Are Australians at a ‘turning point’ on cybersecurity or still unprepared?
More Australians are alert to the threat of cyber attacks following Prime Minister Scott Morrison’s warning in June that Australia was targeted by a sophisticated “state-based” cyber attack, but are we doing enough to prevent a crisis?
Tech One has revealed it had been hacked (Photo: ABC)
According to the Australian Cyber Security Centre (ACSC), the attack was the most significant and coordinated cyber-targeting against Australian institutions to date.
The Prime Minister said while such intrusions on Australia’s cyber network were “not new”, the “frequency has been increasing”.
“We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used,” Morrison said at the time.
He did not publicly name which state, but senior sources had confirmed it as China.
The Northern Territory Government revealed at the weekend that the supplier of one of its cloud-based IT systems was targeted in a ransomware attack, forcing the system offline for three weeks — but it insists the integrity and confidentiality of government data was never compromised.
Telstra boss Andrew Penn was in October appointed as head of an industry advisory committee charged with implementing the Federal Government’s $1.7 billion cybersecurity strategy.
He says 2020 marked a “turning point” for cybersecurity in Australia.
The industry advisory committee has warned of an urgent need for Australia to step up its cyber defences.
To that end, the committee has provided 60 key recommendations as part of the Federal Government’s 2020 Cyber Security Strategy.
These recommendations are aimed at preparing the nation against threats ranging from highly sophisticated attacks on critical networks to less sophisticated but still damaging activities targeting small businesses and individuals.
RBA assistant governor Michele Bullock is among regulators who have warned that Australian businesses and households are at increased risk of cyber attacks, which could threaten financial system stability.
An average of 164 cybercrime reports are made by Australians every day — about one report every 10 minutes — according to the Australian Cyber Security Centre (ACSC).
The agency is a subsidiary of the Australian Signals Directorate tasked with strengthening the nation’s cybersecurity.
It also provides a single online portal for individuals and businesses to report cybercrime, known as ReportCyber.
Between July 1, 2019 and June 30, 2020, the ACSC responded to 2,266 cybersecurity incidents and received 59,806 cybercrime reports.
The most common category of cybercrime reported was fraud, which relates to criminals obtaining benefit through deception, such as investment, shopping, or romance scams.
Identity-related crimes incorporating the theft and misuse of personal information were the second most common category, followed by cyber abuse.
While the numbers show that fraud is the most common category, the ACSC assesses ransomware as the highest threat.
ACSC head Abigail Bradshaw recently told ABC NewsRadio Drive that while phishing scams were still common, ransomware was increasingly being used by criminals to lock up people’s systems and data then demand a ransom in return for their release.
And it is not just individuals who are being targeted.
“This year we’ve seen ransomware attacks on reasonably large businesses, as well as small businesses, which can cripple a business while they try and work out how to keep their businesses going,” Bradshaw said.
As the threat of cybercrime increases, the potential cost to the economy does too: there are estimates cyber-related attacks could cost Australia’s economy about $29 billion per year, or 1.9 per cent of the nation’s GDP.
Most Australians understand there is a greater threat of cyber attacks, particularly as more people move online during the COVID-19 pandemic.
A Cyber Security Research Report prepared for Australian Signals Directorate in September 2020 and published online in December says that about one in three adult Australians uses the internet for six hours a day or more.
And three out of four (74 per cent) spend more than two hours per day connected to the internet.
But most individuals and businesses are not properly protecting themselves against more frequent cyber attacks.
While levels of concern about cybersecurity are high — the report said about one in two Australians indicate they are extremely or very concerned about it — only one in four considered themselves to have an expert or good understanding and many are failing to take basic steps to boost their security.
The need to ramp up security is heightening as criminals use more sophisticated methods to get Australians’ money and data.
In 2020, BlueScope, MyBudget, Toll Group and Services New South Wales were among some of the organisations confirming they had been subjected to a cyber attack.
Ms Bradshaw said there had been almost 60,000 reports from individuals and businesses reporting instances of cybercrime, but the actual numbers of incidents could be much higher.
“I actually think that there’s far more going on than actually reported and we’re encouraging people to come forward and report,” Bradshaw told the ABC.
“The reason we do that is that, aside from the fact that we might be able to assist entities, it enables us to get a better view of contemporaneous threats.”
Andy Penn also believes that the list of “those who would do us harm” is growing in a more interconnected digital world.
“More abundant and better-resourced cybercriminals and cyber activists, and increasingly sophisticated and emboldened state actors, mean Australia is quite literally under constant cyber attack,” he said in October.
Since the June state-actor incident, Defence Minister Linda Reynolds says there have been further foreign government attacks in Australia and that they are blurring the lines “between peace and war”.
“At one end of the spectrum, there are opportunistic cybercriminals who target Australia and Australian companies for financial gain,” Reynolds said.
“And at the other end of the same spectrum, there are sophisticated and very well-resourced state-based actors who are seeking to interfere in our nation.”
Penn said it was now more crucial than ever for Australians to prepare against the cyber threat.
“Connected technologies are now right at the heart of the lives of most Australians and increasingly pivotal in shaping our economy, our society and our prospects for the future,” he said.
“Our ability to fully embrace a digital future is also central to our post-COVID-19 recovery and long-term competitiveness.”
At the onset of the coronavirus crisis in Australia, cybercriminals adapted their phishing methods to take advantage of the pandemic.
Between March 10 and 26, 2020, the ACSC responded to more than 45 pandemic-themed cybercrime and cybersecurity incident reports, with the Australian Competition and Consumer Commission’s (ACCC) Scamwatch receiving over 100 reports of COVID-19-themed scams.
During April 2020, the ACSC said it was operating at an elevated level under Australia’s Cyber Incident Management Arrangements (CIMA) in response to COVID-19-themed cybercrime.
But the ACSC said of the almost 60,000 attacks that were reported, there were two notable “spikes”.
One was in October 2019, in the form of a widespread malware called Emotet that targeted sensitive personal and financial information. It peaked at 4500 unsolicited and malicious emails in one day.
Another notable spike in April 2020 related to a bulk extortion campaign, resulting in 3876 cybercrime reports.
The ACSC said that 45 per cent of cybercrime reports in April related to this one campaign, which was not directly related to COVID-19.
Instead, the ACSC said, “one or more adversaries had emailed thousands of Australians and threatened to release sensitive information to the recipient’s friends and family unless they paid an amount in untraceable cryptocurrency”.
IBISWorld senior industry analyst Arthur Kyriakopoulos said while government support was required, businesses needed to take responsibility for their own cybersecurity.
The research firm’s data shows that Australian IT and telecommunications adoption has risen at an annualised 2.1 per cent over the past five years, with the COVID-19 pandemic driving the speed with which Australians move online.
“The pandemic has intensified cyber attacks, as cybercriminals have adapted to target an increasing number of Australians working, studying and connecting online,” Kyriakopoulos said.
As cyber attacks have risen, the number of businesses set up to fight them has also increased.
IBISWorld found the growing threat of cyber attacks drove the cybersecurity software services industry to grow at an annualised 10.7 per cent over the five years through 2020-21.
And revenue for the industry is forecast to grow at an annualised 15.2 per cent over the next five years, to become a $3.6 billion industry.
But businesses are not the only ones who need to better prepare.
The ACSC has launched a cybersecurity campaign that provides easy-to-follow advice for all Australians online at cyber.gov.au.
It says many cyber attacks could have been avoided or substantially mitigated by good cybersecurity practices such as not responding to unsolicited emails and text messages, implementing multi-factor authentication and never providing another party with remote access to your computer.
Bradshaw urged Australians to start with simple steps, such as updating their devices and software.
“Don’t push ‘remind me later’, push ‘turn it on now’ — If you can, put on the automatic updates so you don’t even have to think about it,” she said.
She also suggests using two-factor authentication and always creating backups of valuable data.
“That’s the best business continuity plan you can have,” she said.
– ABC / business reporter Nassim Khadem