Australia Wages War On Cybercrime
An island of security in a sea of compromise
Melbourne, Australia – Jan. 23, 2022
It has been just over eighteen months since Scott Morrison, Australia’s prime minister, fronted an increasingly COVID-weary nation to make a surprise public proclamation that its government and business sectors were being targeted by a “sophisticated state-based cyber actor” that was launching repeated cyber attacks against all kinds of businesses.
Although he did not specifically name China, few speculated that the announcement could refer to any other country, and it marked a dramatic escalation of the government’s rhetoric around cybercrime.
Followed weeks later by the launch of a significant, updated national Cyber Security Strategy — a far more front-footed document than the 2016 version it replaced — Morrison’s cybersecurity pivot paved the way for a significant shift in the cybersecurity posture of a country whose relative financial and social success during the pandemic has made it a prominent target for cybercriminals.
Like many of the politically and socially conservative government’s other policy platforms, the 2016 strategy had emphasized the role of the government in nurturing the private sector to build a national cybersecurity ecosystem.
This included the business development agency AustCyber as well as five public-private Joint Cyber Security Centres (JCSCs) and the Australian Cyber Security Centre (ACSC), a division of the Australian Signals Directorate (ASD), a signals intelligence body that maintains a bank of white-hat hackers and cybersecurity specialists that, in the government’s words, “lead the Government response to help mitigate the threat and strengthen defences.”
Cybercrime Radio: Julie Inman Grant, Australia’s eSafety Commissioner
Protecting citizens in 2022 and beyond
Lighthouse in a cybersecurity storm
This network of bodies reflects the government’s efforts to separate the business of cybersecurity — an area in which Australia’s deep base of computer engineering skills has built strong competencies — from the need for more responsive cyber defense capabilities at a national level.
Those capabilities have never been more important, with Accenture recently labelling Australia the third most frequently-attacked country in the world — accounting for 11 percent of all cyber attacks globally, despite its population of just 26 million.
And while some recent threats have been attributed to the activity of cybercriminal gangs in Russia and cryptocurrency thieves in North Korea, it is China — with which Australia has close export ties but a fractious political relationship — that looms large in the back of a steady succession of policy changes designed to shore up Australia’s cybersecurity soft spots.
Those soft spots have been exploited in the past with politically embarrassing efficiency, as in the 2015 compromise of supercomputers at the national Bureau of Meteorology — blamed squarely on China — and the embarrassing 2016 disaster when a series of denial of service (DoS) attacks capsized the country’s first online census.
Subsequent years have seen one government agency after another compromised, either by cybercriminal gangs or nation-state actors.
Australia punches well above its weight as a victim of many cybersecurity crimes, with the ACSC’s latest annual threat report noting the agency had received over 67,500 reports of cybercriminal attacks — up 13 percent on the previous year — and self-reported losses of more than $24b ($A33b).
There were nearly 500 official reports of compromise by ransomware — up 15 percent on the previous year — and ransomware has become such a problem that the government recently floated a multi-pronged Ransomware Action Plan, which is cracking down on cryptocurrency anonymity, and is considering holding company directors personally liable for cybersecurity failures.
Whether or not such actions can reduce the incidence of data breaches — the Office of the Australian Information Commissioner (OAIC) administers the Notifiable Data Breaches (NDB) scheme and documented 446 reported data breaches in the first half of 2021 — remains to be seen.
With one in four attacks targeted at critical infrastructure operators, the past year has seen a particular focus on the exposure of such infrastructure to manipulation by nation-state actors — a threat that became terrifyingly immediate when last year’s ransomware attack on meat processor JBS Foods shut down the company’s Australian operations for days.
The vulnerability of food supply chains was a timely validation of the government’s expansion of the definition of critical infrastructure from conventional gas and water networks to include data centers and communications services.
Last year, contentious enabling legislation was fast-tracked due to what Department of Home Affairs Secretary Mike Pezzullo called an “immediate, realistic, credible” threat from nation-state cybercriminals.
Cleaning up the Internet
Morrison loves a plan — sometimes to the point of political humiliation — but his government’s focus on cybersecurity has been relatively productive, helping unify the nation’s defenses against nation-state actors and its critical infrastructure defenses.
Australia is also simultaneously waging a war on cybercriminal activity in all its forms — whether passing legislation theoretically enabling authorities to forcibly decrypt data, demanding that social media giants reveal the identities of online trolls and miscreants, or working to bolster cybersecurity awareness and protections through the country’s world-first eSafety Commissioner.
Recent changes to the eSafety Commissioner’s powers, which come into effect this month, aim to overhaul the handling of social cybercrime with controls over malicious online activity such as bullying, cyber abuse, and image-based abuse, among other powers.
“We’ve got a range of civil powers so we can find perpetrators, find content hosts, and seek the removal of seriously harmful illegal content.”
The latter powers came into being in the wake of 2019’s livestreamed mosque shootings in neighboring New Zealand, but also set the regulation-happy government on a collision course with social media giants hiding behind US First Amendment protections that don’t apply in Australia.
“We have an extensive set of prevention programs, including a research division, so everything is evidence-based,” Inman Grant said. “We want to stop the harms from happening in the first place.”
“The proactive change work is really meant to limit the threat surface for the future,” she continued. “But this is something that government couldn’t do to industry; we had to do it with industry. Companies should be assessing risks at the very beginning of the design, development, and deployment process.”
Yet online abuse is just one of the problems affecting Australia’s population, whose relative affluence has made the country a high-profile target for overseas cybercriminals and scammers.
Australians reported losing $233 million ($A323 million) to scammers last year alone, according to the umbrella Scamwatch organization, and the pandemic-era explosion of delivery, coronavirus and vaccine-related scams has driven dominant telecommunications carrier Telstra to add filtering of malicious text messages and other protections.
An island of security in a sea of compromise
The recent proactivity around Australia’s cybersecurity industry and policies reflects the country’s desire to be a digital leader in the Asia-Pacific region — but as the implications of the recent AUKUS security pact become clearer throughout 2022, the country’s defenses are likely to be tested like never before.
That pact, which allies Australia with the UK and US to create an axis of democratic military powers, also includes collaboration in areas such as cybersecurity — something that is already happening through the Five Eyes security partnership that also includes New Zealand and Canada — and is likely to pull Australia further out of its once-insular cybersecurity mindset.
Proactive operations, such as the successful US-Australian An0m sting, reflect the value of Australia’s contribution to cybersecurity enforcement — but its long-term success in defending itself will depend on the aggregate protections it can produce by backing a more confrontational political and technical posture with a business and end-user community that is learning to be more proactive about cybersecurity.
That is, as Morrison so often loves to say, the plan. Yet with cybersecurity’s toll continuing to rise in Australia as in every other country, its successful execution has become inextricably linked to the viability of Australia’s economy — and of its position of ideological prominence in the Asia-Pacific region and across the globe.
– David Braue is an award-winning technology writer based in Melbourne, Australia.