ASIO Director-General, Michael Burgess, has warned that espionage and interference have become an even greater concern than terrorism, and companies are not doing enough to defend against cyber threats.
“I find it infuriating when companies say they were done over by an adversary so powerful there was no way to defend against it,” the top spy said in the annual threat assessment address last night.
“Certainly, in the cyber field, the overwhelming majority of compromises are foreseeable and avoidable.”
Burgess flagged that the agency will take a “more proactive approach to our security advice and engagement.” This comes on the back of the critical infrastructure bill passed last year, which increased the government's ability to intervene when a company responsible for critical infrastructure is under threat.
The bill expanded the industries considered responsible for critical infrastructure from four to 22 asset classes. They range from data storage to higher education.
The bill requires companies to notify authorities of serious incidents within 12 hours and permits the government to enforce external auditing of security systems or mandate that a company install a piece of software.
Burgess said the rapid transition to working, shopping and socialising online during the pandemic helped accelerate the emergence of online threats, and the last two years saw thousands of Australians with access to sensitive information, across private, government and academic sectors, targeted by foreign intelligence agents.
“On any of the popular social media or internet platforms, they [foreign spies] make seemingly innocuous approaches—such as job offers. This then progresses to direct messaging on different, encrypted platforms, or in-person meetings, before a recruitment pitch is made.”
Burgess said ASIO was even “tracking suspicious approaches on dating platforms such as Tinder, Bumble and Hinge.”
Hinge declined to comment when asked if they were aware of this threat. Tinder did not reply by time of publication.
A spokesperson for Bumble said, “we encourage any of our members who experience behaviour that makes them uncomfortable to use the block and report feature in the app to alert our team of moderators so they can take immediate action.”
Prashant Haldankar, chief information officer and co-founder of Sekuro, a cybersecurity and digital transformation consultancy firm, agreed with Burgess’s comment that many businesses could be investing more in security instead of treating it as an ‘afterthought’.
“Budgets, timelines and expenditure are still some of the aspects that organisations struggle with prioritising when it comes to cyber security activities and implementation.”
Haldankar said it remains to be seen how much of an impact the recently passed critical infrastructure bill will have on organisations, but they needed to be prepared for the government's more hands-on approach to cyber security.
“Organisations should be ready and assume legislation is switched on and make necessary arrangements to fulfil the reporting obligations.”
“In general, the biggest risk factor that needs to be looked at and organisations be prepared for includes legacy infrastructure that many critical infrastructure would work with (water, electricity, gas and ports) and the third parties/service providers risks.”
The head spy’s speech also mentioned ASIO’s goal to be more transparent, saying it would help shield the agency against smear claims it had been unable to confirm or deny, and help drive recruitment efforts.
In addition to espionage, Burgess also listed foreign interference and radicalisation as among ASIO’s chief concerns.
Burgess detailed how the agency thwarted a wealthy Australian resident who “did the bidding of offshore masters” and attempted to recruit electoral candidates “who either supported the interests of the foreign government or who were assessed as vulnerable to inducements and cultivation.”