Global firm Palo Alto Networks suggests it’s time hospitals, government services and businesses start discussing whether they’d pay a ransom and how much they’d fork out.
“What are your crown jewels and if someone wants to get access to that, how much is it worth to you?” says regional chief security officer Sean Duca.
“(What if) you’ve got people sitting mid-operation on an operating table and the systems around them can’t actually work (because they’re locked down)? Do we just let the individual die because we don’t want to pay the ransom?”
While Australians are increasingly aware of the consequences of cybercrime, there’s not enough focus on its potential to cripple systems, Duca warns. As for organisations that refuse to believe they will be targeted: “It’s a foreseeable event … and you’re probably a little bit delusional.”
Edith Cowan University senior computing and security lecturer Mohiuddin Ahmed shares the sentiment. He not only predicts a rise in threats over the next year, he anticipates more attempts targeting Australia’s critical infrastructure, with “highly digitised” hospital systems among the potential casualties.
It is “just the beginning” for cyber attempts and attacks, Dr Ahmed warns. The recent Medibank and Optus hacks may drive criminals to consider where Australia has other vulnerabilities.
“We use lots of internet-connected healthcare devices and if those devices are hacked and remotely compromised by these cyber criminals, we’ll be left in a situation where we have to pay ransom, otherwise people’s lives will be at stake,” he says.
“Imagine that for senior citizens using pacemakers or any other embedded or implanted devices.
“Who knows, if we do not pay attention, if we do not follow cyber hygiene, things (may) go catastrophic.”
International hackers are preying on Australia partly because of its wealth and partly because it has been rendered vulnerable by the COVID pandemic, cost-of-living pressures and natural disasters including floods, Dr Ahmed says.
Cyber security researcher Mamoun Alazab likens cybercrime to a battlefield, saying it’s a matter of when – not if – Australia will see data leaks affecting more people than in the Medibank and Optus hacks. The associate professor of information technology at Charles Darwin University predicts greater government organisation in cyber warfare as it becomes part of national security.
Australia’s Cyber Security Minister Clare O’Neil last month announced a 100-strong standing cybercrime operation, led by federal police and the Australian Signals Directorate, to target hackers.
Cyber attacks are expected to double in Australia within five years and the country will also experience a shortage of 3000 highly-skilled cyber security workers by 2026, according to a national plan.
Dr Alazab cautions that publicly announcing the new operation could goad criminals into further attacks. “We focus so much on (Australia’s) offensive operation – we need to focus on the defensive operation,” he says.
“We are encouraging other … criminal groups to get together to prove us wrong, to cause more embarrassment.”
Australia needs to significantly scale up its cyber security investment to keep pace with crime, Dr Alazab suggests. He points to the $42 billion cost of cyber incidents to Australian businesses in 2021, saying it’s just “the tip of the iceberg”.
“Did we invest 10 per cent of that in security? No, we did not,” he says.
Dr Alazab predicts more individuals and enterprises will be targeted and “botnets” – a collection of hijacked computers used to launch attacks without their owners’ knowledge – will become larger.
Australia could also see the arrival of what Dr Ahmed calls “ransomware 3.0”, whereby cyber criminals don’t bother immediately announcing they’ve hacked a system, instead taking the time to identify and exfiltrate sensitive data. Then they can suddenly strike, for example, rerouting Centrelink payments from legitimate beneficiaries into their own bank accounts before asking for ransom to restore the legitimate data.
“It might happen in 2023 but again, I hope it doesn’t,” Dr Ahmed says.
The experts say hope is not lost when it comes to Australians defending themselves against attack.
Dr Alazab says Australia needs to have a collective approach towards cyber security, building a strong public-private partnership and bolstering the workforce by filling the education gap.
Small and medium organisations can also turn to resources like the Australian Cyber Security Centre’s “Exercise in a Box”, he suggests.
All Australian organisations should also have cyber security insurance moving forward, Dr Ahmed says. “This Medibank and Optus breach is the perfect wake-up call for everyday Australians and, more importantly, for the critical infrastructure, the government agencies and the private sector.”