Cybersecurity is on the government radar, and addressing it has finally become a top priority. It has taken many successful attacks over the years, arguably too many, to reach this point.
Increasingly, governments themselves are targets: Australia found itself in the sights of a “sophisticated state-based cyber actor” in mid-2020. The attacks increased in frequency over the following months. Another attack hit parliamentary systems in March this year.
All of which is to say that governments, in Australia and abroad, are under no illusions about the threats and risks they face.
But they are also responding to the threats.
Governments have warmed to the idea of taking meaningful action:
- Enacting legislation
- Exerting political and economic pressure
- Re-examining their vulnerabilities
- Identifying ways to address them
Australia, US make legal moves
The Australian government has a heightened legislative interest in cybersecurity. It is seeking to expand the number of sectors deemed to be critical infrastructure providers, and to require those organisations to disclose attacks promptly and accept government assistance with incident response.
In addition, it has created a ransomware action plan that could result in mandatory reporting of ransomware incidents. It would create criminal offences and penalties for those caught distributing the malware or seeking to profit from it.
Some observers see Australia as a leader in pursuing more advanced cybersecurity legislation, particularly compared to some of its ‘Five Eyes’ alliance partners - the United States, United Kingdom, New Zealand, and Canada.
However, these and other jurisdictions and administrations are starting to catch up.
In the US, for instance, there are currently more than a dozen pieces of federal cybersecurity legislation at various stages of consideration. Not all of these bills are necessarily good, and most will never see the light of day. Still, it is encouraging that cybersecurity issues are gaining traction at the highest levels of government.
For the first time there is bipartisan support for requiring regulated industries to report breaches and share threat information. Stopping every attack will never be realistic. However, more reliable incident reporting and wider sharing of indicators of compromise and adversary tactics, techniques and procedures are steps in the right direction: an indicator one victim reports today is a detection rule at the next target tomorrow.
The new US administration has also shown an increased willingness to pressure nation-states supporting these large-scale attacks. Countries like Russia, Iran, and North Korea are already under substantial political and economic pressure.
The US is in a prime position to offer both the carrot and the stick by lifting or strengthening its economic sanctions but needs the support of other countries for a coordinated and united response, which it is now receiving.
The US has also played a key role in extracting commitments worth billions of dollars from ‘big tech’ companies for security enhancements and training. Backing on that scale shows the gravity of the situation facing governments and organisations worldwide, and the resolve of all interested parties to come together to quell attacks and regain the upper hand.
The substantive nature of some of these actions has caught the attention of observers and threat actors alike.
The persistence of the effort also matters: cybersecurity has never commanded this kind of time or resource commitment. There are few signs that the current scrutiny will be allowed to trail off and leave attackers once again free to use their own devices and tools against organisations indiscriminately and with impunity.
Chasing better cyber hygiene
Beyond legislation and policy, more robust cyber hygiene in government, its partners and the industries it regulates is also essential.
Hygiene is about more than using strong passwords and installing updates promptly. Identity security must be part of the broader definition, and agencies must manage the permissions they have granted (privileged group memberships, delegated rights, service accounts) far more tightly. Attackers have realised that once they breach perimeter defences, many networks lack the in-network protections needed to detect and derail their activities promptly.
When attackers are free to move laterally throughout a network with little fear of detection, they can look for valuable information and assets to steal, increasing the potential damage. Worse, it allows them to escalate by targeting Active Directory, compromising administrator-level identities and effectively seizing the keys to the castle, which happens all too often. Once a domain administrator credential is in an attacker's hands, every system that trusts the domain is theirs, and recovery usually means rebuilding the directory rather than cleaning it.
Active Directory and identity services are essential to the function of today’s network and cloud environments, and protecting them must be part of basic cyber hygiene: keep privileged group membership minimal, confine administrative accounts to dedicated workstations, and watch for the logon patterns that precede escalation rather than waiting for the ransom note.
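The two detections this section argues for, spotting one account fanning out across many hosts and spotting a privileged account logging on from an ordinary workstation, are small enough to show in code. The example below is added here and is not code from the original article or from any vendor it mentions. It runs over constructed sample events whose field names (`user`, `src`, `dst`, `logon_type`) stand in for the Windows Security event 4624 properties TargetUserName, WorkstationName and the logging host; the tier-0 account list and the admin-workstation list are assumptions for the demonstration.

```python
"""Lateral-movement and privileged-logon detection over constructed logon events.

Added example, not part of the original article. The sample events below are
constructed; field names mirror the Security event 4624 properties they stand
in for (TargetUserName -> "user", WorkstationName/IpAddress -> "src", the host
that recorded the logon -> "dst").
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed input, not a real log export
    {"ts": "2021-03-10T09:00:05", "logon_type": 3,  "user": "svc-backup", "src": "BKP01",  "dst": "FS01"},
    {"ts": "2021-03-10T09:05:10", "logon_type": 3,  "user": "jsmith",     "src": "WS-112", "dst": "FS01"},
    {"ts": "2021-03-10T09:06:02", "logon_type": 3,  "user": "jsmith",     "src": "WS-112", "dst": "DC01"},
    {"ts": "2021-03-10T09:07:40", "logon_type": 3,  "user": "jsmith",     "src": "WS-112", "dst": "HR-APP"},
    {"ts": "2021-03-10T09:08:15", "logon_type": 3,  "user": "jsmith",     "src": "WS-112", "dst": "FIN-DB"},
    {"ts": "2021-03-10T09:30:00", "logon_type": 3,  "user": "svc-backup", "src": "BKP01",  "dst": "FS01"},
    {"ts": "2021-03-10T10:00:00", "logon_type": 10, "user": "adm.kwong",  "src": "PAW-01", "dst": "DC01"},
    {"ts": "2021-03-10T10:15:30", "logon_type": 2,  "user": "jsmith",     "src": "WS-112", "dst": "WS-112"},
    {"ts": "2021-03-10T10:20:00", "logon_type": 3,  "user": "adm.kwong",  "src": "WS-112", "dst": "DC01"},
]

# Assumed tier-0 accounts and the only workstations they are allowed to log on from.
PRIVILEGED_ACCOUNTS = {"adm.kwong"}
ADMIN_WORKSTATIONS = {"PAW-01", "PAW-02"}

# Logon types that imply a connection to a remote host: 3 = Network, 10 = RemoteInteractive.
REMOTE_LOGON_TYPES = {3, 10}


def parse_events(raw):
    """Convert ISO timestamps to datetime objects and return events in time order."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in raw]
    return sorted(parsed, key=lambda e: e["ts"])


def detect_fanout(events, window=timedelta(minutes=10), threshold=3):
    """Flag accounts that reach at least `threshold` distinct hosts within `window`.

    One account hopping across a file server, a domain controller and an app
    server in minutes is the lateral-movement pattern described above; a
    service account hitting the same server repeatedly is not. Each account
    is reported once, at the moment the threshold is first crossed.
    """
    recent = defaultdict(deque)  # user -> deque of (ts, dst) still inside the window
    alerts, reported = [], set()
    for e in events:
        if e["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        q = recent[e["user"]]
        q.append((e["ts"], e["dst"]))
        while q and e["ts"] - q[0][0] > window:  # drop logons older than the window
            q.popleft()
        hosts = {dst for _, dst in q}
        if len(hosts) >= threshold and e["user"] not in reported:
            reported.add(e["user"])
            alerts.append({"user": e["user"], "at": e["ts"], "hosts": hosts})
    return alerts


def detect_privileged_misuse(events, privileged=PRIVILEGED_ACCOUNTS,
                             admin_workstations=ADMIN_WORKSTATIONS):
    """Flag remote logons by tier-0 accounts that originate outside the admin workstation set.

    A domain administrator authenticating from an ordinary user workstation
    leaves credential material on a machine the attacker may already control.
    """
    return [
        {"user": e["user"], "at": e["ts"], "src": e["src"], "dst": e["dst"]}
        for e in events
        if e["user"] in privileged
        and e["logon_type"] in REMOTE_LOGON_TYPES
        and e["src"] not in admin_workstations
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for a in detect_fanout(evs):
        print(f"fan-out: {a['user']} reached {sorted(a['hosts'])} by {a['at']:%H:%M:%S}")
    for a in detect_privileged_misuse(evs):
        print(f"privileged misuse: {a['user']} from {a['src']} to {a['dst']} at {a['at']:%H:%M:%S}")
```

On the sample data the fan-out rule fires once, for `jsmith`, at 09:07:40 when the third distinct host is reached, and stays quiet for the backup service account that only ever touches FS01. The privileged-logon rule fires for the 10:20 logon of `adm.kwong` from WS-112, not for the earlier one from PAW-01. The window, threshold and logon-type set are the knobs to tune against a real environment's baseline; the point is that both rules need only data the domain already records, which is exactly the in-network visibility the section says most networks lack.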