The exponential growth of information and communications technology (ICT) technology that includes Internet, telecommunications networks, computer systems, and embedded processors and controllers, has led to creation of Cyberspace, a global domain within ICT. The economic, social and strategic influence is exerted within, and through cyberspace domain, much like the land, air and maritime domains. In addition to great opportunities, cyberspace also presents significant challenges. According to leading cybersecurity market intelligence agency, Cybersecurity Ventures, cybercrime will continue to rise and cost businesses globally more than $6 trillion annually by 2021.
Cyber technology has become an embedded feature of modern military systems. Defence and other critical national systems are rapidly evolving to become software defined (i.e. cyber-physical) systems and are also increasingly relying on networks for their operation. There is also a developing relationship between cyber and the military capability of electronic warfare driven by the convergence of technologies, techniques and concepts and in the future we can expect to see integration of these capabilities into one continuum.
Australian Prime Minister Scott Morrison said in June 2020 that a “sophisticated state-based cyber actor” has launched a “malicious” attack targeting its institutions, including health, critical infrastructure and essential services holding sensitive economic and personal data.“We know it is a sophisticated, state-based cyber actor because of the scale and nature of the targeting, and the tradecraft used,” Mr Morrison said. The cyberattacks come amidst Australia’s rising rift with China over a number of issues including its recent demand for an investigation into the origins of the coronavirus pandemic. “Of particular concern are reports that malicious cyber actors are seeking to damage or impair the operation of hospitals, medical services and facilities, and crisis response organisations outside of Australia,” it said.
The Australian Government is developing our nation’s next Cyber Security Strategy as part of its commitment to protecting Australians from cyber threats. The new strategy will be a successor to Australia’s landmark 2016 Cyber Security Strategy, which set out the Government’s 4 year plan to advance and protect our interests online backed by a $230 million investment. The 2020 Cyber Security Strategy will build on this investment to position Australia to meet the rapidly evolving cyber threat environment.
Defence cyber security has also been quickly elevated to an even greater priority as geopolitical tensions rise between China and Australia in the wake of the coronavirus pandemic. Richard Price, chief executive of South Australian defence agency Defence SA, says enhancing cyber security is crucial across all aspects of the defence industry and the spillover business sector as well. “Mitigating and managing the risk of cyber attack by criminals is an essential activity for everybody these days,” Price says. “For businesses in critical infrastructure and critical supply chains, of which defence is one obvious example, the threats are much more sophisticated, persistent and patient,” he says. He says there needs to be a culture of embedding the ”right” behaviours in all staff and suppliers.
Australia faces more cyber attacks than any other country in Asia Pacific
In addition to great opportunities, cyberspace also presents significant challenges. Investment by the commercial sector in ICT is resulting in an almost continuous innovation of new cyber devices and novel applications; deepening human-technology partnerships; and an evolving cyber threat that is continually growing and changing.
On 18 February 2019, Prime Minister Scott Morrison revealed that an unknown actor, presumed to be a foreign state, launched a cyber attack against the country’s major political parties in its Parliament House. “In several respects, Australia is already in a cyber storm while major powers are actively planning much more intense and wide-ranging attacks, perhaps a form of cyber blitzkrieg, in the event of war,” the research group wrote.
The Cisco 2018 Asia Pacific Security Capabilities Benchmark Study, which compares 11 countries and their cybersecurity standing, reveals that Australia is the nation most under attack with 90 per cent of Australian companies reporting they receive up to 5,000 threats a day. Of those, 33 per cent of Australian companies deal with 100,000 to 150,000 threats a day, while seven per cent are seeing more than 500,000 threats each day.
Each breach carries a large financial impact to businesses – with the cost of an attack in Australia ranking the most expensive in Asia Pacific region. Of those enterprises surveyed, 52 per cent claim breaches cost anywhere between $1 million to $5 million USD, while nine per cent claim the cost was more than $10 million USD. This includes costs from lost revenue, loss of customers, and out of pocket expenses caused by a cybersecurity breach.
Despite the financial impact of an attack, over two thirds (69 per cent) of respondents report experiencing cyber fatigue, admitting to have given up trying to stay ahead of malicious attackers. This is well above the worldwide figure of 46 per cent. The findings show that more needs to be done to equip, educate and support businesses and security professionals across Australia against a cyberattack.
Speaking about the report, Steve Moros, Director of Cybersecurity at Cisco Australia and New Zealand, said: “The results of the study highlight both the scale and complexity of the challenge faced by Australian companies in the current cybersecurity landscape.”
“The stakes are at an all-time high for Australian businesses. The launch of the Notifiable Data Breaches scheme early this year, in which organisations have to report the breaches that happen, means that businesses not only risk financial loss but also reputational loss if a breach occurs,” said Mr Moros.
The study also highlights that the use of multiple vendors and products is making monitoring cybersecurity threats more complicated. Across the region, over half of surveyed organisations (72 per cent) work with more than 10 security vendors, while 12 per cent say they have more than 50 vendors in their businesses. This creates an added layer of complexity and increases vulnerability, as having different security products can lengthen the time to detect and contain a breach.
“In order to achieve best cyber practice, everyone from government to vendors, educational institutes to independent bodies, need to collaborate, share information and threat intelligence. When it comes to cyber security, businesses cannot afford to work in silos.
“Businesses need to raise awareness about the issue, have proper processes in place and deploy the right technologies to help identify, block or remediate against any malicious attacks. Finally, we need to develop local cybersecurity talent so that we have the skills to support the country’s digital drive in a sustainable manner. It’s not a problem that can be tackled in isolation but one we need to tackle as a country,” Mr Moros adds.
Sustained targeting of Australian governments and companies by a sophisticated state-based actor.
Prime Minister Morrison said that the cyber activity is targeting Australian organisations across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure. Australian Strategic Policy Institute executive director Peter Jennings said the attack was “95 per cent or more” likely to have been launched from China. In May 2020, a joint statement by the Department of Foreign Affairs and Trade and the Australian Cyber Security Centre said there had been “unacceptable malicious” cyber activity.
The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor. The title ‘Copy-paste compromises’ is derived from the actor’s heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source.
The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public-facing infrastructure — primarily through the use of remote code execution vulnerability in unpatched versions of Telerik UI. Other vulnerabilities in public-facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability.
The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases. The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations.
When the exploitation of public-facing infrastructure did not succeed, the ACSC has identified the actor utilising various spearphishing techniques. This spearphishing has taken the form of:
- links to credential harvesting websites
- emails with links to malicious files, or with the malicious file directly attached
- links prompting users to grant Office 365 OAuth tokens to the actor
- use of email tracking services to identify the email opening and lure click-through events.
Once initial access is achieved, the actor utilised a mixture of open source and custom tools to persist on, and interact with, the victim network. Although tools are placed on the network, the actor migrates to legitimate remote accesses using stolen credentials. To successfully respond to a related compromise, all accesses must be identified and removed.
In interacting with victim networks, the actor was identified making use of compromised legitimate Australian web sites as command and control servers. Primarily, the command and control was conducted using web shells and HTTP/HTTPS traffic. This technique rendered geo-blocking ineffective and added legitimacy to malicious network traffic during investigations. During its investigations, the ACSC identified no intent by the actor to carry out any disruptive or destructive activities within victim environments.
At the conference, the Australian Defence Force (ADF) Head of Information Warfare, Major General Marcus Thompson, had warned that while Australia’s cyber defences were “good”, they might not be able to scale if faced with a large-scale attack. The research group’s conclusions are more pessimistic. “The discussion … does not allow any other conclusion than this: Australia is not adequately prepared for a cyber storm. It has not yet made adequate investments in a range of capabilities and human capital that would help the country prepare appropriately,” their discussion paper said.
Australia’s 2016 cyber strategy
The australian government unveiled its cyber security strategy in April 2016, and allocated A$230m to various initiatives over four years. The pilot Joint Cyber Security Centre was opened in Brisbane on 24 February 2017. More than 20 organisations are represented from the energy, water, finance, transport and mining sectors, as well as Queensland Government, CERT Australia, the Australian Federal Police and the Australian Criminal Intelligence Commission. Priorities for the Centre are automated information sharing and targeted analysis of specific cybercrime threats against Australian industry networks.
Cyberspace has no national boundaries, has the potential for strong asymmetry and provides global reach for nation states, organised groups or individuals to mount an attack or use cyberspace for malicious purposes. Australia has ranked cyber security as one of the key risk areas for both Defence and national security
The enduring challenges identified are: Environmental Surprise : technology progress and its adoption and adaptation can result in unexpected morphing of cyberspace– for example the rapid emergence of mobility and cloud computing. Unknown and Persistent Threat: the cyber threat is highly variable, diverse and rapidly evolving.
Untrustworthiness: There are no guarantees that hardware devices and components; software, firmware and applications; data and information; and people can be trusted. Data-to-Decision Reflex: the ability to respond appropriately, proportionately and in relevant timescales. Cyber-EW concepts, are an emerging area hence concepts are immature.
Strong cyber security is a fundamental element of our growth and prosperity in a global economy. It is also vital for our national security. In April 2016, the government of Australia forwarded a cyber security strategy proposal to solidify its cyber space and fend off the increasing digital threats hurled by enemy states, cybercriminal organizations, and amateur opportunists.
The strategy establishes five themes of action for Australia’s cyber security over the next four years to 2020: A national cyber partnership, Strong cyber defences, Global responsibility and influence, Growth and innovation and a cyber smart nation. The policy proposes “five themes of action” to see the strategy through to its execution and implementation.
A National Cyber Partnership: To develop co-operation and co-leadership between government bodies and business leaders for the design and implementation of the strategies. Also, to understand and estimate the cost of the cyber threats to the Australian economy.
Strong Cyber Defenses: To evaluate the cyber security performance of government agencies and use advanced technologies to reinforce the security systems of Australia, thereby making the Australian cyber infrastructure resilient to online threats.
Global Responsibility and Influence: To join International partners and promote an “open, free and secure Internet”, and find and terminate the cyber spaces that cyber criminals consider a safe haven.
Growth and Innovation: To bring about innovation in the cyber security defense system by establishing a research and development department. Plus, to empower cyber security businesses to build, promote, or export cyber security products and services.
A Cyber Smart Nation: To spread cyber security awareness in the country as well as to bring on board more cyber security professionals.
It requires partnership involving governments, the private sector and the community. The Australian Government will take a lead role and in partnership with others, promote action to protect our online security.
Much of our digital infrastructure is owned by the private sector, so securing Australia’s cyberspace must also be a shared responsibility. It will be important that businesses and the research community work with governments and other stakeholders to improve our cyber defences and create solutions to shared problems.
The new Critical Infrastructure Centre in the Attorney-General’s Department – in cooperation with the Australian Cyber Security Centre – will work closely with our national critical infrastructure companies to identify cyber vulnerabilities, develop risk assessments and risk management strategies.
Cyber security incidents also offer an opportunity to learn. A new mandatory data breach notification law has come to Australia. Effective in early 2018, if not sooner, the new law will require businesses to notify serious data breach incidents to the Australian Information Commissioner and customers whose data has been compromised. This should place cybercrime high on Australian boards’ agendas and drive the revamping of existing cyber security systems.
To grow our cyber security capabilities to anticipate and respond to cyber threats, we must address our shortage of cyber security professionals. Government has partnered with industry and academia to build research and workforce capability in cyber security by establishing Academic Centres of Cyber Security Excellence,
The Prime Minister and the Minister Assisting the Prime Minister have led international collaboration on cyber security. Australia has continued cyber policy dialogues with China, India, South Korea, Japan, New Zealand and will shortly hold its inaugural dialogue with Indonesia. In February 2017, cyber security was permanently added to the agenda of the Australia-Indonesia Ministerial Council on Law and Security. Bilateral cyber policy engagement has been expanded with other Indo-Pacific nations, including Singapore, Fiji and Samoa.
In March 2019, Research Group on Cyber War and Peace at the University of New South Wales (UNSW) Canberra Australian Defence Force Academy (ADFA) recommended retirement of the current national cyber security strategy of April 2016 in favour of nine separate strategies for the following, quite distinct national needs: cyber civil defence, countering cyber crime, containing cyber terrorism and online hate crimes, countering cyber espionage and information warfare, cyber-enabled war, protecting personal privacy and human rights online, enterprise-level cybersecurity, industry policy for the ICT sector, and human capital development for the information age.
Enabling the vision
Three themes have been developed via diverse industry consultation to understand how cyber security solutions can lead to more effective organisation and business operations, and improve Australia’s overall cyber security posture to take advantage of digital transformation.
Trusted ecosystem: creating digital ecosystems that are highly trustworthy, allowing for rapid exchange of information and providing a stronger environment for trade.
Secure by design: ensuring new products, services, platforms and processes are designed with cyber security as a key consideration.
Robust and resilient: building greater cyber maturity and resilience in Australian industry and communities by developing a robust security culture.
Joint Cyber Security Centre (JCSC)
Australia has launched a Joint Cyber Security Centre (JCSC) to provide enhanced protection for its critical infrastructure, including its national defence industry, the government announced on 23 November 18. The JCSC – located in Adelaide, South Australia – is part of Australia’s leading cyber security agency, the Australian Signals Directorate, and its Australian Cyber Security Centre (ACSC). The government said new facility also expands the footprint of its existing Joint Cyber Security Programme and its wider Cyber Security Strategy.
The new facility expands the footprint of the government’s $47 million national Joint Cyber Security Program and Australia’s Cyber Security Strategy. The JCSC is part of Australia’s lead cyber security agency, the Australian Signals Directorate (ASD), and its Australian Cyber Security Centre (ACSC). The JCSC program is a partnership between business, government, academia and other key partners to enhance collaboration on cyber security.
CSC is a central initiative of the Australian government’s Cyber Security Strategy to bring together business and the research community along with state, territory and Commonwealth agencies in an open and co-operative environment, with the following key objectives:
- Sensitive information, including actionable cyber threat intelligence, is shared quickly between and among partners;
- Solutions to cyber security risks and issues are developed through collaboration and without commercial bias;
- A common understanding of the cyber security environment and optimal mitigation options is achieved through sharing and analysis of incidents, threats and risks;
- Organisations – at all levels – have access to practical tools and resources to improve their cyber security; and
- Consistent education and awareness messages are promoted with and among partners.
Detection and mitigation recommendations
It is imperative that Australian organisations are alert to this threat and take steps to enhance the resilience of their networks. Cyber security is everyone’s responsibility.
ACSC recommended prioritised mitigations
During the course of its investigations the ACSC has identified two key mitigations which, if implemented, would have greatly reduced the risk of compromise by the TTPs identified in this advisory.
Prompt patching of internet-facing software, operating systems and devices
All exploits utilised by the actor in the course of this campaign were publicly known and had patches or mitigations available. Organisations should ensure that security patches or mitigations are applied to internet-facing infrastructure within 48 hours. Additionally organisations, where possible, should use the latest versions of software and operating systems.
Use of multi-factor authentication across all remote access services
Multi-factor authentication should be applied to all internet-accessible remote access services, including: web and cloud-based email,
collaboration platforms, virtual private network connections, remote desktop services.
ACSC recommended additional mitigations
Beyond the ACSC recommended key mitigations above, the ACSC strongly recommends implementing the remainder of the ASD Essential Eight controls. During investigations, a common issue that reduced the effectiveness and speed of investigative efforts was the lack of comprehensive and historical logging information across a number of areas including web server request logs, Windows event logs and internet proxy logs. The ACSC strongly recommends reviewing and implementing the ACSC guidance on Windows Event Logging and Forwarding and System Monitoring.
Australia Needs Civil Defence Against the Cyber Storm
The research group recommended forming a National Commission for Cyber Civil Defence, “led by the private sector, supported by government, and with heavy representation from a wide variety of scholars”. “The logic behind the leadership of the private sector is that civil defence activities always fall heaviest on private actors,” they wrote. The group noted that the existing State Emergency Services could provide a suitable model for any new cyber civil defence corps or militia.
“The benefit of the SES model is that it brings together disciplined structures of command authority through a relevant Minister, the Commissioner, Zone Commanders, Local Commanders and Unit Commanders,” they wrote. “The current practice of appointing retired military commanders to Commissioner roles in some states also provides a useful pointer for cyber civil defence policy. In the current New South Wales SES Act, state police are subordinated to the SES Commissioner in the event of emergency.”
The research group also recommended a wide range of research to inform the development of “a national cyber incident response plan that is far more detailed than anything in existence in Australia”. They also suggested year-long inquiries by the powerful Parliamentary Joint Committee on Intelligence and Security (PJCIS), and the Senate Committee on Constitutional and Legal and Constitutional Affairs. The idea of a cyber civil defence corps has slowly developing one over the last decade, with Austin as one of its key proponents.
A China expert, Austin previous noted that “China is exceptionally well placed to develop the most powerful and best-organised cyber militias in the world”. In 2012, emeritus professor Bill Caelli also suggested the formation of a cyber posse when circumstances demanded. Caelli argued that police could simply enlist any technically adept citizens and form a posse to deal with the bad guys. Similarly, citizens could be conscripted into a militia, should the threat be more military in nature rather than criminal.
Cyber Capabilities and S&T plan
The DSTO realeased Cyber Science and Technology Plan outlining the DSTO strategy to help strengthen Australia’s cyber capabilities and deliver impact to Defence and national security.
The critical capabilities for cyberspace are threat assessment, intelligence, situational awareness, information assurance, and planning and shaping. Threat estimation includes judgment of the possible technical nature of threats (e.g. hardware or software based), likely manifestations (e.g. intermittent loss of communications) and the potential impact on cyber and interdependent systems.
Information assurance encompasses the confidentiality, availability and integrity of information whether it is stored (at rest), being processed (in use) or transmitted (in transit). Intelligence is the collection, processing and analysis of information pertaining to cyberspace and its actors. Situational awareness is the dynamic understanding of the current and projected state of own and other systems and actors and is necessary for decision making. Planning and shaping includes the selection and use of capabilities to influence and shape the cyber environment to support operations.
The DSTO Cyber Science and Technology Plan outline the DSTO strategy to help strengthen Australia’s cyber capabilities and deliver impact to Defence and national security by:
• Identifying foundational research themes that are enduringly relevant, can be applied to priority problems and underpin the development of cyber capabilities.
• Developing the ideas, concepts and methods that will forge the relationship between cyber and other defence capabilities such as electronic warfare.
• Ensure a relevant, resilient and responsive DSTO cyber capability and foster a cohesive, integrated national science and technology base.
Five foundational research themes
S&T is central to developing and seizing cyber opportunities, overcoming cyber challenges and achieving success for Australia as a digital nation, says Dr Alex Zelinsky Chief Defence Scientist. The Plan identifies five foundational research themes that are enduringly relevant; sufficiently comprehensive to cover the cyber problem space and support the development of future capability; and can be readily applied to priority problems.
• Technology Forecasting: Technology forecasting is a multi-disciplinary, capability focused activity, and typically includes Science and technology analysis of technology trends and their potential impact, prototype building and testing, operations research and analysis and modeling and analysis of potential future threats.
• Cyber Influence and Data Analytics: Research and development of data processing and big data analytics; social influence and behaviour analysis; multi-level information fusion; reasoning under uncertainty; machine intelligence; reasoning and decision support.
• Sensing to Effects: Research and development of sensor to effector concepts, techniques and technologies, and the associated planning and decision making, includes Cyber-EW effects.
• Autonomous Cyber Systems: Research and development of concepts, techniques and technologies for automated through to autonomous data processing and analysis and decision making; Artificial intelligence, machine learning, automated reasoning and planning under uncertainty, self-adaptive waveforms and algorithms.
• System Design for Resilience: The science and technology underpinning cyber systems designed to operate with the explicit assumption of untrustworthiness. Trusted, trustworthy and robust systems; self-repairing and survivable networks; static and dynamic malware analysis; vulnerability analysis; hardware and software trojan analysis; Secure architectures, dynamic security protocols (including identity management), systems architecture and policies and cloud computing.
The Plan ends with the outline of a proposal to establish a Cyber Security National Science and Technology Strategy designed to: integrate and orchestrate the national resources to focus on cyber security research in support of national security, and grow the national science, technology and professional capability to benefit all sectors of the cyber community.
“South Australia is building a highly skilled workforce, industry capability and the underlying policy to protect our businesses, governments and essential services and to capture economic benefit from the growth of the cyber industry,” Richard Price, chief executive of South Australian defence agency Defence SA, says. One of the growing hubs in this field is at Lot Fourteen on North Terrace in the Adelaide CBD, bordering the Botanic Gardens. Hi-tech has replaced a hospital. The old Royal Adelaide Hospital has been steadily demolished and in its place is a growing precinct devoted to space, technology, artificial intelligence and machine learning.
Almost 1000 people now work at the Lot Fourteen site, where there are 36 business and more than 40 start-ups, all trying to learn and interact with each other for the greater good. The Australian Cyber Collaboration Centre is one of those entities. Its aim is to foster collaboration, innovation, entrepreneurship and enterprise to try to come up with practical solutions for the wider world.
Price says it aims to partner with industry to ensure that a new generation of cyber professionals is ready to take on the huge challenges emerging in this sector. It brings together education, industry and business.Organisations involved in the centre include AustCyber SA Innovation Node, the Department of Defence, Science and Technology, Dtex Systems, The Office for Cyber Security and Optus.
Its close neighbours on North Terrace, the University of Adelaide and the University of South Australia, are also part of the collaboration centre. Lot Fourteen also plays host to the Cyber Range, which enables businesses to put their operations to the test. It is Australia’s largest commercial test range, allowing businesses, researchers and government to test their cyber security devices and software so they meet lofty standards.
The meshing of information technology, artificial intelligence and machine learning is coming together at another part of the Lot Fourteen site. Among the other entities beavering away is the Australian Institute of Machine Learning, an offshoot of Adelaide University. AIML is the largest university-based research group in machine learning in Australia. Paul Dalby, business development manager at AIML says the entity was formed in 2018 and builds on the previous decade of work by the Australian Centre for Visual Technologies. “There is a lot of demand for our capability in defence and security,” Dalby says.