Hackers that hit Australian targets need "clear consequences"

“Clear consequences” are needed for attackers that target Australia or Australians, with local defenders better resourced and willing to publicly attribute the source of attacks more often, an industry panel of mostly telco executives says.

The consequences against attackers could include "enhanced law enforcement, diplomatic means, and economic sanctions".

The industry advisory panel to the Government’s forthcoming 2020 cyber security strategy made public its recommendations today. [pdf]

The telco-heavy panel includes representatives of Telstra, NBN Co and Vocus, alongside Tesla and Northrop Grumman Australia.

It formed its views partially on the basis of classified briefings with “national security and intelligence officials”, including from the Australian Signals Directorate (ASD).

Among its detailed findings, the panel calls for attackers to face “clear consequences” for their actions against Australian individuals and interests.

It says the Australian Government “should openly describe and advocate the actions it may take in response to a serious cyber security incident to deter malicious cyber actors from targeting Australia.”

In addition, it wants more state-sponsored attacks to be attributed; something that governments and defence agencies in the past have been lax to do.

“While government should continue to respond to state sponsored incidents on a case-by-case basis, we recommend the government adopt a more forward leaning posture on attribution and deterrence (including by increasing the frequency of attribution, and joint international attribution, where relevant and appropriate),” the panel said.

Industry also called for intelligence on attacks to be declassified and communicated outside of government - or alternatively, to allow more people to obtain security clearances to hear it.

“The panel encourages the government to be open and transparent about its knowledge of the threat environment wherever possible, including by declassifying information when appropriate, increasing proactive cyber threat briefings to security cleared industry personnel with a need to know, and sponsoring greater numbers of industry representatives to obtain security clearances,” it said.

The panel said future attacks could target Australia’s food security or corrupt medical data.

It called on the government to broaden the definition of what is considered to be “critical infrastructure”.

Govt as a 'security exemplar'

Elsewhere, the report asks that governments across federal, state and local levels become “exemplars of cyber security best practice”, despite acknowledging that there “is some way to go in achieving this aspiration”.

Government agencies that provide “essential services” are of particular concern, and should required to “meet the same cyber security standards as privately owned critical infrastructure, with increased accountability and oversight,” the report said.

This is a far cry from current arrangements, where agencies can flout mandatory cyber security controls set by the Australian Signals Directorate with little or no repercussions under the government’s Protective Security Policy Framework.

“The panel is of the opinion that government systems should be treated in the same way as critical infrastructure owners in the private sector,” the report states.

“There should be mechanisms that hold decision-makers to account when agreed cyber security controls are not implemented.”

The report also suggests that the government look into shoring up the cyber resilience of smaller agencies that lack the necessary resources or talent by allowing larger agencies to offer a helping hand.

“Larger agencies should be given responsibility for IT service delivery where this approach can reduce risk to smaller agencies ,” the report states.

“These recommendations are consistent with the recent Thodey Review of the Australian Public Service, which recommended improving the ‘funding, structure and management of digital functions across the Australian Public Service.”

The report also recommends that the government “prioritise the decommissioning or hardening of vulnerable legacy systems”, which is said are “frequently used by malicious actors as an initial entry point to a network”.

Dark web focus

The industry panel called for more resourcing to be put towards policing activity on the dark web, where - for example - data stolen from major Australian companies has increasingly ended up.

“Agencies also lack the resources to cope with the sheer volume of cybercrime affecting the Australian community,” the panel said.

“To illustrate the size of the problem, the Australian Cyber Security Centre’s 24/7 Global Watch receives a phone call about a cybercrime incident every 10 minutes.”

The panel also wanted to see the cash flow of cyber criminals “disrupted”, though did not say how this might be possible, particularly when the attackers are based overseas.

Overall, the panel believed there needed to be a much stronger response to attacks generally. 

“There was a clear view that as long as risks are low and rewards are high, malicious activity will continue and malicious actors will continue to invest in sophisticated ways to evade law enforcement.”

Stay tuned to iTnews for further analysis of the panel's findings.