The Australian Signals Directorate has revealed that over the last three financial years it responded to 1097 “cyber incidents” affecting both unclassified and classified government networks.
The ASD said its tally, for FY16, FY17 and FY18, includes those incidents that were “considered serious enough to warrant an operational response”.
The agency revealed the figures in an answer to questions on notice from an inquiry into the government’s digital delivery of services. Although the inquiry wrapped up its work last year, issuing a report in June 2018 that castigated the federal government for a series of ICT failures, the ASD submitted its answer to the committee last month.
Among the cases canvassed by the digital services inquiry was an illicit darkweb service that offered access to Medicare card details, which the inquiry’s report described as a security breach, security inadequacies at government agencies revealed by scrutiny from the Australian National Audit Office, and the distributed denial of service (DDoS) attacks that led to the Australian Bureau of Statistics pulling the 2016 Census site offline for a period. The ASD was one of the key agencies involved in the investigation of the Census debacle.
The ASD is not responsible for cyber security at all federal government agencies; however, it provides advice (through the Information Security Manual, for example), raises awareness, analyses threats, and leads the operational response to serious threats.
The ASD said it “does not have visibility of all Australian Government agencies’ physical or cyber security postures and does not track information relating to the numbers of physical security intrusion attempts”. However, the agency said its “visibility of the broader government cyber picture is informed by survey instruments, intelligence, communities of interest, monitoring programs, cyber incident reporting and follow up investigations.”
The ASD said its response to an incident is required if it “achieves any degree of success, which can have varying impacts from significant data exfiltration and degradation of the network through to no harm being realised”.
For example, a report published in 2016 by the Australian Cyber Security Centre (ACSC) — which is part of the ASD — offered details of a serious attack on Bureau of Meteorology systems and the ASD response.
Then prime minister Malcolm Turnbull in April 2016 first confirmed that the bureau had been subject to a “serious cyber intrusion”. In December 2015 reports of an attack against the agency first emerged.
The ACSC’s 2016 Threat Report revealed that the ASD in 2015 identified the presence of a strain of Remote Access Tool (RAT) malware that is understood to be popular with state-sponsored cyber adversaries. That RAT was also used to compromise other Australian government networks.
The ASD found evidence that of the intruder “searching for and copying an unknown quantity of documents from the Bureau’s network,” the ACSC report said.
The ASD said the nature of its response to the 1097 incidents had varied and “ranged from telephone conversations through to deployment of staff resources and tools to assist in mitigating the incident”.
The agency said that its data was not broken down by network classification or impact, and that to provide that level of detail to the committee would “require costly manual review of every incident”.