The NSW Department of Resources and Energy last month revealed that its regional NSW was the subject of a cyber attack in December, occurring not long after a significant breach at the Bureau of Meteorology and at a time when projects such as the $1.2 billion Shenhua Watermark coal mine were being considered.
The executive director of the Australian Strategic Policy Institute, Peter Jennings, drew similarities between the two attacks, saying hackers search for vulnerabilities to exploit to get to their ultimate target: “hackers are looking for the weakest link in the chain, again similar to the Bureau of Meteorology where apart from the value of the bureau’s data, they’re looking for links in to perhaps more classified areas of government activity and it’s a case of going to where you think you might have the best opportunity to actually infiltrate computer systems.”
Alarmingly, he added that it’s difficult for government departments to tell whether they’ve been compromised in an attack: “So I think perhaps a more accurate way to put it would be to say they don’t think they’ve been compromised on this occasion, but if it’s like many other areas of government, they will be under constant attack, there will be sort of daily probes, hourly probes on the part of malicious cyber actors looking for vulnerabilities.”
Recent research by the Australian Centre for Cyber Security (ACCS) painted a grim picture of Australian readiness, saying government and civilian organisations were well behind the preparation of China and the United States and that Australia and other middle powers have overly relied on United States internet prowess.
The report’s author, Professor Greg Austin, has described the Australian response to cyber-security threats as “slow and fragmented” and called for a “rapid catch-up in Australian capabilities for military security in the information age.”
For its public sector, the US government relies on a $6 billion system called EINSTEIN, or the National Cybersecurity Protection System, rolled out in 2013 to detect and stop cyberattacks on its computers. But in damning criticism, the US Government Accountability Office (GAO) says EINSTEIN gives its users only “a limited ability to detect potentially malicious activity entering and exiting computer networks at federal agencies,” identifying only 6 per cent of the common vulnerabilities in typical government programs including Microsoft Office and Internet Explorer in GAO tests.
The culprit for system failures may be a familiar one, however: human error and lack of implementation. In the same tests, the US GAO found just 5 of 23 federal agencies actually use the “intrusion prevention” parts of the system that actively block malicious content.
In other studies of US public servant behaviour, 20 per cent of thumb drives intentionally left in car parks and public spaces were plugged in, 22 per cent of employees clicked on a URL in a test phishing email, and over 40 per cent of employees provided passwords to someone posing as IT support.
Human vulnerability in cyber security systems is believed to be how Stuxnet was released. Stuxnet was the first discovered malware that spies on and subverts industrial systems and one of the most well-known examples of modern malware targeted at military and industrial targets.
Professor Austin explains that these vulnerabilities can have impacts on a massive scale: “cyberspace governs all economic, social, scientific, business and medical activity dependent on any sort of computerised record keeping or more complex analysis.”
Austin called for a national innovation strategy, and recommended increased investment in IT and education, to encourage more graduates into the field.
In addition to pledging to make innovation a cornerstone of his leadership, Prime Minister Malcolm Turnbull announced an annual Australia-US Cyber Security Dialogue last month to work together in tackling cybercrime.
Turnbull also promised $30 million over the next four years as part of the government's AU$1.1 billion National Science and Innovation Agenda to establish a new industry-led Cyber Security Growth Centre, estimating in government publications that the global cybersecurity market is worth more than $71 billion and growing at least 8 per cent each year.
What is clear from recent attacks is that cyber security is an industry that shows no signs of slowing down, and federal and state governments stand to be severely compromised if they don’t invest in up-to-date systems, education systems and internal procedures to ensure implementation.