Australia under cyberattack – are you ready? Key takeouts from Cyber Week 2020

This week marks Australian Cyber Week 2020. To underline the importance of digital trust for keeping Australia’s digital activity secure and resilient, ‘Australia under cyberattack – are you ready?’ simulated a significant cyber-attack on Australia through a hypothetical. It was just one of many of this week’s events and took a page out of the recently released Australia’s Digital Trust Report 2020, bringing together a panel of four industry experts to discuss.

Here’s how the situation played out and the key takeaways.

Predicting a potential future

In the AustCyber report, they described what would happen should there be a four-week digital interruption to the Australian economy – in their case, a widespread cyberattack. The estimate was that such an attack would cost the economy $30b (or 1.5% of the GDP), and lead to 163,000 job losses.

Central to both AustCyber’s hypothetical and the simulation that played out at Cyber Week was the theme of digital trust. Below we’ll cover the scenario that was given, and share insights from the four panellists.

Building the scenario

Here’s a quick summary of the in-depth simulation that was built for the event:

  • It’s mid-2021 – the fallout from COVID-19 and the subsequent recession is still heavily impacting daily life.
  • Cluster outbreaks have continued but remain small – health authorities are well and truly on top of contact tracing.
  • International travel is only at 10% of pre-COVID levels, but domestic travel along the Eastern Corridor has returned to 65% of pre-COVID levels.
  • There is also an effective travel bubble between Australia and New Zealand.
  • Australia has weathered the financial impact of the coronavirus, but it doesn’t have much left in the coffers if another incident were to significantly disrupt the economy.
  • The COVID-19 vaccine is due to arrive in Australia within a week.

In the face of this scenario, the panellists shared their thoughts on their biggest concerns.

“The threat landscape is evolving and security threats are increasing,” said Tim Daly, Chief Security Officer at the Australian Energy Market Operator. He added that “organisations should be aligning with new cybersecurity mandates” to be adequately prepared for future cyberattacks.

Serge Maillet, Head of Cybersecurity at Siemens Digital Industries Australia and New Zealand, noted that a global distribution of the vaccine could very easily be targeted by malicious actors:

“There are no more borders when it comes to the cyber-world, which is a critical point for our supply chains and the growing danger of threat actors.”

The family at the heart of things

Living within this hypothetical was a very personal spin – a fictional ‘typical’ Australian family:

Lucia, the mother, owns a number of aged-care facilities. COVID-19 caused major disruption to her business, and she relied on JobKeeper throughout 2020 and early 2021. In the face of these changes, she adopted new digital technologies to improve her business, however at home she’s stressed about her two-year-old son, Hugo, who is immunocompromised, and her mother, Ruby, who is in her 80s. Husband James works long hours in his government role, while 17-year-old daughter Addison longs to finish her final school exams and start travelling the world.

The scenario is changing

Our host for the event makes a new announcement: the vaccine is ready to be deployed in a phased approach, with our PM saying frontline health workers and existing COVID patients will be first in line to receive it. This creates pockets of distrust around the veracity of the vaccine itself, feeding fear-mongering that some people will miss out entirely.

At the same time, phishing and credential stuffing are on the rise, mostly targeting smaller and distributed businesses thanks to bad actors seeing gaps in supply chains. Lucia falls into a trap – opening an unfamiliar email before she is hit with a ransomware attack. This has various knock-on effects, with existing customers beginning to distrust her business.

Christopher Turner, Executive Lead (Capability) at Cohealth, said that the loss of trust from Lucia’s existing customer base may actually be worse than she thinks – potentially affecting her ability to bring in new customers as well. “A lot of her focus will be on whether she should respond to the attack at all, and then how she should respond to it.”

Berin Lautenbach, Global Head of Information Security at Toll Group, agreed that Lucia should be focusing on how to manage the ransomware problem appropriately, saying: “The most effective thing for Lucia to do is turn to someone who has expertise with cyberattacks. She should not believe she can manage the situation herself. It’s quite concerning because she runs a small business and she may not have the maturity to respond quickly and effectively – which in the case of a ransomware attack is the most important element.”

At this point, a member of the audience asked: “What happens if you pay the ransom versus you don’t pay it?”

Tim was quick to provide a response that all business owners should take heed of: “The standing advice is that even if you do pay a ransom, there’s no guarantee you’ll get your data back. So you need to have some business-continuity plan in place.” That means plenty of offline backups – without them, Tim said, you are more likely to pay the ransom and yet still not get any of your stolen data back.

Cyberattacks on the rise

Our host tells us that Lucia’s phishing attack is not isolated, with many aged-care businesses and hospitals becoming digitally compromised over a two-week period. These follow-up attacks have created more disruption, with malicious actors targeting the energy sector and the vaccine’s supply chain. This is undermining the government’s ability to deliver the vaccines where they need to be.

This scenario shift raises an important question: how would businesses more broadly be responding to such widespread digital chaos?

“There would be a lot of organisations who are getting nervous about their current security postures,” said Serge. “They would feel very vulnerable to cyberattacks, knowing what they know about the rise in ransomware attacks. They may be looking at various cybersecurity providers to create their own security plans, but at this point there may not be enough cybersecurity professionals to meet the demands of such a threat landscape.”

Serge used this opportunity to describe what businesses would need to focus on to adequately protect themselves against such threats: “As a country, we are going to have to start adopting automation technologies for cybersecurity, and underpin them with artificial intelligence and machine learning. This will allow organisations to be able to implement the next-generation cybersecurity solutions that will help provide that real-time continuous threat detection within their IT environments, to give them a fighting chance against threat actors with malicious intentions.”

When does an attack turn into a disaster?

Our host signals the final scenario change in this hypothetical – and it’s not pretty. The ASX has been affected, with further disruption predicted to damage the GDP and GVA. There’s been a coordinated cyberattack on the vaccine’s global distribution network, with outages lasting up to a week. Media headlines have hailed it as a ‘form of digital lockdown’. For Lucia, she’s seriously considering voluntary administration as the only option available to her – while she holds a cyber insurance policy, it won’t cover the cost of the ransomware attack and its many knock-on effects on her business.

Tim rang the alarm bells for how this would impact the energy sector, supply chains and more if such an attack were to come to pass in reality: “In terms of the resilience of interconnected systems, if we’re not where we need to be already then you can’t fix that overnight. So we’d be running with our emergency management arrangements and our contingency planning.”

Berin, however, was more positive – although still very concerned about the long-term consequences: “I’d like to think at this point we would be treating this more as a natural disaster than merely a standard cyberattack. As a society, we wouldn’t be comfortable letting the aged-care industry, for example, fall apart without a groundswell of support.”

So there you have it – a hypothetical rooted in reality. For organisations, it should signal the very real need to align your cybersecurity strategy, business-continuity planning, and disaster and recovery kits right now. As we can see with Lucia’s business, if you aren’t protected before a digital disaster strikes, the odds of turning things around are heavily stacked against you.