The Strategist - Australian Strategic Policy Institute
The Covid-19 pandemic has changed the way we think about national resilience in the face of global crises. It’s shown us, brutally, how such disasters can cascade around an interconnected, interdependent world. It also invites us to question what other potential shocks we might be vulnerable to as a nation.
In this new world, Australia should be thinking hard about its national cyber resilience. We can’t predict the future, but we often have forewarnings. We might not know the where or the when of the next crisis, but we often have a good idea of the what. In the past 100 years, Covid-19 was preceded by the Spanish flu, MERS, SARS, H1N1 and Ebola. We had seen enough to know the potential risk.
The next global cyber crisis will have been preceded by NotPetya and WannaCry. In 2017, the NotPetya malware, designed to propagate rapidly and automatically, began corrupting computer systems across the world. It happened swiftly and indiscriminately in a way that now seems analogous to the coronavirus pandemic.
When the NotPetya wiper was first unleashed by the Russian government on Ukraine’s critical infrastructure, the malware crippled hospitals, airports, banks, the power grid and almost every government department. In an interconnected world, it quickly spread globally and ultimately caused damage that cost US$10 billion. The crippling of a major logistics company, Maersk, meant that one-fifth of the world’s shipping was affected.
Only a month before, the North Korean government released the WannaCry worm as a way of raising much-needed hard currency through cybercrime, in this case via ransomware. It spread rapidly, causing up to US$8 billion of economic damage while threatening even more serious harm. The network of Britain’s National Health Service was corrupted, causing panic and delaying surgeries. The UK National Audit Office reported that the attack had potentially serious implications for the NHS and its ability to provide care to patients. ‘It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice’, the audit office said.
Both attacks could have been much worse. A report commissioned by Lloyd’s as part of its cyber risk management project has warned that a global infection by contagious malware could cause up to US$193 billion of economic damage worldwide. The impact on interdependent essential services would be enormous.
Unfortunately, Australia is not well prepared to confront this kind of widely dispersed threat. Late last year, David Irvine, a former head of the Australian Security Intelligence Organisation and the Australian Secret Intelligence Service, warned that ‘we need … to have much more effort by both the government and the private sector and individuals into developing what I’ll call national cyber resilience to a far greater level than we have now’.
The Australian Signals Directorate has some of the best cybersecurity capabilities in the world, but throughout the nation, our cyber resilience is highly variable. Six years of reviews by the Australian National Audit Office show that 40% of Commonwealth entities continue to fail to implement basic cybersecurity measures. Last year’s review of the Commonwealth’s cybersecurity posture confirmed sustained indifference to this national vulnerability.
Australia’s major banks can draw on large teams of highly skilled cybersecurity professionals to confront the most sophisticated adversaries, but time-constrained and resource-poor small and medium businesses struggle to protect themselves from even the most basic commodity attacks.
The Australian Labor Party has released a new policy discussion paper, National cyber resilience: Is Australia prepared for a computer COVID-19? and convened a stakeholder roundtable to canvass policy options that should be considered now to ensure that Australia is ready for cyber incidents in the future.
To deliver national cyber resilience, we need to reconceptualise our approach to cybersecurity policy. We need to think like public health experts trying to improve the health of a diverse population rather than like defence professionals trying to secure a single entity. We need policies that bring cybersecurity to the community and build cyber resilience throughout the country.
In our paper, we call on the government to follow the lead of the UK’s National Cyber Security Centre (NCSC) and implement a framework for active cyber defence in Australia. That would provide a set of tools for automated, scalable mitigation against the most common cyberattacks. The objective is to ‘take away most of the harm from most of the people most of the time’.
The head of the NCSC, Ciaran Martin, said active cyber defence was based on the premise that in a modern economy ‘there are some market failures where the government needs to intervene if there is to be an acceptable level of national cyber security hygiene’. To promote national cyber resilience, Martin argued that the government needed to make ‘more fundamental interventions’ to ‘improve the digital homeland’. Or, as the NCSC’s technical director, Ian Levy, memorably put it, ‘getting off our backsides and doing something’.
Active cyber defence is not a silver bullet. It can’t defend against sophisticated attacks. But it could improve the collective safety of Australia’s internet by hardening our most vulnerable organisations against high-volume, low-complexity attacks.
We’re also exploring the creation of a civilian cyber corps, a kind of cyber version of the state fire and emergency services, made up of experienced cybersecurity professionals who work as volunteers to build the capabilities of vulnerable organisations in their communities such as not-for-profits and small businesses, and potentially to help respond to large-scale incidents in a crisis.
Such organisations are already at work. While Estonia’s volunteer-based Cyber Defence Unit is attached to its paramilitary organisation, the Estonian Defence League, it emphasises broad national resilience and public education. The unit runs courses in schools, conducts simulation exercises in government departments and educates policymakers while also providing an emergency response capacity.
After a series of cyberattacks crippled its government, banks and online newspapers in 2007, Estonia well understands that cyber incidents can threaten the nation’s resilience. It is a lesson Australia should draw on.
We hope the discussion paper kicks off a constructive debate and a reconsideration of our cybersecurity policies. We shouldn’t wait until another global crisis is upon us before we respond. Leadership requires preparedness, especially when the threats — and our vulnerabilities — are already well known.