Navigating the Cyber Battlefield: Australia's Journey to Strengthening Cybersecurity

Published by: Anusha Sharma

In an age defined by advanced digital connectivity, businesses across Australia, spanning from small enterprises to major corporations, grapple with the concern of cyber threats. The recent onslaught on renowned corporations like Optus, Medibank, Canva and even Victoria’s justice system serves as a stark reminder of the dangers, underscoring the vulnerability ingrained within Australia's cyber systems and emphasising the pressing need for proactive measures to fortify cybersecurity.

Major cyber breaches

In September of 2022, Australia suffered one of its largest cyberattacks of all time, compromising the highly confidential information of 9.8 million Optus customers. This information included names, birth dates, addresses, phone numbers, passport and driver's licence information and much more. This breach underscores the critical importance of cyber defence measures, highlighting the significant risks and consequences associated with digital security. Beyond the immediate financial and reputational damage inflicted on Optus, the incident underscores the far-reaching consequences of cyber threats for individuals and society at large. The exposure of such sensitive personal data not only undermines trust in digital platforms but also leaves millions vulnerable to identity theft, financial fraud, and other malicious activities. The potential ramifications of such confidential details being released only makes the inadequacy of the protection and enforcement surrounding cyberspace a more pressing issue. 

Source - Financial Review

More recently, on January 2, 2024, Victoria’s court system confirmed a cyberattack revealing “unauthorised access” of the audiovisual technology network just before Christmas. The hackers obtained video and audio recordings and transcripts of trials that took place between November 1 and December 21 2023 including access to a murder trial involving a Melbourne underworld figure that is the subject of a strict suppression order. 

These are only two of the numerous cyberattacks that have occurred in Australia’s recent history. Alongside the increasing sophistication of cyberattacks, 2023 brought on an increase in the frequency of cybercrimes as well. Regardless, Australia’s regulatory regime has not kept up to manage these risks. Figures show that 22% of businesses experienced a cybersecurity attack during the 2021-22 financial year, representing one in five businesses being affected directly.

These breaches not only underscore the immediate security concerns but also raises ethical, legal, and public trust implications that demand comprehensive attention and strategic responses. The growing menace of cyber threats compromised customers' digital identities and payment details, damaging the livelihoods of individuals and additionally costing organisations millions of dollars.

Source - National Cyber Security Centre

Motives of cyber criminals

As we confront the aftermath of the cyber intrusions, it becomes imperative to delve into the worlds of these hackers. Their motivations generally range from financial gain and political motivations to the theft of sensitive data.

Gaining insight into cybercriminal motives is pivotal for establishing cybersecurity defences. This understanding enables the development of effective strategies tailored to anticipate and counteract diverse cyber threats. In cybersecurity, strategic foresight, rooted in a thorough understanding of cybercriminal motivations, is indispensable for safeguarding our systems effectively.

Typically, they are driven by financial gains, whether through selling stolen data or demanding ransom payments. The recent incident with Medibank, where hackers demanded $15 million, illustrates how these attacks can extend beyond mere monetary gain. Similarly, in the Optus breach, the sophistication of the attack suggests potential insider involvement. The average cost of a data breach in Australia has grown 32% in the last 5 years, reaching AUD $4.03 million according to the “Cost Of Data Breach Report 2023” findings.

Our response to cybercrime

Optus’ response to their cyberattack demonstrates their lack of preparedness. The inefficiency of Optus’ response system to cyberattacks and data breaches is not a shock to observers of Australia's business cybersecurity scene during recent times. Cyber Security Minister Clare O'Neil’s claim that "[Australia’s cyber defence] is probably a decade behind… where we ought to be" highlights how Australia lags behind other countries in this area. A 2019 review of the identity theft response system commissioned by the government found a system that was ‘either non-existent or performing poorly from a citizen’s perspective’. The findings revealed a lack of a unified national strategy and a dependence on outdated standards that offered inadequate protection in the digital era. Additionally, IDCARE, a charity, took on the primary role in addressing cyberattacks and identity breaches for customers but struggled to cope with the surge in inquiries and requests following the Optus data breach.

Source - ABC news

Businesses and governments have acknowledged their vulnerabilities to cyber threats and the associated risks. Recently, key cybersecurity agencies like the Australian Signals Directorate and the Australian Cyber Security Centre have received significant funding boosts. This increased funding is expected to enhance their capabilities in preventing and deterring cyberattacks. Additionally, businesses are projected to invest over $9 billion in cybersecurity protection over the next decade. This investment is not only driven by new national security requirements but also by the need to mitigate potential losses from service disruptions and recovery expenses. Heightened concerns among businesses about the escalating threat of cyberattacks as a business risk underscore the importance of prioritising additional investment in cybersecurity protection.

What’s to come

In response to the growing cyber threats, Australia has introduced the Security of Critical Infrastructure (SOCI) Act in 2018. However, recent events have shed light on the Act's limitations and prompted calls for enhancements. The Australian government, as part of its 2023-2030 Australian Cyber Security Strategy, has outlined proposed legislative reforms and amendments to the SOCI Act to better protect critical infrastructure. These reforms include clarifying obligations for critical infrastructure entities, introducing last resort consequence management powers for the Minister of Home Affairs, and simplifying information sharing to enable quicker responses to high-risk incidents. The government's commitment to strengthening the SOCI Act reflects a broader effort to fortify Australia's cyber resilience and protect essential sectors from evolving cyber threats.

While Australia has started to address the threat of cyberattacks seriously, challenges lie ahead, particularly regarding the strategies employed. A contentious issue in cybersecurity improvement discussions is government surveillance of the internet. While such surveillance can deter cybercrimes, it often infringes on user privacy. Any expansion of internet surveillance by governments should be proportionate to the enhancement in their ability to assess cyber threats accurately. Excessive surveillance could lead to decreased acceptance by users, potentially fueling defiance and creating a breeding ground for cybercriminals. This poses risks for businesses of all sizes, highlighting the need for a balanced approach that respects user privacy.

Another solution is to enhance business cybersecurity, such as through the implementation of mandatory cyber insurance legislation. Research indicates that cyber insurance can be crucial for SMEs, potentially determining their survival in the face of cyberattacks. This is especially relevant in industries like finance, where evolving technologies like cloud solutions and big data introduce new cybersecurity challenges. Thus, cyber insurance should be seriously considered by both businesses and authorities to safeguard contemporary enterprises.

Looking forward

Australia’s cybersecurity requires a large amount of development in order to keep up with this quickly developing threat to our nation. If the proper enhancements are not made to our cyber defences we will see attacks far worse than those that occurred to Optus and Medibank. This is partly because of the swift changes in the digital and socio-political landscape, and their consequent impact on the intricacy of cyber assaults. As a result, defending against cyber attacks is a much more complex journey. As said by Hazel Diez Castaño, Chief Information Security Officer at Banco Santander, “Cyber criminals have the battlefield advantage: it's easier to attack than to defend, as defending requires more effort and resources. Therefore, the public and private sectors must act together to develop collective cyber threat intelligence and detection sharing, security and technology and coordinated incident response mechanisms.” Thus the road ahead is definitely a difficult one, however, with new regulations being put into place for cybersecurity improvement in the country, we can hope to see a reduced frequency of such severe cyber attacks.

This article is published by CCA, a student association affiliated with Monash University. Opinions published are not necessarily those of the publishers. CCA and Monash University do not accept any responsibility for the accuracy of information contained in the publication.