Australian hospitals have been warned they could be forced to pay ransoms to criminals to keep patients safe as the cyber security threat escalates in the aftermath of "wake-up call" attacks.
Key points:
- One expert says ignoring the risk is "probably a little bit delusional"
- A joint cybercrime operation led by federal police and Australian Signals Directorate has been formed
- Organisations have been urged to take out cyber security insurance
The troubling warning is high on the list of predictions offered by cyber security experts heading into 2023 and in the wake of unprecedented hacks affecting millions of Medibank and Optus customers.
Global firm Palo Alto Networks suggests it is time hospitals, government services and businesses start discussing whether they would pay a ransom and how much they would fork out.
"What are your crown jewels and if someone wants to get access to that, how much is it worth to you?" says regional chief security officer Sean Duca.
"You've got people sitting mid-operation on an operating table and the systems around them can't actually work, do we just let the individual die because we don't want to pay the ransom?"
While Australians are increasingly aware of the consequences of cybercrime, there's not enough focus on its potential to cripple systems, Mr Duca warns.
As for organisations that refuse to believe they will be targeted: "It's a foreseeable event … and you're probably a little bit delusional."
'It's just the beginning'
Edith Cowan University senior computing and security lecturer Mohiuddin Ahmed shares the sentiment.
He not only predicts a rise in threats over the next year, he anticipates more attempts targeting Australia's critical infrastructure, with "highly digitised" hospital systems among the potential casualties.
It is "just the beginning" for cyber attempts and attacks, Dr Ahmed warns.
The recent Medibank and Optus hacks may drive criminals to consider where Australia has other vulnerabilities.
"We use lots of internet-connected healthcare devices and if those devices are hacked and remotely compromised by these cyber criminals, we'll be left in a situation where we have to pay ransom, otherwise people's lives will be at stake," he said.
"Imagine that for senior citizens using pacemakers or any other embedded or implanted devices.
"Who knows, if we do not pay attention, if we do not follow cyber hygiene, things [may] go catastrophic."
International hackers are preying on Australia partly because of its wealth and partly because it has been rendered vulnerable by the COVID pandemic, cost-of-living pressures and natural disasters including floods, Dr Ahmed says.
Cyber security researcher Mamoun Alazab likens cybercrime to a battlefield, saying it is a matter of when — not if — Australia will see data leaks affecting more people than in the Medibank and Optus hacks.
The associate professor of information technology at Charles Darwin University predicts greater government organisation in cyber warfare as it becomes part of national security.
Cyber Security Minister Clare O'Neil last month announced a 100-strong standing cybercrime operation led by federal police and Australian Signals Directorate.
Cyber attacks are expected to double in Australia within five years and the country will also experience a shortage of 3,000 highly skilled cyber security workers by 2026, according to a national plan.
Dr Alazab cautions that publicly announcing the new operation could goad criminals into further attacks.
"We focus so much on [Australia's] offensive operation — we need to focus on the defensive operation," he said.
"We are encouraging other … criminal groups to get together to prove us wrong, to cause more embarrassment."
$42b cost 'tip of the iceberg'
Australia needs to significantly scale up its cyber security investment to keep pace with crime, Dr Alazab suggests.
He points to the $42 billion cost of cyber incidents to Australian businesses in 2021, saying it was just "the tip of the iceberg".
"Did we invest 10 per cent of that in security? No, we did not," he said.
Dr Alazab predicts more individuals and enterprises will be targeted and "botnets" — a collection of hijacked computers used to launch attacks without their owners' knowledge — will become larger.
Australia could also see the arrival of what Dr Ahmed calls "ransomware 3.0", whereby cyber criminals do not bother immediately announcing they've hacked a system — instead, taking the time to identify and exfiltrate sensitive data.
Then they can suddenly strike, for example by rerouting Centrelink payments from their legitimate recipients into the criminals' own bank accounts, before demanding a ransom to restore the legitimate data.
"It might happen in 2023 but again, I hope it doesn't," Dr Ahmed said.
The experts say hope is not lost when it comes to Australians defending themselves against attack.
Dr Alazab says Australia needs to have a collective approach towards cyber security, building a strong public-private partnership and bolstering the workforce by filling the education gap.
He suggests small and medium organisations can also turn to resources like the Australian Cyber Security Centre's Exercise in a Box, which guides users through cyber security exercises.
All Australian organisations should also have cyber security insurance moving forward, Dr Ahmed says.
"This Medibank and Optus breach is the perfect wake-up call for everyday Australians and, more importantly, for the critical infrastructure, the government agencies and the private sector."