Cyber Security: The Extent of the Cyber Security Threat | ADM November 2011


John Hilvert, with additional reporting by Gregor Ferguson | Sydney & Canberra

McClelland didn’t depart from the conventions of diplomacy, but in his keynote speech [1] to the ADM Cyber Security Summit in Canberra on 25 July he didn’t pull any punches, either.

“The cyber threat to Australia is real, evolving and continuing to test our defences,” he stated. “It comes from a wide range of sources, and from adversaries possessing a broad range of skills. Threats exist from the full range of individuals, criminal groups and nation states.”

In 2009 McClelland acknowledged the Federal government’s central role in cyber security and announced two significant cyber security initiatives. These were the establishment of the Cyber Security Operations Centre (CSOC) within the Department of Defence, and CERT Australia within his own department. And the result?

“Since its opening in January 2010, the Cyber Security Operations Centre has identified 2,100 cyber security incidents in its work with government agencies,” McClelland said, adding, “Recently, I announced that within my department, CERT Australia identified 250,000 stolen information records, and advised the organisations from where the information had been stolen of the theft, allowing these organisations to take steps to minimise the damage.”

More worrying for the defence community, he noted, the Pentagon had recently suffered a major data breach resulting in some 24,000 files being stolen from a defence contractor – allegedly by a foreign government.

While “Australia occupies a strong place internationally as a world leader on cyber issues,” he said, “the interconnected, global nature of cyberspace … raises all manner of complexities in trying to prohibit, investigate, prosecute and regulate the sources of cyber security risks.”

Graham Ingram, General Manager of AusCERT, injected a note of urgency into the summit when he argued the Federal Government was well behind in managing cyber security threats.

Our planning for cyber security is five years too late, AusCERT’s general manager Graham Ingram said.

“I want to leave you with a very bad feeling.”

He argues the threat of a cyber attack is high and it has been so for some time. Any day of the week, he said, we have tens of thousands of machines that are attacking or being attacked. We have criminal researchers that find “zero day exploits” (fresh mischievous software that has not yet come to the notice of security providers).

He said a critical trend over the last five years was the rise of an underground economy and a sustainable business model for cyber crime, which amplified the rate of compromised systems, making it a national security issue. In the past the main issue was the annoyance of spam. This had now been overtaken by attacks through drive-by websites that were not dodgy but quite respectable, such as that of the Sydney Opera House. These sites were compromised by SQL injection techniques that could allow users booking tickets via their credit cards to be directed to bogus sites, complete with compromised certified signatures.

AusCERT estimates that in the 2010/2011 financial year in the .AU name domain some 4,733 unique domains, 29,216 URLs, 2,246 unique IP addresses and a whopping 296 self-contained or autonomous systems were compromised, with many actively infecting users that accessed their systems.

The cancerous growth of cyber attack has been accelerating, Ingram said, evidenced by his data that compromised Australian web sites grew from a few hundred in 2007 to around 7,000 in 2009, then skyrocketing to just under 30,000 in 2010.

“We have programmers now that sell their skills for custom-made malware which is undetectable,” he told the Summit. “Up to 50 per cent of the malware we see is initially undetectable. The signature approach to malware has failed. The volumes – 10,000 new signatures a day means it’s all customised.”

Ingram predicts smartphones like the iPhone and its Android counterparts will be the next frontier for organised attacks.

Any response the Government puts into place is going to be outmoded by technology, he added.

Ingram’s views were echoed by hacker specialist Dr Nicholas Chantler from the Faculty of Law at QUT.

“We are not moving at the speed that technology is moving and we are slipping back,” he warned bluntly. “There is so much that is happening on the Internet. There is so much that has happened in Information, computers, communication technology that we can no longer be a specialist across everything but we do need to keep up. And we are not. The gap is growing larger.”

Chantler argues that many hackers from Eastern Europe, China and Asia have become “cyber-soldiers”, either under the command of their Governments or acting in sympathy, though less organised. He noted the existence of groups such as the Iranian Cyber Army, Indian Cyber Army, Pakistan Cyber Army, Peoples Liberation Front (Cyber Knights), Honker Union of China, Albanian Cyber Army, Estonian Cyber Defence League, Soldier X, and more anarchistic groups such as Anonymous.

More conventional authorised alignments include the USA Cyber Command, Russia’s 5th-Dimension Cyber Army, The Revolution Guard Cyber Defense Command and the PLA Cyber Command.

Cyber security is everybody’s problem, Chantler said. However, the Australian Government seems to have dispersed responsibility for action across some seven federal entities:

  • DSD’s Cyber Security Operations Centre (CSOC)
  • Australian Defence Force (ADF)
  • DSTO
  • Attorney-General’s Department
  • The Australian Federal Police; and
  • CERT Australia (formerly GovCERT)

He posed the question of whether there was a need for an Australian Cyber Czar to bring these activities together. The US is ahead of us in appointing a cyber security chief who reports to the national security council, Chantler noted.

Des Ball, Professor in the Strategic and Defence Studies Centre at the Australian National University, Canberra, offered a welcome insight into national cyber security incursions from China.

Drawing on his paper “China’s Cyber Warfare Capabilities” [2] in Security Challenges, Ball argued that China had the most extensive and “most practiced” cyber-warfare capabilities in Asia. But its technical expertise was very uneven. He concludes that China may be a cyber threat but the circumstances under which it would launch an attack against Australia are more complex than many other commentators have suggested.

The organisation of its cyber warfare units is often misunderstood. China’s official cyber-warfare units are active but their activities are often confused with those of so-called private “Netizens” or WangMin.

While many of its non-Government cyber-warriors were motivated by national causes, there was also a huge though unquantified range of “hacktivists”, sometimes working in opposition to its national strategies.

Australia ranks among the top ten targets for China’s cyber-intelligence operations, Ball told the Summit. China seemed to be behind the theft of emails from Parliament computers reported back in March 2011.

At the same time, paradoxically, China is the biggest victim country of hacking. There were at least as many Netizens that wanted to breach China’s Great Firewall (fanqiang – scaling the wall) as wanted to foreign networks.

According to the National CERT Technical Coordination Centre in Beijing more than 4,600 Chinese government websites had their content modified by hackers in 2010, an increase of 68 per cent over the previous year. Furthermore the vast majority of personal computers in China (over 80 per cent) were infected with a computer virus.

Significantly, Ball found no evidence that China’s cyber-warriors could penetrate highly secure networks or covertly steal or falsify critical data. This leads Ball to conclude that China’s information warfare capabilities are inferior for at least the next ten years or more.

“China’s cyber-warfare authorities must despair at the breadth and depth of modern digital information and communications systems and technical expertise available to their adversaries,” he commented.

Instead, he warned, the real danger is that if China were to make a major cyber war attack (like a distributed denial of service or DDoS attack) it would seek to make a major strike first and pre-emptively. Accordingly, Australian national security agencies need to strengthen their protective capabilities and be ready for retaliatory or other offensive operations.

Nevertheless, the scale of the cyber threat, both from foreign intelligence agencies and criminals, has grown exponentially, according to Alastair MacGibbon of the Centre for Internet Safety at the University of Canberra. From a cottage industry a decade ago, cyber crime is now a large-scale, automated industrial enterprise, serving governments, non-state players and single-issue political pressure groups.

In parallel, the IT and internet industries have grown unchecked in what MacGibbon termed a ‘catastrophic market failure’: Telcos set up Internet Service Providers (ISPs) in an unregulated environment and now have over 1 billion users who barely, if at all, understand the cyber threat. The biggest of these in Australia will be the federal government once the National Broadband Network (NBN) rolls out, and this provides an opportunity to try and create a new security and jurisdictional paradigm, he said.

If we allowed car makers to sell their products the way we allow people to sell IT they would be litigated out of business, MacGibbon told the Summit. It’s not enough to educate users in either safe web surfing or safe driving: just as car makers are now heavily regulated and bound by product safety rules, are we coming to a time when we need to regulate ISPs and technology companies?

As a community we need to be able to put in place the ability to report cyber crime and provide victim care and support, said MacGibbon. Presently, victims are discouraged from reporting cyber attacks, either because they are shy, or don’t want to damage customer confidence, or they get told the incident is ‘not in my jurisdiction’.

Tim Scully, CEO stratsec and Head of Cyber Security BAE Systems Australia, argues that senior executives tend to be in denial about likely cyber attacks and cyber security practitioners are not communicating with them effectively. He says the current reality of working on the Internet is that attackers cannot be kept “on the outside”, meaning that everything on the inside is not secure.

He blames “out-dated mindsets” towards security which see practitioners focusing on the system at the expense of the organisation’s trophy information, and senior executives believing it “won’t happen to us”.

However, his counsel is not of despair. Instead he suggests practical measures that can be taken to detect, isolate, monitor and terminate threats and minimise an organisation’s cyber vulnerabilities. These require conscientious and continuous effort, but they do grant organisations more freedom to tackle targeted cyber intrusions.

But there remain critical asymmetries between Government and Industry in their ability to respond quickly to cyber events, Robert Giesler of SAIC told the audience. Government’s slow processes render it vulnerable.

Furthermore, as some 80 per cent of government networks exist on commercial infrastructure and the economy is now heavily internet-dependent, the strategic centre of gravity in cyber warfare is the private sector. This reality demands in turn a closer partnership between Government and industry which maximises their joint strengths while ensuring speed of movement in what he termed a ‘hyper-speed environment’.

The enduring reality of a threat outpacing Government and industry responses requires a more interventionist approach than has been the case previously, argued John Blackburn and Gary Waters who published a Kokoda Foundation paper on Cyber Summit threats. They argue there is a need for a more forward-looking, agile and flexible environment.

Blackburn and Waters argue that industry needs more guidance, and they even floated the concept of a Government-owned company for this very purpose. The lack of official statistics on cyber crime is one reason the Government is being seen as failing to advance on this front.

Alice Hutchings, Research Analyst with the Australian Institute of Criminology, submitted to the Summit a wide range of estimates of the cost of cyber crime, varying from $345 million to over $1 billion. She cited a 2009 AIC survey of businesses that found 14 per cent had experienced “one or more computer security incidents”. Corruption of hardware or software was the most common impact.

Differences in research designs and a lack of national consistency in the recording of computer crime offences made it tough to form a clear and credible benchmark of what was happening, to determine whether it was getting worse, where resources should be directed and what worked best in reducing these types of crimes.  

Footnotes:

1. http://www.ag.gov.au/www/ministers/mcclelland.nsf/Page/Speeches_2011_ThirdQuarter_25July2011-AustralianDefenceMagazine-CyberSecuritySummit

2. http://www.securitychallenges.org.au/ArticlePages/vol7no2Ball.html
