Future cyber threats to cause more headaches than ‘Heartbleed’

Tomorrow’s hackers could shut down infrastructure and defraud public sector of billions according to a new report released by CSIRO at CeBIT’s Cyber Security Conference today.

  • 5 May 2014

Many of these future attacks could take advantage of vulnerabilities similar to “Heartbleed”, a major internet security flaw which allows attackers to gain access to encrypted passwords, credit card details, and other data on trusted websites including Facebook, Gmail, Instagram, and Pinterest.

Hackers could soon use similar holes in computer security to shut down energy grids, disrupt public services, and steal vast amounts of private data worth billions of dollars, unless institutions take measures today to ready themselves against future Heartbleed-like threats.

The ‘Heartbleed’ exploit discovered recently is one of the biggest security threats the internet has ever seen, affecting sites such as Facebook, Gmail, Instagram and Pinterest. It allows attackers to access passwords, credit card information and secure data that is usually encrypted on trusted websites. Hackers could soon use holes in computer security similar to ‘Heartbleed’ to shut down energy grids, disrupt public services, and steal vast amounts of private data worth billions of dollars, unless measures are taken now to prepare for such scenarios.

“Despite recently being ranked second in the Asia-Pacific region when it comes to cyber-security capabilities, we need to recognise that our increasing reliance on digital services leaves us potentially vulnerable at unprecedented scales,” said Mr James Deverell, Director, CSIRO Futures.

“The sheer complexity and interconnectedness of different elements of our digital economy means we can expect rapid exponential growth in the number, speed, and severity of breaches – far beyond what any single organisation can tackle on its own.”

CSIRO’s latest report, called Enabling Australia’s Digital Future: Cyber Security Trends and Implications, looks at how a far greater number of future online attackers – anyone from a disgruntled employee to organised cybercriminals – could cause widespread disruption and financial losses by hacking into Australia’s digital services and infrastructure, including public services like patient health records and taxation data.

The report suggests that the damage from these cyber threats could be immense, including using Heartbleed-like vulnerabilities to defraud the healthcare system of up to A$16bn by 2023; disabling energy grids at critical times, such as during heatwaves; and hacking public-sector databases to leak or sell confidential data – anything from individuals’ tax file numbers or patient records to sensitive national security and defence information.

“No system will ever be perfect, but we can prevent and minimise the impact of even extremely complex threats by approaching cyber security as a community.”

Professor Jay Guo, CSIRO Digital Productivity Flagship

“The more we rely on digital services for our basic needs like healthcare and energy, the more drastic the consequences of any breach may be,” said Mr Deverell.

“As we begin to develop and embrace these services, it’s in our national interest to ensure they’re designed with simplicity and transparency in mind from the very start.”

The report calls on businesses, public-sector organisations, and everyday Australians to:

  • Embrace more open disclosure and work together when a breach occurs;
  • Focus on simplifying digital systems, including designing “invisible” security measures that don’t hassle or slow down users;
  • Invest in new systems to verify and protect individuals’ digital identities from theft or fraud. For example, CSIRO is currently researching and developing digital identity frameworks for use throughout Australia and the European Union.

“As shown recently in the international response to the Heartbleed exploit, collaboration and open disclosure are essential when tackling threats that cross networks, industries, and national borders,” said Professor Jay Guo, Research Leader – Smart, Secure Infrastructure, CSIRO’s Digital Productivity Flagship.

“We need to dispel the fear of the consequences of disclosure – including those to brand reputation and shareholder value – that currently discourages Australian organisations from full openness about breaches, and share our resources and knowledge to devise more effective, timely cyber-security solutions.”

“Instead of being caught up in a digital arms race against increasingly intelligent threats, we need to design our cyber-security approaches to focus on people – anticipating their behaviours and taking advantage of their unique traits,” said Professor Guo.

James Deverell will be speaking at the CeBIT Cyber Security conference at 2.05pm at the Freshwater Room 1, Level 1 Novotel Sydney Olympic Park Olympic Boulevard (entrance on Herb Elliott Ave).

Media accreditation for CeBIT Conferences is available at CeBIT Australia - Media Pass.

Background: Overview of Cyber Security Future Scenarios

Enabling Australia’s Digital Future: Cyber Security Trends and Implications contains a series of three potential cyber-security scenarios for the future, covering the following sectors:

  • Energy: By 2025, the electricity grid is highly automated and use of “smart” digital meters is widespread. A disgruntled employee, operating alone, is able to tunnel into an unprotected part of the system and shut down the grid during a heatwave, causing major power outages across the country, lost earnings in the billions of dollars, and several suspected fatalities.
  • Healthcare: Digital services are now used widely throughout Australian healthcare, but security and compliance processes have struggled to keep up. By 2023, widespread fraud from both individual practitioners and cybercrime rings is costing the system up to A$16bn in fraudulent claims – equivalent to 10 per cent of Australia’s total healthcare spending. Some criminals are even hacking into sensitive patient records and charging hospitals “ransoms” of up to millions of dollars to get control back.
  • Government: When “hacktivists” – hackers motivated by ideological or political values – breach a set of classified Government records, an unknown third party uses the same method to steal large volumes of citizen data. The Government reacts by taking every impacted department offline – resulting in widespread public outcry at the disruption caused to trade and public services, in addition to fears about identity theft and exposure of individuals’ personal data.