Australian Cyber Security Centre Threat Report 2015

lachlan ingram croppedThe Australian Cyber Security Centre (ACSC) has just released its first unclassified ‘Threat Report’, purporting to map out the current Australian cyber-risk landscape.

The ACSC is a collaboration between government organisations (including the Australian Federal Police, ASIO and the shadowy Australian Signals Directorate (ASD)) that connects cyber security capabilities across government bodies.

The report highlights the increasing rate of cyber-attacks in Australia. Statistics from ASD (predominantly relating to government agencies) show a more than 350% increase in reported incidents since 2011.  Computer Emergency Response Team Australia (CERT), a government agency predominantly assisting strategically important Australian businesses facing cyber risks, reported that almost 50% of the 11,073 incidents it responded to in 2014 were from businesses in the energy and banking and finance sectors. The report also notes “daily cyber espionage activity” against Australian Government networks, identifying that government agencies have improved their cyber resilience by implementing the ASD’s Top 4 Strategies to Mitigate Targeted Cyber Intrusions, said to mitigate more than 85% of the attacks to which the ACSC responds.

The report also provides a more detailed insight into the goals and methods of cyber-attacks and the types of cyber adversaries, warning against a reactive approach to cyber security. It notes in particular  that Australia’s status as a resource-rich regional leader with important global partnerships makes it an attractive target for cyber adversaries and that “Australian organisations could be a target for malicious activities even if they do not think the information held on their networks is valuable, or that their business would be of interest to cyber adversaries”.  

However, despite partnering with around 500 strategic Australian businesses, including those in the energy, banking and finance, communications, defence and transport industries, the ACSC’s reliance on voluntary reporting of cyber-attacks, means that there are ‘gaps’ in the ACSC’s “understanding of the extent and nature of malicious activity, particularly against the business sector”.  In this respect, the report does not identify the total number of cyber incidents that occurred in Australia in 2014.

Nonetheless, the report is timely given proposed legislation that includes the introduction of mandatory data breach notifications and recent feedback on other elements of the proposed legislation (reported on by Insurance Flashlight here and here).  Mandatory data breach notification may give cooperatives like the ACSC a greater ability to identify and assist businesses to respond to the scale of cyber risk facing Australia.

This blog was co-authored by DLA Piper partner Jacques Jacobs and senior associate Nitesh Patel.