Australian Signals Directorate cyber security chief, Major General Stephen Day, has described the defences of the nation’s state governments against computer-based intrusions as patchy and variable.
“We haven't reached a critical mass of understanding in the state governments yet,” he said during a lecture at the University of Canberra earlier this month.
“There are some who are at the very good end of the freeway and there are some at the opposite end as well.
“What we have noticed is that something as simple as a change in the minister or even just one senior official can have an extraordinary impact on the understanding in a state government in terms of the cyber threat.”
However, Major General Day, who heads the Australian Cyber Security Centre, had much warmer feelings towards the Federal Government and its agencies.
“My sense is that we have probably reached a tipping point within the Federal Government. Enough ministers and senior officials in enough departments that matter, understand enough about the threat to know we have to do something about it.”
Day explained that since the Cyber Security Centre opened in 2010 it has been locked in “a daily struggle” against major cyber intrusions targeting government intelligence and intellectual property.
“The trend is increasing year on year,” he said.
In 2012 the number of attacks detected skyrocketed by 41 percent, and continued to increase another 21 percent last year. He attributed some of the increase to greater detection rates but also believes real attack numbers are on the rise.
State-sponsored attacks make up nearly half of the strikes he sees (48 percent), followed by unidentifiable sources (40 percent), and then a fringe of cyber-criminals (9 percent) and so-called ‘hacktivists’ (3 percent).
While he acknowledged that it is not the most glamorous side of cyber security operations on a national scale, Major General Day stressed that just implementing the ASD’s top four mitigation strategies (application whitelisting; applying application patches; applying operating system patches; and restricting administrative privileges) has been shown to stop 85 percent of all known “badness” in the cyber security space.
To test the figure, he said, his team spun up 1200 virtual machines and then ran 1700 sets of known malware and other intrusion techniques, of varying sophistication, against them.
No intrusions got through on those machines with all four mitigation techniques fully applied, Day said.
“Across the nation there is a vast amount of activity going on that no one is looking at. I don't think we will ever have sensors across the nation that will pick up all the badness that comes in - that is why prevention is so important,” he said.