Why Australia Will Lose a Cyberwar
In 2015 hackers got into the Bureau of Meteorology's network, which is connected to the military's. The case was a warning.
"We have reached the stage at which the internet has been weaponised," Jill Slay, Director of the Australian Centre for Cyber Security (ACCS), wrote in October. She was referring to the proliferation of mercenary hackers around the world now available at low cost to anyone, from foreign governments to terrorists. She went on to argue that the internet is the war zone of the future, and will someday require vast numbers of troops. Yet Australia, she noted, "greatly lacks a trained and experienced cyber security workforce."
She's right. There are several problems we need to solve to make sure that Australia doesn't get slaughtered in a cyberspace showdown—and we need to address them soon.
The Threat Is Real
According to the Australian Cyber Security Centre Threat Report, 1,095 cybersecurity attacks considered "serious enough to warrant operational responses" were logged between January 2015 and June 2016. As the cyber security adviser for the Prime Minister stated, the Australian Government is "attacked on a daily basis".
While we're yet to see a catastrophic case, there have been some close calls. The most serious, in 2015, targeted the Bureau of Meteorology. It was likely a Chinese attempt to gain access to more sensitive systems run by the Defence Force. The information that was compromised included military-grade mapping information and military radar surveillance systems.
Corporations come under attack too, because third-party contractors often handle sensitive government information or have access to restricted systems. An example is Newsat, a private satellite company that was significantly compromised in 2013 and subsequently went into liquidation. When described by Newsat's former IT manager, the situation sounded a bit like a horror movie with hackers at every door and window: "We were up against China, state-sponsored, a lot of money behind them and a lot of resources… we were only a very small IT team, it certainly wasn't a fair fight for us."
So let's say that attacks are becoming more sophisticated and only more common. How would this translate to a threat that could affect the average person? According to Dr Greg Austin of the ACCS, Australia's electrical grid is a very soft target. "If you took out NSW's electricity grid, Australia would grind to a halt on almost every level. Depending on how long the outage lasted, it would interrupt things like food deliveries to supermarkets and the delivery of essential medicines to hospitals." He says that the aim would be to "disable Australia's efforts to mobilise or operate our own military forces, or send a big political signal."
The People in Charge Are Easy to Hack
These attacks aren't limited to compromising integral systems or stealing satellite blueprints. Politicians and decision makers are at a high risk of personal attack, and that could threaten our democratic processes. Dr Austin argues that while we are actually quite good at countering state-sponsored espionage against government departments, "we don't have the capability of tracking foreign espionage against the country's political leaders."
Dr Austin uses the recent resignation of former health minister Sussan Ley as an example. Ley was forced to resign after it was revealed she'd used a government-funded trip to buy an apartment. Dr Austin suggests that there is a reasonable possibility that this information came to light through cyber espionage. While the issue was that she'd claimed personal travel expenses as business, the fact she was caught illuminates how vulnerable our ministers are to hackers.
Poor digital hygiene goes all the way to the top. Malcolm Turnbull recently came under fire for instructing his ministers to use WhatsApp. His reasoning was that the app encrypts the messages, but apparently he'd overlooked the fact that WhatsApp is a commercial company based in a foreign country. "Some governments also have technologies to intercept that information before it's encrypted," explains Dr Austin. But the real problem with using WhatsApp is that it indicates federal politicians don't have anything better.
We're Short on Cash and Hackers
Prime Minister Turnbull has proposed $230 million in funding against cyber warfare tactics. This is nothing compared to the £1.5 billion the United Kingdom annually spends, or the $19 billion that the US has set aside. Even normalised for gross domestic product and population, Dr Austin calls the amount "paltry." Especially as we're more of a target than you'd think. Australia participates in an espionage agreement called Five Eyes with the US, New Zealand, UK, and Canada. Five Eyes has "one of the greatest capabilities in the world" but Dr Austin warns it would also make us a high-priority target.
But the real problem is that even if we did throw more money at cyber security, there aren't enough qualified cyber security experts in the country. This has been attributed to an age and gender imbalance, as well as a failure of the education system. Potentially it could also be attributed to a failure to accommodate stoners. Last year the FBI admitted they struggle to recruit trained hackers because they often don't pass mandatory drugs tests. The Australian Defence Force has a similar policy, and may find it hard to find hackers that can code without the help of narcotics.
The impacts of this shortage will only get worse. Analysts predict that by 2020 we'll be short nearly 100,000 trained cyber-security experts. To solve this problem, the ACCS recommends creating a nationally-recognised accreditation in cyber security and spending $20 million a year forging pathways for Australians to be trained or retrained as cyber security experts.
So Are We Screwed?
What's important to note is that we haven't suffered a significant cyber attack... yet. And while the nearly quarter billion earmarked for cyber defence will go some way towards ensuring we don't, proposals to reduce financial support and deregulate university fees will only undermine efforts in training.
Beyond bolstering IT education, we need to plan for defences to be breached, or fail completely. Dr Austin recommends we do what America does: complete national drills in preparation for full-blown cyber attacks. We also need to foster a culture of flexibility and adaptability in our critical private and public institutions—and create experts that know the limits of the system, and have a deep understanding of the dependencies built into Australian infrastructure. This will ensure we can make a system both strong enough to resist the endless barrage of cyber attacks we face daily, and flexible enough to adapt quickly as the digital landscape shifts.