CSIRO warns new cyberthreats will dwarf 'Heartbleed'

CSIRO Head Office

Monday, 05 May, 2014


Australia’s government research agency, CSIRO, warns that hackers could steal billions of dollars and disrupt critical public infrastructure in the cyberattacks of tomorrow.

Launched at the CeBIT Cyber Security Conference in Sydney, the report - Enabling Australia's Digital Future: Cyber Security Trends and Implications - says attackers could use security vulnerabilities similar to ‘Heartbleed’ to steal passwords, credit card information and other sensitive data from major websites such as Instagram, Gmail, Facebook and Pinterest.

The report raises serious concerns that hackers could capitalise on loopholes in computer security to shut down infrastructure such as energy grids, interrupt government services and steal enormous quantities of sensitive data - such as health records and taxation data - all leading to many billions of dollars of losses.

It also predicts a greater number of online attackers than at present.

“Despite recently being ranked second in the Asia-Pacific region when it comes to cybersecurity capabilities, we need to recognise that our increasing reliance on digital services leaves us potentially vulnerable at unprecedented scales,” said James Deverell, Director, CSIRO Futures.

“The sheer complexity and interconnectedness of different elements of our digital economy means we can expect rapid exponential growth in the number, speed and severity of breaches - far beyond what any single organisation can tackle on its own.

“The more we rely on digital services for our basic needs like healthcare and energy, the more drastic the consequences of any breach may be,” said Deverell.

“As we begin to develop and embrace these services, it’s in our national interest to ensure they’re designed with simplicity and transparency in mind from the very start.”

The CSIRO report uses three scenarios to illustrate cybersecurity problems of the near future.

In the first scenario, in which the national electricity grid has become highly automated and there is widespread use of ‘smart meters’, a rogue employee gains access to an unprotected part of the computer system and shuts down the grid during a summer heatwave. This leads to severe power outages nationwide, billions of dollars in losses for both the public and industry, and loss of life due to vital life support equipment failing.

In the second scenario, private healthcare data stolen or accessed by individuals and crime syndicates is costing the healthcare system up to $16 billion in fraudulent claims. Criminals with stolen patient records are holding hospitals to ransom to the tune of millions of dollars.

And in the third scenario, online hacktivists break into government records and siphon off huge volumes of private data. Governments react by taking all of their data offline, resulting in widespread disruption.

To prevent such losses, the report calls for governments, businesses and individuals to: disclose and work cooperatively when a breach occurs; simplify digital systems and design in invisible security measures that don’t inconvenience users; and develop new ways to verify and protect digital identities from theft or fraud.

“As shown recently in the international response to the Heartbleed exploit, collaboration and open disclosure are essential when tackling threats that cross networks, industries and national borders,” said Professor Jay Guo, Research Leader - Smart, Secure Infrastructure, CSIRO’s Digital Productivity Flagship.

“We need to dispel the fear of the consequences of disclosure - including those to brand reputation and shareholder value - that currently discourages Australian organisations from full openness about breaches, and share our resources and knowledge to devise more effective, timely cybersecurity solutions.

“Instead of being caught up in a digital arms race against increasingly intelligent threats, we need to design our cybersecurity approaches to focus on people - anticipating their behaviours and taking advantage of their unique traits,” said Professor Guo.

“No system will ever be perfect, but we can prevent and minimise the impact of even extremely complex threats by approaching cybersecurity as a community.”

Photo: CSIRO report predicts major cybersecurity headaches in the future. Chris Roberts/MOD.
