Future cyber threats to cause more headaches than ‘Heartbleed’
Tomorrow’s hackers could shut down infrastructure and defraud public sector of billions according to a new report released by CSIRO at CeBIT’s Cyber Security Conference.
Many of these future attacks could take advantage of vulnerabilities similar to “Heartbleed”, a major internet security flaw which allows attackers to gain access to encrypted passwords, credit card details, and other data on trusted websites including Facebook, Gmail, Instagram, and Pinterest.
Hackers could soon use similar holes in computer security to shut down energy grids, disrupt public services, and steal vast amounts of private data worth billions of dollars, unless institutions take measures today to ready themselves against future Heartbleed-like threats.
The Heartbleed’ exploit discovered recently is one of the biggest security threats the internet has ever seen affecting sites such as Facebook, Gmail, Instagram and Pinterest. It allows attackers to access passwords, credit card information and secure data that is usually encrypted on trusted websites. Hackers could soon use holes in computer security similar to ‘Heartbleed’ to shut down energy grids, disrupt public services, and steal vast amounts of private data worth billions of dollars, unless measures are taken now to prepare for such scenarios.
“Despite recently being ranked second in the Asia-Pacific region when it comes to cyber-security capabilities, we need to recognise that our increasing reliance on digital services leaves us potentially vulnerable at unprecedented scales,” said Mr James Deverell, Director, CSIRO Futures.
“The sheer complexity and interconnectedness of different elements of our digital economy means we can expect rapid exponential growth in the number, speed, and severity of breaches – far beyond what any single organisation can tackle on its own.”
CSIRO’s latest report, called Enabling Australia’s Digital Future: Cyber Security Trends and Implications, looks at how a far greater number of future online attackers – anyone from a disgruntled employee to organised cybercriminals – could cause widespread disruption and financial losses by hacking into Australia’s digital services and infrastructure, including public services like patient health records and taxation data.
The report suggests that the damage from these cyber threats could be immense, including using Heartbleed-like vulnerabilities to defraud the healthcare system of up to A$16bn by 2023; disabling energy grids at critical times, such as during heatwaves; and hacking public-sector databases to leak or sell confidential data – anything from individuals’ tax file numbers or patient records to sensitive national security and defence information.
“The more we rely on digital services for our basic needs like healthcare and energy, the more drastic the consequences of any breach may be,” said Mr Deverell.
“As we begin to develop and embrace these services, it’s in our national interest to ensure they’re designed with simplicity and transparency in mind from the very start.”
The report calls on businesses, public-sector organisations, and everyday Australians to:
(1) Embrace more open disclosure and work together when a breach occurs;
(2) Focus on simplifying digital systems, including designing “invisible” security measures that don’t hassle or slow down users;
(3) Invest in new systems to verify and protect an individual’s digital identities from theft or fraud. For example CSIRO is currently researching and developing digital identity frameworks for use throughout Australia and the European Union.
“As shown recently in the international response to the Heartbleed exploit, collaboration and open disclosure are essential when tackling threats that cross networks, industries, and national borders,” said Professor Jay Guo, Research Leader– Smart, Secure Infrastructure, CSIRO’s Digital Productivity Flagship.
“We need to dispel the fear of the consequences of disclosure – including those to brand reputation and shareholder value – that currently discourages Australian organisations from full openness about breaches, and share our resources and knowledge to devise more effective, timely cyber-security solutions.”
“Instead of being caught up in a digital arms race against increasingly intelligent threats, we need to design our cyber-security approaches to focus on people – anticipating their behaviours and taking advantage of their unique traits,” said Professor Guo.
“No system will ever be perfect, but we can prevent and minimise the impact of even extremely complex threats by approaching cyber security as a community.”