Townsville Bulletin

Fighting online threats

- CHARLES MIRANDA

INTERNET Service Providers will be forced to block nefarious online threats from Russian and Chinese cyber criminals before their scams hit our shores under a plan being considered by the Federal Government.

And Australian companies could be banned from paying ransoms to hackers, with fears such payments are promoting the country as a “lucrative target” to cyber criminals.

As well as increasing fines for companies who suffer data breaches, the Federal Government is also now looking into setting minimum cyber security standards for critical infrastructure used by telcos, health providers or the nation’s own government departments.

Home Affairs and Cyber Security Minister Clare O’Neil said the Medibank and Optus data hack crisis had shown Australia was “playing catch up” and she has instructed her agencies to look at multiple options to stop the relentless cyber assaults.

The Federal Government’s cyber security strategy 2020-23 runs out next year and is being significantly overhauled to be “more ambitious” in outlook in tackling one of the great threats of our time.

The Minister revealed Russian crime gangs “sitting in office blocks for whom this is their day job” are designing software packages that are then on-sold to other criminal networks, allowing them to hack into databases around the world.

It is believed hundreds of millions “if not billions” of attempted hacks are carried out on Australian companies each month.

Conservatively it is estimated more than $30 billion a year is lost to the Australian economy from cyber crime.

“We have to react and plan for this new landscape which is essentially the future of crime, it is online,” Ms O’Neil said.

“I think Optus and Medibank are game changers for the nation … the information revealed is an unbelievable threat to Australians”.

Authorities investigating the Medibank data leak – which has impacted all 3.9 million members of the health insurer – have established that a criminal stole the login credentials of a senior staff member and sold them to a hacker on an online Russian-language forum.

The initial theft was simple, most probably through a malicious malware email, but was on-sold to a more sophisticated criminal network that spent some time inside the Medibank system with a software tool to harvest vast amounts of data to then use in the extortion bid.

While coy on the cyber strategy reboot, Ms O’Neil confirmed one issue being looked at was a “clean pipes” program where internet service providers (ISPs) – of which there are six major ones in Australia – are mandated to offer customers security as a default, automatically blocking malicious websites and malware.

This would be done at the “landing point” of the 95 per cent of the data that is transmitted into Australia via undersea cables.

ISPs would be forced to run software blocking known malicious or phishing data before it reaches people’s online accounts.

Telstra is currently believed to be the only ISP providing clean pipes – an analogy for water utilities providing clean drinking water – and the program would be a policy switch from the current onus and burden on the individual customer or business.

“We are looking at the role of infrastructure providers in literally blocking nefarious data that comes into Australia because in Australia we have a limited number of ways in which that data can come into the country, limited number of undersea cables that can bring data into Australia and they are run by a small number of providers,” Ms O’Neil said.
