The government’s top cybersecurity agency has assured companies and public agencies worried about being victimised by cyber breaches that they can expect to receive swift help that aims to minimise harm to their customers.
The head of the Australian Cyber Security Centre (ACSC), Abigail Bradshaw, emphasised the agency was not a regulator. She encouraged infrastructure players to join a threat intelligence sharing platform and for small and medium businesses to join its 140,000-strong partnership program, aimed at uplifting cyber defences and practices.
The ACSC is part of the Australian Signals Directorate in the Defence portfolio and is the Commonwealth government’s lead responder to cyber incidents.
In line with the whole-of-government economy-wide approach to building national resilience, highlighted in the recent Defence Strategic Review, the Signals Directorate and the ACSC now offer coordinated cyber support to both civil and defence agencies and entities.
Following difficulties coordinating the response to last year’s Optus and Medibank data breaches, a senior military official, Air Marshal Darren Goldie, was appointed as the coordinator of cybersecurity, working with various agencies, including the ACSC, to provide a more joined-up response to victims of cyber data breaches.
“You should expect someone will answer that phone 24/7 with discretion and compassion and ultimately, the aim to minimise harm,” Bradshaw said.
“We are not a regulator, so the primary purpose for the Australian Cyber Security Centre’s assistance is harm minimisation.
“So any contact that we have from an entity, whether it’s a government entity or a private entity, our first priority is remediation and recovery of that entity, and then to use that advice to the extent possible to protect others who might be using the same system or vulnerable to the same threat actor.”
Recovery and resilience are central
Her comments on remediation came as Kyndryl’s global security and resiliency leader Kris Lovejoy cautioned firms to invest more in recovery. “It’s not just about security, it’s also about resilience, it’s about bouncing back once that happens,” Lovejoy said. Kyndryl is a large US technology advisory spin-off from IBM.
Lovejoy said this included backing up not just core data servers but also key support systems such as usernames and passwords, and the internal industrial computers that control key manufacturing or product systems.
“Invariably, organisations who have not prepared to recover are stuck. They never meet their SLAs (service level agreements). It’s not just about the proactive prevention, it’s also about the reaction.”
Bradshaw noted the Ukraine war had prompted “game changers” in the threat landscape.
“One of the major changes is the affiliation state-based actors have with what we would call non-state actors or cyber criminals. Very close affiliation with a state’s intent is one of those changes.”
“The next is the targeting of critical infrastructure for disruptive purposes. We have seen criminal actors get on board with disrupting targets and privately owned targets like telecommunications, which have seen rolled-on impacts across Europe.”
She said there had also been ongoing targeting of allies of countries supporting Ukraine, and in particular there was concern about those criminals targeting affiliated sectors, such as gas infrastructure in North America.
Lovejoy also pointed to how the conflict in Ukraine had exposed the need for governments to be proactive against misinformation and disinformation, especially campaigns aimed at destabilising traditional democratic processes.
Cyber defence remains the top priority
The Defence Strategic Review highlighted national resilience and sovereign capability as a central component of the new strategy. This explicitly included robust cybersecurity and data networks, which is now being backed by the nearly $10 billion Red Spice program.
Bradshaw said the ASD will double in size over the next four years, tripling its offensive cyber capabilities.
“We [the Signals Directorate] have a legal jurisdiction to disrupt cyber criminals where they emanate from offshore and AFP [Australian Federal Police] have similar jurisdiction onshore,” Bradshaw said.
“That means we have the capacity to share between ourselves both our visibility but also our enforcement powers.”
However, she cautioned that baseline defence remained the top priority, noting the high interest many had in the government’s counter-offensive capabilities.
“People are super interested in our offensive capabilities [but] we are not going to shoot our way out of this,” Bradshaw warned.
She noted that when a breach occurred, the ACSC might hit back in the moment or use the intelligence gained to disrupt the threat actor.
“I can issue you a warning: the AFP and us, we have very long memories, and we don’t forget. We are always looking for opportunities to disrupt as high as possible up the threat chain.”
Human factors still dominate
Both Bradshaw and Lovejoy pointed to human errors as a dominant cause of cyber breaches, despite significant improvements in community awareness.
“What is not changing is the movement from awareness through to actual action,” Bradshaw warned.
She cited figures from the Information Commissioner suggesting that a third of cyber incident reports are caused by human factors, and confirmed that half of these involved weak passwords or credentials handed over to scammers.
Bradshaw explained the ACSC was also proactively reaching out to organisations based on intelligence from ASD and its long-held relationships.
“They’re very deep data intelligence holdings which come with those, and that means that sometimes it’s actually us calling you to tell you that we’re here for you and that we’ve seen some signals that might suggest that you’ll be having a bad day.
“I’ve done that on about 148 occurrences which are matters many of which the vast majority of you will never hear about – because we quietly and discreetly go about our business, assisting those entities.”
Documentation is key
Bradshaw emphasised the need to keep good records.
“The next thing I’m going to ask you are some questions and ask you to share some information with me. I’ll ask you for IOCs or indicators of compromise, or memory logs, or disk images.
“It’s really important that people don’t send us photos of their servers,” Ms Bradshaw said, noting it was a geek joke. “But these are the sorts of things we might ask you for.”
As part of the more sophisticated response, cyber breach information was being analysed against the deep intelligence the ASD holds. This includes previous “hand-to-hand combat” with a threat actor and any experience remediating the actual malware.
Historic uplift in capability
Home Affairs secretary Michael Pezzullo noted the remarkable step-up in cyber capacity the ASD and ACSC had led.
“I have never seen in the 36 years with the access to the highly sensitive and compartmentalised information that I’ve had over the years, a more engaged, involved and action-orientated agency … [that] is so invested in cybersecurity and keeping the community safe.”
“It’s been astonishing, even in the last five to 10 years, the transformation has been quite remarkable.
“The most sensitive information that’s available to the Australian Government is well shared by ASD and informs all of the other activities that have been spoken about and ASD is a real credit, it’s a credit to the current leadership of ASD,” Pezzullo said.