Cyberspace is a world of opportunities

The Internet based economy is growing twice as fast as the rest of the global economy. This is driven by a combination of surging business innovation and increased connectivity. Eight in ten Australians access the internet daily. If poor cyber security erodes trust and confidence in cyberspace, the economic opportunity of a connected Australian economy will suffer. On the other hand, Australia stands to prosper significantly with reliable cyber security.

Australians have quickly embraced economic opportunities in cyberspace. In 2014 alone, the Internet based economy contributed $79 billion to the Australian economy (or 5.1 per cent of GDP). This amount could grow to $139 billion annually (7.3 per cent of GDP) by 2020 as more devices, services and people are connected online.

Businesses and governments are also benefiting from improved online and mobile technology. They are using information gathered online to tailor products and services to individual needs. The rate of development of new commercial opportunities will accelerate as more and more of the things we own and use, such as fridges, cars, even pacemakers, are connected to the internet and to each other. Once referred to as the ‘Internet of Things’, this phenomena is now the ‘Internet of Everything’.

Australians are becoming increasingly connected online

...But cyber security threats are serious and growing

As people and systems become increasingly interconnected, the quantity and value of information held online has increased. So have efforts to steal and exploit that information. Cyberspace, and the dynamic opportunities it offers, is under persistent threat.

Malicious cyber activity is a security challenge for all Australians. Australian organisations across the public and private sectors have been compromised by state-sponsored or non-state actors. Overseas, large multinational companies and government organisations have been targeted, losing substantial amounts of sensitive commercial and personal information or incurring major damage to their business and reputation.

Figures vary, but cybercrime is estimated to cost Australians over $1 billion each year. Worldwide, losses from cyber security attacks are estimated to cost economies around one per cent of GDP per year. On this basis, the real impact of cybercrime to Australia could be around $17 billion annually. These costs are expected to rise. Government, telecommunications, resources, energy, defence, banking and finance sectors are likely to remain key targets for cyber criminals and malicious state actors alike.

The Australian Cyber Security Centre Threat Report 2015 says the cyber threat is undeniable, unrelenting and continues to grow. If an organisation is connected to the Internet, it is vulnerable to compromise—and the malicious cyber activities in the public eye are just the tip of the iceberg.

Types of malicious cyber activity

Malicious cyber activities are wide ranging. They include activities designed to compromise the confidentiality, integrity or availability of computer networks or ICT systems or the information on them. The term ‘cyber espionage’ refers to theft of information for intelligence purposes. ‘Cybercrime’ refers to crimes directed at computers, such as illegally modifying electronic data or seeking a ransom to unlock a computer affected by malicious software. It also includes crimes where computers are part of an offence, such as online fraud.

In this Strategy, the term ‘cyber attack’ refers to deliberate acts that seriously compromise national security, stability or prosperity by manipulating, denying access to, degrading or destroying computers or networks or the information resident on them. Other compromises are referred to as ‘malicious cyber activity’.

Cyber adversaries are aggressive and persistent in their efforts to compromise Australian networks and information. They are constantly improving their tradecraft in an attempt to defeat our network defences and exploit new technologies.

They will also target the weakest link; if the network security of their primary target is robust, they will move to more easily compromised connected networks that could provide access to the primary target.

Further, the differences between some malicious cyber actors—such as organised criminal networks, state-sponsored actors and issue motivated groups—are becoming less distinct. For example, activity by some cyber criminals can be more sophisticated than those conducted by many nation states. This growing network of malicious actors is having a global impact.

Drivers of the rising cost of malicious cyber activity in Australia

Intrusion Vectors

An intrusion vector is the path or means an actor uses to gain access to a target. Common intrusion vectors include emails sent with malicious links and attachments; fake or manipulated websites that download viruses; removable media such as USB drives; unsecured wireless hotspots; and access through weak passwords.

Malicious actors can also use intrusion vectors to exploit human behaviour. Crafting an email containing malicious software based on a person’s interests to entice them to open it is a vector, known as ‘spearphishing’. These types of vectors are often referred to as social engineering: manipulating a person, overtly or otherwise, into performing actions or divulging confidential information. It can be in person or through cyberspace, such as grooming targets on social media.

Making a Difference

Australia has an opportunity to be a leader in the global cyber solution. As a stable and creative nation, Australia will help ensure the Internet is open, free and secure. In partnership with other countries, we can strengthen the foundations of international stability in cyberspace, enhance cooperative partnerships and build cyber security capacity.

Modelling in the US suggests the costs of managing cyber security risks for businesses are set to increase by 38 per cent over the next ten years, as further investment is required for cyber training and security tools. It is estimated that spending on cyber security of critical infrastructure in the Asia-Pacific region will reach US$22 billion by 2020, presenting a growing opportunity for Australia’s cyber security industry.

This will deliver domestic dividends. Businesses are looking to invest in places with skilled workforces, engaged online consumers and simple regulatory environments that support innovation and security. Confidence in doing business online is critical. Getting cyber security right will mean Australia becomes a location of innovation and investment, a place where businesses start and grow, where organisations diversify and export and where all individuals can protect themselves online.

Cyber security enables disruptive technology

In combination, many ‘disruptive’ technologies have significant potential to drive economic growth. In Southeast Asia alone, McKinsey has estimated that between mobile Internet, big data, the Internet of Things, automation of knowledge work and cloud technology, there is the potential to unleash some $220 billion to $625 billion in annual economic impact by 2030. But to fully realise these and other opportunities, these technologies and the infrastructure on which they operate must be trusted. Strong cyber security will enable this.

Internet of Everything. It is estimated that by 2020 there will be at least 50 billion devices connected to the Internet globally. This explosion of connectivity will accelerate innovation in products and services, providing new business opportunities and new jobs.

However, the more connected ‘things’ are, the more targets there are for malicious actors. Part of the problem is that online security has not been considered in the design of many of the devices connected to the Internet. This has made it easier for malicious actors to disrupt and damage networks.

As an example of how vulnerable internet connected devices can be, in 2015 the popular technology website Wired.com reported that security researchers had hacked into the electronics of a US car through its online entertainment system, changing its speed and braking capability before shutting the car engine down remotely. This demonstration led to the manufacturer having to provide software updates for 1.4 million US cars and trucks fitted with the same entertainment system.

Increased connectivity is also changing the relationship between consumers and businesses; it is fragmenting supply chains and business models. In turn, this will affect how people live and work, and how industries and economies perform.

Cloud computing is a key feature of Australia’s increasingly networked society. It provides individuals and businesses with greater data storage capacity, cost savings, convenience and flexibility. However, there are risks associated with cloud computing, including loss of control of data and problems recovering data.

The Government launched its Cloud Computing Policy in 2014, requiring Government agencies to adopt a ‘cloud first’ approach—where it is fit for purpose, provides adequate protection of data and delivers value for money. With the right measures, cloud computing can be used in both the public and private sector to improve cyber security, particularly for small organisations and businesses.

The Australian Cyber Security Centre has also provided guidance on secure cloud computing, including a list of Certified Cloud Services.

The Cyber Security Strategy underscores the powerful potential sparked by the cyber phenomenon. That potential revolves not just around Australia’s national security, but equally around its economic wellbeing: it is unlocked by tackling these issues square on; by getting to grips with them in partnership across government, industry, academia and society; and in mastering their complexities and seizing their inherent possibilities.

Sir Iain Lobban, a member of the Cyber Security Review’s Independent Panel of Experts