As highly sophisticated cyber attackers continue to breach organisations, seemingly unabated, the government’s draft mandatory data breach notification laws, unveiled last year, are an important step in the right direction.
You could be forgiven for thinking Australian organisations were not being targeted by cyber attackers — but breach disclosure laws will shine a spotlight on a world which has remained largely hidden locally.
We will start to gain a clearer picture of exactly what it is happening. Those in the Australian security industry know breaches are occurring, but without a legislative framework compelling businesses to disclose them, the true state of Australia’s cyber security has stayed concealed.
However, in its current form, the draft legislation applies to only a limited number of industries. But cyber attackers don’t discriminate. Attack campaigns have targeted every Australian industry. Entertainment, education, resources, media, hospitality, retail – even not-for-profits – every single industry has found itself in the crosshairs.
Simply put, the draft legislation’s scope must be expanded.
The timing of these laws is fortuitous, as cyber defences are set to become much more difficult to maintain thanks to the expected explosion of the Internet of Things. Gartner is predicting that this year 1.6 billion connected things will be used by smart cities – 518 million of which will be in commercial buildings.
Each of these devices is a potential weak link for an attacker to exploit – by their very nature they have poor security controls, such as weak or unauthenticated access, software security problems, or are too trusting of other devices on the network. They could fast become a favourite attack vector for threat actors.
While these proposed laws go some way to addressing how an organisation should act after it knows it has been breached, it doesn’t address the complexity in discovering the breach in the first place.
According to Mandiant’s latest M Trends Report, it takes an average of 205 days between a company being hacked and it detecting the compromise. This is more than six months that an attacker can spend within a network, completely unrestricted. In order for an organisation to notify affected parties, steps need to be taken to assist with the initial discovery of breaches.
One way in which this can be achieved is for the government to assist with intelligence sharing – not just with affected parties, but with other businesses so they can defend themselves against the same, or similar, attacks.
Cyber attackers are in league with each other, sharing the latest exploits and malware, giving each other support and tips on how to circumvent defences. Isn’t it time the public and private sectors banded together and presented a similar united front?
By sharing the intelligence – the signatures and indicators of compromise – of specific attacks, not only can other organisations protect themselves but they can also much more quickly detect if they have already been breached. By cutting down the period that an attacker has free reign within a network, the amount of damage and the number of people affected can be drastically reduced, it not nullified.
Ultimately, Australia is catching up to a global trend of adopting data breach disclosure laws. Similar legislation is already in place in the European Union and the United States. The new EU cyber security directive, expected to be finalised soon, will require breach reporting without undue delay, an element similar to that currently proposed by the Australian government.
The largest difference between the two, however, is that the EU’s directive would mandate penalties of up to five per cent of a company’s annual revenue for failure to maintain security or report breaches, making it stronger than the current Australian draft.
While the current draft legislation will help to illuminate the true extent of cyber-attacks on Australian industry, we need to ensure we get the complete picture. In other words, we need a spotlight, not a candle.
Not only must the legislation’s scope be expanded, but organisations need to be assisted during the discovery process. Otherwise, despite the best intentions, breach disclosure laws will have no effect as no one will know they’ve been compromised in the first place.
Phil Vasic is regional director at FireEye ANZ