By Zeb Holmes and Ugur Nedim
The former head of ASIO has warned that Australia is not in a position to deal with cyber-crime and threats to online security.
David Irvine, who headed ASIO until 2014 and now chairs the Cyber Security Research Centre (CSRC), has called upon the federal government to create a new agency dedicated to dealing with the increasing threat of cyber-attacks, and to oversee cyber investigations.
“Australia’s national capacity to counter threats and criminal activity using cyber investigative tools is weak, uncoordinated and dispersed across a range of agencies…” Irvine wrote in a submission to a parliamentary committee inquiring into the “impact of new and emerging information and communications technology”.
Breaches of cyber security
A recent report found that cyber criminals hacked into the computer system of an Australian national security contractor last year, accessing a significant amount of classified data.
And in December 2015, the Bureau of Meteorology reported that China had engaged in a major cyber-attack which compromised the data of several Federal agencies. The Bureau owns one of Australia’s largest supercomputers, which holds highly-sensitive information about a range of agencies, including the Department of Defence.
In its first unclassified threat report in 2015, the CSRC described the threat to Australia as “undeniable” and “unrelenting”, saying that it “continues to grow”.
The Centre reported that it “sees daily cyber espionage activity targeting Australian Government networks”, which seek to gain a strategic advantage in business activities and foreign policy negotiations.
Overall, the Attorney-General’s Department estimates the direct cost of cyber-crime in Australia at $2 billion per year. This is said to be rising at a rate of at least 20 percent per year.
The CSRC is calling for a single Commonwealth-led cooperative agency that would be responsible for providing “expert technical cyber investigative services” in support of law enforcement and national security investigations.
The agency would also have a training function to help develop national cyber resilience across the government, private, and individual internet-user sectors, Mr Irvine’s submission explains.
The proposal comes in the context of a shortage of cybersecurity professionals across the country.
A survey conducted by Intel Security last year found that 88 percent of Australian IT companies believe there is a shortage of cyber-security skills, both in their organisations and across the nation.
According to the same survey, 44 percent believed they are susceptible to hackers due to limited cyber-security. Nearly a third said they had already lost proprietary data.
The newly appointed Minister Assisting the Prime Minister for Cyber Security, Angus Taylor, sees cyber-security and cyber-crime as amongst “the fastest growing threats to corporations, citizens and governments globally”.
“The rapid pace of technological change means that we need to be prepared to adapt the approaches, tools and techniques that we use in law enforcement and national security,” Mr Taylor explains.
Sharing of information
In a separate submission, the Data to Decisions Cooperative Research Centre (D2D) highlights the problems of a single-minded approach to security threats.
According to D2D, there is a pressing need for the development and implementation of a comprehensive system across a range of security domains, including border security, financial intelligence, defence, counter terrorism, and cyber-security.
The Australian Securities and Investments Commission (ASIC) is also calling for better infrastructure to be developed to enable sharing of information between agencies. ASIC wants reforms which “harmonise and enhance” its search warrant powers with those in the Crimes Act, including allowing it to operate or secure electronic devices to investigate and prosecute serious offences.
Civil libertarians have expressed concerns about the potential privacy implications of sharing between a range of agencies, including the greater risk of hackers obtaining a wide range of data by hacking a single agency.
They have emphasised the need to keep data both secure and compartmentalised.