A recent string of data breaches has prompted rapid changes to Australia’s cybersecurity and data protection policies, and the latest development appears to be a cyber task force set to “hack back” and actively pursue what Minister for Home Affairs Clare O’Neil described as “scumbags.”
Home Affairs is promising a new “tough on crime” policy toward cyber incidents and data leaks, as millions of Australian citizens have seen sensitive personal data stolen from a variety of major companies and long lines have formed to have compromised personal identification re-issued. The agency is promising a force of around 100 officers formed through a partnership between the Australian Federal Police (AFP) and the Australian Signals Directorate.
Cyber task force looks to crack down on data thieves, promises action against overseas targets
The Home Affairs office says that the cyber task force will be a standing operation that focuses on criminal syndicates, and that it would engage in “day in day out” actions in tracking down the perpetrators of data breaches. Officials said that the string of recent attacks can be tied to organized criminal groups in Russia, but stopped short of naming specific targets when asked if the notorious REvil ransomware gang had been involved in the attack on Medibank.
Officials did say that they had identified the Medibank hackers, but would not be releasing the name to the public at this time as they engage in talks with Russian law enforcement agencies via Interpol. There has been speculation that it is either a re-emergence of REvil, or an offshoot group potentially composed of former members.
The backlash from the Australian government appears to be prompted not just by the rapid-fire string of breaches that have occurred since September, but also by the particularly heinous nature of the data extortion in the Medibank case. Among the 9.7 million records stolen was a good deal of sensitive health information, and the attackers have slowly leaked the most sensitive items via a dark web site. This includes patients with a drug and alcohol addiction diagnosis, those who have had abortions, and high-profile public figures. Medibank has declared that it will not make any ransom payments.
To what extent can a cyber task force really “hack back”?
The announcement has raised questions in some circles about the extent of the cyber task force’s plans. “Hacking back” is a very contentious concept that exists in the murky international waters of cyber engagement norms and unspoken rules.
The idea has sometimes been bandied about by private industry, but is generally shot down due to the possibility of causing an international incident by hitting a nation-state entity or damaging innocent third parties in the process. At the government level, the move is usually to issue an indictment against any known hackers and then cooperate with international law enforcement to disable and seize their servers and infrastructure and eventually track them down in person.
It is thus unclear what Australia’s cyber task force intends to put on the table that is not already being done, considering that the country is a member of the “Five Eyes” intelligence network of nations that are generally the most aggressive in pursuing international criminal hackers. On some level the move may be just bluster to reassure the Australian public that “something is being done” about the worrying string of recent breaches.
However, the cyber task force is far from all that Australia has done to bolster cybersecurity and data privacy as of late. Earlier in the year, the “Redspice” program (Resilience, Effects, Defence, Space, Intelligence, Cyber, Enablers) was budgeted AU $9.9 billion over the coming decade, tripling its current annual funding and adding three new offices with a total of 1,900 new employees.
The country is also in the process of updating the Privacy Act 1988, the law that governs data handling and privacy for private companies. A finalized revision is expected in the coming months, but for now the government has rushed to increase penalties for breaches in the wake of the recent crime wave. Companies now face a loss of up to 30% of annual domestic turnover.
One of the most frustrating elements of the recent cyber crime spree in Australia is the lack of news on potential perpetrators, aside from the tentative links of REvil to the Medibank incident and a general expectation that most or all of the attackers are based in Russia (no surprise to anyone with even a cursory knowledge of cybersecurity issues). It is thus difficult to tell if Australia has been the target of some particular recent campaign, or if a number of its organizations just happened to have vulnerabilities exploited at around the same time. The cyber task force might at least provide more timely and reassuring answers to questions such as these.
Ryan English, Cybrary Threat Intelligence Group (CTIG), is a proponent of governments taking aggressive “hack back” action against criminal groups and hopes that the Australian government is doing more than just putting on a show: “We have not found any success limiting criminal groups through diplomatic means. Governments realizing that to deal with the criminal menace, they will need to fight fire with fire signals an acceptance that the scourge of ransomware and other destructive attacks will not just fade away. I am a fan of retaliating in kind and hope this kind of wisdom makes its way to US shores.”