Editor's Desk

"Our members share the Australian Government’s commitment to protecting Australians and Australia’s critical infrastructure against cyber threats [….] However, these two provisions would not accomplish that goal, would have significant unintended consequences that would decrease security in practice, and would set dangerous global precedents" - Letter to Minister for Home Affairs, The Hon. Karen Andrews MP from the Information Technology Industry Council (ITI), Cybersecurity Coalition, and the Australian Information Industry Association (AIIA), 14 October, 2021
Welcome back to the Australian Cyber Security Magazine and the last issue for 2021. There continues to be much debate on the most appropriate legislative approach to take in response to a sustained cybersecurity threat landscape. Critics of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 argue it is an extension of the long line of security-related acts that could potentially give more power to the executive at the expense of the individual freedoms of citizens. Despite years of warnings that legislation was needed but seemingly resisted, there is no doubt this is all being rushed through and with limited consultation with industry.

The cover feature of this edition, the Security Legislation Amendment (Critical Infrastructure) Bill 2020, will give the government power to defend networks of critical infrastructure providers under cyber-attack as a “last resort”. The Australian Federal Police and Australian Criminal Intelligence Commission will have the power to combat serious crime enabled by anonymising technology using three new warrants: network activity, data disruption and account takeover. The Federal Government has also announced new criminal offences, tougher penalties, and a mandatory reporting regime as part of a new Ransomware Action Plan. The Plan follows the establishment of a new Australian Federal Police-led multi-agency operation which targets ransomware attacks that are linked directly to sophisticated organised crime groups operating in Australia and overseas, and shares intelligence directly with the Australian Cyber Security Centre as they utilise their disruptive capabilities offshore. Significant action is clearly needed.

Another report, commissioned by Cisco and conducted by Dynata, found that as Australian SMBs continue to digitise, with 85% having a digitalisation roadmap in place, cyber threats are mirroring the pace of digitalisation, with 77% of Australian SMBs more worried about cybersecurity now than 12 months ago.
The survey highlighted that SMBs saw a myriad of ways in which attackers tried to infiltrate their systems. Malware attacks, which affected 88% of Australian SMBs, topped the charts, followed by Phishing, which affected 70% of Australian SMBs, and Denial of Service which affected 64% of Australian SMBs. The number one reason highlighted as the cause of these incidents was cybersecurity solutions not being adequate to detect or prevent the attack. More than a third (37%) of those that suffered incidents ranked this as the top factor. Meanwhile, 32% ranked not having cybersecurity solutions as the number one reason. These incidents are having a tangible impact on business. Of those that suffered cyber incidents in the past year, 1 in 3 Australian SMBs said these have cost their business more than $1.3 million.

The ACSC Annual Cyber Threat Report 2020–21, released in mid-September, the second unclassified annual cyber threat report since ASD became a statutory agency in July 2018, highlights the key cyber threats affecting Australian systems and networks. Over the 2020–21 financial year, the ACSC received over 67,500 cybercrime reports, an increase of nearly 13 per cent from the previous financial year. The increase in volume of cybercrime reporting equates to one report of cyber attack every 8 minutes compared to one every 10 minutes last financial year. Abigail Bradshaw, Head of the ACSC confirmed, “As Australia’s dependence on the internet for work, information, access to services, or even just to stay in communication has increased as a consequence of the pandemic and lockdowns, so too has the threat surface increased enormously.”

In addition to the pandemic, the report identifies five other key cyber security threats and trends over the last year. They include the disruption of essential services and critical infrastructure, the rise of ransomware, rapid exploitation of security vulnerabilities, supply chain threats, and business email compromise incidents. Consider also our last edition which highlighted Australian and international partners calling out the malicious cyber activities by China’s Ministry of State Security.
On the back of announcements such as AUKUS, actions by competitive and combative nation states, such as China, are a significant threat and the Australian Government is responding to a Cyber Cold War, or worse situation. Their intent is clearly to trigger business and industry to prepare themselves as we move further to a digital economy – including with the ability to force the 11 critical infrastructure sectors to take necessary measures for the sake of national security. Yet, as the letter referred to above indicates, the Morrison Government struggles with engagement.

The Security 2025 Report, commissioned by Australian Security Industry Association Ltd (ASIAL) and conducted by the Australian Security Research Centre, found Australia will not be equipped to handle future security challenges unless governments, business and the Security Industry work as a team to bring about much needed reform, collaboration and planning. The report’s Head Researcher, Dr Gavriel Schneider, said the key to Australia’s future security wellbeing is to move quickly to a more collaborative approach in which government, business and the Security Industry work together, instead of in isolation.

In this edition, we partner with AustCyber to amplify #AUCyberWeek2021 and provide a broad set of articles and market updates. Maksym Szewczuk writes of the protective security culture in Australia undergoing a renaissance, and we outline the proactive considerations being taken across multiple sectors, which confirm that the growth of cyber security in Australia lies in education. That is, in the education of ourselves but also the education of government, industry and businesses, large and small. Finally, we include links through to our many interviews conducted as part of our MySec.TV Tech & Sec Weekly Series and the latest Cyber Security Weekly Podcasts.

As always, there is so much more to touch on and we trust you will enjoy this edition of Australian Cyber Security Magazine. Enjoy the reading, listening and viewing!
Chris Cubbage CPP, CISA, GAICD
Executive Editor