Skip to main content

Abigail Bradshaw CSC, Head of Australian Cyber Security Centre, interview with Fran Kelly on ABC Radio National, 31 March 2021.

FRAN KELLY: Well, Nine Media is recovering from what’s been described as quote “a significant and complex cyber attack”, that forced it to stop live broadcasts over the weekend and gave editors major headaches as they tried to get the newspapers published this week. The attack has again drawn attention to the risks of cyber security, with our major banks the latest to be warned it’s only a matter of time they’re hit with a major breach.

The Australian Cyber Security Centre is given the job of protecting the country from cyber threats. It’s been investigating the Nine hack and a separate attack targeting Parliament House last week as well. Abigail Bradshaw is the head of the Cyber Security Centre. Abigail Bradshaw, welcome to Breakfast.

ABIGAIL BRADSHAW: Good morning, Fran, thanks for having me.

FRAN KELLY: We know that Nine Media called you in to help respond to the hack it suffered, which has been described as a ransomware attack. How series was this incident?

ABIGAIL BRADSHAW: Well, Fran, firstly what I’d say is the great part about being in the Australian Cyber Security Centre is that we provide assistance and advice to all Australians, and part of that, the basis on which that assistance is provided, is that we do that in a non-judgemental and confidential way. So talking about specific entities before they’re ready to do so really undermines our business model, and it’s super important that we stay strictly in our assistance role.

FRAN KELLY: Sure, I understand that. But if quote the company’s Chief Information Technology Officer describing the attack as a significant, sophisticated and complex attack. I mean, were you surprised by the scale and sophistication of this attack?

ABIGAIL BRADSHAW: I would say that I agree with his assessment of that. But I would also say that it’s extremely early days. We’re talking about something that occurred on the weekend and it’s now Wednesday. And what some people might not understand is that unlike in the movies, when within a few key strokes and mouse clicks you might be able to determine and undo a complex cyber attack, the truth is that it takes a lot of people a lot of analysis. There’s a long process of inspecting logs and disk images and indicators of compromise. And our priority at the moment is to assist Channel Nine in the way that best suits them, to close out the vulnerability to ensure that any malicious actors are out of the system and to get them back up and running.

FRAN KELLY: Okay. So what kind of assistance can the Cyber Security Centre offer a company like Nine when this happens? Do you send in your technical experts to work in it? Is that what you do?

ABIGAIL BRADSHAW: We are very fortunate to have some of the best technical minds in Australia in the Cyber Security Centre and, of course, we are part of the Australian Signals Directorate, which means that we have awesome links with our Five Eyes partners and international counterparts. And that can be very useful in terms of understanding global trends, global bad actors, because, of course, cyber actors don’t operate on the basis of borders. Sometimes we can draw from their experience or our own when we’ve seen specific compromises or trade craft used before. And, as I said, our first priority is to try and work out how an actor got in to close that door and then to ensure that the actor is out. And that’s the sort of technical assistance that we would provide to any entity that came to the ACSC.

FRAN KELLY: And so in terms of how – and I know you can’t betray Nine media and their systems – but if it’s been described as Nine itself, and you’ve agreed, as significant, sophisticated and complex, then, you know, basically you’re saying these hackers were able to get in not just because of some sort of random password game they were playing, but something much more sophisticated than that? And does that suggest a state actor?

ABIGAIL BRADSHAW: Well, what I’d say is I’d go back to my point about it being early days and the need for that very careful forensic analysis. I think what we have seen is a large conflation of cyber attacks as if they’re all homogenous and they’re not. A variety of attacks that had recent media coverage involve a range of different vulnerabilities. So, for example, you had the Microsoft Exchange vulnerability. That was what we call a zero day vulnerability, which means a piece of software that has a vulnerability that no-one knew about, but provides access to a range of different actors that might be able to exploit it. And then in the case of ransomware there are multiple variants and there are multiple ways in which ransomware could be laid down on a system. So they include most commonly spearfishing, so an email which appears in our inbox and which might be disguised as coming from a trusted person which someone clicks on, or the use of an existing vulnerability or bug in a piece of software. So that’s the sort of analysis that normally goes on in a cyber incident in the first instance, to try and work out what method of entry was used.

FRAN KELLY: And you can’t tell us what method was used here?

ABIGAIL BRADSHAW: No.

FRAN KELLY: Okay.

ABIGAIL BRADSHAW: It’s very early days.

FRAN KELLY: When we talk about World Backup Day I’ll come back to some of this that you’ve just been speaking of. But are you ruling out that this was a state actor attack?

ABIGAIL BRADSHAW: At the moment, as I said, our entire focus is on trying to identify what the point of entry was, closing that down, ensuring the actor is out, and then getting the systems up and running again. Analysis on who did what is a much lower priority and actually, as I sort of went through those various ways and various vulnerabilities – you know, ransomware, zero day vulnerabilities – my experience – not my assessment, but my experience – is there are different actors which will use those particular methods.

FRAN KELLY: Okay. I think most of us perhaps aren’t as aware as we should be of how commonplace this is. I think your office says there’s roughly one attack every 10 minutes reported to your security centre. The head of Australia’s banking regulator, Wayne Byres, says it’s only a matter of time until an Australian bank, insurer or super fund suffers a major attack. ANZ says it’s been hit by up to 10 million attacks a month. I mean, how great do you put the risk facing our banks, and what could happen if one does see a major breach? Can you spell that out for us?

ABIGAIL BRADSHAW: Yeah, sure. So what I would say in a general sense is that there’s been a major uptick in the adoption of digital services by Australians, and that’s been amplified through the COVID pandemic as Australians have gone online to access services or information. And what that means is the consequence of that is a much larger threat surface as more of us place our information or are paying services online. And what that means is we’ve seen an increase in bad actors prosecuting digital means in order to obtain financial advantage or information. And certainly we saw that through COVID where there were specific criminal syndicates that were pivoting their businesses very quickly towards COVID-related services or advice.

In our threat report that we issued last year we reported that we’d looked at just over 2,000 cyber incidents that were reported to us – people coming to us for assistance – and around 60,000 reports of cyber crime. We’ve seen increasing reports of ransomware, so about 450 of those cyber crime reports were around ransomware attacks. And we’ve also seen, as played out in sort of the first quarter of this year, a number of sophisticated compromises such as the SolarWinds, which was a supply chain compromise of a cyber security provider, the Microsoft Exchange vulnerability which was, as I said, what we call a zero day vulnerability, and we saw the Accellion file transfer application which also had a vulnerability that was prosecuted by cyber criminals. So it’s undoubtedly complex and it’s changing all the time. That’s not just an Australian issue; it’s a global issue. We have the same conversations with Five Eyes and international partners.

In terms of the banks, we work really closely with the banks. They’re awesome partners in terms of really getting our cyber security advice out. And the fact that we collaborate closely and we have got those relationships means that I know that they’ve got a great understanding of what the risks are and the need for really good cyber security posture. And, of course, you’ve got the critical infrastructure and systems of national significance legislation moving – introduced into parliament last year, which its intent is to get that systematic increase across critical infrastructure providers to increase cyber resilience and cooperate with us.

FRAN KELLY: And that’s for the banks and the corporation. But that brings us back to today being World Backup Day, encouraging all of us to back up our data. Is that useful for keeping the attacks out, or simply because then you’ve got your data backed up, you might have a portable hard drive or something, so if you do get attacked it’s not a problem? And a lot of people contacting us as we speak to say, “How do you do that?”

ABIGAIL BRADSHAW: Sure. It’s a great question, and I hope you’ve all got balloons up in the office – we do for International Backup Day today. What the backup day is about is making sure that you’ve got a second copy of all your important files. So if you’re an individual, that means making sure that your family photos or your home videos, your documents and your emails are backed up somewhere. And if you’re a business that means having a second copy of your corporate files or your customer details or your ordering data.

So we have two priorities – the first is to prevent the malicious actor getting into your system, and the normal advice, very sound advice, that we give to people is to prevent access. You should do really simple things like have great passphrases, not simple passwords; put multi-factor access an all of your devices, and lock down the access to only those who need it.

Backups is about being resilient. It’s about making sure that if you are the victim of malicious cyber activity you’ve got the capacity to get yourself back up on your feet.

FRAN KELLY: And just on that, Abigail – because we’re almost out of time now – but just briefly, people are saying if it does happen, who do you contact? How do you get help?

ABIGAIL BRADSHAW: Well, you can always contact the Cyber Security Centre. We’re on cyber.gov.au. And you’ll find on there, your listeners can find great advice on how to do backups and where you might go. You know, it simply means placing another copy somewhere safe. It could be a USB, it could be a hard drive, it could be a separate server or a lot of people use the cloud these days.

FRAN KELLY: Okay.

ABIGAIL BRADSHAW: But cyber.gov.au is the place to go for advice. And if you are the victim of a cyber incident, 1300 CYBER1, and our 24/7 watch team will always be on the end of the line.

FRAN KELLY: All right. Look, thank you very much, Abigail Bradshaw.