The Medibank and Optus hacks of 2022 put cybersecurity front and centre. Not only for businesses but for the millions of everyday Australians who were affected. Although the identity of the groups – and their backers – behind the attacks remains murky, what’s clear is we’re living in an environment where cyber awareness is heightened.
Compounding the situation is the war in Ukraine, now entering its second year, as well as increased geopolitical tensions with China. The question is whether these events are leading to greater levels of hacking and, accordingly, what like-minded governments are doing to combat these threats.
According to Nigel Phair, director (enterprise) at the University of NSW Institute for Cyber, the war in Ukraine hasn’t led to an increase in domestic cyber attacks. This position is borne out by research conducted by Google’s Threat Analysis Group (TAG).
The TAG study found cyber attacks have increased because of the Ukraine war, but those attacks, emanating from Russia and its satellite states, have tended to focus on Ukraine itself and NATO nations backing the former Soviet republic.
However, Michael Mestrovich, a former chief information security officer with the Central Intelligence Agency, and current CISO at IT firm Rubrik, says the biggest impact of rising geopolitical tensions is the heightened public awareness of cyber threats.
“This is partly due to evidence showing governments in the conflict [are] leveraging both official cyber resources and patriotic – or perhaps opportunistic – cyber-criminal groups in the digital domain,” says Mestrovich.
“These entities have conducted a wide range of malicious cyber activities from destructive attacks to espionage intrusions and misinformation operations.”
UNSW’s Phair agrees, arguing the Ukraine conflict has sped up general cyber awareness: “I think there’s a general thought process that we need to do more within Australia.”
But when it comes to China, all bets are off, says Phair. He notes there’s general acknowledgement the Middle Kingdom “doesn’t play by the rules of the road”.
He doesn’t think there’s been a recent increase in the number of cyber attacks against Australia coming out of China, instead just an understanding they do come from there – as well as many other places.
“What is highlighted is the general geopolitical nature of cyber attacks,” Phair says.
Are governments investing enough in cyber?
Governments, including Australian governments, have been guilty in the past of not viewing cybersecurity as a critical issue, says Chris Hockings, CTO for IBM Security Asia Pacific.
Nigel Phair agrees, noting other issues have been seen as more pressing, but also observing the proof of Australia’s renewed cyber-focus will come when the nation’s new cyber strategy is unveiled, sometime in the next six months.
“I think there’s acknowledgement international cyber-criminals are having a go at everyone,” Phair says, which is where agreements and organisations like Five Eyes and AUKUS come into play in terms of information sharing.
There’s also the Council of Europe Convention on Cybercrime, encompassing about 60 countries, all of whom share information on criminal activities.
Former CIA CISO Mestrovich also observes cybercriminals are never standing still, with techniques and technologies deployed by crooks constantly evolving. This means the response from nations (and, indeed, the private sector) must also evolve.
He also notes cybercrime tends to be underreported, and the only way law enforcement can get ahead of the problem is if there is accurate, timely reporting of incidents.
“Once reported, my experience in the US has been that the FBI is extremely effective at prosecuting cybercrime when they have the opportunity to do so,” he says.
“There is a desire and a willingness to pursue cybercriminals, but there needs to be a better job of reporting cybercrime, so law enforcement has a better trail to work with.”
In Australia, laws are in place mandating any attacks against critical infrastructure are reported within 72 hours as part of the Security of Critical Infrastructure Act.
Under the Act, 11 infrastructure providers, including electricity, communications, financial services and transportation, must report if they’re hit by cybercriminals. If the attack is likely to have a significant impact on services, the reporting period falls to just 12 hours.
Cybersecurity isn’t really about technology
It might seem obvious an attack using technology against a business or government is a technology issue, but that, according to UNSW’s Phair, is not the case. Instead, it’s really a people issue.
Attacks like ransomware – which is where an unsuspecting user clicks on a malicious link that then downloads software, encrypting corporate data and holding it to ransom – as well as phishing, where users are manipulated into giving security credentials to an attacker, are all very human-focused.
Technology might be the road an attacker drives on, but it’s the human behind the wheel who makes the mistake of clicking on a link or responding to an email who is responsible for the critical error.
And Phair believes there is too much victim-blaming when it comes to cyber attacks. He is opposed to statements often trotted out by cybersecurity experts saying “people are the weakest link”, or that it’s not a matter of if an organisation is going to be hacked, but when it is going to be hacked.
“Saying things like that makes people think they are going to get done over, so what’s the point in trying to defend against attacks?” he says. “I think we need to turn the narrative on its head into something more positive. We need to say ‘our employees, staff and users are our best line of defence’ and work from there.”
Source: Joshua Gliddon for The Mandarin