Hack job: Understanding the cyber threat

 

The cyber domain is now the main arena for modern-day crime, conflict and competition. Protecting the nation’s cyber infrastructure has never been more important. By James Paterson.

October is cyber security awareness month. The theme “Have you been hacked?” is ironic to say the least.

The public relations professional who came up with this concept should send a bouquet of flowers to Optus, which has done more to raise awareness of the importance of cyber security than any theme-month ever could.

If there’s one good thing – and there aren’t many – to come from the largest ever cyber attack against an Australian business, it’s a nationwide awareness of the cyber-enabled threat to our way of life. And with this, the pertinent reminder that we all need to do more to counter it.

The cyber threat, and how to keep our systems secure, is now a mainstream conversation.

And it couldn’t have come at a more critical time.

At all levels, the cyber realm is the main arena for modern-day crime, conflict and competition.

When discussing the Optus hack at a press conference on Friday, Australian Federal Police Assistant Commissioner Justine Gough correctly assessed that “cybercrime is the break and enter of the 21st century”.

On a grander scale, state-on-state competition is largely orchestrated in the cyber realm through espionage, intrusion, interference, cyber attacks and through critical advancements in emerging technology.

The Australian Cyber Security Centre reported in 2021 that there is a cyber attack against an individual every eight minutes and against our critical infrastructure every 32 minutes. But it only takes one successful attack to cause society-wide harm, as the 10 million Optus users who are now at risk of identity theft and fraud are personally aware.

All of our adversaries, whether they be ‘the kid in the basement’ and lone criminals, or organised criminal syndicates and nation states, understand the value of technology and seek to exploit it.

Our cyber-enabled way of life comes with as much risk as it does reward.

Companies like Optus need to acknowledge the risk of harvesting data in equal measure to the reward they get for obtaining it.

This is their responsibility and where there is responsibility there should be accountability. Australians deserve nothing less.

There is much discussion on fixing our laws as if this would have prevented the Optus cyber breach.

It’s true something new is learned from every incident. The Colonial Pipeline, Toll Group and JBS Foods attacks all helped make the case for the Coalition’s world-leading critical infrastructure reforms in 2021 and 2022.

The Opposition will be constructive about any reforms the government brings forward in response to the Optus incident.

But current privacy laws already require companies to destroy personal data when it is no longer needed. We have to ask why Optus, and possibly many other companies like it, clearly aren’t doing so.

If the threat of bigger fines is what it will take to hold companies accountable to existing laws, then the government needs to seriously consider this.

But we can’t just expect reactive legislative change to solve the perennial cyber security challenge. We need technological solutions as much as legislative ones.

It is incredibly risky and outdated for every service provider to be collecting 100 points of personally identifying information to verify customers’ identity, especially when these companies can’t be trusted to destroy this information when it is no longer needed.

We must move to digital verification where companies no longer need to collect, let alone store, document numbers or images.

Trusted digital identity models are one option. In government, the Coalition presented laws enshrining safeguards to enable a secure process for Australians to prove their identity in one online location instead of being required to do so repeatedly.

It would allow Australians to access services with less risk of having their personal information stolen from multiple points of entry. Other similar technical solutions to the problem of safely verifying identity, including those proposed by Australian industry, should be explored by the government as a priority.

The open hostility and war of words between Optus and the government is of benefit to no-one, least of all the 10 million Optus users who remain at risk of identity theft and fraud.

Anthony Albanese appointed Claire O’Neil as Cyber Security Minister with much fanfare in June. But despite this, Minister O’Neil was missing in action for three days when news of the Optus attack first broke. While Optus bears significant responsibility for this security failure, Australians need their Cyber Security Minister to work constructively with Optus to protect the victims and investigate the breach to ensure this doesn’t happen again.

The government must now outline what reasonable measures are needed to secure Australian user data and to deter criminal cyber actors.

That’s what cyber security awareness month is all about. Because at all levels, our cyber-enabled way of life depends on it.

James Paterson is the Shadow Minister for Cyber Security. This article first appeared in The Daily Telegraph and has been republished with the author’s permission.