Cybercrime, cyber espionage and the 'dark web'

Efforts to bolster the preparedness of Australian government agencies for cyber attacks received yet another blow as a significant move by Prime Minister Malcolm Turnbull compounded concerns that federal and state governments simply aren’t taking cybersecurity seriously enough.

Industry journal iTnews revealed this week that Prime Minister Turnbull had rejected the draft of the government’s long-overdue cybersecurity strategy, an update to a 2008 policy that was originally slated to be released in mid 2015 and had subsequently been pushed back to late October.

The PM’s read of the first draft, however, had found that it “lacked teeth or funding”, the report said, and it had been sent back for a rewrite that will now be delivered at an uncertain date in the future.

The move was a blow for efforts to update Commonwealth cybersecurity policy to reflect the dramatically different cybercrime landscape as it has evolved in recent years — and it suggested that Australian governments at all levels are still struggling to evolve cybersecurity policy from the realm of the theoretical into the realm of the concrete.

Cliff Huntington, a security specialist and global director for the Archer risk-management tool with EMC subsidiary RSA, has seen the ongoing shortcomings in government policy first-hand and believes that in the last two years, government “has really started to take a step back”.

“There are some areas where ‘antiquated’ doesn’t even begin to describe their overall risk posture,” Huntington told GTR. “In the past, certain areas of government were incredibly advanced in this, with strong controls in place.

“But recently, private companies have invested an incredible amount of money developing strong, good practice and developing talent in challenge areas — and the government, which always used to lead in front in a lot of these areas, is starting to realise that it can learn a thing or two from the private sector.”

Strong awareness of a few particularly progressive agencies had masked the less progressive reality at many other government organisations, Huntington warned, with many struggling to build actionable policy around the “thousand pages of ‘thou shalt’” cybersecurity guidance they’ve received.

Concerns about the government’s cybersecurity maturity were echoed at the state level in recent cybersecurity reviews in which the Western Australian and Victorian Auditors-General separately raised serious concerns about IT security practices within their state agencies.

The WA Office of the Auditor-General’s ‘Information Systems Audit Report – Application Reviews’ report reviewed key business applications at four state agencies and found “control weaknesses” that “compromised the security of sensitive information”.

The review also investigated 13 databases at seven agencies storing critical government information and found 115 weaknesses “with failures in all seven key areas”.

“Most concerning was a lack of some basic controls over passwords, patching and setting of user privileges,” the report concluded. “Our findings also revealed copies of sensitive information across systems and poorly configured databases.”

Victoria’s review — which found 134 high-risk IT deficiencies including, among other things, that the state’s agencies were exacerbating security risks by delaying migrations away from end-of-life computing platforms — raised particular concerns because many of the issues raised in this year’s review had also been raised last year, with no action taken to improve the situation.

State agencies needed to apply “more focused attention and oversight by accountable officers and governance bodies”, the report warned.

A new evaluation of Asia–Pacific countries’ relative cybersecurity maturity, conducted by the Australian Strategic Policy Institute’s International Cyber Policy Centre, ranked Australia fifth overall in terms of cybersecurity maturity, with a weighted score of 79.9 — compared with the top-ranked United States’ 90.7 and sixth-ranked New Zealand’s 72.8.

“Cyber-hygiene awareness and practice are very low, so there are easy pickings for criminals,” the report warned, adding that APAC countries need to “urgently address shortfalls” in cybercrime policy.

Such issues continued to be major obstacles in improving cybersecurity practice — and inertia was often an indomitable force in such instances. “Everyone in the organisations got comfortable with a certain level of security,” Huntington warned. “Unfortunately, in organisations like that where we shine the light on potential gaps, there still seems to be little or no appetite for changing.

“It takes a rude awakening — or someone with authority to come into the organisation and say ‘this is not acceptable’. Until then, we are boiling the frog.”

Image courtesy of Dennis Skley under CC