This year was a tough year for cyber security. In May the US Government suffered a major breach of the records of its Office of Personnel Management.
John Hilvert | Canberra
Initially it was thought to cover some four million records. Later we learned that the hackers, thought to have come from China, also accessed “SF-86” forms. These documents are created for security clearances.
They include sensitive data not only of the workers seeking clearance, but also their friends, spouses and other family members. One estimate of the number of persons affected by the breach puts it as high as 14 million.
As is becoming the pattern in these attacks, the breach was not discovered internally through their intrusion detection systems. Instead it only came to light as part of another security company’s demonstration of its firewall.
Similar themes were aired at the 5th Cyber Security Summit.
In particular, the speed, frequency, sophistication and severity of cyber incursions were accelerating. The capability of police and other associated high tech investigations capabilities was lagging.
Dr Greg Austin, visiting professor at the Australian Centre for Cyber Security, UNSW mused it was almost impossible to be caught if you are a cyber criminal.
In short, we are still losing the cybercrime war.
Our cyber security skills basis is so poor that Defence chiefs are mulling varying physical and remuneration standards to attract specialists to create a separate cadre of recruits. Then again, all this may do is raise the demand and price for such expertise, cannibalising Australia’s reservoir of such specialists.
The supply of officers with such skills is flat. Universities are struggling to attract sufficient students to grow our own sources of cyber security skilled graduates.
Dr Greg Austin of the Australian Centre for Cyber Security at UNSW. Credit: ADM David Jones
While the long awaited Cyber Security Review will have issued its report to Government by the time you read this, indications are it will not rattle any cages or propose funding major reforms.
It appears its main focus is on process issues such as ensuring Government views are understood and consistent to industry.
Prime Minister & Cabinet’s FAS, Cyber Policy and Intelligence Division Lynwen Connick conceded the Government’s record of working cooperatively with industry and businesses had been “patchy”.
“At best we have more to do. At worst we have only really started down this path to work collectively as a nation.”
Similar concerns were raised last year as well under the theme of Cyber security strategy was a “team sport”.
However little new appears to have occurred since then. The ASD’s 35-point check-list approach got re-aired. Connick revealed the Review had received many submissions for a “voluntary principle-based” standard that is not just there for Government but for business as well.
“We are looking at what we can do there.” We shall see.
Meanwhile it’s now more than a year since the ASD provided its statistics on current cyber threats and attacks. “Watch this space” was the palliative offered by CERT Australia.
One scintilla of progress was a consensus that effective resilience required global efforts. But, as Greg Austin concludes, effective multilateral agreements on combating cyber crime and espionage remain elusive.
One bright spot to set against this gloomy perspective was that the Government’s flagship cybercrime reporting system ACORN (Australian Cybercrime Online Reporting Network) was revealing patterns of crime that could be investigated and lead to convictions.
Another ray of light was that there seemed to be progress in the Government adopting industry standard threat languages such as STYX and TAXII to automate threat sharing. Whether the Cyber Security Review makes this mandatory for other targeted industries remains to be seen however.
Meanwhile threats of breaches continue. Telstra's Asian subsidiary, Pacnet, reported a breach covering data of thousands of corporate and government customers potentially exposed. In that case Telstra did the right thing by alerting ACSC of the breach as it became aware of it.
Key clients of Pacnet include the Department of Foreign Affairs and Trade, The Australian Federal Police and Austrade.
The continued lack of a mandatory breach requirement undermines a broader understanding of how the battle is raging or retreating.