National Security

Cyber power ramping up

October 16, 2021

Ellen Whinnett - The Herald Sun - Saturday 16 October 2021

People who refuse to allow cyber spooks access to their business computers would be jailed under new laws being rushed into parliament to toughen up the nation’s cyber defences.

Legislation is being fast-tracked to give the Australian Signals Directorate (ASD) the power to take over the computer systems of any critical infrastructure business which is unable or unwilling to defend itself against a crippling cyber attack.

The move is in direct response to fears Australia’s critical infrastructure is dangerously vulnerable to an attack from China, other rogue states, or criminal ransomware gangs.

The new “government assistance’’ powers would authorise the Australian Federal Police to force entry into a business and arrest individuals if they did not agree to let the cyber spooks into their computer systems.

Two-year jail terms and fines of $26,640 would be levelled against individuals who failed to respond to an ASD order on how to respond to the cyber attack. Corporations would face fines of up to $133,200.

And while the penalties could be levelled against company CEOs, jail terms and fines could also be handed out to employees whose job is to manage cyber attacks, such as chief information and security officers.

The extraordinary new “last resort’’ powers, thought to be the toughest suite of powers for a Government cyber agency anywhere in the world, are being introduced as Australia comes under sustained cyber attack from malicious state actors, and from criminal gangs extorting ransom payments.

High-level briefings in Canberra have warned that China’s Ministry of State Security in particular posed a real threat to Australia’s critical infrastructure.

Multiple sources told News Corp it was likely Beijing’s hackers had already infiltrated some critical infrastructure systems and planted malware which could be used in the future to bring Australia’s critical infrastructure to its knees.

One scenario discussed is the possibility China could launch a crippling cyber attack on Australia to take us out of the game ahead of any potential move against Taiwan.

The Security Legislation Amendment (Critical Infrastructure) Bill 2020 will bring 11 sectors – communications, financial services and markets, data storage or processing, defence industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, water and sewerage – under the remit of the new powers, alongside the industries already deemed vital to Australia’s national security – electricity, gas, water and ports.

Chairman of the Parliamentary Joint Committee on Intelligence and Security, Liberal Senator James Paterson, said urgency was required because Australia’s critical infrastructure faced a cyber attack every 32 minutes.

“Given how interconnected our digital systems are, it’s not difficult to imagine the society-wide consequences if our financial system was shut down or if our food supply chains were disrupted,’’ Sen Paterson said.

“Our security agencies need the appropriate tools to mitigate these serious risks.’’

The committee has just completed an inquiry into the legislation, which recommended splitting the bill to rush the new government assistance powers into parliament.

Sen. Paterson said most companies willingly co-operated with the Australian Signals Directorate when they suffered a cyber attack.

“But we heard during our inquiry an example of at least one systemically-important business that failed to co-operate in a timely way, and there may be others who never reported they were under attack,’’ he said.

“In the event of a crisis we must have last-resort powers to keep critical infrastructure up and running if they are unwilling or unable to do so themselves.’’

Sen. Paterson said independent experts had told the committee it was likely there was “already a dormant presence of foreign state actors on at least some of our critical infrastructure networks.’’

“They advised the committee that these vulnerabilities could be activated as a prelude to a regional crisis to hamper Australia’s ability to project power to defend our allies, interests and values,’’ he said.

Sen. Paterson said criminal ransomware gangs were an ongoing threat but were less likely to cause a major national crisis by launching a comprehensive attack on a number of critical assets at once.

“Only a sophisticated state actor has the resources and the incentive to launch such an attack.’’

China, Russian, North Korea and Iran have all been named internationally as the major threats to western democracies.

“China is not the only state actor who operates in this space but for Australia they are easily the largest and most sophisticated threat,’’ Sen. Paterson said.

The committee has recommended the legislation be split into two, with the first tranche to be introduced this sitting fortnight. This bill would bring the 11 new sectors under the critical assets legislation, require companies to report any cyber attacks, and allow the ASD to step in as a last resort.

The second half of the bill, which requires companies to upgrade their cyber security, would be referred off for further consultations after strong opposition from business which fears it could prove too costly.

Director of think tank ASPI’s International Cyber Policy Centre, Fergus Hanson, said the powers contained within the bill were “a big deal’’.

“It gives the Government the ability to send people into an organisation and demand, under pain of a sizeable penalty, that they must run a piece of software or do a certain thing to protect their systems,’’ he said.

“In practise, I don’t think it means you’re going to be seeing ASD ordering major technology companies around about what they should and shouldn’t be doing with their very complicated systems.

“I don’t think it’s going to move the dial on companies like Amazon AWS or Microsoft Azure, they’re already going to have superior cyber security capabilities.

“But for sectors that haven’t really thought about cyber security but are really vulnerable to cyber risks and will be increasingly vulnerable, I think it’s really useful.

“Australia will be in the vanguard of a small group of countries that are really at the forefront of creating these sorts of powers for critical infrastructure.’’

Mr Hanson said he believed cyber criminals such as ransomware gangs were the most urgent threat to Australia’s critical infrastructure network, but said “several states are certainly burrowing into critical infrastructure systems around the world and laying in wait basically to deploy and exploit if needed.’’

“I think it’s almost certain, that’s happened all around the world, not just in Australia but everywhere.’’

Home Affairs Minister Karen Andrews said a range of malicious cyber actors were intent on doing harm to critical infrastructure and Australia’s way of life.

“We must give our agencies the powers and authorities they need to keep us safe, and to support and protect the shared national resources we’re all connected to and rely on – like power grids, transport links, and secure e-commerce networks,’’ she said.

Labor has indicated it supports the splitting of the Bill, with a spokeswoman for Opposition Home Affairs spokeswoman Kristina Keneally noting the last resort powers were “required and urgent.’’

It will make a final decision on whether to support the legislation once it sees the amended legislation.

Real world examples of attacks on critical infrastructure:

February and May 2020:
Transport giant Toll Transport suffered two separate cyber-attacks on its Australian business, launched by Russian-linked criminal gangs seeking a ransom. The attack resulted in weeks of costly disruptions to Toll’s deliveries business. The company did not pay a ransom.

April 2020:
Hackers attacked Israel’s water supply, hitting six Water Authority facilities and trying to increase the amount of chlorine in the water to dangerous levels. The potentially deadly attack, blamed on Israel’s enemy Iran, failed.

May 2020:
A cyber-attack crashed the computer system at a major port near the Iranian city of Bandar Abbas, crippling movements at the port, causing cars to bank up for kilometres, ships to be stuck in the harbour and days-long transport chaos. Israel was accused of launching the attack in retaliation for the water supply attack.

April 2021:
Fuel supplies were disrupted for a week, prices spiked and petrol shortages were reported after hackers launched a cyber-attack on the Colonial Pipeline, which carries petrol across the USA’s East Coast. The attack was a ransomware hit by a criminal gang known as DarkSide, based in Eastern Europe. The company paid a multimillion-dollar ransom to have their systems restored.

May 2021:
Green energy technology company Volue was hit by a ransomware attack which resulted in the shutdown of water and water treatment facilities in 200 municipalities across Norway. The Ryuk ransomware was thought to have been deployed by the Russian-based ransomware gang known as Wizard Spider.

May 2021:
The world’s largest meat processing company, Brazilian-based JBS, was attacked by the Russian cybercrime group REvil, shutting down facilities for five days in Australia, the United States and Canada. The company later confirmed it paid a $14.2 million ransom to have its systems released.

August 2021:
A Covid-19 vaccine-scheduling website for the Italian region of Lazio was forced to shut down after a serious cyber-attack. Later found to be the work of a notorious criminal ransomware gang RansomEXX, the attack delayed the rollout of the vaccine.

September 2021:
Hungary’s first opposition primary elections were disrupted after the polling system was hacked. The vote, to find a candidate to take on Prime Minister Viktor Orban, had to be extended for two days after the attack. Those responsible were not identified, although Orban loyalists were suspected.

Recent News

All Posts