Just before Alastair MacGibbon resigned as the head of Australia’s Cyber Security Centre (ACSC) in May, he issued a stern warning. Cyber attacks, he said, are the “greatest existential threat we face.”
It’s this ever-present danger that’s behind this week’s Stay Smart Online campaign.
The ACSC’s message to online users is to “reverse the threat” by following a series of simple steps outlined on its website.
Banks are also spreading the word. On Monday (October 7), many turned their online portals black and white while urging customers to keep their personal information safe.
Earlier this year, Scott Morrison made cyber crime an election issue – announcing plans for a $156 million investment in communications networks, scholarships and recruitment programs. Since his election, several funding rounds have been opened to security companies through the AustCyber Projects Fund.
Mr MacGibbon, who oversaw the investigation into hacks on the 2016 Census and on Parliament, is now working in the private sector.
He joins the industry leaders who’ve been raising alarm bells over the potential to undervalue cybersecurity investment. The outcome, they say, could be catastrophic.
Greg Austin is an international security specialist and a Professor at UNSW’s Canberra Cyber Centre. He shares their concerns and adds that there were signs of a shift in focus after the Liberal Party’s leadership change.
He says significant progress points in Australia’s cybersecurity development had been forgotten; threat reports and updated strategies were not being released; and there is no longer a Minister for Cybersecurity.
“Malcolm Turnbull was one of the few Australian political leaders who understood the information age,” he said.
“Now, if you look at the front-bench of the Coalition or the Labor Party, you don’t see anybody talking or thinking about the digital age.”
Professor Austin says that while cyber security matters are usually kept under wraps, the Morrison Government’s funding package seems to be the first course of action towards picking up the pieces.
One of the potential beneficiaries of that investment is 19-year-old Lavert Mashingaidze, a second-year cyber security student at Macquarie University.
He says if the funding is invested wisely, it could be a huge factor in boosting Australia’s cybersecurity.
“The amount could mean nothing, or it could mean everything.
“If the Government (doesn’t) seek advice from people such as uni students and professionals who are up to date with the technologies cyber criminals use to act, then it could ultimately prove useless.
“They could invest that $150 million into ensuring every household and government building has (the latest) Wi-Fi security.
“As long as they get their information from people who know what they’re doing, it could change everything. It could reassure Australian citizens that Australia cares about their cyber security.”
Mr Mashingaidze’s interest in the field stems from his love of computers as a child, and he says he committed to majoring in cyber security because it is a growing industry in which he could make a mark.
“As technology advances, and as cyber crime has become a bigger threat, I figured I’d contribute to Australia’s efforts and try and get a job in that field.”
But his motivation became personal when his father was the victim of a cyber attack on his online banking and financial services. A hacker accessed his phone number to steal from his online banking accounts, causing what he describes as a chaotic array of events.
“It was just a matter of seeing how long that person could wreak havoc. And I’d say they did a good job at it, as they were able to take $900 from PayPal, $1000 from my father’s bank – and [that had] a huge affect on our family as a whole.
“We were behind on bills. My youngest sister had a school performance coming up and she needed money to go on the bus trip. But we couldn’t afford it because we’d been hit by such a large attack.
“As the days did go by the perpetrator kept on taking more money. The banks had taken days to respond, and in that time they were already branching over to my stepmother. And that just shouldn’t have been able to happen.”
The official response to this instance of cyber crime was for the family to stop using mobile banking applications – which Mr Mashingaidze believes to be an impractical outcome for a victim of a crime.
“Their response made me think that the people in charge of a company’s cyber security don’t understand the methods and the techniques that cyber criminals have as time advances.”
“Do they not know about Handshake? People can intercept those. They can make fake access points, they can infect your computers with root kits, with malware and viruses. There’s a lot of things that big companies still don’t know about, because they weren’t able to help my father use their own services.”
Still, he considers himself lucky. The way the hacker used the stolen funds enabled police to locate and capture them. Had they been more conscious of covering up their tracks, the funds would never have been returned.
Mr Mashingaidze’s case supports the findings of a 2016 Australian National University report, which found that only 58% of cyber security professionals in medium-sized businesses thought their board had a sufficient understanding of cyber risks. While less than half (46%) said their board discusses cyber security rarely or never.
Right now cyber crimes fall under the ‘other’ category in NSW Police crime reports, and therefore runs the risk of being under-represented statistically.
Professor Austin says this is likely because greater attention and more resources are directed towards larger-scale crimes that police are already trained to solve.
“The number of prosecutions for cyber crimes in Australia is really small, it’s absolutely tiny,” he said.
“So that means that criminals operating in Australia, in cyberspace, are relatively safe from capture or prosecution.”
“Not a lot of police are trained in the areas of cyber crime, and there’s not a big political constituency.”
This is largely because Australia simply hasn’t been through the experience of a cyber catastrophe.
“We have not been prepared to invest as heavily as we need to … we haven’t been prepared to invest the resources,” Professor Austin said.
“The Federal Government released a document in December last year with coordination arrangements for a national cybersecurity incident. It was a seven-page glossy brochure. It was an important first step.
“But that document is almost primary school level compared to the equivalent document in the United States which is 60-70 pages long, fully detailed and [which] embraces a whole range of policy issues our government hasn’t even begun to consider.”
Michael Jensen is a Senior Research Fellow at the University of Canberra Institute for Governance and Policy Analysis. He says our inability to defend ourselves against internationally based cyber espionage was proven during February’s data breach on the Australian Parliament and its major political parties.
The exposure of personal data to a foreign power has not only opened up a threat for more instances of personally targeted cyber crime, as in the case of the Mashingaidze family, but also to a plethora of new threats that Mr Jensen says may undermine our democracy as a whole.
“This could give rise to a hack and dump operation like what we saw in the US in 2016,” he said.
“Online influence activities don’t require the specialised technologies, skills and testing to the extent that other weapons technologies require… or nearly the capital investment.”
Despite a seemingly slow government response, Australians are increasingly taking responsibility for their own data.
Simon Elvery, the journalist behind ABC News’ #DataLife series, says the positive response to his work has shown that awareness of data protection and privacy issues is growing quickly.
But he adds that it’s from a low base, and without much political action in return.
“It would likely take a fairly egregious violation of norms from a prominent Australian organisation (a major bank, political party or government organisation) to really make a change.”
— Story and photos, Renae Barber