Federal government cyber security officials are trying to help business fend off an unprecedented level of digital attacks against banks, energy grids and other critical infrastructure, and imploring private firms not to cover up hacks.
Amid warnings that wars of the 21st century will be fought in cyberspace against foreign countries and criminals, the government is developing new proposed powers so security agencies can better defend critical private-sector infrastructure from cyber attacks by Chinese and other hackers.
The departing head of the Australian Cyber Security Centre, Rachel Noble, told The Australian Financial Review that the government wanted to work closely with business to protect assets crucial to the economy and community.
“When the bad day comes we will be working in partnership [with private companies],” she said.
“As we have seen more recently, those who plan for it, and get on the front foot and explain what they are doing about it, and don’t try to downplay it, reputationally they do better in the wash-up than those who try to hide it when it happens.”
Ms Noble is in coming weeks set to become the new director-general of the Australian Signals Directorate, the first woman to lead a major intelligence organisation.
Cyber incidents can take years to detect and the prudential regulator recently warned, “it’s entirely possible that one of the banks, insurers or super funds has been compromised and we simply don’t know about it”.
National Australia Bank told a parliamentary hearing it was spending up to $150 million annually on cyber security to stop intrusions from fraudsters, prevent the spread of viruses and protect sensitive customer data.
“We are active daily in identifying potential threats and shutting them down and we work closely with all the authorities,” NAB chairman Philip Chronican said in November.
“Every day there are attempts to attack our environment and every day we are beating them back.”
The energy grid is also seen as a prime potential target by nefarious foreign hackers.
The Australian Energy Market Operator (AEMO) quietly disclosed that on July 30 and 31, 2018, Perth-based Western Power experienced an “unplanned IT outage which impacted AEMO’s market systems, data flows and supporting processes”.
It is understood that although the power network was not disrupted, the systems outage forced AEMO to suspend the short-term energy market for about 24 hours.
Cyber security officials are mindful of a crippling cyber attack on Ukraine’s power grid in December 2015, when electricity was denied to more than 200,000 people for up to six hours.
A hacker, suspected to be a Russian cyber war operative, used malicious phishing emails to steal log-in credentials to attack the power network.
In Canberra, government officials from the Department of Home Affairs and the Australian Signals Directorate and its offshoot, the Australian Cyber Security Centre (ACSC), are working closely with the energy sector to set up more formal cyber security partnerships.
Industry sources said the collaboration included an ACSC joint training exercise with electricity companies and AEMO in November, code-named GridEx.
A TransGrid spokesman said: “Exercises such as the GridEx joint exercise conducted in November 2019 will assist those organisations to identify areas for improvement, particularly in engagement with the ACSC and other agencies.”
“TransGrid frequently conducts similar exercises internally and externally in collaboration with our industry partners, and state and federal agencies.”
The ACSC responded to 2164 cyber incidents in 2018-19, including disruption of essential systems and services, damage of data and intellectual property, malware, network intrusions and low-level phishing attacks on less sensitive data.
The activity included the malicious intrusion into the Parliament House computer network, with China speculated to be, but not officially confirmed as, the perpetrator.
Business is usually co-operative when approached by national security agencies on a cyber breach.
However, sometimes companies push back against assistance due to concerns about government meddling in their systems, exposing sensitive commercial information and customer data, or fears of reputation damage from being publicly exposed for suffering a hack.
Jacqueline Craig, a former chief of the Cyber Electronic Warfare Division at the Department of Defence and now a fellow at the Australian Academy of Technology and Engineering, said the government and business must work together to thwart cyber attacks.
“People in the private sector looking after critical infrastructure and the government must share situational awareness about cyber threats coming in, dealing with threats and how systems are behaving,” she said.
“Banks, physical infrastructure and large industry need to be able to communicate information with the government in real-time.
“It’s not always possible to recognise the signature of a threat, so quite often you can be under attack and not realise it until you see things going wrong.”
Financial regulators are devoting more resources to the systemic risks posed by potential attacks on the banking payments system, insurers, superannuation funds and market operators such as the Australian Securities Exchange.
In four months last year, the Australian Prudential Regulation Authority received 36 notifications on material information security incidents and control weaknesses, including the disclosure of personal information, a compromise of staff or customer credentials for the manipulation of records, website defacement and fraud.
APRA executive Geoff Summerhayes warned in a recent speech that financial companies may not be adequately prepared to respond as the “fog of war” descends during a real-world cyber attack.
“The level of threat it poses, and the extent to which business has become exposed to that threat, has drastically escalated over recent years,” he said in a speech in November.
“To date, no APRA-regulated entity has experienced a breach material enough to threaten its viability, but I can assure you it’s not for want of trying.
“We’ve warned repeatedly that it’s only a matter of time until an Australian bank, insurer or superannuation licensee suffers a significant breach that, in a worst-case scenario, could force it out of business.”
Secretary of the Department of Home Affairs Mike Pezzullo in October pointed to risks posed by “certain state actors” and “very capable non-state actors”, saying the government’s highly classified cyber tools can “see through a particular lens what’s happening on our networks”.
He said in the not-too-distant future a capable non-state “Bond villain” may be able to “short a market to change market signals and take advantage of that from a profit point of view”.
“Hopefully, we can close this gap in sufficient time before that day, the equivalent of a cyber Pearl Harbour, comes,” he told a Senate hearing.
The government is developing new legal powers to allow it to intervene more easily to defend critical private-sector infrastructure, such as the financial payments systems, the electricity grid, gas and water supplies, sensitive data holdings, traffic management systems and ports.
Under the current law, the government’s cyber agencies can usually only intervene on cyber security incidents with the permission of private network owners.
The Council of Financial Regulators met representatives of the Department of Home Affairs and the Australian Cyber Security Centre on November 29 to review the cyber security environment.
“They also discussed key initiatives to improve cyber resilience, including the development of the government’s 2020 Cyber Security Strategy, and application to the financial sector,” the CFR said in a statement.
“Council agencies, the Department of Home Affairs and the ACSC will continue to co-operate to improve the preparedness of the financial sector.”
The CFR is chaired by Reserve Bank of Australia governor Philip Lowe and attended by the heads of APRA, Australian Securities and Investments Commission and Treasury.