found that 52 per cent of Australian organisations suffered a data breach in 2020, up from 36 per cent in 2019 – this is despite 61 per cent of Australian organisations claiming to have a proactive or better security capability in place today. This is still considerably better than the average across Asia Pacific and Japan, where 70 per cent of surveyed organisations reported a breach in 2020, which is a 2-fold increase since 2019.
At present, the new legislation is being reviewed by the Parliamentary Joint Committee on Intelligence and Security, but according to a leading academic in the field, all the new amendment does is announce the build-up of our already near non-existent cyber mitigation capability.
Former chief executive officer of the ANU’s Cyber Institute Lesley Seebeck says the problem faced by the government is the demand curve in terms of the depth, breadth and level of cyberattacks on critical infrastructure is increasing.
“There are also a lot more nation states getting involved in attacks and the supply chain in terms of people and cyber capability is pretty flat,” Seebeck said.
Meanwhile, vice-president of the Australian Security Industry Association Rachaell Saunders said the key word in cyber security is the word ‘security’.
“There are plenty of IT consultancies who advise their customers on fortifying their computer systems, but that’s not enough,” Saunders said. “Cyber security is about a lot more than just computer systems and organisations have to examine their operations from a broader security standpoint.”
Saunders said corporates need to be better educated about how cyber incursions are carried out.
“Cyberattacks include gaining access to codes via email phishing, people impersonating banks or other so-called trusted sources to gain critical data about people to help them break into companies’ systems. Cyber intruders get inside companies by taking jobs – even as cleaners, and sometimes, they just break in and steal critical information.
“It’s important that companies stop thinking about cyber as just something that happens in computers and see it as a major security challenge,” she said.
Last year, the Australian Strategy Policy Institute’s researched Australia’s Cyber vulnerabilities and found: “Our approach to national security planning should now include key companies and their supply chains: it’s time to rethink our national security approach in a more complex, dynamic and interconnected world.
Their report, “From Board Room to Situation Room” described the corporate sector as Australia’s soft underbelly and the most likely point of first strike by a hostile nation state.
The authors recommended closer integration between Australia’s government security agencies and the Australian Defence Force with the private sector.
Concerns about cyber vulnerabilities are not limited to the Government, Defence and the Security Industry. The recent Australian Security Confidence Index (ASCI) showed that Australians feel most unsafe online (41 per cent), especially people over 40, who fear cybercrime, identity theft and other cyberattacks while using online banking, chatting in social media or online shopping.
In the final analysis, Australia’s characteristic ‘she’ll be right’ attitude will have to give way to a strong dose of reality. Australia must wake up and get cyber-ready before it’s too late.
*Steve Cropper is Industry Affairs Officer for the Australian Security Industry Association Ltd.