Banks praised for their internal cyber defence capabilities

With concerns over where the responsibility of attribution should lie.

The Commonwealth Bank of Australia, the National Australia Bank, the Australia and New Zealand Banking Group, and Westpac currently hold around 95 percent market share of the entire finance industry, requiring stringent internal defence capabilities and an understanding of the global threat landscape in order to keep the information -- and money -- of their customers secure.

According to Dr Atif Ahmad from the University of Melbourne, the top tier banks have the internal capability, but are yet to head down the attribution path.

"We've been doing case studies on the banking sector and looking at how Australian organisations are treating the shift in the threat landscape and what we've found so far is that most of the banks -- the top tier banks -- they have the capability to respond internally, and that's what they tend to focus on," Ahmad told the Cyber Storm international conference at the UNSW Canberra Australian Defence Force Academy (ADFA) on Monday,

Where the banks are succeeding, Ahmad explained, is in bringing analytics from the business side of the organisation into the security arms so they can begin to, in real time, develop intelligence on attacks.

"The next step, which is to actually have the attribution, where they can recognise the same attacker over a period of time, that seems to be something that they're still working towards," he said.

"When they get there, the question is going to become, 'If you know that a particular attacker is hitting you consistently over the years and you know what they're after, what are you going to do about it?' Are you going to hand it to the ACSC or are you going to do something?"

The problem with that, however, is that naming a state actor would put organisations on the radar of the likes of Russia and North Korea as targets.

Joining Ahmad in the discussion was executive director of the Cyber Policy Research Institute at the University of California Irvine Bryan Cunningham, who said that there are a lot of large multinational companies that have developed the capability to launch an offensive or an active response.

"Under the [United States] Computer Fraud and Abuse Act, almost any type of active defence that goes outside your firewall is currently illegal," he said.  

While Cunningham believes the moves in Congress to change that will see fruition, he pointed to how Microsoft has gotten around such a roadblock, and put itself in a position to respond offensively.

"What Microsoft has been doing is going into a US Federal Court and suing their attackers. They're saying they're suing APT28 -- they know that they're never going to get APT28 into a US Court, but what they get is that the judge orders a temporary restraining order to the ISPs to reroute all the traffic that Microsoft identifies to Microsoft servers and Microsoft is authorised to launch counterattacks," he explained.

"Right now, it's clear Microsoft has this capability and they basically zapped the botnets and they don't even know what countries they're in, they don't know what computers they're on -- order of magnitude, they do -- they're getting these judges to issue orders to let them launch their attacks."

Cunningham believes that activities of this type are going to become legitimised over time by US courts, which will see Congress authorise companies with the internal capability to do it with merely legislative oversight.

Opening the conference, Australian Defence Force Head of Information Warfare Major General Marcus Thompson posed the question of how much of Australia's critical infrastructure the government should be responsible for, highlighting a need for public and private to work together on protecting the nation, including where attribution is concerned.

"How do we defend civilian infrastructure we don't control? That makes Telstra, Optus, Vodafone the operating environment; makes the banks, other financial institutions, utilities companies, targets," he asked. "How do we determine what infrastructure will be the government's responsibility to defend?"
