Last week, the Australian Cyber Security Centre (ACSC) released its annual cyber threat report.
The report confirms what any business, or indeed internet user, in Australia instinctively knows: our cyber threat landscape continues to deteriorate.
The volume of cyber attacks against Australian organisations is increasing, the severity of their impact is intensifying, and cybercriminals and nation-states are becoming more aggressive and more indifferent to collateral damage.
This is occurring despite a growing awareness by governments, businesses and citizens of Australia’s cyber security challenge and sustained efforts to uplift our cyber resilience.
The headline statistics in the report are sobering:
• Australians are reporting a cyber attack every eight minutes;
• Our economy lost more than $33 billion in 2020-21 from cybercrime; and
• Nearly 50 per cent of incidents had a “substantial” impact on their victims.
But the grim reality is these statistics are only the tip of an ever-expanding iceberg. They tell only a fractional story of Australia’s real cyber threat landscape.
This is because the report relies, for the most part, on organisations self-reporting. But we know not all organisations do so. The report itself acknowledges that cyber attacks in Australia are underreported.
Nonetheless, the statistics reflect three significant trends.
First, Australia remains a highly permissive environment for financially motivated cybercrime. In the ACSC’s words, cybercriminals were “prolific and overt” in targeting Australian organisations in 2020-21.
At CyberCX we have seen criminals using tactics previously only available to nation-states. They’re also improving both the ‘business’ and technical sides of their operations, which makes them more efficient and dangerous.
The most likely cybercrime Australian businesses will experience is a ‘business email compromise’ (BEC) scam – where criminals engineer fraudulent financial transfers. Australian businesses lost more than $81 million to BEC scams in 2020-21. One company was so badly hit that it went bankrupt.
But by far the most serious cyber threat is ransomware. And when ransomware criminals knock Australian health facilities, national media and food supply offline (as happened in 2020-21), this not only affects the victim organisations, but also the broader community.
Second, both cybercriminals and nation-states are increasingly aggressive. As we routinely see at CyberCX, threat actors have capitalised on our public health crisis. They have sent thousands (possibly millions) of COVID-themed phishing emails. They search for and exploit weaknesses in the remote connections most of us use to work from home. This reminds us that cyber security is not just a technical battle: threat actors learn about and exploit our personal, social and political vulnerabilities too.
Third, Australia’s critical infrastructure and essential services are at risk. One in four incidents reported to the ACSC were related to these most important of systems. The fact that Australia is yet to suffer a major disruption – and associated social upheaval and loss of life – can mostly be put down to luck.
Governments don’t often reveal their assessments about the future, preferring to err on the side of caution. But the ACSC starkly warns that the next 12 months will bring more major cybercriminal attacks that could “disrupt critical services” and, potentially, cost Australian lives.
Even more concerning, the ACSC describes the “volley of large-scale ransomware attacks” inundating our economy as “the new norm”. It doesn’t have to be this way.
The ACSC should be commended for producing annual threat assessments that help Australian businesses understand their cyber risk. But there is a need for ACSC to move from counting to countering cyber threats.
Of nearly 500 reports of ransomware, the ACSC responded in 160 instances. The ACSC received an average of 60 calls per day to the Cyber Security Hotline, up 310 per cent from the previous year. How many of these cases were escalated for assistance, or referred to law enforcement? How many resulted in some sort of resolution for the victim? The report doesn’t say.
As Australia’s cyber threat landscape continues to deteriorate, ACSC’s capacity to triage and respond to incidents is increasing, but it must now rapidly grow.
So too must its capacity for preventative action. ACSC supported 18 cyber security exercises involving 50 Australian organisations. But measured against the total number of organisations in Australia, this amount of assistance is too small.
A deeper partnership between the ACSC and the private sector will become even more essential as the Security of Critical Infrastructure reforms become law later this year. Government is expecting major cyber security uplift from business. Business is quite rightly expecting a commensurate step-up in ACSC outreach capability and capacity.
Of course, this is not ACSC’s burden to bear alone. The Australian Government has many levers to pull to make this country a more hostile hunting ground for cybercriminals. We need enhanced law enforcement action to drive cost into the business models of cybercriminals. And we need to get serious about incentivising telcos and internet service providers to block malicious threats at scale – something Telstra has taken a lead on with its ‘Cleaner Pipes’ initiative.
Business is arguably now the keystone of Australia’s cyber defences. Government is slowly but surely increasing obligations on businesses to boost their cyber resilience. But for this symbiotic cyber relationship to work well, businesses don’t just need assessments from government – they need action.