​Australia outpaced by cyber criminals: Cyber professor

With most cyber criminals never caught or punished, Greg Austin, professor at the Australian Centre for Cyber Security, has said we should accept government will never be up to speed with today's threat actors.

Greg Austin, professor at the Australian Centre for Cyber Security, believes it is a fact of life that governments are well behind corporate actors when it comes to cybersecurity; what he is concerned about however, is the flow on effect that has when it comes to bringing justice upon cyber criminals.

"What's really important about the position of government is that if the governments are the people that set the priorities and give money to the police forces, then the police forces are going to be a long way behind the governments," Austin said at the Aon Cyber Security Symposium in Sydney.

"We're in an environment where we have all of these threats coming from criminals, other states, other corporations acting against our interests here in Australia, and we don't have, we will never have -- no country will ever have -- a police force that can investigate and prosecute the majority of cybercrime."

Such a situation, Austin said, leaves Australia in a position where governments, corporations, and citizens have to find a new formula of self defence that does not depend on deterrence through the criminal justice system.

Australia is not alone however, with Austin highlighting that while the United States is considered one of the leaders both in technological development of cybersecurity technologies and in the application of cyber technologies, including for military purposes and espionage, it has conceded it is in the midst of something beyond its control.

"[The US is] really at the epicentre of global evolution in this space and just a few weeks ago, the president's main advisor on homeland security for counter terrorism and cybersecurity, Lisa Monaco, gave a speech saying the world is facing a revolution in cyber threats," Austin said.

The speech came after US President Barack Obama declared a national emergency in cyber space that gave authorisation to a set of new sanctions against individuals or groups whose cyber attacks result in significant threats to US national security or economic health.

"This is a solid demonstration of where we're really at and how serious the set of problems are," Austin said. "That doesn't mean that every corporation or every country faces the same sort of problems as the United States does, but the sorts of attacks and the sorts of implications that carries are similar to sorts of attacks and implications it carries for all countries, both government and private sector."

Austin emphasised the need for Australian business, government, and citizens to understand that most cyber criminals are never caught nor punished, with the elite bunch moving around undetected.

"If you're the person guarding the systems of a corporation or a government, your only mission in one sense is to prevent the intrusion or to stop the intrusion. But as a government, as a country, how can we maintain the situation where cyber criminals are rarely caught and the best cyber criminals are never detected?" he said.

"What does it say about a country that can't stop this serious damage to our national economy and to our national interest?"

When Australian Prime Minister Malcolm Turnbull launched the country's cybersecurity strategy in April, he estimated the impact on Australia of cybercrime to fall somewhere between AU$1 billion and AU$17 billion per year, Austin said.

"What does that mean of the government's grasp of the problem if the estimate of the damage is somewhere between AU$1 billion and AU$17 billion?" Austin said. "It also speaks the question -- if it was AU$17 billion, how many hundreds of millions should we be spending at the national level and the state level to counter cybercrime?"

Amongst other things, the centrepiece to Turnbull's AU$240 million cyber package is the sharing of threat information between business and government, using the Australian Cyber Security Centre and new portals in capital cities. For a cost of AU$38.8 million, the security centre that opened in November 2014 will be relocated from Australia's spy building in Canberra to a more accessible venue, with the prime minister expecting to convene annual meetings with business leaders.

Turnbull's strategy aims to defend the nation's cyber networks from organised criminals and state-sponsored attackers, and sits alongside the AU$400 million provided in the Defence White Paper for cyber activities.

Austin believes the chance of a serious cyber attack on any one corporation or entity -- government, NGO, or business -- is quite low, but said, however, that the consequences of an attack being severe is extremely high.

"While very few Australian companies will suffer in the next year a devastating cyber attack, there is a likelihood that three or four will suffer some serious attack which goes to the heart either of their brand or their business liability.

"In a situation where the threats are unpredictable and come from almost any source, be that a foreign government or criminal organisation, or perhaps as it was in the case of the census, hactivitsts, you don't know, and you really have to be aware of all of the threat actors and threat types."