Ex Prime Minister’s complaint about cyber attacks on Australian companies has merit but much could have been done earlier, when he had the power to do so.

August 18, 2025

There is nothing quite like an ex-politician complaining about this or that aspect of the country when he or she did nothing about the problem when in power. It is even more galling when it is an ex-Prime Minister. And so it is quite extraordinary that Malcolm Turnbull complains about the complacency in the market to cyber attacks in The Australian’s “Malcolm Turnbull warns of alarming pattern in cyber attacks on Australian companies”. What needs to be understood is that the poor privacy culture has been an endemic problem for decades. Successive Federal Governments have either ignored the issue or done the bare minimum. Turnbull was a minister in the Howard Government, which did as little as possible to reform the Privacy Act and did nothing to invigorate the Information Commissioner. The Abbott Government, where Turnbull was also a minister, reduced funding to the Information Commissioner and removed the Privacy Commissioner as a position. Turnbull was the Australian Prime Minister from 2015 to 2018. No privacy reform took place then, even though the Australian Law Reform Commission had published Serious Invasions of Privacy in the Digital Era (ALRC Report 123) in 2014. It recommended comprehensive privacy reform. His Government also had in its possession For Your Information: Australian Privacy Law and Practice (ALRC Report 108), an even more comprehensive 2008 report recommending privacy reform. If those reports had been properly acted upon, the regulator had been properly funded, a more assertive person had been at the helm of the regulator and the government had given a focus to cyber protection, things may have been different. If there had been proper prosecutions with real consequences for malefactors, the price of complacency may have been too high. But none of that happened and there is widespread complacency.

The article (in red), with a few of my comments (in black), provides:

Malcolm Turnbull has lambasted a pervasive culture of complacency for fuelling a spate of high-profile cyber attacks — including the strikes on super funds and Qantas — urging directors and executives to be more hands-on in protecting Australian customers.

His complaints have merit.  There is a culture of complacency.  

New data from cyber security firm Semperis has revealed almost half of all attacks are on understaffed weekends, with hackers repeatedly targeting the same businesses in the past year.

Despite the strikes, politicians and business leaders aren’t taking the breaches seriously enough, with Mr Turnbull – who advises Semperis – saying many are “treating ransomware attacks as just a cost of doing business”.

Again, his concerns have merit. There is an attitude that cyber attacks are inevitable and a cost of doing business. They are inevitable given the poor resourcing for cyber defences, the terrible state of preparedness within organisations and the poor training of staff.

His urgent message: cyber security isn’t an IT problem, it’s an executive failure, demanding immediate boardroom-to-browser action to avoid catastrophic consequences, including identity fraud, loss of essential infrastructure and steep financial losses.

There is nothing new in his comments.  ASIC has said much the same thing for years.  

Yet, Anthony Albanese dismissed attacks as happening “all the time” after criminals siphoned hundreds of thousands of dollars from AustralianSuper and other industry funds earlier this year.

Mr Turnbull – who is considered an early internet pioneer in Australia before entering politics and has invested in cybersecurity firms, including Dragos, Cado Security and Kasada – said such comments were not helpful.

“The truth is these attacks do happen all the time, but that doesn’t mean you should be complacent about it,” he said.

All of that is very true. That said, the successive governments which he either led or served in as a minister were totally complacent about the growing threat of cyber attacks. And cyber attacks have been present for decades. If anything, governments regarded the Privacy Commissioner almost as a necessary evil, a regulator required to show the EU that Australia was providing the minimum acceptable privacy protections.

“There’s all sorts of bad things that happen all the time. If somebody was mugged walking down Martin Place and the police commissioner just said ‘muggings happen all the time’, people would be calling for his head.”

But, Mr Turnbull said it was up to businesses to protect customer data and fend off cyber attacks.

Very true. But businesses will not protect data and invest enough to fend off attacks until the consequences of failing to do so far outweigh the acceptance of the risk. That means swingeing fines, civil penalty proceedings and liability for company directors.

“The government cannot protect you in this field. Australian Signals Directorate does great work and obviously, Australian Cyber Security Centre and all the government agencies are very important. But … if you have a business, responsibility for protecting it against a cyber attack is yours.

Turnbull touches on a real problem developing in the market. Every time there is a major data breach, companies are quick to say that they are working with the ASD, the ACSC, the AFP, the OAIC and any number of other agencies. So what? Those agencies can provide very good advice about how to pick through the ruins, but that is very different to making sure the attack doesn’t happen.

“What government’s got to do is raise levels of awareness. It’s got to provide tools. It has got to provide legislation, which we’ve done to ensure that people report breaches. But ultimately it’s down to businesses.”

This is only a partial explanation. The necessary reforms to the Privacy Act have not been completed. The process has been unnecessarily slow and the “tools”, to use Turnbull’s turn of phrase, are quite inadequate.

Mr Turnbull said the problem was many executives and directors delegated too much in regard to cyber security.

“When I was in office, I used to say to chief executives, ‘do you know who in your organisation has administrative privilege? Who is your system’s administrator or administrators?’ And they never generally had no idea. I said, ‘well, don’t you think you should find out? Don’t you think you should know who’s got the keys to the castle?’ And so raising awareness is very important.”

But Turnbull the PM did very little to give the regulator teeth, money and a mandate to prosecute those who fell down in their responsibilities. Civil proceedings would send a message to the market that knowing who holds administrative privilege is necessary. Anecdotes highlighting one’s superior knowledge of cyber security are no substitute for proper legislation and regulatory action.

But even when awareness is raised, executives have done nothing. Superannuation fund trustees ignored repeated warnings from regulators to strengthen their “weak” online security.

Which is why the regulator needs to take action, and why individuals and classes should have the ability to bring a direct action under the Privacy Act, a reform in waiting.

The Australian Securities & Investments Commission told superannuation trustees — who are mainly union or employee group appointees — in late January trillions of dollars of Australians’ retirement savings were at risk to data breaches and scams.

The Australian Prudential Regulatory Authority also urged the funds in May 2023 to adopt multi-factor authentication to protect members’ savings — a measure many funds, including AustralianSuper, failed to adopt until after the attack.

Mr Turnbull said directors, executives and super fund trustees must learn to educate themselves about cyber risks.

Education is the mantra weak regulators constantly use instead of the more difficult but necessary step of taking action.

“I don’t want to hold myself up as an example but you know when we made the decision about 5G … I bought the latest textbook on 5G. I made myself as familiar as I could be. I spent a lot of time directly with ASD so that I understood the advice that I was getting and was able to challenge it and interrogate it. And so I was able to be an informed client. And I think that’s what you’ve got to be. You just want to take this super seriously.”

This is hardly novel. The risks are well known. It is the willingness to do what is required to minimise the threats which is lacking. Putting enough resources into the C suite has always been a problem. There is no interest in privacy by design. There is almost never a data breach response plan and there are inadequate backups.

The Semperis report, which was based on a survey of 1500 companies, found one in three cyber attacks targeting Australasian organisations were hit more than once in the past 12 months, significantly higher than the global average.

Meanwhile, 38 per cent of global organisations paid multiple ransoms, and 11 per cent paid hackers three times or more.

More troubling, the report found 43 per cent of ransomware victims in Australia were threatened with physical harm if demands were not met, highlighting the psychological warfare element of cyber crime. This is only slightly below the US (46 per cent) and Germany (44 per cent).

Semperis found most companies operated a Security Operations Centre, yet 89 per cent said it was not fully staffed on weekends and holidays.

This is despite 52 per cent of attacks being deliberately launched on weekends or holidays, when IT teams were likely understaffed.

“Complacency is a real issue and the fact that Australian companies are getting attacked repeatedly indicates that they’re not taking the threat seriously enough. If you are treating ransomware attacks as a ‘cost of doing business’, all you’re going to do is encourage more ransomware attacks. So the one message I would have is that if you are a director of a business or an owner you have a duty to do everything you reasonably can to protect your company from cyber attacks.”

Complacency has been the issue for 20 years. The complacency is not confined to companies. Governmental complacency has been pervasive. In that regard ex-Prime Minister Turnbull should look to his actions/lack of action and ask what he should have done.
