The Australian Government has recently announced that they will establish a $3.8 billion fund in order to grow Australia’s defence export industry. The intent of the push for Defence Industry is in part, part of the Government’s overall Innovation push and ideally this should see Australian business continue to innovate and expand within the Defence industry. This will lead to greater exposure internationally of Australian businesses. This sounds great for Australian business, however as history demonstrates this presents some risks and if you’re in Cyber Security this sounds great (or bad, depending on your perspective).
The History
The Australian Defence Organisation is a secured organisation (as you would expect), however with increased reliance on contractors and outside support this has resulted in a reduced security footprint. These typically smaller Australian businesses that may contract to the larger defence orientated companies present the most risk in a Cyber sense. This is specific to the Defence industry as well, it makes sense, the larger companies have the most to lose, but they also have greater means to spend on security. The smaller you get the more likely you are to have a business with the lone IT worker trying to keep the lights on who isnt that concerned with security.
History proves this to be true. The Australian Cyber Security Centre 2017 Threat Report highlights the threats to out-sourcing and the supply chain where adversaries will target third party organisations with weaker security as their main target has a greater level of security. The ACSC Report also details of an attack on a Defence contractor in 2016 in which restricted technical information on the F-35 Joint Strike Fighter, P-8 Poseidon, C-130, Joint Direct Attack Munition (JDAM) and ‘a few naval vessels’ was stolen by an APT that has now become known as ‘Alf’. The report detailed the business as ‘A small Australian company with contracting links to national security projects’ and that the attacker has sustained to the network for an extended period of time.
Another Australian company - Codan specialise in the development of radio equipment and metal detectors tailored for the Defence market. However, in 2013 the company detailed how they were attacked in a 4 Corners episode how they were compromised via a Chinese attacker known as APT 3. In this attack the intent was to steal Intellectual Property in the form of schematics and diagrams for Codan’s metal detectors. The attacks stole the plans and commenced producing a cheaper version of the product which resulted in a loss of revenue for Codan.
The Threat
The two historical exams provided highlight the two Cyber Security risks to Defence Industry. The first example highlights to risk to national security with the use of contractors and out-sourcing. These organisations are trusted with this information in order to perform their functions for the Department of Defence, therefore the need for sound Cyber Security practices is critical.
The second example addresses stolen intellectual property and the risk this presents to Australian businesses as they look to innovate to compete on a global stage as part of the Australian Government’s Defence Industry boom. Stolen intellectual property will result in a reduction of revenue for these businesses and this in turn is not good for the Government, the security of Australia and its prosperity.
The Cyber Security Boom?
To add to this mix, The Australian Government is introducing mandatory data breach reporting from 22 February 2018. Whilst this scheme is only for personal information, I expect the introduction of the scheme and the increased media reporting on the issue will result in increased reporting of all breaches and hopefully an increased awareness of security in general.
Mandatory reporting will generate a significant amount of media coverage (like breaches do at the moment) and will increased reporting will being increased media, this will hopefully lead to increased awareness but what it will do his increase the profile and the need for Cyber Security professionals. So, perhaps along the the Defence Boom we will see a Cyber Industry Boom as well?
Conclusion
At the end of the day, Security is a sliding scale not some binary entity. It relies on the business or organisation to conduct a cost benefit analysis to determine how secure they want to be and what they can afford to lose. The greater push for Australian businesses to innovate and compete on a global scale within the Defence Industry will increase their threat level, and history proves that Defence contractors and smaller innovators are prime targets for APTs. To help mitigate these risks, perhaps Australian Businesses should look to utilise the Governments $3.8 billion fund to help secure their IT infrastructure along with advancing their innovative business goals.