On the 10 October 2017, the Hon Dan Tehan MP, in his capacity as Minister Assisting the Prime Minister for Cyber Security, launched the Australian Cyber Security Centre (ACSC) 2017 Threat Report.
This author attended the launch at the National Press Club together with Maddocks colleagues and invited guests and can report as follows.
The 2017 Threat Report notes two trends in the cyber risk landscape.
First, attacks against well protected networks, including government networks, are becoming increasingly more sophisticated. The Report notes that “[f]oreign states still possess the greatest capability to compromise Australian networks” and that “[o]ver the last twelve months, the ACSC detected extensive state-sponsored activity against Australian government and private sector networks in support of economic, foreign policy and national security objective”.
The persistence and escalation of this area of threat dovetails interestingly with Australia’s International Cyber Engagement Strategy, launched last week, which refers to the Australian Government’s “capability to attribute malicious cyber activity in a timely manner to several levels of granularity – ranging from the broad category of adversary through to specific states and individuals” (see Part 4 of the strategy, “International Security and Cyberspace”). We reported on this in our recent analysis of the strategy.
The second trend referred to in the report relates to the continuing exploitation of known vulnerabilities with known mitigations.
This ongoing risk area is a source of some frustration for the ACSC which notes in the report that “[t]oo many of the incidents the ACSC responds to could have been prevented”.
A further area of significant cyber risk covered in the Report relates to the compromise of Managed Service Providers (MSPs).
MSPs are an irresistible honey pot for malicious actors as access to an MSP can provide an entrée into customer networks and data.
The Report refers to the ACSC’s observations of the compromise of MSPs subsequently leading to the compromise of customers of the MSP.
It appears to this author at least that the targeting of MSPs and their customers by malicious actors may be acting as a potential brake on the uptake of cloud services, not only by government agencies but more broadly.
Moves to certify cloud providers to hold classified information will hopefully assist in building confidence in this area (see for example page 54 of the report).
The report notes another security issue with cloud services, that is the inadvertent exposure of data as the result of human error or lax administrative practices. There have been a number of high profile incidents involving one example of such issues referred to in the report, the misconfiguration of Amazon S3 buckets. See for example the exposure of Time Warner Cable customer records, Chicago voter records and the leak of Dow Jones user details.
The key to minimising the occurrence of such errors lies in ensuring that appropriate policies, procedures and controls are in place; see for example practical guidance offered at CSO Online.
Finally, the Report briefly refers to cyber insurance and at the launch Minster Tehan touched on such insurance as a potential method of laying off cyber risk. However the market for cyber insurance in Australia is immature and there are some significant issues to be aware of when considering cyber insurance; as to which, see further our 21 August 2017 article, Making decisions about cyber insurance.