Not a Wake Up Call

In 2021, calling a cyber attack a wake-up call is not only wrong, it is dangerous.

It’s true that we have seen some of the most serious cyber-attacks in history in the last 18 months.

In May this year, a state of emergency was announced across the east coast of the United States, with widespread fuel shortages and panic buying after its main fuel supply line, the Colonial Pipeline, was shut down by one of the largest cyber-attacks on oil infrastructure in the country’s history.

The same month, the information systems of the world’s largest meat processing company, JBS Foods, fell victim to cyber-attacks that shut down production around the world, including in Australia, putting thousands of jobs at risk.

Also in Australia, our corporate watchdog ASIC was struck by a cyber-attack in January which left credit license applications exposed. And last year, wool sales across the nation were cancelled after the IT system underpinning auctions and exports was hit by a cyber-attack.

According to first annual report of the Federal Government’s Cyber Security Industry Advisory Committee, released last week, the Australian Cyber Security Centre responded to 1786 cyber security incidents between 1 June 2020 and 31 May 2021. Many of these affecting essential services including electricity, water, education, banking and finance, health, communications and transport. There was a 400% increase in calls to the ACSC’s 24/7 cyber hotline in May 2021 compared to May 2020.

In June 2020, Prime Minister Scott Morrison announced all levels of the Australian government, critical infrastructure and the private sector were being targeted in cyber-attacks organised by a “state-based cyber actor”.

Around the world, critical infrastructure and services including water and electricity supplies, hospitals, and transport services, are regularly compromised by cyber criminals – and these attacks will become more common.

Researchers Cybersecurity Ventures expect global cybercrime costs to grow by 15 percent per year over the next five years, reaching $US 10.5 trillion per year by 2025, up from an already gob-smacking $US 6 trillion in 2021.

By the end of this year, it predicts the rate of ransomware attacks to reach one business every 11 seconds.

Yet awareness and preparedness among Australian businesses remains alarmingly low. Each time a serious cyber attack occurs, news headlines inevitably react with shock, describing it as a “wake-up call”.

“Hacking American beef: the relentless rise of ransomware – Cyber attack on JBS has been a wake-up call for governments and businesses to strengthen defences”

“Australian cyber attack not ‘sophisticated’ – just a wake-up call for businesses, experts say”

“The Colonial Pipeline attack should be a wake-up call for hardening our cyber defenses”

What more will it take for us to accept the threat of cyber attack is all pervasive and here to stay?

How many jobs or lives lost before we embed cybersecurity into our day-to-day operations in the same way we have incorporated other important concepts like occupational health and safety?

In particular, the danger to our critical infrastructure is very real. And we have known this for decades.

As far back as 1984, former US President Ronald Reagan directed his administration to create policies to protect the US Government’s information technology and systems after the science-fiction film ‘WarGames’ made him doubt his own government’s cyber security capabilities. After looking into his concerns, US generals confirmed the seriousness of the risk.

In recent years we’ve seen State and Federal governments commit millions to bolster Australia’s cyber security capabilities and strengthen relevant legislation. This is encouraging.

But we are vulnerable on countless fronts. It can’t just be left to the government of the day to determine Australia’s cyber security readiness.

What if criminals decided to hack into airline systems, rendering them incapable to receive crucial communications mid-air? What if they shut down the ABC’s emergency response system during bushfire season? All organisations – public and private – need to seriously consider their investment in defensive and comprehensive cyber security measures.

In December last year, the ACSC launched its ‘Act Now, Stay Secure’ campaign targeting the general population and small to medium enterprises. We understand the Federal Government is developing  a further campaign to raise awareness of cyber security, to be launched in 2021-22. For the sake of the Australian community, not just businesses, I hope the message gets through.

Cyber attacks are not new but the threats that accompany them are becoming increasingly dangerous. It is beyond time for us all to take responsibility for protecting our people, businesses and critical infrastructure.

With more than 20 years of experience in electronic warfare and cyber security, I have seen first hand the speed at which defensive technologies have grown and improved.

The technology is there – we just need to use it.