Australia's cyber security watch room is monitoring threats 24/7. Here's what it's like inside

Posted by AngelaWong, 10-07-2020

For a dedicated few, keeping Australia safe online starts in the early hours of the morning. That's when the day shift starts for analysts in the Australian Cyber Security Centre's 24/7 watch room.

Their Canberra headquarters looks like any other nondescript government building but, a few steps inside the lobby, a lattice made up of zeros and ones provides a clue as to what's going on inside.

Now more than ever, Australians are living their lives online. And every connection for work, school or leisure creates a new vulnerability.

Prime Minister Scott Morrison's unusual press conference in June declaring that Australia was under sustained attack came after months of warnings that the COVID-19 pandemic was providing a valuable opportunity for criminals.

If a determined attacker did try to turn the lights out in Sydney, or tie up a hospital's files with ransomware, the watch room team in the ACSC should be among the first to know.

"To the extent that we can … help Australians lift their defences, the better they are in terms of surviving the attempts of those that are trying to do them harm."

 
The Australian Cyber Security Centre is located within the nation's intelligence agency, the Australian Signals Directorate. (ABC News: Mark Moore)

One call every 10 minutes

Based in the Australian Signals Directorate, the country's intelligence and security agency, the ACSC was set up in 2014 and leads Government efforts to improve Australia's security online.

In the watch room, someone is always on deck — but we can't tell you their names or show you their faces.

Five teams work an unusual schedule of shifts: two days, two nights, and then a few days off. And there's an order to things. A handover in the early hours of the day, a daily briefing for the executive and continuous triaging of the incidents that come their way.

They try to keep on top of all the ways Australians may be targeted online, as well as working with staff from the Australian Federal Police and the Australian Criminal Intelligence Commission.

Their information may come from public sources like online forums following the activities of hackers and criminal groups, from the briefings of security partners overseas, or calls from local businesses to the hotline.

All this allows the team to make "the best picture that they possibly can", Ms Bradshaw said, of cyber-criminal tradecraft and tactics, as well as spotting where vulnerabilities may emerge across industries and the country.

Overall, the team handles hundreds of daily communications from partners and industry, as well as a new cybercrime report every 10 minutes on average.

And each day, the centre identifies and responds to multiple security incidents.

That could be reports of scanning and reconnaissance activity, when attackers look for unguarded ways to access a network, such as passwords that have never changed from the factory setting.

Then there could be phishing activity — emails or text messages that encourage people to click a link or open an attachment, allowing an attacker to get their first foothold on the network.

The COVID-19 threat

The COVID-19 pandemic has been a busy time for the ACSC. The past few months have been marked by an uptick in cybercrime, and even warnings from the Australian Government directed at nations who were using the upheaval to hack healthcare companies.

The massive, nationwide shift to working from home brought new security challenges. Fear and confusion also offered an opportunity to exploit.

It was in late March and early April that analysts started to spot COVID-19-themed websites designed to support phishing campaigns, seeking to steal personal details or install malware.

Commander Chris Goldsmid oversees cybercrime operations with the Australian Federal Police. (ABC News: Mark Moore)

"We've seen COVID-19-themed phishing campaigns trying to attract people to click a link related to … government stimulus measures [and] COVID-19 testing," said Commander Chris Goldsmid, who leads cybercrime operations for the AFP.

In response, the ACSC identified IP addresses associated with the scam websites and handed them over to law enforcement. They also asked telecommunication companies to block certain IP addresses as they popped up.

Coronavirus-related scams appear to have tailed off somewhat for now. But before COVID-19, it was bushfire scams. And next month, it will be something else.

Attribution — identifying the attacker — is notoriously complicated by the fact that both criminals and nation states often use the same tools.

And it all goes on and on because, in the words of one watch room officer, "people keep clicking the link".

Bringing Australia's cybersecurity up to scratch

While the watch room tries to keep on top of online threats, Australia's overall preparedness for malicious internet activity or even cyberwarfare is hotly debated.

"There's a constant game or constant pattern of attack, defend, attack, defend," said Lesley Seebeck, chief executive of the Cyber Institute at the Australian National University.

In her view, we must ensure cybersecurity does not become defined as only a question of national security, but also one of protecting civilians and business.

"We need to be able to give people, individuals, the tools they need to look after themselves," she said.

A Department of Defence review, recently obtained by the ABC, suggested Australia was unprepared for cyberwarfare, among other threats. And regular audits of the cybersecurity preparedness of government departments show they need improvement.

In fact, the Commonwealth Cyber Security Posture in 2019 report, prepared by the ACSC, found that most Commonwealth entities had only "ad hoc" or "developing" compliance with the government cybersecurity mitigation framework.

In the Australian Cyber Security Centre, analysts war game out attacks on a town's infrastructure. (ABC News: Mark Moore)

Australia's new and much-anticipated four-year cyber security strategy is overdue, but the Government recently announced $1.35 billion in funding allocation to beef up Australia's online security, including $470 million for 500 new jobs at the Australian Signals Directorate.

But given Australia's skill shortage in this area, Peter Coroneos, international vice president of Cybersecurity Advisors Network, assessed that goal as "very difficult".

"Where do you pull 500 cyber experts out of nowhere?" he asked.

Ms Bradshaw acknowledged that getting these new employees through the door is one of her biggest challenges.

"You might be part of a team that's pulling apart a piece of ransomware," she said.

"Or you might be a person that's preparing really practical advice for … people at home just trying to get on with their lives online."

 

More Information

Source: https://www.abc.net.au/news/science/2020-07-10/inside-the-australian-cyber-security-centre-watch-room/12430904