Not so sunny: the CSIRO has released a report warning Australia is at risk of major cyber security threats. Photo: Katherine Griffiths
Cyber attacks could shut down Australia’s electricity grid, steal government records, or force government services offline, according to a new CSIRO cyber security report to be released at a technology conference on Monday.
To varying degrees these attacks have already happened, the report said, including stolen ASIO building plans in a major breach revealed last year.
“We’re seeing a rapid move towards digital services in everyday life - in electricity, in healthcare - quickly becoming digitised,” said James Deverell, director of CSIRO Futures, who is launching the report Enabling Australia’s Digital Future: Cyber Security Trends and Implications at CeBIT 2014 in Sydney.
“This increases productivity and decreases costs, but it also is leaving these utilities vulnerable to cyber attack.”
Reliance on technology, with smart grids, digital personal health records, and integrated government information, increases the risk of information being hacked, the report said. It paints realistic scenarios where, for example, criminals could hack into sensitive patient records and blackmail hospitals millions of dollars to get control back; or a malicious cyber attack to the electricity grid by a disgruntled third-party contractor leading to major power losses.
Australia can expect rapid exponential growth in the number, speed and severity of breaches - far beyond what any single organisation can tackle on its own, Mr Deverell said.
“The old paradigms of keeping data in an organisation with a firewall to protect it is rapidly changing. We need to change the way we think about cyber security. It is not purely an IT problem. We need to start thinking about cyber security as a shared responsibility - government, research organisations, industry and the public - and what we need to do to protect ourselves. Don’t assume that the tools and services will always protect you.”
Furthermore, Mr Deverell said passwords should be a thing of the past as the number of sites people log into grows. “Passwords are becoming a burden," he said. "We want a solution that protects our digital identity and authenticates who we are without having to remember a password.”
In its role as trusted adviser, the CSIRO has a key role to play in helping government and industry solve critical issues such as cyber security.
Cyber security, e-health and resilience adviser to Flinders University, Professor Kenneth Morgan said it was important for various agencies to look at cyber security - including the Attorney-General's Department, defence and universities as well as the CSIRO - for their own points of view in order to build a better picture of cyber security and encourage widespread debate.
The report contains no surprises, but it does focus on healthcare and has input from the Defence Science and Technology Organisation.
The report’s strength is that focuses on the Australian situation, Professor Morgan said.
“But the greatest threat to Australia is who looks after cyber security? Is it the military or civilian [organisation] or the Attorney-General? This is our biggest challenge, and there is great debate about this in the US and UK as well.”
Complacency inside organisations towards cyber security was also a threat.
However, the report underestimated the speed of impending cyber attacks, Professor Morgan said. “CSIRO is looking at 2025; I’m looking at 2015.”
The research body and Professor Morgan said while organisations were reluctant to disclose security breaches, they needed to share knowledge of their breaches to help combat future losses.
The report called on businesses, public-sector organisations, and individuals to embrace open disclosure; focus on simplifying digital systems, including "designing "invisible" security measures that don't hassle or slow down users"; and Invest in new systems to verify and protect digital identities from theft or fraud - something the CSIRO is developing.