Cyber security services - performance analysis
Over the reporting period, ASD's ACSC has continued to deliver whole‑of‑economy cyber security services, in line with its remit to provide cyber security advice and assistance to Australian governments, business and critical infrastructure, as well as communities and individuals.
The ACSC's incident response capabilities span the full range of cyber incidents, from national crises to incidents affecting individual members of the public. In order to manage the broad range of cyber incidents, the ACSC uses a Cyber Incident Categorisation Matrix (see Figure 3) to triage and prioritise the immediate defensive response to mitigate each cyber incident. This allows the ACSC to focus its resources more effectively, ensuring consistent messaging and an appropriate level of response measures are activated.
During 2019–20, the ACSC responded to 2,266 cyber security incidents of varying significance. Of the 2,266 incidents, the largest proportion were assessed as being ‘Category 5’ (C5) followed by ‘Category 4’ (C4). These categories broadly represented malicious cyber activity such as targeted reconnaissance, phishing emails and malicious software impacting larger organisations, key supply chain and Commonwealth and state government entities.
On 19 June 2020, the Prime Minister and the Minister for Defence publicly announced that the Australian Government was aware of, and responding to, a Category 1 level cyber security incident involving the sustained targeting of Australian governments and companies by a sophisticated state-based actor. The ACSC published an advisory titled ‘Advisory 2020-008: Copy-paste compromises’, a title derived from the adversaries’ heavy use of tools copied almost identically from open source. The advisory details the tactics, techniques and procedures (TTPs) identified during the ACSC’s investigation of the cyber campaign, as well as the mitigations to reduce the risk of compromise.
On 30 June 2019, the ACSC launched ReportCyber, replacing the Australian Cybercrime Online Reporting Network (ACORN) previously managed by the Australian Criminal Intelligence Commission (ACIC). Major improvements to ReportCyber continued to be delivered during this reporting period. ReportCyber has simplified Australians’ ability to report cybercrimes such as hacking, scams, fraud, identity theft, and attacks on computer systems. This capability has also enabled an improved user reporting experience, greater victim care, including the latest advice and guidance, and more accurate referrals to help police manage processing times.
The ACSC has continued to manage ReportCyber on behalf of federal, state and territory law enforcement agencies. During the period of this report, ReportCyber has processed 59,806 cybercrime reports at an average of 164 cybercrime reports per day, or one report every 10 minutes. The data collected from these reports will help the ACSC and law enforcement agencies to better understand the impacts of cybercrime on the community, track and share trends and patterns in cybercrime as they are reported and more effectively work with other government agencies to disrupt cyber criminals.
The ACSC worked actively with public and private sector organisations to strengthen cyber security arrangements and build resilience. Key activities included:
- delivery of the Government Uplift Program on 25 select government networks, comprising:
  - ‘Essential Eight’ Sprints conducted between July and December 2019
  - follow-on consolidation of cyber security improvements through administration of the Cyber Security Response Fund
  - improved sharing of cyber security best practice among state, territory and federal governments through the Chief Information Officer / Chief Information Security Officer Forum since June 2019
  - a pilot of ACSC’s Strategic Host Based Sensor Program, to facilitate real time threat monitoring and rapid remediation.
- establishing a pilot scalable cyber defence capability, Protective Domain Name Service (PDNS) in February 2020. Five federal government agencies have been successfully on-boarded to date, including approximately 9,000 users
- the Australian Internet Security Initiative (AISI), providing daily threat information about malware infected or vulnerable networks via 4.2 million Active Compromise Reports and 575.2 million Vulnerable/Open Service Reports on vulnerable networks to over 300 member organisations, including Internet Service Providers, state and federal government agencies, medium-to-large private organisations and critical infrastructure
- the ACSC's National Exercise Program, which supported 19 cyber security exercise activities across government and the energy, banking and finance, academia, transport, water, defence industries, health and resource sectors
- expanding the ACSC Partnership Program, which grew during this reporting period to incorporate 667 organisations across all levels of government, critical industry, business, and the academic, research and not-for-profit sectors
- delivering Operational Technology-Information Exchanges around Australia involving hundreds of organisations responsible for vital control systems ranging from electricity and water to transport, health and defence
- providing cyber security support to the Australian Electoral Commission, including vulnerability assessments, advice and assistance, threat briefing and incident response in the lead-up to and during the May 2020 Eden-Monaro by-election, and preliminary activity with the relevant electoral commissions ahead of Northern Territory, Queensland and Australian Capital Territory elections later in 2020.
During 2019–20, the ACSC used a variety of means to provide accurate and timely cyber security advice to Australians including product tailored to address the cyber security challenges across the economy during COVID‑19 (see Case Study 1). The ACSC produced:
- the ACSC’s Small Business Cyber Security Guide, accompanied by a suite of supporting publications including 11 Step-by-Step Guides and three Quick Wins publications
- twenty-two new PROTECT publications on cyber.gov.au for public consumption, including updates to several existing publications
- six unclassified Sector Snapshots covering banking and finance, water, education and training, communications, sports and health sectors, designed to inform decisions about investment and allocation of internal resources by executives and cyber security professionals relevant to that critical infrastructure sector
- fifteen Australian Communications Security Instructions to Australian government agencies and associated contractors tasked with the control, handling and maintenance of cryptographic products used to protect classified government information
- monthly updates to the Information Security Manual ensuring that cyber security principles and guidelines remain relevant and applicable for organisations in managing their own risk framework to protect their systems from cyber threats
- seven Information Security product certifications under the Australasian Information Security Evaluation Program.
In June 2020, the ACSC launched the new cyber.gov.au website. This consolidated all cyber-enabled reporting channels across government to provide the breadth of services including incident reporting, threat reporting subscription services, customer management and Protective DNS for whole‑of‑government and select critical industry systems. The site underwent numerous incremental changes during 2019–20 to modernise, replace and consolidate ACSC‑related legacy sites and services, including incorporation of the Stay Smart Online Program. The changes improve the delivery of information by customer segmentation and make it easier for the full spectrum of ACSC customers – from individuals, small and medium-sized business, to large organisations, critical infrastructure and government entities – to access relevant cyber security advice, news and alerts, tailored to their needs.
The ACSC collaborated with industry and government stakeholders on cyber security matters, including:
- supporting the Department of Home Affairs' Critical Infrastructure Centre with technical assessment of critical infrastructure and telecommunications security issues
- extensive consultation with industry and government regarding the replacement of the Cloud Services Certification Program and related Certified Cloud Services List (CCSL), with the industry co‑designed Cloud Security Guidance
- initiating enhancements to the Information Security Registered Assessors Program (IRAP) to meet increasing demand for assurance services by government and industry.
Throughout 2019–20, the ACSC helped inform policy makers of the key trends and continuously evolving and sophisticated nature of the threat environment, including by:
- leading six Commonwealth Chief Information Security Officer Forums and two Information Technology Security Adviser Forums, where senior government officials with responsibility for cyber security were able to leverage the collective knowledge and experience of members to improve cyber resilience
- supporting major government policy initiatives to publicly attribute malicious cyber activity through our technical advice and intelligence
- producing upwards of 190 classified and unclassified intelligence assessments, covering the actions of state and non-state actors, global cyber policy developments of relevance to Australia, and the challenges posed by new cyber technologies. The ACSC also provided input on the cyber threat to other intelligence products across government agencies, including supporting the ONI and the Defence Intelligence Organisation
- chairing the National Cyber Security Committee (NCSC), which provides a platform for detailed engagement and collaboration between the Commonwealth and state and territory governments on cyber security issues. Due to an increase in COVID‑19 related cyber security threat activity and other targeted incidents affecting state and territory governments, the NCSC has met more regularly than usual: between 23 March and 30 June, the NCSC met on 18 occasions. The ACSC provides threat updates at each NCSC meeting, and has also provided several classified briefings to assist state and territory authorities with their investigations.
Case Study 1: ACSC support provided during the COVID-19 pandemic
The COVID-19 pandemic saw an increase in the operational tempo for the ACSC, with an increase in government and public need for cyber security advice and support tailored to meet the challenges of the threat environment. Key support provided during this reporting period included:
- providing cyber security technical advice to the Digital Transformation Agency (DTA) for the development and ongoing implementation of the COVIDSafe app
- mitigating and disrupting COVID-19-related crimes
- conducting covert disruption and offensive cyber operations to combat COVID-19 themed malicious cyber activity (see Case Study 2)
- providing hospitals and health service providers across the country with cyber security advice, and sharing threat information and technical support to help mitigate risks
- producing tailored cyber security advice, focusing on: teleconferencing solutions, working from home, protecting small and medium enterprise systems, and protecting critical infrastructure networks in the context of remote access requirements.
Case Study 2: Countering COVID-19 Themed Cybercrime
Throughout the COVID‑19 pandemic, ASD observed cybercrime actors quickly adopting a range of existing methodologies to take advantage of Australians looking for information about COVID-19 testing, social distancing restrictions and government assistance.
In February 2020, the ACSC observed cybercrime actors registering COVID‑19 themed websites in Australia and overseas. These websites were designed to host malicious software (malware) or harvest personally identifiable information. In order to lure unsuspecting Australians to these malicious websites, cybercriminals distributed a range of different email and SMS phishing campaigns, often impersonating government agencies and health officials.
The cybercriminals behind these campaigns were agile, adapting messages to closely align with breaking developments, such as government relief payments or public health guidance, within days – even hours – of these announcements occurring.
In response to this criminal activity, the ACSC took action to mitigate and disrupt COVID‑19 related cybercrime, working closely with Australia’s telecommunications providers to block access to websites identified as malicious. The ACSC also worked with industry partners to have the websites flagged as malicious, to ensure web-users are warned about these sites before they are able to visit them.
In parallel, ASD mobilised its offensive cyber capabilities to disrupt foreign cyber criminals responsible for a spate of malicious activities during COVID‑19. Those operations included disabling online infrastructure used by the foreign cyber criminals and blocking their access to stolen information.
Case Study 3: National cyber security exercise for Australia’s electricity industry
In November 2019, the ACSC coordinated a national cyber security exercise series in partnership with Australia’s electricity industry and government agencies. The exercises were designed to strengthen industry and governments’ coordinated response to a significant cyber incident affecting Australia’s electricity sector.
The series involved two exercises, a two-day operational exercise and a strategic discussion exercise. Participants were from the electricity industry, Australian government agencies and state and territory government agencies. The operational exercise involved 560 personnel from 32 electricity and government organisations. The strategic discussion exercise involved 25 personnel from 23 electricity and government organisations.
The exercise series produced learnings for all participating organisations to further strengthen current arrangements, and identified areas to improve organisational and sector cyber incident response arrangements. The series demonstrated a strong desire by electricity organisations and government agencies to practise and improve arrangements for responding to significant cyber incidents. It also helped to strengthen the ACSC’s relationships with the electricity industry, and increase our understanding of the challenges and needs of organisations affected by significant cyber incidents.
Organisations that participated in the operational exercise invested significant time and resources into planning, exercise conduct and evaluation, and the success of the series was dependent on contributions from, and participation by, organisations. Feedback provided to the ACSC was that the exercise provided value to organisations and that planners liked the flexibility of the distributed exercise model for the operational exercise, which the ACSC adopted from the North American Electric Reliability Corporation’s Electricity Information Sharing and Analysis Centre (NERC’s E-ISAC). One participant said the exercise provided their organisation with an opportunity to test its security incident response process. Another participant said their executive gained valuable insights on what is required in a significant cyber event.
Partnerships and engagements
ASD’s ACSC engages directly with the private and public sectors through a range of mechanisms and forums. The ACSC Partnership Program is the primary vehicle for organisations to engage with the ACSC, and also allows partners to collaborate across sectors with their cyber security professional peers.
In their statement on 19 June 2020 on malicious cyber activity against Australian networks, the Prime Minister and the Minister for Defence publicly encouraged Australian organisations to become ACSC Partners in order to access the latest cyber threat advice. In the three weeks following this statement, the ACSC received 990 expressions of interest in the program.
The Partnership Program is primarily delivered through the Joint Cyber Security Centres (JCSCs) around Australia. The JCSCs create a trusted, neutral environment, driving collaboration and information sharing on joint cyber security challenges and opportunities and propagating this across all sectors.
During 2019–20 the JCSCs built collaboration across the Australian economy, hosting interactive workshops, presentations, training sessions, information exchanges and working groups, as well as providing facilitated space for collaborative working and information sharing. ACSC Partners also collaborate actively on the JCSC Slack channel.
Examples of collaboration and information sharing facilitated by the ACSC Partnership Program and JCSCs include:
- spearphishing training delivered to over 500 attendees
- regular sector and general ‘drop-in days’ in the Centres, with over 100 Partners attending larger sessions
- advance notification for Partners of significant ACSC investigations
- support and education provided to small and medium businesses across Australia
- regular threat intelligence exchange sessions for industry and government.
While the COVID-19 pandemic has meant that the JCSCs have been unable to host in-person events and collaboration for much of the final quarter of the reporting period, the ACSC has pivoted to providing events virtually. Between 1 April and 30 June, the JCSC ran 19 virtual events for partners across videoconference and Slack. Events have ranged from smaller discussion groups for partners on areas of specific relevance, such as videoconferencing security, to larger discussions on the general threat environment facing partners, and a question and answer session with ACSC incident response experts to discuss the ACSC’s ‘Copy Paste’ Advisory.
Cyber security threats and incidents continue to traverse international borders and impact Australia’s domestic and offshore interests. The ACSC maintains strong international relationships with global cyber security counterparts in order to share information, mitigate incidents and enhance Australia's cyber security resilience.
The ACSC participates in numerous international engagement and capacity-building activities, to build our collective resilience to cyber security threats and, ultimately, advance Australia's national cyber security objectives. During 2019–20, these included the following:
- The Asia Pacific Computer Emergency Response Team (APCERT) is a community of Computer Emergency Response Teams and Computer Security Incident Response Teams dedicated to encouraging and supporting cyber security cooperation in the Asia-Pacific region. APCERT has an operational focus, with objectives to help create a safe and reliable cyberspace in the Asia-Pacific through global collaboration. The APCERT community continues to collectively detect, prevent and mitigate malicious cyber activity through the sharing of threat information, working-group activities, training and drills. In 2019–20, the ACSC concluded its fourth and final term as Chair of the APCERT Steering Committee, but remained an APCERT Steering Committee Member. ACSC’s sponsorship of CERT Tonga for APCERT Operational Membership demonstrates its proactive support of partners in international forums.
- The Pacific Cyber Security Operational Network (PaCSON) is designed to facilitate cooperation and collaboration across the Pacific to strengthen the region's cyber security posture. PaCSON provides a working-level network of cyber security incident response professionals in the Pacific - its members are the people responsible for their respective governments' responses to cyber security incidents. In 2020, COVID-19 impacted planned face-to-face events including a cyber security information exchange, an annual general meeting and a series of technical and strategic workshops. In response, the ACSC - in collaboration with PaCSON Members - transitioned PaCSON activities further online.