Australia's cybersecurity fragility: just how vulnerable is business?
The announcement of the biggest ever package to fight cyberattacks confirms just how vulnerable Australia's cybersecurity really is to foreign economic espionage – and businesses must do more to protect themselves before it's too late
Earlier this week, Prime Minister Scott Morrison announced Australia's largest-ever investment in cybersecurity – $1.35 billion in existing defence funding to be spent over the next decade to boost the cybersecurity capabilities of the Australian Signals Directorate and the Australian Cyber Security Centre. As part of this, the government said it would create more than 500 new jobs in its cyber intelligence agency.
But experts warn such measures will be of limited use unless businesses take action to educate themselves and implement cybersecurity within their organisational structures properly.
The announcement followed a public warning earlier this month that several Australian governments, businesses and political organisations had been exposed to an escalating series of cyberattacks from a "sophisticated state-based cyber actor".
Who is behind the attacks?
According to reports, many of the attacks were on state government departments and agencies and local governments, all of which hold sensitive economic, financial and personal data. Hospitals and state-owned utilities were also reported as targets.
The Prime Minister would not identify the nation Australia believed responsible. But he said, "there aren't too many state-based actors who have those capabilities", leading many experts to suspect it was China behind the attacks.
However, a closer look at the nature of the attacks – using attack code published publicly several months ago – suggests they were not very sophisticated at all, according to Richard Buckland, Professor in Cybercrime, Cyberwar and Cyberterror at the School of Computer Science and Engineering UNSW Sydney.
"Everyone seems to think it's China – they certainly seem the most obvious," said Professor Buckland. "But what's interesting about these attacks is that they're not very sophisticated. They're using very obvious, long-known strategies and ways of carrying them out and so they haven't had to create anything new themselves," he explained.
By using such simple techniques, the attackers left behind no fingerprints of their own. If attackers limit themselves to using attacks that are known in the industry with widely available tools, then it makes it much harder to trace them, explained Professor Buckland.
"It makes it much more difficult to find leaks or patterns of past behaviour and makes attribution very difficult, but at the same time discovering that the attacks happened is inevitable because they're not doing anything clever," he continued.
"[So] my thought is, these [cyberattacks] were intended to be discovered. It's a bullying strategy," continued Professor Buckland. "If they really wanted to cause harm, there would be other ways," he said, suggesting the cyberattacks could have been a lot worse.
Were the attacks the result of escalating trade tensions?
COVID-19 has seen rising trade tensions – the most notable being the recent threat to Australian barley and beef exports to China. Although China has claimed that the announcements are unrelated to Australia's call for an independent international inquiry into the cause of the pandemic, the timing of it seems to be part of a global diplomatic onslaught.
But the recent cyberattacks trace back to pre-COVID-19, suggesting the role of economic espionage through cyberattacks plays a much more significant role in geopolitics than the current timing suggests. Worryingly, this also means that future attacks are highly likely, if not inevitable.
"The recent cyberattacks were in place before COVID-19 and before Australia's call for an investigation into coronavirus. But certainly, the new confrontation and tension between China and the United States and China and Australia does not help," agreed Greg Austin, Professor at UNSW Canberra. He is currently serving as Senior Fellow at the International Institute for Strategic Studies, where he leads the program on Cyber, Space and Future Conflict.
Interestingly, the nature of the recent attacks suggests they aimed to penetrate a system to obtain data, as opposed to a 'denial-of-service attack'. “So if you're acting for a foreign country, your job – once you've hacked the system – is to watch and learn”, said Professor Buckland. "To get as much data as you can, find weaknesses, put other weaknesses in, but not attack now," he explained.
"It's believed that China, for many years now, has been on our systems, looking at our systems, constantly testing the systems, but then they don't do the bad thing. So it's almost like they've been building up a big list of all our weaknesses, just in case they ever need it," said Professor Buckland.
"That such a simple and out-of-date attack would work against us, is a damning indictment of our level of preparation," he added.
Is Australia prepared for future cybersecurity threats?
While Australia's cybersecurity problems existed long before trade tensions, foreign economic espionage through cyberattacks is undoubtedly on the rise. This is in part because the Australian government has not been able to put in place a cybersecurity strategy that meets even the basic needs of the government or business, said Professor Austin.
In the world of cybersecurity, the first thing you have to do to mitigate a security breach is to apply a 'patch' – where the maker of the software sends out a patch to remove and repair any vulnerabilities, so you do not continue to be subject to the attack, he explained.
But cybersecurity audits over the years have shown even some Australian government departments are not very rigorous in applying such patches, explained Professor Austin. "This is only one of 38 mitigation strategies which the government advises companies and government departments to undertake, so we're in a rather crippled state," he said.
However, Australia is not alone in this, and many countries are in a very similar situation. "Australia is not necessarily doing far worse than other countries, but other countries also need to lift their game," added Professor Austin.
What steps should businesses take to protect themselves?
The business community should be asking more of the government, said Professor Austin. "We should expect consistency, in terms of [cybersecurity] policies and the delivery on what was promised," he said.
For businesses, one of the main challenges in improving cybersecurity is having to reconsider their business model. Professor Austin explained that many companies so far are seeking to address their cybersecurity problems by looking at only the technical aspects – but often, it is people who make critical mistakes.
"The organisational challenges within any corporation or government department are the main things which interfere with good technical performance," he said. "So, it doesn't matter how good the technical experts are if you don't get the organisation of your corporation or government department right; a lot of that effort is going to be wasted."
"Companies that can work more effectively in the area of management and organisational change to achieve cybersecurity will certainly be more effective than ones that focus narrowly on the technical," added Professor Austin.
So how do Australian businesses stack up in terms of cybersecurity compared to other countries? As a general rule, the further you are away from seeing it as vital to business to defend yourself, the worse you are, explained Professor Buckland.
As a starting point, Professor Buckland urged businesses should ensure they are taking actions to:
- Improve staff training and awareness of cybersecurity fundamentals, including being tricked.
- Invest and have a dedicated cyber team or capability.
- Regularly and independently test the cybersecurity mechanisms that are in place.
For more information, contact Greg Austin, Senior Fellow for Cyber, Space and Future Conflict at International Institute for Strategic Studies, and Richard Buckland, Professor in Cybercrime, Cyberwar and Cyberterror at the School of Computer Science and Engineering UNSW Sydney.