The Sydney Morning Herald – The nation’s biggest banks and financial services companies will be summoned to a series of unprecedented war-gaming exercises to test how they would respond to debilitating cyberattacks that could upend the lives of tens of millions of Australians.
Home Affairs Minister Clare O’Neil said recent attacks on Optus, Medibank and Latitude Financial were just the tip of the iceberg when it came to damaging cyberattacks, and the government was preparing for more profound breaches that crippled critical infrastructure assets such as the water supply and electricity grid.
“The groups that are conducting cyberattacks are becoming more professionalised, industrialised, powerful and effective,” she said.
O’Neil, who is responsible for cybersecurity, said the impacts of recent large data breaches had been “real and consequential … but when you think about the impacts of the failure of a major hospital, the interruption of a traffic network or serious disruption of our banking system, the impacts can get much worse.
“Consider what damage could be caused if attackers intentionally try to degrade trust in a major system we depend on like telecommunications or banking.
“We need to plan for utilities to go down, for hospital systems to be under attack.”
O’Neil said the government had begun a series of cybersecurity exercises with the banking and finance sector because of its importance to the functioning of the economy.
“We’re conducting exercises where we play through what it would look like to have a major bank, for example, come down in a cyberattack,” she said.
“How would government work with that company to get services back online? If one of our big four banks is down, who can assist in providing services to those customers? How can we make sure the country continues to function properly while we solve the problem?”
The government ran a three-hour tabletop exercise with representatives from the Reserve Bank, Australian Securities and Investments Commission, Australian Prudential Regulation Authority and Australian Federal Police last month to examine how they would respond to attacks involving the theft of sensitive data and encryption of information technology.
Similar exercises will be held with individual banks before the government moves on to the aviation sector and other critical infrastructure networks.
Australian Banking Association chief executive Anna Bligh said protecting customers’ information and funds was the highest priority.
“Given the interconnectedness of the banking, finance and payments systems to the whole economy, sector-wide cyber-resilience exercises are critical for the safety of all Australians and the finance sector itself,” she said.
Tech Council of Australia chief executive Kate Pounder also welcomed the exercises, saying the cyber threat was not going to diminish.
Last month’s cyberattack on Latitude Financial led to the theft of 14 million customer records, including driver’s licence numbers, passport numbers and financial statements.
O’Neil is overseeing the creation of a cybersecurity strategy that aims to make Australia the world’s safest nation by 2030.
In a speech last week, she warned that urgent work was needed to prevent a “dystopian future” in which data breaches were replaced by “data integrity attacks, where small errors are induced in compromised sets with outsize implications, such as financial records”.
While not all cyberattacks could be prevented, O’Neil said, their damage could be mitigated if companies and government agencies were better prepared.
“What good looks like here is for Australian citizens to have no profound impact on their life when a system or a company is under cyberattack,” she said.
“We want to make this muscle so finessed and strong that when we confront cyberattacks, citizens can be confident we’ve thought through how we’re going to handle it and we are executing on a plan that we’ve set out.
“But that’s not what we’ve had before. When Optus and Medibank hit, we didn’t have plans in place, we didn’t have clear rule books about who would do what, and that’s what we’re trying to fix at the moment.”
While advances in technology such as quantum computing and artificial intelligence would make it easier for hackers to do damage, O’Neil said, they would also help governments and companies fortify themselves.
“To be clear, there are answers and solutions to all these problems,” she said. “But we have to get cracking and work out what those answers are before we’re in a crisis.”
O’Neil declined to comment on whether Australia had been affected by a damaging leak of about 100 United States Defence Department documents that included detailed accounts of the training and equipment being provided to Ukraine in its fight with Russia.
A government spokesperson said: “The Australian government is concerned about the disclosure of US classified information.
“We are pleased the US Department of Justice has acted quickly in announcing an investigation.”
