Cyber Security Minister O’Neil states that relentless cyber attacks are here to stay…Right but they have always been here but governments were not paying attention. The problem is now data breaches are becoming an ongoing political rather than legal issue
October 20, 2022
The sub editors are earning their keep coming up with ever more dramatic headlines for cyber attack stories. It is as if data breaches were a new phenomenon. They aren’t. I have been writing about data breaches and privacy and cyber security for over a decade. What has changed things is the Optus Data Breach that affected almost half the population in one way or another.
The Home Affairs Minister Clare O’Neil has echoed earlier statements by ministers that the Medibank cyber attack is a huge wake up call. The problem is that this wake up call has been made by civil society groups and commentators for years. It was ignored by both sides of politics. This sudden interest in cyber security and privacy by a government reminds me of a conversation I had with Professor George Williams during a break at a legal conference years ago. I was bemoaning the ineffective privacy protections in legislation and the lack of options at common law and equity. He said that reform will come with a major privacy incident which gets the government’s attention or convinces the courts of an unacceptable gap in legal protections. How prescient were those comments. The Optus and Medibank data breaches seem to have achieved the former. Or at least the promise of the former. Hopefully the courts will recognise the protections at common law and equity are wholly inadequate.
Now Ministers are inserting themselves into every significant data breach. That has all the makings of poor policy. It is relatively unusual for governments and their ministers to insert themselves into the middle of a cyber attack. There have been exceptions, usually for extraordinary events, but on the whole it is a matter for the regulator, the affected organisation, the various experts brought in to fix the mess and sometimes the insurer. Later the courts become involved either through prosecutions or class actions. As data breaches are quite regular and likely to remain so, having government comment on each large data breach raises expectations that that is its role. It isn’t. It may end up being a burden for little practical gain. But if it becomes a political exercise the opposition will engage. As Senator James Paterson has done with frenetic activity. Some of his criticisms have validity but they end up being aimed at the Government where the appropriate target should be the affected organisation. But being a political exercise of course every effort will be made to draw the Government in. That is politics 101. But it ends up being a foolish waste of time.
None of this is to say Ministers and Governments do not have a role to play. Ministers have a role in explaining changes to regulations, what changes to the law will mean and the consequences of breaching the law. Educating and explaining is part of a Government’s job but that is different to providing a running commentary on this or that data breach. Government should focus on ensuring the legislation is fit for purpose, the right people occupy the key positions within the Information Commissioner’s Office, the regulator is properly funded and that it actively enforces the regulations. To do any of that would be a welcome change. To do all of that would leave room for little else, including ex tempore comments on the hows, whys and wherefores of data breaches.
O’Neil issued a media release:
A significant cyber security incident has occurred within Medibank. The facts are continuing to be established.
I have spoken with the CEO of Medibank, David Koczkar, and the heads of the Australian Signals Directorate and the Australian Federal Police.
Medibank is cooperating with government in responding to this incident. Significant support has been provided by the Australian Signals Directorate’s Australian Cyber Security Centre, and the Department of Home Affairs.
My department is working with all relevant agencies across government.
Specific inquiries about this incident should be directed to Medibank.
This incident is another reminder for Australian governments, businesses and citizens to be vigilant about their cyber safety. Helpful resources can be found at ACSC.
She also had a long interview with the ABC about the issue. It provides:
SABRA LANE: One of Australia’s biggest health insurers, Medibank, is grappling with a major cyber security incident after receiving a ransom demand from hackers who claim they’ve obtained customer data. Medibank says it’s taking the claim seriously and it’s now been referred to the Australian Federal Police. Last week the company revealed it had detected unusual activity on its systems but didn’t think any data had been stolen. The Minister for Cyber Security is Clare O’Neil. Minister has confidential customer information fallen into the hands of hackers, as the ransom claims?
CLARE O’NEIL: Sabra, the facts in this matter are still being established, as you would expect for a large cyber security incident such as this one. What has changed in the last 24 hours is that malicious actors have contacted the organisation claiming to have customer data, and that is why the situation has become of great concern and there are various arms of the Australian Government which are working very hard to support Medibank to try to prevent any customer data from being released.
SABRA LANE: Medibank had been telling its customers last week that no data had been taken. You’ve spoken to the CEO of Medibank. How many customers are potentially exposed here?
CLARE O’NEIL: Again, Sabra, the facts are still being established. And I appreciate it might be hard to understand this from outside of a large organisation, but when you’ve got a complex technological system, it takes a bit of time to understand what has changed in that system in the event of an attack. If you imagine a big organisation such as the ABC, there will be literally thousands of interactions with your data every day that are legitimate, and it does take some time for organisations to understand where illegitimate data changes have occurred.
So that work is being undertaken by Medibank at the moment. They’ve engaged external providers to assist them, and the Australian Signals Directorate, which is the best cyber organisation in the country, which is part of the Australian Government, has also been intimately involved in this along the way.
But the reason that I am so concerned about this at the moment is because of course the sensitive nature of the information involved. So, if you think about a lot of cybercrime relates to financial or identity information, which is very problematic when it comes into the problem realm. What we have here is information that’s held by this organisation which is health care information. And that just on its own being made public can cause immense harm to Australians. And that’s why we are so engaged with this and trying to help Medibank from understanding what’s happening so we can repair it.
SABRA LANE: Medibank says it’s received messages from a group that wants to negotiate a ransom demand. Is the Australian Cyber Security Agency advising Medibank to engage, to negotiate?
CLARE O’NEIL: Sabra, I’m not going to comment on – there is an attempt to commit a crime potentially underway here, so I don’t want to give a running commentary on what exactly Medibank is being advised to do. But, yes, it’s correct that someone claiming to have customer data has contacted Medibank to try to negotiate. So, this is what we call a ransomware attack. It’s quite a common form of cyber-attack.
Last night this matter was referred to the Australian Federal Police and an Australian Federal Police investigation has now been stood up. So, Medibank are now working closely with the Australian Signals Directorate and the Australian Federal Police to try to manage the situation.
SABRA LANE: You’re the Minister for Cyber Security, but the Nine newspapers is reporting this morning that the Federal Government has quietly added cybercrime to the Attorney-General’s responsibilities and taken it from you. Is this a demotion? Why has it happened?
CLARE O’NEIL: No, it’s not. It’s not. The Attorney-General and I share a lot of responsibilities. He is responsible for the Australian Federal Police. I’m responsible for cyber security. So, it’s very common across government for responsibilities to be shared, and this is one of them.
SABRA LANE: There would be so many people who are very anxious about this this morning, that potentially their health care information and potentially bank details have been exposed. What’s your words of advice to them?
CLARE O’NEIL: Well, my words of advice to them are that the very best people in the country are working with Medibank to try to prevent any harm from occurring from what has gone on here. But I’d also just say to Australians – and this applies to government, to business, to individuals – there is an element here that cybercrime is growing really quickly around the world.
There was an INTERPOL conference yesterday, the kind of police heads of forces from around the world got together, and their message to the community was that cybercrime is now their main crime concern internationally. And this is the new world that we live in. We are going to be under relentless cyber-attack essentially from here on in, and what it means is that we need to do a lot better as a country to make sure that we are doing everything we can within organisations to protect customer data and also for citizens to be everything that they can.
So, I think combined with Optus, this is a huge wake-up call for the country and certainly gives the government a really clear mandate to do some things that frankly probably should have been done five years ago but I think are still very crucially important.
SABRA LANE: Just quickly, the Optus hack, has the culprit been found?
CLARE O’NEIL: I’ll let the Australian Federal Police share information publicly about that one, Sabra. But I can say that there’s no clear evidence of financial crime that’s resulted from the Optus hack so far, which is good news.
SABRA LANE: Minister, thanks for joining AM this morning.
CLARE O’NEIL: Thanks so much, Sabra. Much appreciated.
SABRA LANE: That’s Clare O’Neil, the Minister for Cyber Security.