Late last month, the Australian Cyber Security Centre (ACSC) released its first public report, titled "Threat Report". The foreword begins with the ominous statement, "The cyber threat to Australian organisations is undeniable, unrelenting and continues to grow". You have been warned!
The Threat Report is delivered at a time when the nature and extent of the cyber threat facing Australia is subject to some contention. Most importantly, in only the last few weeks, a draft industry submission to the federal government, written in response to its proposed Telecommunications Sector Security Reforms (TSSR), found its way to the media. The submission pushed back on the need to introduce extensive new powers to fight cyber threats.
Specifically, the telecommunications industry challenged the government to identify "what specific failings and/or weaknesses the Government is seeking to address". Some hard evidence of the scale of the threat might justify the draconian powers being proposed.
In this context, what does the Threat Report say about the threat to our national infrastructure and systems? Does it identify any "failings and weaknesses" that must be addressed with new regulation? Does it provide detailed information regarding potential threats to national IT infrastructure?
Picking carefully through the broad explanation of terminology (also defined in the Glossary, in case you missed the first 10 pages), quite a few platitudes, and many generalisations, we are advised that "the number of confirmed significant compromises of federal Australian Government networks has decreased since 2012", and "Australia has not yet been subjected to any activities that could be considered a cyber attack".
Also, for some reason, the only statistics provided relate to the lowest level of issue, "incidents". In the context of 12.6 million internet subscribers and 21 million mobile subscribers, the ACSC reported 1131 "incident responses" last year.
The report includes no information on the extent or seriousness of compromise of systems or devices, or the number of incidents suffered by government vs the private sector. Government is not a category in the breakdown of incidents by sector even though the need for better adherence to security standards and countermeasures is mentioned. "Communications" as a sector represents only 12 per cent of the reported incidents.
There are eight short case studies. Of those, only five relate to actual incidents apparently causing harm. In only one case is information provided about how the compromise occurred.
The ACSC is a new body comprising an amalgamation of Australian cyber threat expertise. It comprises security capabilities from the Australian Crime Commission, the AFP, ASIO, the Australian Signals Directorate, the Computer Emergency Response Team (CERT) and the Defence Intelligence Organisation.
This organisation, perhaps together with the Australian Internet Security Initiative (AISI) run by the Australian Communications and Media Authority, represents the prime repository of our best and most detailed understanding of the cyber threat facing Australia. It should produce a better report than this one, with less hyperbole and more real information.
It also seems that the ACSC has made the case put by the telecommunications industry against the TSSR as proposed.