Rapid developments in quantum computing could soon compromise encrypted Australian government data, a cyber security policy assessment has concluded, while warning that cybercriminals are targeting critical supply chains and running rings around “highly vulnerable” small businesses and citizens.

Despite years of trying to increase awareness around the steadily worsening impact of cybercriminal attacks, the Cyber Security Industry Advisory Committee (CSIAC) Annual Report 2021 warned, “there is a large segment that is not aware of how, or where to find information to mitigate these risks.”

“Evidence suggests that while Australian individuals and SMEs are improving their cyber resilience, they still remain highly vulnerable to cybercrime at a time when cybercriminals are becoming increasingly sophisticated.”

The report – which evaluates changes in the cyber security climate and the government’s progress in following the Cyber Security Strategy 2020 it released last August – is the first formal assessment of the government’s multi-pronged $1.6 billion cyber security investment, which includes support such as skills grants, jobs creation, SME-focused programs, and more.

Yet for all the money the government is spending, Telstra CEO and CSIAC chair Andy Penn said in a National Press Club address releasing the report, the past year or so had seen the cyber security climate becoming “complex and layered” – as high-profile ransomware attacks on the likes of Colonial Pipeline and meat processor JBS had clearly illustrated.

“Abundant and better resourced cyber criminals, cyber activists, and increasingly emboldened nation-state actors, means that Australia and Australians are quite literally under constant cyber attack,” Penn said, adding that “the growing focus on high-profile targets does not mean small-scale targets are any safer.”

Telstra had been working with the Australian government to monitor the country’s COVID-19 vaccine supply chain for threats, Penn said, noting that “all supply chains are important, but perhaps none more so currently than the COVID vaccine supply chain, which stretches around the world.”

He wouldn’t be drawn on the details of any attacks that had been observed targeting Australia’s vaccine supply chain – noting that “there’s malicious activity around [healthcare] organisations all the time” – but said the company was “very, very attuned” to the possibility of live attacks.

However, he added, despite the proliferation of high-profile targets “many criminal gang groups are still very actively targeting unsecured individuals and [SMEs]…. Meeting this challenge means that our cyber defences have to be strong, adaptive, and built around a framework that is co-ordinated, integrated, and highly capable.”

Sharpening the government’s cyber focus

The report of the CSIAC – comprised of 10 security, telecommunications, defence and other experts – recommends nine key focus areas as the government’s cyber security uplift moves into its second year.

Significantly, in noting that hybrid and remote working “are likely to be a more permanent feature”, the CSIAC recommended that “cyber security literacy and training should be built into standard work practices, taking into consideration remote working in the same way that Workplace Health and Safety has now become a shared responsibility by individuals.”

Other key recommendations address a broad spectrum of issues, including increased visibility of cryptocurrency transactions; better monitoring and tracking of cyber security maturity; better collaboration with international partners; a higher profile for the government’s Joint Cyber Security Centres (JCSCs); better engagement with the Best Practice Regulation Taskforce; and more.

The report “is a significant step in tackling the evolving cyber security requirements that are key to protecting Australia’s national security and underpins our future economic prosperity,” PwC Australia trust and risk business leader Corinne Best said, lauding the government’s efforts to engage with industry “to work together to protect all Australians from cyber security threats and to strengthen Australia’s cyber resilience”.

Such collaboration will become even more important in the future as technology continues to rapidly evolve and challenge existing security models, Penn said.

For all of the committee’s recommendations about improving cyber resilience now, he advised, government bodies “need to have an eye on the role of supercomputing, advanced algorithms and AI… [to] crack the encryption codes and keys that we currently use to protect sensitive data, including financial data, the world over.”

Noting that quantum computers “will deliver dramatic advances in computational power [and] enable once unsolvable problems to be solved”, Penn said the risk that they will be used to “challenge the cryptographic algorithms that we currently use” – experts predict the so-called ‘Q Day’ could come anywhere from 5 to 15 years from now – required the government “to start thinking about that right now”.

“We need to fully understand the level of disruption they may be bringing,” he said. “I believe this is one of the most significant threats in the longer term.”