We’re (not really) under cyber attack
3 Aug 2015


Last week’s release of the first Australian Cyber Security Centre (ACSC) Threat Report provides some sobering statistics and interesting case studies on the cyber threats facing Australia. It outlines the problem well, but beyond the usual missives to implement ASD’s Top Four Mitigation Strategies, it’s relatively mute on the response. This is a task that has likely been left for the Government’s Cyber Security Review to complete in the coming weeks.

It’s unsurprising to most that Australia endures constant attempts to breach public and private networks. The combined 12,204 incidents that either ASD or CERT Australia responded to in 2014, around 33 each day, provide some insight into the scale of cyber intrusions that the ACSC handles. The threat is also growing in sophistication, as cybercrime groups begin to rival the capability of some state-sponsored actors, demonstrating the enormous resources they’ve accumulated from their successes.

The ACSC has categorised cyber adversaries into three tiers: foreign state-sponsored, serious and organised crime, and issue motivated groups. The motivations of those groups vary, as do their capabilities. State-sponsored actors are the most capable, closely followed by the larger cybercrime syndicates. Those two actors have the most sophisticated capability and potentially the biggest effect on our national security and economic well-being. Issue motivated groups use less complex, more readily available capabilities, such as DDOS, to bring attention to their cause, without causing serious damage or harm. The ACSC predicts that terrorist groups will continue to be a nuisance in cyber space by defacing websites and using DDOS capabilities to draw attention to their cause, rather than pursuing the use of more destructive cyber capability as the financial and technical barriers to these more sophisticated tools lower further.

The careful definition of the term cyber-attack is of particular interest to policy wonks. Used colloquially to describe just about any malicious act in cyberspace, for Government—and in particular the Defence-dominated ACSC—the term is defined as an act that seriously compromises national security. The report notes that Australia has never suffered an event that Government would consider to be a cyber-attack, but if it did, it may be considered to be an act of war. The imprecision of the common usage of ‘cyber-attack’ would be unsettling for an agency that’s primarily responsible for responding to armed attacks on Australia. Careful definition provides greater clarity about how and when Defence is involved in responding to the many thousands of cyber intrusions Australia is subject to.

Government’s efforts appear to be bearing some fruit as the number of incidents ASD responded to has grown at a slower pace than in previous years, and the confirmed number of significant breaches of Australian Government networks has . The biggest hole in the statistics noted in the report is intrusions against the private sector, which the ACSC admits it has a more limited understanding of. This means that there are potentially more cyber intrusion attempts occurring than is known, with attempts going undetected and unreported.

CERT’s statistics show that the energy, banking and financial services, and the communications, defence industry and transport sectors have reported the most cyber intrusion attempts. These sectors are more likely to have implemented the required capabilities to identify cyber intrusions as they are well aware of the impact of cyber threats on their business. Other industry sectors, like mining and resources and agriculture, also face similar risks, but report far fewer incidents. Government is encouraging the private sector to implement adequate measures and share information. However, without adequate understanding of the risk, there’s often little incentive to invest in expensive cyber security capabilities until a major incident has damaged a business’ reputation and bottom line. This is a shared problem, and many of our key partners such as the United States are struggling with the same issue.

While the Government’s work to build stronger cyber defences appears to be successful in the face of more numerous and sophisticated cyber adversaries, it seems that the private sector is still struggling to come to terms with cyber threats. ACSC offers its usual advice—that implementing ASD’s Top Four Mitigation Strategies will assist in deflecting all but the most determined adversary—but Government can do more. Better two-way information sharing with businesses will highlight the need for investment in cyber defence, a task made difficult by the classified nature of much of the cyber threat intelligence Government holds, and the sensitive nature of ACSC’s current accommodation which it shares with ASIO. This makes it difficult for business to engage with ACSC and to use the information it can furnish. The forthcoming Cyber Security Review should provide greater clarity on how Government intends to address the threats outlined in ACSC’s report, and hopefully how it will work with the private sector to make all of Australia a difficult cyber target.