Sunday, December 22, 2024

Customer data primed to be classified as critical infrastructure


Critical infrastructure providers regulated by Australia’s recently beefed-up cyber security laws, which let the government take control of companies and organisations that are under attack by hackers, could soon have their customer data roped in under the Security of Critical Infrastructure Act (SOCI).

In a move that could seriously challenge the lax customer data-protection practices rife across high-profile industries like the FinTech sector, which still depends on insecure screen scraping to onboard customers, one of Australia’s most senior infrastructure protection officials has revealed there is now live debate over using SOCI laws to protect customer information.

Speaking on a recent Policy, Guns and Money podcast from the Australian Strategic Policy Institute, deputy secretary of the Cyber and Infrastructure Security Group Hamish Hansford said his agency and stakeholders were now looking at the issue and what to do following a spate of ransomware attacks.

“The big question following from some of the cyber incidents last year, and it’s in the expert advisory board’s discussion paper, is do you look at customer data and the protection of customer data as part of critical infrastructure? So that’s a live discussion,” Hansford said.

“When you look at it internationally, Colonial Pipeline is a really good example about where an attack on the customer data actually led then to the shutdown of the pipeline. So there is some connectivity and some issues, but that is a live policy discussion.”

Running on empty

Hansford’s reference to the Colonial Pipeline incident — which shut down a key pressurised petroleum and jet fuel pipeline feeding the southeast US when ransomware hackers hit the company’s billing systems — is significant because it means authorities are looking further than the usual industrial SCADA-based systems or communications infrastructure.

Colonial Pipeline’s pumping systems were not hit by the attack; rather, its billing systems were, and the company stopped pumping because it couldn’t bill customers and would have lost money had it pumped fuel without being paid.

In the case of Medibank, Optus and Latitude, all three had sensitive customer data stolen or encrypted and then released, with minister for home affairs Clare O’Neil visibly frustrated by the levels of disclosure and cooperation coming from the besieged corporations.

Tellingly, while Hansford agreed the rationale for Colonial Pipeline’s shutdown was primarily commercial, he stressed there were other factors.

“I think there’s also a risk of lateral movement. So I think [it is] a bit more complex than maybe the media’s portrayed,” Hansford said.

Lateral to literal

Lateral movement refers to the ability of hackers to move around within systems they have penetrated and potentially take control of them. While ransomware actors typically look to lock and leak data to prompt payment, their primary mode of operation is extortion backed by a threat.

In the event ransoms are not paid, or are specifically banned under law, it is logical that hackers will look to other ways to prompt payment or cause damage, potentially shutting down infrastructure.

It is also significant that Australia’s policymakers have tacitly attributed many ransomware attacks to Russian-speaking actors or groups, with relations with Russia at a new low following the invasion of Ukraine.

Last week, the Australian Cyber Security Centre, part of the Australian Signals Directorate that has carriage of offensive cyber operations against foreign adversaries, issued a lengthy study on the tactics and techniques used by the Russian LockBit ransomware-as-a-service crew, whose victims have included Sydney’s Cross City Tunnel.

At the same time, banks and the Australian Competition and Consumer Commission are having kittens about the proliferation of scams duping people into transferring money for bogus purposes.

This industrialised, targeted and increasingly artificial intelligence-enabled spivving is fed by vast troves of personally identifiable information (PII) harvested through hacks, breaches and data spills where the liability flips from the merchant (think Amazon) to the consumer (you), disobliging institutions from pest control when their flyscreen fails.

Open data versus closed networks

One of the biggest questions arising from Hansford’s very necessary re-evaluation of the breadth and scope of the SOCI Act is its intersection with so-called Open Data, which started with Open Banking and is being extended to other sectors via the Consumer Data Right (CDR).

The product of technology-smitten lawyers fascinated by ‘network effects’, its basic premise is that vesting data ownership in the consumer empowers them to move their business around in a near-frictionless process that lets competitors pitch easily activated offers.

Make no mistake, it is an admirable model, indeed a highly efficient one if the diagrams are to be believed.

The reality is that banks attempting to lock down customer data from predators now have to tolerate dozens of fintech firms legally able to extract customer data via insecure screen scrapers, which require customers to share their bank account identity and log-in credentials with third parties, explicitly against the bank’s terms and conditions.

Better still, this breach of basic security practice (screen scraping works by harvesting account data once accounts can be interrogated via authorised access) creates a whole new attack and distribution vector, one that has been ruthlessly weaponised in the UK.

One of the joys of government is that elections allow those assuming power to disown the mistakes of their predecessors, even when there was no prior position held.

It is unclear how the dreamy Consumer Data Right of frictionless transactions coalesces, let alone interoperates, with SOCI, which looks like it is about to be broadened in terms of scope and compulsion, and with good reason.

When banks and payments schemes eschew responsibility for the safety of funds and transfer liability back to consumers, authorities get jittery, lest there be a major loss of confidence and a run on an institution.

Banks have not been hit by a massive breach but are likely to be in time. This is generally accepted. And it’s what Hansford is quietly sandbagging against.

Cleaning up the backyard before the cyclone

One thing Hansford is unapologetic about is being across the detail of his job; that is, quietly mapping the unknown vulnerabilities, looking for the unknown unknowns and preventing the proliferation of black swans.

Hansford makes no apology for digging around either — he understands he is a regulator, and takes this seriously.

“I think it’s an ongoing dialogue with industry, but I think the concept is, unless you know particularly what is critical and what you’re trying to protect, everything’s critical, and that’s not a good place for an Australian economy to be in, or any country,” Hansford said.

“So, it is granular, and we are building up a strong picture … particularly about interdependency and how the assets interrelate. I think that’s a really important thing for government and industry to focus on.”

If that sounds like a reality check, it’s probably because it is. And how’s Russia looking?
