Clock Ticking for Cyber Security Laggards?
International cyber breaches prompt the call for secure government action
The Office of Personnel Management in the US sounds like an innocuous sort of agency.
It is a kind of giant HR department for the US Government. The type of anonymous government body that provides a vital service but makes few headlines.
That is, it was until last year, when it was revealed that it was the subject of one of the most massive and far-reaching government security breaches in history.
Twenty-one and a half million personnel records were lost.
These included files with the security clearance information of past, present and prospective members of the US government and military, including information about their families.
And 5.6 million sets of fingerprints.
In this context, the comment by Clive Lines, co-ordinator of the Australian Cyber Security Centre, in his foreword to the Centre’s 2016 Threat Assessment Report that “In cyber-security, prevention is better than cure,” is surely a model of calm understatement.
It is almost impossible to quantify the ramifications and costs of network breaches resulting from inadequate cyber security strategies by government agencies – whether a giant, high-profile department, or a small obscure instrumentality.
This is because, in a world of interconnected, modern communications networks, one person’s lack of vigilance is another’s vulnerability.
“Bad actors” in cyber space are increasingly adept at finding weak links and then hopping from one IT system to another.
They are actively looking for and exploiting weak links in the broad world of government departments, agencies and businesses, knowing that once inside, they can find back doors to others, potentially digging out national and trade secrets along the way. It’s all about cracking the secure government infrastructure and wreaking havoc.
The ACSC report makes clear the malicious activity is not all 21st century James Bond stuff.
It covers the gamut from vandals to organized criminals to – in a rarer but increasing number of cases – other nations.
Sometimes the damage is immediate and reputational.
Sometimes, it is massively disruptive and expensive.
When winds took out power to South Australia this month by breaking parts of the network, thus triggering a defensive shutdown, many in the Canberra cyber security and secure government community saw a warning.
What if the network management systems in one or more states could be made to think the network’s integrity was threatened, and turn off the lights?
Look no further than Ukraine in December 2015 to see a real-life example of a nation crippled by power blackouts as a result of cyber attacks from international adversaries.
As the OPM story shows, the greatest threats might be the least high profile.
What about our departments and agencies with, for example, travel and accommodation information about their personnel?
Do they have staff who might be advising or negotiating in sensitive commercial or diplomatic transactions and negotiations?
Government agencies and essential service providers that do not treat cybersecurity as core business for their senior management in 2016 are not doing their jobs.
They are also putting everyone else at risk.
The Federal Government provides advice to all government agencies about what they need to do to protect themselves, through the Australian Signals Directorate and other policy directives that guide how agencies acquire and consume information technology.
But many agencies and government businesses are not fully implementing these policies and directions.
Some because they don’t have to, some because they struggle to find the resources, and some because they still don’t fully understand the risks.
In deciding to publicly acknowledge that Australia has suffered serious cybersecurity breaches, the government has clearly signaled that it is determined to elevate whole-of-government cyber defence to a new level.
This is not only an essential example to the private sector, it is crucial to national security.
The key now is getting agencies to step up and treat cyber security, and the creation of a secure government, with the sense of urgency that the threat demands.
That might require a more coordinated and cooperative model between agencies and private sector suppliers, one that recognizes that the enormity of the task means leaving smaller organisations to their own devices is a recipe for failure.
*This article first appeared in Computer World