How do you improve data security in Australia? Have an iconic media organisation hit with a cyber attack. Except that is probably not going to happen. Lots of talking and little action

March 31, 2021

On day 4 after the attack on Nine the media is still churning out bromides of advice together with dark warnings of things to come. Because all of this was unknown until now! Yeah right. That involves running around looking for a talking head to give a standard form warning. And the Australian does just that with Cyber attacks: banks, super ‘only a matter of time’, warns APRA. It is a better than average Henny Penny piece, with “the end is nigh” as a strong theme. Good dramatic reading but not all that rewarding journalism. What is not done, and what journalists should be doing, is looking at the state of regulation (inadequate), the effectiveness of the regulator (lacking) and what needs to be done (a long list that has been repeated with monotonous regularity in Law Reform Commission reports, an ACCC report and by commentators such as myself for years). Meanwhile at the Age, a Nine publication, there is a “Feel our Pain” piece titled How the Nine cyber attack is affecting The Age and a quasi investigative piece as to the source of the attack with Is a nation state or disruptive criminals behind the Nine cyber attack? And the Age editorial Cyber attack on Nine sends a broader warning is a waffly piece about cyber attacks that then proceeds to do an analysis of “..the deeper threats they pose.” As if this hasn’t been a significant problem for years. And, typical of many Australian organisations, it refers to the Government response in the form of the Cyber Security Strategy and cash for security agencies. Yes, that is important, but ultimately the key is that organisations must have adequate protections and strategies in place. The most relevant sentence is the last, “All businesses …should assume that their systems may someday be targeted for attack and make sure they have the proper protective measures and training in place.” And that is where Nine is coy.
It is unlikely that the hackers would have successfully placed malware into Nine’s systems without there being a failure in Nine’s cybersecurity: a failure to patch, a successful phishing or spear phishing attack, or access via a trusted secondary supplier which had access privileges. Put simply, Nine was successfully attacked because of its negligence in one way or another. It should be candid and explain what happened in detail so others can learn. That is common practice overseas. It is also a fair bet that Nine did not have a comprehensible Data Breach Response Plan. Not uncommon but still unforgivable. So the response, no doubt heroic, was a cobbled together hot mess of on the fly responses. Nine has probably been poorly served by its Board of Directors in not putting enough effort and money into its cyber security defences and strategies, by its managers in not having a Data Breach Response Plan (one which has been wargamed on a regular basis to see how well it operates) and by its lawyers in not having a review of its compliance with APP 11 of the Privacy Act 1988, which requires organisations to maintain proper data security (not just of the cyber variety). My sympathy for Nine is very limited. Outside of a few industries, too many organisations regard privacy as an afterthought and the legal obligations in protecting personal information as a secondary matter.

The editorial provides:

For the employees of The Age and the wider Nine Entertainment group, the cyber attack that began in the early hours of Sunday morning has been disruptive and challenging. The attack targeted Nine’s corporate network, but has affected Channel Nine in Sydney and mastheads including The Age. We have managed to improvise solutions using back-up technology at every turn but, as such attacks on companies and online platforms become more frequent, it is important to look beyond the drama they cause to grasp the deeper threats they pose.

In June last year Prime Minister Scott Morrison held an impromptu press conference in Parliament House’s Blue Room to warn that “Australian organisations across a range of sectors” were being targeted by “a sophisticated state-based cyber actor”. The vagueness of that warning is understandable given it is often difficult to definitively prove who is behind such attacks. But while his words resonated in the corporate world, the careful language diluted the strength of his intended message for the wider community.

Part of the problem is that these attacks come from a world of shadows – of encryption, false identities and espionage trade craft. At this stage neither the identity nor the motive of Nine’s attacker can be known for certain, though there has been unconfirmed speculation that a foreign regime is indicating its displeasure with Nine’s coverage of its actions. It’s welcome that the Australian Federal Police is now engaged in trying to answer these questions.

To some it might seem fanciful that an Australian media company would be singled out in this way by a major world power such as Russia or China, or a pariah dictatorship such as North Korea. It is not known whether these countries were involved, and no demands for a ransom have been made. But it is precisely on such powers’ peripheries, where their control of information is weakest, that they may resort to outlandish and visible measures. Countries such as Ukraine and Estonia have long known what it is like for every part of their online infrastructure to come under sustained attack. Estonia’s response was to set up a digital vault in Luxembourg so the country could “reboot” if its systems failed.

After sounding the alarm in June, the Morrison government updated its Cyber Security Strategy in August, having pledged $1.35 billion to security agencies to tackle cyber threats and $35 million for a platform allowing government and industry to share intelligence and block emerging threats. But despite reports that there might soon be a cabinet minister for cyber security, a December reshuffle left then home affairs minister Peter Dutton with the portfolio in his sprawling department. Presumably that arrangement will continue under the new minister, Karen Andrews.

There are lessons for the government and the private sector in Nine’s experiences this week. For the government, it is perhaps time to sharpen its narrative around cyber security and appoint a dedicated official. Treasurer Josh Frydenberg is right when he says the threat is “more pervasive than people think” and it is “not going away”.

These attacks are not new. But for companies, universities and other organisations around Australia, Nine’s experience is another warning about the power that state and non-state actors increasingly have to interfere in all our affairs. All businesses from winemakers to film festivals should assume that their systems may someday be targeted for attack and make sure they have the proper protective measures and training in place.

Rather than having garment-rending jeremiads about the state of the world and why people are being mean to the media, publications like the Age should engage in more serious coverage. Stories along those lines would go to the state of the nation’s cybersecurity and discover that organisations do little to protect themselves because the perceived risk is small and the consequences of not complying with inadequate legislation are minimal. Perhaps a start would be to review an article such as the US article In wake of giant software hacks, application security tactics due for an overhaul. This piece descends into some detail at least.

Part of any proper investigation would look at the ineffectiveness of the Australian Information Commissioner’s office, a governmental backwater if there ever was one. Businesses and agencies don’t comply with the law because they know the cop on the beat is in the station house asleep at his desk. When ASIC falls down in its regulatory duties it is called to account. The Australian Information Commission doesn’t even engage with its obligations and receives no scrutiny. It has polished its image to a fine sheen and that has gulled the media. No one ever said the Privacy Commissioners and then Information Commissioners weren’t nice. They were and are. It’s just that they have been not much good.

Unfortunately in terms of data protection and enforcement Australia is the land of the lotus eaters.  Nothing much has changed while the risks grow.  The media coverage is selective and its attitude is downright harmful in its outdated kneejerk reaction against a statutory tort for the interference with privacy, which would force organisations to get their houses in order.

Meanwhile in the real world FatFace, a UK clothing retailer, paid $2 million to unlock ransomware as part of a completely bungled response to a cyber attack. It wrote one of the more ridiculous disclosure letters, in which it asked individuals whose personal information may have been compromised to keep the contents of the letter confidential. How FatFace’s managers thought that was going to work is beyond me. But it is odds on that it did not have a data breach plan, so all of it was done on the fly. The extent of the hopeless response is set out in FatFace disclosure a case study in ‘bungling the process’. And as part of the hackers’ strategy they attack insurance firms to determine who has cyber insurance which can be used to pay a ransomware demand. Which explains CNA Hardy suffering a sophisticated cyber attack, using the new Phoenix CryptoLocker ransomware, as it announced on 21 March 2021.

Just as a sample of the cyber attacks in the last week: Jefit announcing a data breach after being attacked, Mott Community College suffering a data breach and the New Jersey law firm Decotiis, Fitzpatrick, Cole & Giblin suffering a data breach.

The Australian article provides:

The banking regulator has warned it is “only a matter of time” before a major bank, insurer or super fund in Australia suffers a major cyber breach.

In the wake of cyber attacks this week on media group Nine Entertainment, Australian Prudential Regulation Authority chairman Wayne Byres said it was a “timely warning” that cyber threats, including attacks from criminal groups and state-sponsored hackers, are growing.

His comments come as Australian companies are now getting ransomware attacks demanding as much as $10m each from cyber criminals, McGrathNicol partner and cyber security expert Darren Hopkins has warned.

Mr Hopkins said requests to McGrathNicol from clients for assistance in handling ransomware cyber attacks had tripled in the past three months, with cyber criminals — often criminal gangs from Eastern Europe — becoming increasingly sophisticated in assessing the capacity of companies to pay ransoms.

He said some companies were now opting to pay the ransom and claim on their cyber insurance policies.

Mr Hopkins said $10m had been the largest amount demanded in recent times for an Australian company McGrathNicol had advised.

The high-profile cyber attack this week on the Nine group, which has affected the production of newspapers including The Australian Financial Review and The Sydney Morning Herald as well as Nine’s television broadcasting arm, is expected to cost the company more than $1m.

His comments came as bank executives also warned on Tuesday of increasing cyber and phishing attacks.

ANZ’s institutional bank group executive Mark Whelan told a conference that his bank was batting off up to 10 million cyber attacks a month on the bank, its systems and customers — including phishing attacks as well as more sophisticated cyber attacks.

“I see it as the single biggest issue which we talked about, or threat, in banking today,” he said.

He said it was important to put as many controls as possible in place against cyber attacks, including educating staff and customers around the dangers.

Westpac’s chief executive Peter King said scams and cyber risks had spiked during the COVID-19 turmoil.

“Cyber has to be up the top of every business’ and frankly every consumer’s, mindset at the moment,” he said.

“The potential for very sophisticated attacks has gone up so we have to operate at both a co-ordinated national level as well as an individual level.”

APRA’s Mr Byres said: “We’ve seen recent moves by state sponsored hackers and criminals to exploit vulnerabilities in Microsoft Exchange,” he said.

“It’s just a timely reminder that those cyber threats continue to grow and they require a continuous cycle of investment in improved practices.”

The comments follow warnings last year from the Australian Cyber Security Centre chief executive Abigail Bradshaw that Australian companies needed to prepare for increasing incidences of ransomware attacks.

Launching a campaign to get companies to be more proactive in protecting themselves against cyber attacks last December, Ms Bradshaw said that the ACSC had seen a 50 per cent increase in ransomware attacks in businesses in Australia in the past year.

She said this included “very public reports” of ransomware attacks on some of Australia’s largest companies.

She said the attacks inflicted “significant damage” on businesses, including small businesses.

Criminals were using ransomware to “tie up your data, to steal your IP, to lock up your systems and then to demand money and payment for its release.”

“It’s relentless and merciless, and we know that their tactics are to attack those most vulnerable,” she said.

Ms Bradshaw urged businesses to continually update their software and regularly back up data and store it in a safe place “away from the internet”.

She said companies should also seek to use multifactor authentication where they could when people logged into their accounts.

Then Defence Minister Linda Reynolds said the attacks were coming from a range of sources from “very ruthless cyber criminals” to “state based actors.”

McGrathNicol partner Darren Hopkins told The Australian that in most of the cases his company had advised on, the ransomware attacks could have been prevented if the victim had paid more attention to taking preventive action, including making sure they regularly downloaded patches updating their software.

He said he believed that many of the attacks were being made by organised crime groups in Eastern Europe which were using ransomware as a way of funding their organisation.

“There are a lot of suggestions that cyber crime is now worth more to organised crime than the drug industry,” he said.

He said many of these ransomware attacks did not start with a flat demand for an amount to be paid by ransom but left messages in the computer system asking the companies to get in touch with regard to the amount to be paid.

He said the ransomware extortionists were becoming increasingly clever in assessing how much companies were prepared to pay to buy them off.

Some companies at the moment were opting to pay the ransom and claim the cost off their cyber insurance.

Mr Hopkins said McGrathNicol was currently working on advising clients on several ransomware attacks at the moment and had dealt with some 150 different cyber attacks and breaches for clients over the past year.

“We are seeing a lot more ransomware attacks in the last six months which are becoming far more damaging to business.”

He said that there were an increasing number of cases where it was clear there was a human being involved, directing the process.

“The last few cases we have been working on have been human led.

“There is a person in the system, it is not just a piece of malware.”

He said the cyber criminals were talking directly with companies, warning them they would be releasing their customers’ data and the company’s private data to the world unless they agreed to pay the ransom.

“They are being asked to pay a ransom so as not to cause more harm to the people whose information the company has.”

He said McGrathNicol had been working with some companies for as long as three months to try to help them handle their problems with ransomware criminals.

“A lot of ransomware has been coming out of Eastern bloc countries,” he said.

He said in many cases the initial file on the system requested the company under attack to get into contact with the cyber criminal to discuss payment of the ransom.

“They are telling the company that it needs to make contact to understand what the payment might be.”

The incidences of ransomware attacks had involved claims for payment of up to $10m.

“We have seen incidences where people have paid the ransom,” he said.

He said most recent attacks had involved situations where the victim organisation has had to download a piece of software in order to contact the attacker and find out the terms.

He said the cyber security world was closely watching the situation where a ransom of $50m had been demanded of computer company Acer.

He said the Nine group should be prepared to tell their external vendors and partners of the details of the attack “so other organisations can take steps to safeguard their own networks and not let the attack spread.”
