The newly released Australian Cyber Security Centre Threat Report contains some fascinating tit-bits and telegraphing of messages. It's the Centre's second report but the first since the Government released its Cyber Security Strategy. Here are my takeaways:
1. Diverging from the approach of our major ally, the US, the report makes clear Australia does not see value in naming and shaming state perpetrators...at this stage. It is extremely coy about naming any countries, even when discussing attacks where the perpetrator is well known. And this is not for want of knowing, as the report clearly telegraphs to states (and criminals) that 'the Government has developed the capability to attribute malicious cyber activity in a timely manner to several levels of granularity - ranging from the broad category of adversary through to specific state and individuals'. Translation: do something bad to us and we will be able to call you out quickly and come after you with the offensive capabilities outlined by Prime Minister Turnbull.
2. Cyber attacks are endemic and costly, but so far Australia has escaped an attack which hits the government's threshold definition of a cyber attack that has 'the effect of seriously compromising national security, stability or economic prosperity', an admittedly high bar.
3. The report is surprisingly confident Australia won't suffer major cyber attacks, but not necessarily because our defences are strong. It concludes 'a cyber attack (hitting the government's above-mentioned threshold) against Australian government or private networks by another state is unlikely within the next five years'. Similarly, 'It is unlikely terrorists will be able to compromise a secure network and generate a significant disruptive or destructive effect for at least the next two to three years'. But it notes, 'a range of states now have the capability to conduct cyber attacks against Australian government and industry networks' so the absence of an attack is contingent on 'the absence of a shift in intent'.
4. Without calling for it directly, the report spells out the urgent need for a national cyber foreign policy. As the report notes:
- The absence of effective repercussions is emboldening some states to develop and use cyber attacks as a coercive tool.
- A 'continued lack of international consensus on proportionate and appropriate responses' makes the threshold for response ambiguous and risks miscalculation and escalation.
- The emerging norm in favour of peacetime cyber attacks, which I flagged previously on The Interpreter, has 'set precedents for how states may seek to use cyber operations to generate effects that could have a potentially significant impact'.
- With the ACSC responding to three attacks a day on government systems serious enough to require operational responses, there is no sign we are making progress.
5. Private sector losses remain a dark hole and the private sector is not helping itself. The Computer Emergency Response Team (CERT), the Government contact point for major businesses facing cyber attack, responded to some 40 attacks a day (14,804 for the financial year), with 418 involving systems of national interest and critical infrastructure. Because CERT relies on voluntary reporting from companies, the scale of the problem is likely much worse. The consequences for Australia are serious. As the report notes, 'The ongoing theft of intellectual property from Australian companies continues to pose significant challenges to the future competitiveness of Australia's economy'.
The report saves its most pointed words for the private sector, saying it needs to do more to save itself and stop the haemorrhaging of our most precious national asset. It notes 'the private sector's ability and willingness to recognise the extent of the cyber threat and to implement mitigation strategies varies considerably...Those without direct experience of being targeted or a victim may not be aware of the potential economic harm malicious cyber activity can cause their businesses, do not understand the value of the data they hold, and cannot conceive why they would be targeted'.
6. Finally, the report offers cautionary advice to individuals, particularly Interpreter readers. It provides examples of increasingly sophisticated tradecraft and practices like:
- Secondary targeting: going after targets of seemingly limited value because they hold a trusted relationship with a higher value target.
- Sophisticated spear phishing: emails containing a malicious link or attachment.
- Web-seeding: compromising websites frequented by targets, which it cautions have proven effective for campaigns targeting foreign policy and defence officials.