Cyber security was placed squarely centre stage for Australian governments and businesses last month, when this country’s Federal Government and its allies accused the Chinese Government of officially sanctioned cybercrimes.
Minister for Home Affairs, the Hon Karen Andrews in a move to reassure business, said the Federal Government was delivering a $1.67 billion Cyber Security Strategy – the single largest investment in cybersecurity in this nation’s history.
She had announced the week prior the Government was considering reforms, including stronger cybersecurity standards for the digital economy, more transparent information about cybersecurity, and stronger legal remedies for consumers.
“And the Government continues to progress our reforms to protect our critical infrastructure – with legislation in the Parliament right now to secure the essential services all Australians rely on, including everything from electricity through to water, to healthcare, and even to groceries.”
The Minister’s announcement provided a timely reminder to businesses, individuals and local governments to make sure their digital data systems had appropriate levels of cyber security in the knowledge that about 30,000 businesses were affected worldwide by the attacks on Microsoft Exchange earlier this year. The Australian Cyber Security Centre (ACSC) assisted 70 Australian organisations, while 10,000 servers based in this country were potentially affected.
Presenting at the Australian Local Government Association (ALGA) National General Assembly in June this year, CyberArk Regional Director Australia/New Zealand, Thomas Fikentscher, said the average cost of a cyber breach in Australia was $3.35 million with 59,806 cybercrimes reported to ACSC last financial year.
Amongst other alarming statistics he quoted was a 102 percent increase in ransomware attacks in 2021 compared with 2020 and a 23 percent increase in government breaches. His warning to the audience of local government elected representatives and officers was: “It’s a matter of when – not if.”
Australians are vulnerable
On 28 July 2021, ACSC, United States Cybersecurity and Infrastructure Security Agency (CISA), the United Kingdom’s National Cyber Security Centre (NCSC) and United States Federal Bureau of Investigation (FBI) co-authored The advisory, the first time all four agencies had issued joint advice on cyber vulnerabilities
of mutual concern.
Their joint media release said, “Since 2020, a range of malicious cyber actors including criminal syndicates operating worldwide have continued to target Australians, conducting cyber operations that threaten national, economic and security interests in the private sector and government, as well as Australian households.
The advisory assessed that organisations and households had likely been exploited by malicious cyber actors through more recently-disclosed software flaws in 2020 because of the expansion of remote work arrangements during the COVID-19 pandemic. Four of the most targeted vulnerabilities in 2020 affected remote work, virtual private networks (VPNs), or cloud technologies.
The ACSC, CISA, the NCSC and FBI assessed that public and private organisations worldwide remain vulnerable to compromise from the exploitation of these cyber vulnerabilities unless they are urgently patched.
UK councils attacked
In the United Kingdom, a report by cyber security company RedScan, disclosed that more than 700 data breaches were reported by councils in 2020.
“A notable number of councils experienced data breaches that impacted their ability to deliver important services,” according to the report titled Disjointed and under-resourced: cyber security across UK councils.
“As towns and cities become more data-driven and interconnected, the possibilities for disruption will only increase. To minimise the risk of data breaches in the future, it is imperative that councils continually evaluate their security controls to keep up with the evolving threats.”
The findings, which follow a freedom of information request, highlight the incidents reported to the Information Commissioner’s Office (ICO) and the importance of cyber security for councils.
Issues highlighted within the report involved ransomware, human error and a lack of funding, while recommendations stressed the importance of a strong cyber security approach with an emphasis on staff training to defend councils against various forms of cyber attack.
Local Government an easy target
In the United States, state, local and county government officials testified in June at a Homeland Security and Governmental Affairs Subcommittee on Emerging Threats and Spending Oversight hearing, that they needed continually renewed, flexible funding to fend off increasing cyber threats.
With more than 70 percent of ransomware attacks in the United States targeting state and local governments it is safe to say the attackers have realised they make an easy target.
A 2020 report by Deloitte Centre for Government Insights titled Ransoming Government: What state and local governments can do to break free from ransomware attacks, states that the rapid rise in ransomware attacks is the result of governments now providing more services to citizens through digital means than ever before. With a computer on every desk, customer service centre and fleet car, with councillors and staff using laptops, tablets and smartphones for work and personal use, sourcing information and entertainment as well as engaging on social media, ‘the potential attack surface a government agency must protect has grown significantly without commensurate investments in cybersecurity’.
Smart cities whose infrastructure relies on interconnected technologies are more at risk of being crippled, but many councils moving into this area without dedicated IT staff will also be vulnerable as demonstrated by a coordinated attack in 2019 in which 22 smaller communities in the state of Texas, were hit at once for a combined ransom of $2.5 million.
While in the United States and the United Kingdom advice for government entities is to become resilient in a world where a constant threat of a cyberattack is the ‘new normal’, in Australia the problem is stuck at the stage of getting many local governments to
recognise a threat even exists.