The recently released Commission of Audit report recommends that the Australian government become “digital by default”. The continued shift to digital service delivery is intended to reduce costs, improve quality of service and provide greater transparency. But it will also open up new vulnerabilities to cyber attacks that could be used to access secure and confidential data, compromise the integrity of trusted authorities and disrupt critical services.
In a report launched last week at the CeBIT cybersecurity conference in Sydney, we outline cybercrime trends which could feasibly shut down critical utility infrastructure such as energy grids and defraud the healthcare system to the tune of $16 billion by 2023.
The recent Heartbleed security bug is a telling example of the evolving nature of cyber threats, with the vulnerability impacting many popular websites and going undetected for almost two years.
Technology trends
The shift towards digital commercial services will continue to play a key role in driving the economy and society forward, as these services become increasingly embedded into business operations across a wide range of industries.
The healthcare industry is looking to digitisation to reduce spiralling costs while meeting changing patient needs and improving the care experience. The adoption of electronic health records will allow physicians to easily create and share medical records and other important patient data.
Investment in cloud computing will drive efficiencies and allow interoperability between provider systems. And new diagnostic and non-invasive sensor technologies will improve remote monitoring and telehealth solutions.
Similarly, digital infrastructure will transform the energy industry. Smart grids and smart meters will allow providers to better forecast and adjust to peak demand, driving improved pricing models and optimised production. And in-home energy management devices will connect with smart appliances and allow consumers to monitor, control and optimise consumption automatically.
Alongside critical industries, consumers are also becoming more digitised, with a growing number of devices connected to the network. This goes beyond personal computers, smartphones and tablets to include wearable devices, sensors and interactive displays such as in-home energy monitors. The number of devices connected to the internet is expected to increase to as many as 50 billion by 2020.
Evolving cyber threats
This increased dependence on technology, combined with the evolving complexity of cybersecurity threats, will increase our level of vulnerability – at a national, organisational and individual level.
The Department of Defence estimates that 5.4 million Australians were victims of cybercrime in 2012 and independent estimates put the cost of cybercrime in Australia as high as A$2 billion per year.
Left unchecked, these figures will continue to rise in coming years as cyber attacks become more sophisticated and harder to detect.
As more data and processing continues to move to public networks and the cloud, traditional network boundaries are dissolving, leading to new challenges in how we secure data and infrastructure across virtual locations.
The tools needed to carry out a cyber attack are becoming more widely available, opening up attack opportunities to a wide range of would-be attackers, from disgruntled corporate insiders seeking retribution, to “hacktivists” promoting a cause, to corporate espionage and criminal syndicates using cyber breaches as a means for financial gain.
Navigating the threat
An April report by the Australian Strategic Policy Institute (ASPI) ranked Australia second in cybersecurity capabilities in the Asia-Pacific region. But Australia cannot remain complacent in its approach to cybersecurity. Our strategies and tools need to evolve and keep pace with rapidly advancing cyber challenges.
To address these emerging threats, Australia will need a change in perspective, recognising that cybersecurity is not solely a technology challenge. It is also a cultural challenge, one that extends beyond traditional information security practices.
Because attackers frequently exploit the weakest link, cybersecurity will need to be viewed as a shared responsibility with everyone having a role to play in ensuring the security of the entire digital ecosystem.
This will need:
- a commitment to improved education and training to make users aware of the risks and consequences of their actions
- improved software and system design that integrates effective security as naturally and invisibly as possible
- new technologies to prevent and respond to future cyber threats.
We are working on these challenges, through improved digital identity systems that will make it easier to verify identities and establish trust in collaborative environments and through researching new homomorphic cryptography techniques that allow processing secure data without needing to decrypt it.
CSIRO’s research in data analytics and machine learning could also contribute to new innovations that make it easier to detect and quickly respond to network anomalies.
Future attacks will likely be beyond the response capabilities of any one organisation. Successfully navigating the road ahead will require a whole-of-nation effort, harnessing the full range of resources available across our economy.
Alongside existing national and defence-related strategies, the research community, in partnership with industry and government, has a vital role to play, applying innovation and cutting-edge technology to the people, process and technology solutions needed going forward.
Through the integration of knowledge, ideas and resources, we can ensure strong cybersecurity capability is at the core of the digitally-enabled future of Australia.
James Deverell is Director, CSIRO Futures at CSIRO.
This article was originally published on The Conversation. Read the original article.
Comments
5 responses to “Where Australia Is Still Going Wrong With Cyber-Security”
One word that sums up the whole issue with security – here and around the world: budget.
I’m a security professional and the most common response to security risks is ‘how much will it cost to fix?’ or the one that I really hate ‘but we have nothing worth protecting’.
Could there be a silver lining in the fact that as cyber threats become more and more sophisticated, our terrible internet infrastructure will no longer be able to handle them properly?
And of course I’m not being serious.
(well maybe a tiny bit serious)
This is even worse when you look at it from the perspective of the utilities and pieces of infrastructure we like to have operational to run our day to day lives (electricity, water, gas, roads, airports).
Without legislative change there just isn’t the incentive to spend the money within these (largely government owned) critical infrastructure organisations. Happy to spend $500M on a new plant, but definitely not ok with the $50K to get the security right.
The technology and expertise is available here in Australia, but unfortunately the risk of an incident just isn’t a big enough driver to change the culture.
Surprised I haven’t heard anything about the OAuth vulnerability that was recently discovered and the fact that myGov uses OAuth (using the Oracle solution judging by URLs). I also believe that at least two of the big four banks use the same Oracle stack using OAuth as well.
http://www.darkreading.com/security-flaw-found-in-oauth-20-and-openid-third-party-authentication-at-risk/d/d-id/1235062
Despite hearing nothing about this, a couple of weeks ago The Age felt the need to write an article about how myGov had weak security because it used security questions at logon, rather than two-factor authentication (which I doubt will ever happen, as the banks are loath to introduce 2FA due to cost, I can’t imagine the government would be in a rush).
I watched some of the videos associated with that OAuth flaw, and it seems to show that an authorization code gets leaked. While that is sensitive data, you need an access token to actually call a protected API and the video seemed to stop before doing that.
You need to make an “access token request” to the service in order to do this, and if it refuses to give you the access token, there isn’t an exploitable vulnerability. It could do this by either checking the redirect URI (which is passed as part of this request), or by checking the API client’s credentials (which an attacker won’t have).
While some services might be missing the checks, this doesn’t seem to be a failing of the specification.
Would also like to point out that despite all the concerns pointed out in this article, it all boils down quite simply: governments are always watching, and most security incidents aren’t terribly sophisticated (and don’t need to be, because so many organisations fail at the basics. Why try your luck at a complicated man-in-the-middle attack if you can use SQL injection to get credentials for the CMS off the website, through which you can then likely find working email credentials, from which you can then social engineer your way past the rest?).
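The comment above on the OAuth flaw makes the defensive point that a leaked authorization code is only useful if the token endpoint hands out an access token for it without checking the client's credentials and the redirect URI. The following is an added illustration, not code from the commenter, from myGov or from any Oracle product: a toy token endpoint (hypothetical `TokenEndpoint` class, constructed client ids and secrets) that binds each code to the client and redirect URI it was issued for and enforces the checks from RFC 6749 section 4.1.3 on exchange, so the leaked-code scenario ends in a rejection.

```python
"""Toy OAuth 2.0 token endpoint showing why a leaked authorization code is
not, by itself, enough to obtain an access token.  Example code; the class,
client names and secrets are all constructed for illustration."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class IssuedCode:
    client_id: str      # confidential client the code was issued to
    redirect_uri: str   # redirect_uri from the original authorization request
    used: bool = False  # authorization codes are single-use


@dataclass
class TokenEndpoint:
    clients: dict = field(default_factory=dict)  # client_id -> client_secret
    codes: dict = field(default_factory=dict)    # code -> IssuedCode

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def issue_code(self, client_id, redirect_uri):
        # Called by the authorization endpoint after the user consents.
        # The code is bound to the requesting client and the exact redirect_uri.
        code = secrets.token_urlsafe(24)
        self.codes[code] = IssuedCode(client_id, redirect_uri)
        return code

    def exchange(self, code, client_id, client_secret, redirect_uri):
        """The 'access token request': returns a token dict or an error dict."""
        # Check 1: client authentication.  Someone holding only a leaked code
        # does not hold the client secret, so they fail here.
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return {"error": "invalid_client"}
        # Check 2: the code must exist, be unused and belong to this client.
        issued = self.codes.get(code)
        if issued is None or issued.used or issued.client_id != client_id:
            return {"error": "invalid_grant"}
        # Check 3: redirect_uri must match the one used when the code was issued
        # (exact string comparison, as the spec requires).
        if issued.redirect_uri != redirect_uri:
            return {"error": "invalid_grant"}
        issued.used = True
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def demo():
    """Runs the legitimate exchange and three failing ones; returns the outcomes."""
    ep = TokenEndpoint()
    ep.register_client("portal-app", "s3cret-portal")          # constructed
    ep.register_client("attacker-app", "s3cret-attacker")      # constructed
    good_uri = "https://portal.example/callback"               # constructed
    code = ep.issue_code("portal-app", good_uri)

    results = {}
    # Leaked code, no client secret: fails client authentication.
    results["no_secret"] = ep.exchange(code, "portal-app", "guess", good_uri)
    # Leaked code presented by a different, validly registered client.
    results["other_client"] = ep.exchange(code, "attacker-app", "s3cret-attacker", good_uri)
    # Right client and secret, but a different redirect_uri.
    results["bad_uri"] = ep.exchange(code, "portal-app", "s3cret-portal",
                                     "https://evil.example/cb")
    # The legitimate exchange succeeds, and a replay of the same code is refused.
    results["legit"] = ep.exchange(code, "portal-app", "s3cret-portal", good_uri)
    results["replay"] = ep.exchange(code, "portal-app", "s3cret-portal", good_uri)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {outcome.get('error', 'access_token issued')}")
```

The redirect URI check on its own is the weaker of the two (a public client has no secret, so for it the URI binding is all there is), which is why confidential clients should be authenticated on every token request and codes should be single-use with a short lifetime; a service that skips these checks is misconfigured, not following the specification.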