Taiwan’s Vice Premier Simon Chang wants in on the US government’s Cyber Storm exercises. A biennial exercise series curated by the Department of Homeland Security, Cyber Storm tests the capacity of agencies and critical infrastructures to absorb and respond to cyber attacks. Several foreign government agencies, including Australia, have been invited to participate in the exercises in the past. Chang argues that the move would help strengthen the countries’ defences against unrelenting attacks from China. US cyber security firm FireEye released figures in 2014 that showed Taiwan faced the most targeted attacks that sought to steal data in the Asia-Pacific region, a large proportion of which targeted government networks.
US coding site GitHub knows all about unrelenting attacks. The site is enduring the sixth day of a massive DDoS attack. The attacks have been traced back to Chinese search engine Baidu and are targeting two specific pages. One, GreatFire, develops ways for users to circumvent the so-called ‘great firewall of China’. The other is a Chinese mirror page for the blocked New York Times website. The company has successfully managed to deflect a large amount of the DDoS traffic, which is positive given the number of companies and programmers who rely on the site as a coding resource.
The US has taken China to the WTO over its proposed new banking technology restrictions, with some success. The new rules, proposed in December, were set to force banks to have ‘all new computer servers, desktop computers and laptop computers and 50 percent of new tablets and smartphones meet “security and controllability” requirements’. These moves were developed to encourage ‘indigenous innovation’ and promote ‘cybersecurity’. However, the US government challenged the plan, arguing that it challenged the WTO fair trade rules. It seems that their protests have gained some traction as China has ‘suspended’ the regulations, for now.
While bigger international security issues continue to grab headlines, more mundane cybercrime is arguably far more damaging to the overall stability and security of cyberspace. As Charles Henderson, vice president of managed security testing at Trustwave, characterised the threat to point-of-sale devices, ‘It’s not some ninjas coming through the ceiling on ropes, putting malware on your point of sale in the dead of night… It’s fairly easy attacks.’ The reason that simple attacks can wreak such havoc is that so many businesses are not taking the most basic steps to improve the security of their systems and lack deep-dive testing.
Of course, one cannot blame businesses for forgoing pragmatic steps to improve cybersecurity when government is setting such a poor example. An Auditor-General’s report found that the information security of four of Tasmania’s largest state bodies was lacking, with all the departments failing to fully implement the top four mitigation strategies from the Australian Signals Directorate. The Department of Treasury and Finance and the Department of Primary Industries, Parks, Water and Environment struck back, claiming that state agencies do not require the same level of cyber protection as Federal Departments and that the costs don’t justify implementation of these measures.
One group not taking the cyber threat so lightly is lawyers. With further data retention and breach notification legislation in the works, the cyber risk insurance market is set to boom, and as the Australian Securities and Investments Commission continues to focus on incident reporting, companies are likely to ‘face greater compliance and regulatory burden’ in cyber risk management.
While greater investment in business cybersecurity would be a welcome step, without proper information sharing within the private sector and between government and businesses, the cards will remain heavily stacked against the defenders. Step one to facilitate information sharing is building trust, no easy task. Deepak Jeevankumar offers a call to arms and a few suggestions to bridge the trust chasm, including the appointment of Chief Trust Officers and expiration dates for data. The US Congress has been set to take a crack at this challenge as well; however, Jennifer Granick tempers expectations, calling this a banner year for flawed cyber information sharing proposals.
Of course, all of this will be moot when the robots take over. DARPA is kicking off a two-year competition to lay the groundwork for automated cyber defence. Although it is very much in its early stages and a fully automated system is not likely anytime soon, initial tests have been promising and these systems could offer a more cost-effective way for companies to automatically spot and fix vulnerabilities.