Australia has yet to be hit with anything the nation’s cyber chiefs would classify as a full-scale cyber attack, with the Australian Cyber Security Centre imploring the media and infosec community to stop using the term ‘hack’ so liberally.
The federal government security centre has launched its second annual threat report with a plea for the public to tone down its use of “sensationalist” words like cyber and hack, which it says create hysteria around digital threats and get in the way of a mature discussion about information security.
Nothing has so far passed the government's test for a nation-scale hack, which would require “seriously compromising national security, stability or economic prosperity”, it said.
Frustrated cyber bosses have stressed that “calling every incident a ‘hack’ or ‘attack’ is not helpful for a proportionate understanding of the range of threats and only promotes sensationalism”.
“The use of the term ‘cyber attack’ to encompass common cyber threats complicates an advanced appreciation of the spectrum of cyber security risk ... and undermines the development and application of proportionate nation state responses,” the ACSC said in its report, to be released today.
The office - which is the public-facing co-ordination point between agencies like the Australian Signals Directorate, the Australian Federal Police, and CERT - is reeling from the high-profile collapse of the 2016 online Census, which saw the Australian Bureau of Statistics undermined by what it claims was a series of external DDoS attacks.
The ACSC has taken umbrage at the fallout being described as a ‘foreign cyber attack’, instead calling it a “disruption” to the collection of surveys based on a rational risk assessment by the statistics agency and its IT partner IBM.
“Australia treats cyber attacks as extremely serious and provocative events,” the ACSC said.
“If a nation says it has been subjected to an ‘attack’, this is weighted with tremendous significance.”
Despite its calls for calm, however, the ACSC conceded the risk that Australian networks will fall victim to a genuine national-scale attack has grown, and some cyber adversaries are becoming nearly impossible to spot.
Between 1 January 2015 and 30 June 2016, the Australian Signals Directorate responded to 1095 intrusions and attempted intrusions on government systems that it deemed serious enough to warrant an investigation. CERT responded to 14,804 incidents affecting Australian businesses, of which 418 involved nationally significant systems and critical infrastructure.
Some were highly sophisticated: the ACSC said a foreign nation state hacker attempted to regain access to a patched-up government network in the past year by sending a spear phishing email from the legitimate account of their target’s associate in another overseas agency.
They proceeded to drop familiar terms for the agency’s IT support desk into a message explaining how the target could circumvent security controls to enable what turned out to be corrupt Microsoft Office macros.
The ACSC has warned government organisations to think long and hard about how they treat MS Office macros and whether they should be blocking the notoriously vulnerable Adobe Flash.
It said websites legitimately being visited by government employees in the course of their work are being turned into “watering holes” by assailants to host Adobe Flash exploits.