12 July 2023

The ‘nightmare’ cybersecurity scenario being war gamed by government

Matthew Knott

One of Sydney Airport’s main terminals has descended into chaos. New high-tech scanners that were supposed to speed up check-in times have stopped working. It turns out a malicious cyber actor has infiltrated the system. No passengers can be screened for flights without manual intervention.

The problem begins to metastasise. Soon after the airport reports the incident to the federal government, a major airline’s check-in software starts malfunctioning. Cybersecurity experts discover a ransom note from a hacker claiming responsibility for the attack and demanding payment. Unless they get the cash, the hacker threatens that things will keep getting worse at the country’s busiest airport. Journalists are now clamouring for answers on what is clearly a major cybersecurity breach and the national security committee of cabinet wants a detailed briefing.

This incident has never occurred; it’s entirely fictional. But it’s the precise type of scenario the federal government fears could soon take place, and is preparing to respond to through a new series of cyber war games. The exercises began in April, when corporate leaders and regulators from the banking and finance sector gathered to examine how they would respond to a crippling cyberattack on one of Australia’s biggest banks.


Regulators, corporate leaders and police officers gathered at Sydney Airport for cyber exercises. Credit: Janie Barrett

The Sydney Morning Herald and The Age were granted exclusive access to the second war-gaming session, held last week in Sydney Airport’s corporate boardroom. Sitting around a horseshoe-shaped table were two dozen participants, with a handful of others dialling in remotely from across the country.

Among those participating in, or observing, the exercise were officials from the Department of Home Affairs, the Australian Cyber Security Centre and the National Emergency Management Agency. There were executives from Sydney Airport, Qantas Airways and Virgin Australia, along with Australian Federal Police officers and representatives from AirServices Australia, the government-owned organisation responsible for the safety of Australia’s skies. Air Vice-Marshal Darren Goldie, who has just taken up the role of the country’s first cybersecurity co-ordinator, was there to observe.

Home Affairs and Cyber Security Minister Clare O’Neil had flown in directly from a meeting in New Zealand with fellow ministers from the Five Eyes intelligence-sharing network. It wasn’t yet lunchtime, but she joked that she was onto her 12th coffee of the day. She likens the exercises to “hitting the gym”: the aim is to strengthen the muscles required to respond to a major cyber breach and smash the silos separating the private and public sectors.

While millions of Australians had their data breached in the past year in attacks on Optus, Medibank and Latitude Financial, O’Neil warns “the threat can actually be worse than what we’ve experienced”.

“We haven’t seen the sort of massive disruption to services that we all rely on,” she says.

“We need to think about and prepare for a cyberattack on one of our airports, a hostile actor tampering with our water supply, cyberattacks on the electricity grid that mean people can’t turn on the lights and appliances in their home. These are all realistic possibilities for the future.”

Hamish Hansford, deputy secretary of cyber and infrastructure security at the Department of Home Affairs, says the “nightmare scenario” the government is preparing for is a successful cyberattack that brings a piece of critical infrastructure to a halt. It could be a bank or an airport or a telecommunications network.

“Australia has never faced a catastrophic attack like that: something that shuts down a segment of society,” he says.

“When an incident like this happens in real life we need a plan in place that’s exercised rather than thinking it through for the first time.”

Facilitating the exercise was Joe Smith, a senior official at the Cyber and Infrastructure Security Centre, a government entity set up to protect Australian critical infrastructure assets.

“It might feel a little bit weird,” Smith warned the participants at the outset.

In reality, Sydney Airport is running smoothly. The vicious winds that disrupted flights before the school holidays had not yet arrived: from the glass windows in the corporate boardroom, you could see planes lifting off the tarmac for Suva and Santiago and London.

Over three hours, the participants were required to suspend their disbelief and imagine the airport had been brought to a standstill.

The exercises are not highly technical: the question is how human beings would respond when something goes wrong. Who would manage logistics if hundreds of people become stranded at the airport? How would the airport communicate with the public? How would airline staff co-ordinate with government officials?

“Once you start to think about how the event cascades, it takes you into places that you wouldn’t have expected,” O’Neil says.

“If you think about an airport that can’t move people through it for a period of seven hours, you suddenly end up with literally hundreds of people at the airport with nowhere to go – that’s a massive people management problem.”

An attack on a major Australian airport, she adds, would quickly have global consequences for the movement of food and other goods as well as people.

Jeffrey Choi, Qantas’s chief information security officer, says the airline is experiencing increasingly sophisticated attempts by hackers to steal data or cause disruption.

“Running an exercise where key players come together, including government, is a great way to test the systems and protocols that we’ve often developed separately,” he says.

In the hypothetical world of the cyber war game, the disruption to check-in systems lasts for six hours while it takes between a day and two days for the screening issues to be resolved.

While O’Neil hopes such an event never takes place, she says businesses, government agencies and the public need to prepare for the worst.

“This program will be a permanent feature of our cybersecurity and national security program so that when we do have the inevitable cyberattack which causes much more widespread damage, we’re going to be able to manage it much more easily,” she says.
