How the Australian government is helping you fight data breaches

There has been a dramatic increase in data breaches in the past few months as hackers have taken advantage of the COVID-19 pandemic. Australia’s government is doing its part through a series of initiatives, including the Notifiable Data Breaches (NDB) scheme, a revision to its cyber security strategy, and funding of security education in universities.

In a recent threat update by the Australian Cyber Security Centre (ACSC), Australians were asked to be especially careful when opening coronavirus-themed emails and text messages because malicious cyber actors are exploiting people’s fears and searches for up-to-date information.

Australians are currently being targeted by a wide variety of phishing schemes, most designed to steal sensitive, personal information or to install malicious software on the user’s connected device. However, looking at the figures going back to July 2019, Australians had become a hacking favorite even before the pandemic struck. Between July and December 2019, the Office of the Australian Information Commissioner (OAIC) logged a 19 percent increase in the number of data breaches compared to the first six months of 2019. One in three breaches could be traced back to compromised login credentials.

Data breaches and the NDB notification rules

While Australia’s digital infrastructure is mainly owned by the private sector, its cyber security is a shared responsibility between government and industry. The government’s well-established NDB scheme gives clear guidelines in the event that data breaches should occur and have uncovered almost 1,000 data breaches during its first year, pushing both the government and the private sector to take a proactive cyber defense stance.

Australia’s NDB Scheme is regulated by law and clearly defines the mandatory notifications and control requirements around data breaches. Australia’s definition of a data breach includes any unauthorized disclosure or access to sensitive personal information.

As such, any attack that leads to access of phone numbers, banking information or medical data (even if it doesn’t exfiltrate the data) needs to be reported. The NDB scheme’s privacy amendments do provide for turnover and harm thresholds, very much in line with the US harm thresholds as well as the European Union’s GDPR data breach guidelines.

In line with the NDB scheme’s rules, an organization must alert the Australian authorities as soon as it becomes aware of a harmful breach event. The breach details, type of and amount of data accessed, and the steps those affected need to take must be provided in each report.

Should an organization fail to report data breaches on two or more occasions, the OAIC may seek a civil penalty of up to $2.1 million against the organization. That may sound severe, given that many organizations are unaware of their server or online vulnerabilities, but the remediation exceptions do give the covered entities some breathing room.

If the breached organization can show actions taken on their part involving the unauthorized disclosure or access before it resulted in serious harm, they do not need to report it. As such, many Australian organizations have adapted refined and highly structured threat modeling processes to identify, quantify and prioritize any cyber threats.

Many organizations have come to rely on alerting systems to ensure any network anomalies are picked up to stop breaches before too much harm can be done. These alerts can take many forms, but when it comes to data breaches, many configure their email environment in such a way that no emails can be automatically forwarded to external email addresses. Alerts may also be set up in such a way that it may trigger scripts to disable all accounts in order to prevent harmful behaviour.

Australia’s NDB scheme effectively acts as the public’s alerting system.

Consumer protections can undermine NDB

Whilst the NDB scheme appears to provide a rigorous model for tracking and reporting data breaches in Australia, this system does not exist in isolation, and other pieces of legislation in the country could undermine its efficacy.

Analysts have long noted that the Australian government is taking a problematic approach to data privacy. Whilst the NDB aims to protect consumers from the poor security practices implemented by the companies that collect their data, other laws in the country seem to actively undermine the right to privacy. Much of this criticism has been targeted at the recent passing of a bill that aims to prevent the use of strong encryption. The Australian government has claimed that national security can only be ensured as long as the government has access to user data, and this means that tech companies must build back doors into their encryption schemes that allow them to be decrypted.

>Even if this provision is used responsibly by the Australian government, it creates huge problems for data security. Even a basic understanding of how that encryption works is enough to show why this is the case: There is no back door that can be used by the government whilst not simultaneously being open to exploitation by hackers (or, in fact, other governments). Whilst the NDB therefore provides information to Australians on when and where their data has been made public, other aspects of their government’s approach could lead to such data breaches becoming more common.

What’s next for Australian government cyber security strategy

The Australian government is currently developing its 2020 Cyber Security Strategy that will serve as a successor to the 2016 Cyber Security Strategy. The new strategy will address the continuing rise of IoT devices and its influence on network security, smart or connected cities, the establishment of 5G networks as well as the threats that may arise due to our increasingly connected world.

The Cyber Security Strategy is also focused on their initiatives aimed at addressing critical skill-shortages. The Academic Centres of Cyber Security Excellence (ACCSE) encourages students to follow careers in cyber safety and other security-related industries. The program gives recognition to those universities that demonstrate high-level cyber security education and training proficiencies, and it will provide $1.9 million in government funding to universities to establish and develop ACCSE programs.