Defence is at “significant risk” from cyber insider threats, the department’s incoming brief to the Albanese government says.
That could include malicious, disgruntled or merely duped employees accessing Defence’s systems and threatening their security.
“Malicious cyber activity continues to grow in sophistication and scale,” the brief warned the new defence minister, Richard Marles.
One of Australia’s top cybersecurity experts says the pandemic has worsened the risk of insider threats, with more employees unhappy with their work lives and therefore likely to seek revenge.
Paul Haskell-Dowland, a professor of cybersecurity practice at Edith Cowan University, said working remotely and alone could also make it easier for employees to make mistakes that render systems vulnerable.
Malicious insiders, according to the Australian Cyber Security Centre (ACSC), could be “employees, former employees, contractors or business associates who have legitimate access to your systems and data, but use that access to destroy data, steal data, or sabotage your systems”.
Their reasons might include “revenge, coercion, ideology, ego or seeking financial gain through intellectual property theft or espionage”.
The incoming brief, released to Guardian Australian under freedom of information laws, said Defence “provides proactive monitoring services to detect insider threats that pose a significant risk to [Australian defence force] operations and defence business”.
“This includes investigative support to address both malicious and inappropriate use of defence ICT that threatens the security of defence systems.”
Haskell-Dowland said through Covid, and the so-called great resignation, there were people who realised there was more to life than work.
“In some cases, they may well feel they haven’t been supported in their employment by their employer,” he said.
“They may feel they’re forced to return to the office … there’s almost certainly going to be examples over the next few years, individuals who take actions as a result of their disgruntlement. In the military … that will be particularly problematic.”
Any “sufficiently unhappy individual” could cause damage by stealing data, potentially to sell on, or by destroying it, Haskell-Dowland said.
Small to medium businesses might be more at risk because they have not got the cybersecurity infrastructure of a bigger business – and many SMEs are in the supply chains for major defence projects.
Working from home could also add to the threat if people’s home systems don’t have good enough security, or if they’re more reluctant to check the veracity of a link before clicking on it.
Even accidentally deleting the wrong files could be as damaging as a ransomware attack, Haskell-Dowland said.
Happy staff less likely to cause harm, ACSC says
The ACSC says businesses should restrict access to sensitive information, create backups and require strong passwords and multi-factor authentication.
Employees should have their access removed straight away when they left.
And a better business culture can mitigate the threat, the ACSC says.
“The more integrity and transparency you have in your work environment, the harder it is to act dishonestly,” it says.
“Additionally, happy, valued and challenged staff members are less likely to act to harm your organisation.”
The defence brief also warned of the impact workforce shortages could have on defence projects, and the impact of climate change on national security.