EXPERT PERSPECTIVE — Australia has suffered enormous back-to-back cyberattacks in recent months. The first major attack hit Optus, Australia’s second-largest telecommunications company, in September. The breach compromised the personal and medical data of 10 million customers. Weeks later, another attack hit Australia’s biggest health-insurer Medibank Private Ltd, leaking the data of 9.7 million of the company’s past and present customers.
The Optus and Medibank hacks compromised the data of a total of 14 million customer accounts. The Australian Federal Police (AFP) said they believe those responsible for the breach are in Russia but have yet to formally identify them. Cybersecurity experts say that the hackers may be linked to the Russian-backed REvil ransomware gang.
Initial scrutiny following the attacks turned to the targeted companies. The Office of the Australian Information Commissioner (OAIC) is probing whether Optus and Medibank complied with privacy laws and handled the personal information of customers appropriately. Both companies say they are working on shoring up their cybersecurity policies.
The breaches have also prompted the Australian government to strengthen data privacy safeguards. The Australian parliament has passed changes to online privacy laws that increase the maximum penalty that companies face for privacy breaches from AUS $2.2 million ($1.4 million) to whichever is greater of AUS $50 million ($32 million), three times the value of any benefit obtained from the misuse of stolen data, or 30% of the company's adjusted turnover in the relevant period. The regulatory changes aim to incentivize companies to strengthen their cybersecurity stances to better protect their data.
Additional changes will strengthen the power of cyber authorities to investigate breaches. Interagency collaboration on cyber issues will also be boosted, as seen in the establishment of a permanent joint standing operation between the AFP and Australian Signals Directorate on cybercrime.
Canberra is also considering the more drastic response of banning ransomware attack payments. The move would criminalize cyber ransom payments to undermine cybercriminal extortion efforts. Critics of the strategy say it will discourage companies from reporting cyber incidents. They also warn that it may be used as another layer of pressure by attackers on victims and prompt cyber threat actors to demand payments in alternative ways.
Australian Cybersecurity Minister Clare O’Neil has vowed that the Australian government will “hack the hackers” to prevent further major cyber incidents. This new, offensive approach would have Australia proactively target and take down cybercriminals who they believe pose a threat. Difficulties with this strategy include the distributed nature of cybercriminal groups and the lack of assurance that attacks will permanently harm cyber adversaries.
Australia is also pushing its allies for greater cybersecurity cooperation. At a recent cybercrime summit in Washington, Australia said it will lead an international counter ransomware taskforce. The ‘International Counter Ransomware Initiative’ will facilitate capability and information sharing and have members participate in biannual cyber war games.
BACKGROUND
- Australia is no stranger to escalating threats in cyberspace. The Australian Cyber Security Center (ACSC) reports that it received 76,000 cybercrime reports last financial year, marking a 13% increase from the previous year.
- Other major hacks in Australia’s private sector include a breach of the retailer MyDeal, which is majority-owned by grocer Woolworths Group Ltd, that exposed the personal information of 2.2 million customers; a breach of Australian Clinical Labs that exposed the data of 223,000 patients; and a breach of Australia’s largest telecoms operator Telstra that exposed the data of 30,000 current and former employees back to 2017.
- Ransomware attackers targeted ForceNet service, an external communications platform used by Australian military and defense staff, in late October. Australia’s Defense Ministry says the incident did not result in a breach of data.
THE EXPERTS
The Cipher Brief tapped a range of cyber experts to provide a more comprehensive perspective on the attacks and what they mean for Australia moving forward. We asked Australian Ambassador for Cyber Affairs and Critical Technology Dr. Tobias Feakin; Bracket f, Inc. CEO Tim Kosiba; and KBI Founder Karissa Breen to assess the impacts of the recent cyberattacks and to better understand what steps Australia is taking to bolster its cybersecurity.
Dr. Tobias Feakin, Australian Ambassador for Cyber Affairs and Critical Technology
Dr. Tobias Feakin is Australia's inaugural Ambassador for Cyber Affairs and Critical Technology. He formerly served as Director of National Security Programs at the Australian Strategic Policy Institute and was Director for National Security and Resilience at the Royal United Services Institute in London. He is also a Senior Fellow with the Royal United Services Institute and a member of the Carnegie Endowment for International Peace's FinCyber Advisory Group.
Tim Kosiba, CEO, Bracket f, Inc.
Tim Kosiba recently retired from the National Security Agency after 33 years of federal service. He most recently served as a deputy commander with the Department of Defense and represented the NSA and US Cyber Command at the White House. He previously worked as a technical lead for the Naval Criminal Investigative Service and was also formerly the chief of the NSA special liaison office in Canberra, Australia.
Karissa Breen, Founder, KBI
Karissa Breen is a former cybersecurity practitioner who founded KBI, a media and marketing organization that specializes in improving the communication and engagement strategies of technology companies. She also serves as the Vice President of Communications at YOLO Entertainment and is a Corporate Board Member at the Canberra Business and Technology College.
Expert Q&A
The Cipher Brief: Can you give us a sense of the impact of recent cyberattacks? Putting the numbers aside, has the public or private sector been more impacted or galvanized to rethink its cybersecurity posture?
Feakin: Putting aside all the numbers, I think what we have been through inside government and externally has been a real wake-up call in terms of the threat landscape that's out there and proportions of the threat that we are dealing with here in Australia. Colleagues internationally of course, deal with the threat too. But for us in Australia, I would say A) absolutely, you've seen how ministers across our cabinet, primarily Cybersecurity Minister, the Honorable Clare O'Neil but also other members of cabinet, have been very vocal in responding to these incidents and taking it as a key priority area for this government to take forward. That's also resonated clearly with all the government agencies inside the Australian system. Equally, I think you've seen a wake-up call in the boardroom in Australia that these types of incidents can happen and will happen on occasion.
There is that old attitude that you'll probably sigh at, but it's not a matter of 'if', it's 'when'. But I think what you see now is the boardrooms of Australia abuzz with how we position what our cyber posture is vis-à-vis this kind of incident. And actually, what is our cyber posture vis-à-vis any other kind of cyber incident? We've had two large scale data breaches and obviously there's a whole array of different threats out there in the cyber landscape that could impact business.
Then the trickle-down effect of this as well, is also a public awareness now of these issues because of the widespread impact on members of the public and their information that would suggest a significant difference in the level of personal consciousness in terms of data access and data provision from individuals.
Breen: The sheer scale of these attacks has been the largest in Australia and something our country hasn’t witnessed before. Consumers have definitely been affected, exacerbated by the fact that they didn't know or fully appreciate the implications that these types of attacks can cause.
People are on high alert due to many of them unfortunately — and very loudly — subsequently becoming victims of identity theft with criminals attempting to take out loans in their names. Due to these attacks being so recent, we are yet to experience the full impact, which may take place over a longer period of time, and the total scale of the ramifications may never be fully understood. Truly, the reverberation of these attacks could go on for months or even years, as the identities of those compromised can’t be used en masse, but will typically be used more surreptitiously and judiciously so as not to trigger wholesale actions that block any potential transactions more aggressively.
There will undoubtedly be some shift in public policy to — at least ostensibly — address and placate the population writ large, that this ‘...will never happen again.' At least until the next time.
The Cipher Brief: What is the nature of the cyber threat? What kinds of attacks are happening, and are they mostly from state-sponsored or cybercriminal groups?
Feakin: We are concerned about the whole gamut of threats. Let me do the simple breakdown. Obviously, Australia has a deep concern about state-based threats, whether it be for espionage or other purposes. Obviously, we have increasing concerns about the level of cyber criminality and I would suggest if there's been one significant uptick in our consciousness and understanding of the threat, it's the uptick in cyber criminality, and we can dig into that in a moment. Thirdly, it's that increased numbers of individuals have access to the tools necessary to conduct cyber criminality or interference, if they wish, for whatever reason that might be. What we often find is that individuals can be operating by themselves within criminal groups and indeed with certain states. There's an increased blurring of boundaries in a significant way, which is a significant threat in and of itself. It means tackling individuals is as important as tackling the larger states that might be housing some of the criminal groups, too. But certainly in terms of the cyber criminal issues that we are dealing with, here are some figures for you. The Australian Cybersecurity Center released its annual threat report and it received more than 76,000 cyber crime reports over the last year. That was an increase of 13% from previous years. We've seen the average cost of each cybercrime report increase by 14%, whether you're a small, medium or large industry partner. So everything's trending upwards.
We've also seen a huge upward trend in responses that the Australian Cybersecurity Center had to make to ransomware incidents during the last year, with responses to 135 ransomware incidents. That was an increase of over 75% compared to 2019/20. Those are just some of the statistics we're dealing with. Then incidents like this really bring that home in a significant manner.
Kosiba: Like recent attacks in the United States, these intrusions happening in Australia appear to be profit motivated. Cyber criminals and nation-state actors continue to evolve their techniques in order to stay ahead of defenders. Industry and government in Australia, like other democratic countries that find these attacks insidious and criminal, must prioritize their efforts to protect and defend their intellectual property, PII, PHI, and other valuable information that can be monetized by criminal hacking organizations. Continued sharing of threat information between governments and private industry is critical to successfully stopping these actors.
Breen: We are yet to know the identity of the attackers — accurate and unquestionable attribution is nearly impossible. While complex geopolitical conditions can indeed lead directly to state-sponsored attacks, we frequently see direct correlations in the increase of these nefarious activities in lock-step with more traditional military efforts by nation states. In these recent instances, it seems that any equivalence would be circumstantial, and likely merely opportunistic. When there’s already a hurricane, it’s easy for a breeze to go unnoticed.
The nature of state-sponsored hacking has somewhat shifted over the past five years into more of a grey area. ‘State-endorsed’ or ‘State-slightly-more-than-condoned’ are likely more accurate monikers, as private groups seek approval, and very likely funding, from the state, rather than being directly set up and run by the state. Previously, such groups would be more military than paramilitary.
Regardless of taxonomy and organisation, the scale and sophistication of such threat actors is only growing year after year. And while we see the structure of these groups as somewhat fluid and ill defined, the repercussions their attacks have is universal, as they compromise both public and enterprise organisations, undermining public trust and confidence, while profiteering handsomely.
The Cipher Brief: What do you think is the reason for the spate of cyberattacks? Is it a lack of cybersecurity regulations? Is it a lack of cybersecurity professionals?
Feakin: The journey that everyone is on with approaches to cybersecurity, is that you are constantly recalibrating and adjusting your settings and understanding of where the threat's coming from, what it's targeting and what are the best responses. What we have done as government and what our ministers have said very clearly and the Cyber Security Minister, Clare O'Neil has said, is that she is taking this challenge head on. Rather than dwell on exactly what could have been done better — and there is a review going on currently inside government headed by an individual called Rachael Falk into the Optus and Medibank breaches — it's lessons learned. What could be done better? One thing that this government has decided is that it will reevaluate its cybersecurity strategy and make sure that that is fit for purpose.
Kosiba: These attacks are profit motivated. In Australia, cybersecurity regulations are advancing at a similar pace in the United States. Leveraging cybersecurity professionals across the globe who are trusted and knowledgeable is key to defending company IP and information valuable to criminal actors. Australia is leading the effort in their stated position to no longer tolerate such unlawful hacking activity. Choosing to “hack back” is a bold policy statement, which could have some short-term benefits and not many long-term gains. Whether the actors are state-sponsored, proxies, or criminal hacktivists, these organizations have shown a level of resilience themselves.
Breen: Fundamentally, my opinion is that it's the nature of our world becoming exponentially more digitised. We’re at a critical tipping point now where the push towards making (just about any) records digital is inescapable, but the ability to do so with the requisite level of security is lagging significantly. It’s easy to do and you can be anywhere in the world to perform these types of attacks. I’m still unsure if more regulation will solve the immediate problem.
The Australian Government has been discussing cyber reforms in order to address the types of shortfalls exemplified by the organisations that were recently breached. This will likely fall to the creation of new regulations and push organisations to invest more heavily, and prioritise cybersecurity accordingly.
Opinions on whether a shortage of security professionals directly or indirectly led to these attacks are wildly varied. From my observations, however, there is a shortage of capable professionals at the moment, and this certainly does pose a risk for Australia long term. In the instances we’re talking about, it seems poor practices were likely the culprit, with rudimentary security measures being neglected in terms of API implementations and secure coding practices as outlined in the SSDLC.
The Cipher Brief: What steps are the Australian government and private industry taking to increase cyber resilience?
Feakin: With sharpened attention on these issues, that means that even more efforts will be made to make sure that those response settings are appropriately sharpened. One of those has been the Privacy Act changes that uplift the penalties for serious or repeated privacy breaches. It was sitting at $2.2 million as a penalty, that's now being lifted to whatever's the greater of 50 million Australian dollars, or three times the value of any benefit obtained through the misuse of information, or 30% of a company's adjusted turnover in the relevant period. That's a significant uplift in penalties against companies that are seen not to be taking their responsibilities appropriately in accordance with the legislation.
It also means that as part of this cybersecurity strategy, the government is looking at all measures in terms of how to lift the bar of cybersecurity across the economy and across the entirety of the Australia network whether it be government, industry, or civil society. That's a process that's ongoing right now in government at a rapid pace and in a very serious way.
In response to the "hack the hackers" question, I'll say that Australia's made no secret that it has an offensive cyber capability that it would use against criminal entities. I believe in early 2018, we acknowledged that we had and would use, an offensive cyber capability against criminal entities. What [Cybersecurity Minister Clare O'Neil] is referring to is her initiative to create a new grouping to pursue cyber criminals through a new offensive unit staffed jointly by the Australian Federal Police and the Australian Signals Directorate (ASD), to go after criminals' digital infrastructure.
Kosiba: The establishment of the Australian Cyber Security Centre (ACSC) was a huge step forward to deal with these types of attacks. The Australian government has ample personnel and technical resources; the question is about priorities and leveraging relationships to defeat these actors.
Breen: An event like this had to take place for people to collectively open their eyes, which we’re currently witnessing, and to take heed of cybersecurity practices.
Any cyber reforms are at least a step in the right direction to close the gap between best practice and cybersecurity reality. The specifics of how that will manifest are yet to materialise, but are hopefully more than tokenistic, just being aimed at appeasing the current national sentiment.
The practice of ‘threat hunting’ where security practitioners proactively look for and address, any threat that penetrates defences, can work in isolation. The notion of hacking the hackers though, may lead to escalation when announced. A more surreptitious approach may be wiser, but given the possibility of several recent attacks being executed by individuals, the very overt threat may deter others — particularly domestically — from following suit.
The Cipher Brief: What role do allies and partners play in bolstering Australia’s cybersecurity?
Feakin: The International Counter Ransomware Taskforce (ICRTF) is housed by our home affairs department and it's a new global disruption effort with 36 different countries to formulate and then operationalize ever more effective ways of countering ransomware. Its purpose is to bring the joint ingenuity of our operational community from 36 countries to make sure we're all better equipped to deal with what is a significant global problem. That's one way we collaborate internationally. Obviously, all of our operational agencies are always collaborating, whether it be through Five Eyes or through various other conduits. The international outreach work that we do through this role continually builds better bilateral, regional, and global ties so we're on the same page not just from an operational point of view, but from a policy point of view, in understanding what the threat is and how to respond to that.
As I said, one of the ways that we help our regional partners, because ransomware issues are impacting many countries around our region, is by capacity building and assisting nations with their technical ability, both from a human resources point of view with technical training skills, but also from a technology point of view, to be able to respond to these incidents, too. We spend a lot of time and effort and money through our cyber capacity building efforts to try and raise the collective cybersecurity bar in our region. We've invested well over $100 million over the years in doing that and we've run close to a hundred different projects around the region in order to do exactly that.
I would underscore in a position like the Ambassador of Cyber Affairs and Critical Tech, one of the roles that it plays, is in its international outreach and coordination. I'd stress the vital role that the international outreach part of this equation plays because there are so many countries in the world that are struggling with baseline cybersecurity and awareness of the new technological era that's creating all these economic opportunities. One of the things that we strive incredibly hard for in this sense, is to try and raise that bar. I would just underscore that. The more we can collaborate and coordinate internationally, the better equipped we're all going to be to work our way out of these issues.
Kosiba: The United States has always valued Australia as a like-minded partner in defeating those who challenge our way of life and beliefs. The Five Eyes and other allies are committed to being staunch supporters of national efforts to crush these activities which continue to have detrimental impacts on our societies. The White House recognizing Australia to lead an international task force against ransomware actors is indicative of the close relationship that exists today. Australia will continue to lead efforts in the future given their advancements in the field of cybersecurity.
Breen: With most security endeavours, whether militarily or relating to cybersecurity, the more collective data present, the more informed the response, the better the ultimate outcome. Much like the Five Eyes intelligence alliance, this recent summit could lead to an improvement in the security posture of each member nation.
By leveraging new technologies that can compute incredible volumes of data — including cyber telemetry and related threat intelligence — a federated understanding of current threats can protect all members in any alliance. The resources provided collectively benefit each member individually as economies-of-scale mean that new research and technologies can be developed collectively that otherwise may not have materialised.
While far from a panacea warding against the world’s threat actors — including other nation-states — a collective effort is the best chance we have of at least reducing the incidence and severity of any cyber threat.
Cipher Brief writer Ethan Masucol contributed to this report.