MELBOURNE, Australia — The Australian government presented its annual cybersecurity report on Tuesday, revealing that one of its national security contractors had suffered a breach in which it lost a “significant amount of data” last year.
Included in the report was a case study that said the government’s cybersecurity team discovered that an attacker had compromised the network of a “small Australian company with contracting links to national security projects,” adding that the attacker was on the network for an “extended period of time.”
Though the report outlined the breach as a case study, Dan Tehan, a minister tasked with advising the prime minister on cybersecurity, did not divulge specifics to the local news media about who was affected or what data might have been compromised. “We don’t know and we cannot confirm exactly who the actor was,” he said Tuesday on ABC Radio.
The revelation of the security contractor’s breach, and the lack of detail surrounding it, comes at a time of increased concern over the government’s ability to protect citizens’ personal information — especially when accounting for third parties that have access to sensitive data.
Last week, Prime Minister Malcolm Turnbull introduced a far-reaching plan to collect Australians’ driver’s license photos and distribute them across security agencies, leaving open the possibility of sharing them with private companies. Privacy advocates criticized the plan as risky, with some pointing to a hacking attack on Australian census data last year, and the revelation this year that Australians’ Medicare card details were being sold on the web for less than 30 Australian dollars, or around $23.
Experts say that private industry has been one of the most glaring vulnerabilities in Australia’s cybersecurity. Tuesday’s report, the Australian Cyber Security Center Threat Report, noted that 734 private-sector systems of “national interest” were affected by cyberattacks last year.
“Certain companies take cybersecurity quite seriously,” said Alana Maurushat, academic co-director of the Cyberspace Law and Policy Center at the University of New South Wales in Sydney. “But you have key industries to Australia who — while there may not be the same media coverage — you know through internal sources are being breached. Our mining industry has notoriously been rumored to have been breached by competitors.”
Ms. Maurushat said that Australia as a whole was not far behind the rest of the developed world’s level of cybersecurity, but emphasized concerns about its private sector.
“The crazy thing about this is that they don’t even know that they’ve been breached,” she said. “There are certain breaches that occur, and there are studies on this, where sometimes someone would be on your system for almost a year, without the breach even being noticed. That’s the stuff that keeps me up at night.”
A cybersecurity report released this year by Telstra, the country’s dominant telecommunications company, said that 59 percent of surveyed companies in Australia had detected a security breach on at least a monthly basis. A similar number reported experiencing at least one ransomware attack. Over half of Australian organizations that came under such an attack paid the ransom, the report said.
Ms. Maurushat said that, in part, Australia’s private-sector cybersecurity was lacking because of an acute shortage of skilled workers.
The government report also noted “extensive” state-sponsored activity against Australia’s government, saying that its defense contractors continued to be targeted by foreign nations’ cyberespionage efforts.
At a news conference on Tuesday, Mr. Tehan said that the government was pivoting toward offensive capabilities to “prevent and shut down safe havens for offshore cybercriminals.”
Last year, the Australian government blamed foreign actors for an attack on its online census portal.
“The whole census thing — that’s an I.B.M. mistake,” Ms. Maurushat said, referring to the technology company’s contracting role in the census. “That’s not a government mistake, that’s an industry mistake, from a company you wouldn’t expect to make those errors.”
In a settlement over the census problems, I.B.M. paid the government about 30 million Australian dollars, or about $23 million.
Not unlike vaccines and herd immunity, Ms. Maurushat said, a government’s cybersecurity is only as strong as those it chooses to share its data with.
When asked whether Australia’s lagging digital infrastructure and poor internet speeds might have a detrimental effect on its security, Ms. Maurushat said that a beleaguered attempt to speed up Australia’s internet, the National Broadband Network initiative, may prove to be a silver lining.
“It’s the opposite,” she said, adding that hackers rely on fast internet speeds. “So in some ways, if the N.B.N. is a disaster, it might be better for us.”