I had trouble finding any newsworthy fresh meat in the 2017 Australian Cyber Security Centre (ACSC) Threat Report, and that's a worry. Not because the report is bad, because it's not. Not because the ACSC is bad, because it's not. No, what's wrong is the mainstream conversation about cybersecurity.
Pretty much every media report still treats cyber matters, or quite frankly the internet in general, as something over there somewhere, where the geeks live, rather than the core infrastructure on which our society is now built.
The report [PDF], released on Tuesday, builds on previous years' reports to provide an authoritative, if slightly bland, snapshot of how the cybers have been affecting Australia, and what we can look forward to. They, and our other cybersecurity organisations, are making steady progress in integrating and improving the nation's cyber defences -- even if it's sometimes frustratingly slow.
Last year, I wrote that the real messages of the 2016 ACSC Threat Report were about separating hype from reality.
At the time, mainstream news about the ACSC report led with the scare story. "Bureau of Meteorology hacked by foreign spies in massive malware attack," reported ABC News, for example.
Same this year.
"During the past financial year there have been 47,000 cyber incidents in Australia, up 15 percent on the previous year," reported ABC Radio's AM. "And despite all the warnings about online scams and frauds, they're up too, by 22 percent."
But the statistics were never questioned. "Cyber incidents" was never defined, despite recent public service efforts to clarify the language. The possibility that the increase in the number of reports was the result of more awareness, and more investigative resources, was never raised.
Mainstream media gobbled up the scare stories too.
"Cyber thieves hacked into the computer system of a national security contractor," reported ABC News.
"Mums and dads under attack from cyber criminals," reported the Sydney Morning Herald. "Password1 does not cut it," they quoted Minister Assisting the Prime Minister for Cyber Security Dan Tehan as saying. And so on.
But beyond these news stories fed to the mainstream media, the insights from the minister and the questions from the mainstream media led to little analysis.
Anyway, the highlights for me from the 2017 ACSC report:
- "Australia continues to be a target of persistent and sophisticated cyber espionage directed by foreign intelligence services -- and will remain so for the foreseeable future," the report says. "This targeting does not only include Australian government networks. Private enterprises engaged in activities or industries of interest to foreign states are also targeted."
- Cyber terrorism still isn't a problem. "Terrorist groups lack the technical sophistication to threaten Australia's security using cyber means," the report says. "Despite promises and inflated claims of cyber prowess, terrorist groups' use of offensive cyber capabilities has been limited. In the meantime, we should continue to expect terrorist groups using basic methods to make propaganda wins, such as defacing websites and hacking social media accounts."
- There have been "fewer major compromises of Australian government networks, but this doesn't necessarily represent a reduction in targeting." As the Australian Signals Directorate (ASD) itself said in 2015, Australia's cyber defences were pretty ordinary before the Top Four strategy was implemented.
- "As government defences gradually improve, cyber adversaries will increasingly look to identify softer targets to gain access to government information and networks. Advanced cyber adversaries are also using increasingly sophisticated tools, meaning that some compromise attempts could go undetected."
- "The vast majority of reported cyber incidents affecting the Australian private sector were criminally motivated, typically for financial gain. Malicious emails continued to be a common vector for compromising private sector networks. Targeted socially-engineered spearphishing emails, sometimes combined with phone calls, were regularly used to gain access to corporate networks." The bad guys use "annual reports, shareholder updates, and media releases to craft their malicious cyber activities".
- Cyber criminals still try to hit the banks, but not so much in Australia. "Criminal activity is generally opportunity-based, and the relative cybersecurity maturity of Australian financial institutions means there are more attractive and vulnerable targets in developing countries."
There's not much new there. We know that the banks' better cybersecurity has meant that criminals now target payroll, invoicing, and superannuation systems, for example. But these messages need repeating, much as we need to remind people to floss their teeth.
As I say, the ACSC report is a decent snapshot. Read it.
But if we're still having to spell out the basics to the mainstream media, and if the mainstream media still can't ask informed questions about this stuff, how can they then inform the mainstream audience?
Until this problem is fixed, we cannot even get out of first gear on this topic.