The government's recent $230m commitment to build Australia's national cybersecurity defence was welcomed by industry and notable for many reasons, but observers were quick to point out that the new Cyber Security Strategy (CSS) marked the first time the government had publicly stated that it was ready to go on the offensive against hackers.
Noting that “malicious actors including serious and organised criminal syndicates and foreign adversaries” are driving an “unprecedented” climate of attacks on Australian organisations, prime minister Malcolm Turnbull wrote in his introduction to the policy document that the government “has a duty to protect our nation from cyber attack and to ensure that we can defend our interests in cyberspace”.
That those interests were under attack was no surprise: sporadic reports of breaches and security errors at various government departments have leaked out over the years despite a culture predominantly focused on handling security issues internally. However, perhaps heralding Turnbull's new spirit of government cybersecurity openness and sharing – to be facilitated through a nationwide network of collaborative cybersecurity centres – the launch of the policy was flagged as the first time the government had confirmed that foreign interests had successfully breached the Bureau of Meteorology (BoM) late last year.
That revelation came as no surprise to industry figures but, given the context, formed part of a sort of declaration of war on the cybercriminal world. “Australian organisations across the public and private sectors have been compromised by state-sponsored or non-state actors,” the document states, “losing substantial amounts of sensitive commercial and personal information or incurring major damage to their business and reputation.”
To fight this impact, the strategy says, the government will work with international law-enforcement, intelligence agencies and computer emergency response teams (CERTs) to “build cyber capacity to prevent and shut down safe havens for cyber criminals.... Australia's defensive and offensive cyber capabilities enable us to deter and respond to the threat of cyber attack.”
By surrounding himself with cybersecurity advisors and building an offensive cyber capability, Turnbull is positioning Australia to stop being a perennial victim, instead taking the fight to offshore cybercriminals where national interests are threatened. It remains to be seen where the triggers for such action lie – whether action would be initiated to reduce Australia's top-ranked proclivity for ransomware, for example, or would it take evidence of a concerted attack by state-sponsored hackers in China, North Korea, or elsewhere.
This strategy reflects a more proactive tone being adopted by governments around the world. “In the past, the preparedness of a country and its military readiness were measured by how many warships and active personnel it had,” says Robert Parker, APAC head of security solutions with Verizon Enterprise Solutions.
“The level of preparedness to respond and react at a national level is a key component in the new digital economy.” Preparedness will be crucial if Australia's cyber-coalition of the willing is to make inroads against an onslaught of increasingly targeted attacks against national and business interests.
Indeed, Verizon's recently released 2016 Data Breach Investigations Report (DBIR) concluded that 89 percent of breaches in 2015 had a financial or espionage-related motive. This espionage was often linked to malicious activity by privileged insiders – an attack method that accounted for 16.3 percent of analysed breaches – who abuse their access rights to reach and exfiltrate sensitive corporate or government data.
The DBIR's analysis – which is based on reports from law-enforcement and other authorities in dozens of countries – found that espionage activity was most common in utility, manufacturing, transportation and professional services companies, reinforcing the view that outside parties remain deeply interested in industries that form part of a country's national infrastructure.
Intellectual property is a common target for such espionage: fully 47 percent of all confirmed breaches in manufacturing, the DBIR found, “could be classified as cyber-espionage.... These attacks typically begin with the same tools and techniques used successfully elsewhere, before moving on to more sophisticated methods.”
“That means that basic security measures [such as prompt patching, configuration change monitoring and systems segregation] that are recommended are surprisingly effective in protecting against cyber-espionage and should not be forgotten in favour of specialised protection.”
Security specialists are already well aware of the profile of cyberespionage within the pantheon of security threats – even from smaller groups that represent political interests far narrower than those of entire countries – and the Australian policy reflects growing recognition amongst law-enforcement bodies that a far-reaching international response is the only way to fight back effectively against such criminals.
Last year, an Australian Crime Commission report highlighted the growing shift of conventional criminals to cyberespionage, money laundering, fraud, and other online activities. “Now the attacks are everywhere and it's not only on governments and financial institutes,” says Maya Horowitz, intelligence operations group manager with Check Point Software Technologies.
Horowitz, who manages the security giant's 150-strong global threat-research team from its base in Israel, has watched threats become more sophisticated and easier to launch over time. The reality, she says, is that nation-state attacks aren't just for nation states anymore. With targeted spear-phishing and whaling delivering big bucks for criminals while requiring very little by way of technical expertise or resources; with complex and rapidly-mutating exploits readily available online; and with massive global botnets-for-hire providing nearly unlimited capacity to launch attacks, the massive volume of resources that typically characterised the nation-state attack is now available to almost anybody with criminal intent.
“Behind many of these campaigns are not your full-of-resources nations, like China, Russia, the NSA or MI6,” she says, citing the recent discovery of a Lebanese hacker group linked to Hezbollah that was able to run an advanced persistent threat (APT) campaign against several Middle Eastern telecommunications companies for years before being caught.
“They don't have too many financial or technical resources, and still they were able to maintain a campaign that lasted 2.5 years,” Horowitz says. Another group, this one Iranian, used massive, targeted attacks focused on thousands of politically-related targets across Saudi Arabia, the US, the Netherlands and other countries. Such attacks are happening every day, often without discovery by the target organisation until the damage has been done.
Indeed, Verizon's 2016 DBIR found that in 93 percent of cases, attackers took minutes or less to compromise their target systems – but weeks or more to be discovered.
“The APT world is changing,” Horowitz says. “It's no longer the sole possession of the NSA; it's being outsourced to individuals and small organisations. The bad guys never rest and they are always one step ahead of us – so we need to keep up the pace.”