Why did the Prime Minister stand up in front of reporters on Friday morning to announce a series of cyber attacks against federal, state and territory government organisations, businesses and essential infrastructure?
Subscribe now for unlimited access.
$0/
(min cost $0)
or signup to continue reading
When questioned, Scott Morrison wouldn't say when the attacks started, or why he chose that time to make the announcement, after warning his state and territory counterparts and Five Eyes partners including British Prime Minister Boris Johnson the night before.
Outside of the geopolitical ramifications of naming the perpetrator as a "sophisticated state-based actor" and leaving others to point the finger at China, experts say Friday's announcement points to wider issues within Australia's cyber security policies and preparedness.
"On closer examination, this attack or series of attacks has been under way for some period of time and the announcement reveals the continuing inability of Australian government departments to remedy known vulnerabilities," says Dr Greg Austin, senior fellow for cyber at the International Institute for Strategic Studies.
While a prime ministerial press conference seems dramatic, the advice from the Australian Cyber Security Centre is anything but. All that is asked of organisations is basic cyber hygiene, including patches for internet-facing software and using two-factor authentication, as well as "strongly" recommending organisations implement the "Essential Eight" strategies for cyber security.
The reason the advice isn't so dramatic is because the vulnerability being used in the current attacks has been known for more than a year. According to Dr Austin, the United States documented it in February last year, and the Australian Signals Directorate and the US National Security Agency released a report about how to defend against it in April this year. He says the government is now repeating an advisory first made in March.
"The timing is most interesting because the government has been looking at this vulnerability for quite some time and hasn't been able to get on top of it," Dr Austin said.
The director of RMIT's Centre for Cyber Security Research and Innovation, Matt Warren, said it was common for hackers to exploit a known vulnerability.
"What the attacker is exploiting is the lack of knowledge within that organisation that there is a patch and they haven't patched their system appropriately," he said.
The timing is most interesting because the government has been looking at this vulnerability for quite some time and hasn't been able to get on top of it.
- Dr Greg Austin
Professor Warren said the announcement highlighted the lack of maturity in organisations across Australia.
On Friday, Mr Morrison referred to the government's significant investment in cyber security - including $230 million for the 2016 cyber security strategy over four years, and $156 million to build cyber resilience and expand the cyber workforce in government.
Despite these investments, and a new cyber security strategy that is due to be released in the coming weeks, a series of reports in recent years have shown Australian government agencies are falling behind.
The Commonwealth Cyber Security Posture in 2019 report, written by the Australian Signals Directorate, found levels of cyber security vary across the government and some entities remain vulnerable to threats.
The report didn't name which agencies had particular issues, but found some had inadequate visibility of their information systems and data holdings, had obsolete and unsupported operating systems, and misunderstood, misinterpreted and inconsistently applied the "Essential Eight" strategies.
Despite it being compulsory for agencies to have implemented the directorate's "Top Four" mitigations since 2013, last year just 61.7 per cent of government agencies had complied with them.
In a 2018-19 report on the maturity of agencies against the Protective Security Policy Framework, almost three-quarters of non-corporate federal agencies said they had "ad hoc" or "developing" levels of maturity.
A report from the Auditor-General released last month found "there continues to be limited improvement in the level of compliance with the controls, despite being mandated in 2013".
A mobilisation review by the Department of Defence, released under freedom of information laws, found Australia was not well set up to deal with a "cyber war" situation, which would be not only across the whole of government, but would include businesses and individuals.
It found that "when it comes to mobilising for a cyber war, a future government's role may be predominantly about co-ordinating and communicating, rather than directing or controlling".
While the need for a major overhaul of cyber security practices within the government has been urgent for some time, the existence of COVID-19 changes the game again.
READ MORE:
ANU National Security College director Rory Medcalf warns that in the context of the international push for a vaccine for COVID-19, health infrastructure is likely to be increasingly targeted.
"There's likely to be a major contest under way in cyberspace at the moment with states trying to essentially steal COVID-19 vaccine research," he said.
These are all issues that are likely to feed into the next cyber security strategy, the release of which was originally scheduled for April and is believed to have been delayed by the coronavirus pandemic.
"One thing that is pretty clear is the last cyber security strategy from 2016 made almost no impression on the practice of cyber security in Australia," Dr Austin said.
When he first heard the release of the new strategy had been delayed, he felt it must be evidence of a "significant unpublished, unrevealed series of attacks".
Professor Warren said the new strategy needed to put a dedicated minister in charge of cyber security, a position which hasn't existed since Angus Taylor held the title in Malcolm Turnbull's government. Currently, reponsibility lies with Home Affairs Minister Peter Dutton.
"From a governance perspective, to have that advocate, to have that leadership would be very beneficial," he said.
It's a call that has also been pushed by Labor's spokesman on cyber security, Tim Watts, who said in Parliament this week that Australian cyber security policy lacks political leadership.
"When something is everyone's responsibility, it tends to become nobody's responsibility," he said.
Professor Warren said Singapore recently invested $4 billion into its cyber security strategy, but given Australia's budget position the government could be asking the private sector to pick up more of the slack.
He said Australia could also look to its own success with the role of the eSafety Commissioner as a model for how individuals and businesses could be educated about their own cyber security.
"This is the new digital normal - countries and organisations will be constantly under these types of cyber attacks, whether it's be organised cyber gangs, or politically motivated cyber hackers," he said.