Cybersecurity and National Security Strategies
- truandjust2011
- Aug 22, 2023
On Cyber Breach Incident at Medibank in 2022 affecting 9.7 million customers, Australia
Cybersecurity For Public Leadership Final Assignment
Online Course, Blavatnik School of Government
By Sonia Lim

Source: ( Frances Mao, 2022 )
Summary
In October 2022, cybercriminals illegally accessed the database of Medibank, one of the largest health insurance providers in Australia. They then demanded a ransom payment of $10 million USD from the organization and released sensitive information, including medical treatment information and other personal credentials. This led to various forms of cyber harm, from economic to reputational loss, and exposed up to 9.7 million current and former customers to high safety and privacy risks. This report discusses cybersecurity and national security strategies that can help improve Medibank’s position in tackling cyberthreats in the future.
Cyber Breach: Types of Cyber Harms Affecting Medibank
Economic Costs:
Legislation: In late 2022, the parliament passed legislation that fines businesses up to $50 million for repeated serious breaches in the interests of safeguarding civilians’ safety and health ( Taylor, 2022 ). Medibank can be liable for this.
Contravention of Privacy: Medibank can also be fined up to $2.2 million for each contravention of privacy in a cyber breach ( Taylor, 2022 ).
Compensation for Damages: Damages resulting from the data breach can cost Medibank from $20,000 to $50,000 ( Taylor, 2022 ). 480,000 Medibank customers’ data have been compromised: they are eligible for up to $50,000.
Ransomware Demands: The ransomware group demanded that Medibank make ransom payments of up to $10 million ( Janda and Ziffer, 2022 ).
Other Costs:
Privacy and Safety Risks of Customers: The ransomware group released sensitive data onto the dark web, which puts customer privacy and safety at risk ( Janda and Ziffer, 2022 ). Customers also become vulnerable to other cybercriminals who pick up their data on the dark web and use it to deploy double extortion practices such as selling fraudulent treatment and insurance services to them ( Kretser, Davidson and Mason, 2022 ).
Reputational Damage: The cyber breach incident will likely cause loss of confidence among customers, which can lead to economic costs for Medibank.
Strategic Cyber Harms:
Political Espionage: According to the Australian Cyber Security Centre ( 202 ), cybercriminals would steal information for political purposes, as Australia has been very involved in international partnerships and multilateral forums on a variety of issues with different countries. These kinds of theft are directed by hostile intelligence agencies to gain information about private/public networks, from technological and commercial information to military and personal information of individuals in the country. The stolen information can also be used to disrupt and destroy Australia’s essential service providers.
Threat Actors
Russian State Actors
The Australian Federal Police Commissioner Reece Kershaw named Russia as the source of the ransomware hacking group ( Taylor, 2022 ).
Russian hacking groups commonly target healthcare providers, clinical researchers as well as defence and government ( Taylor, 2022 ).
Sources of Russian State Actors ( ACSC, 2022 ).
Russian Government and Military Organizations
Russian Federal Security Service
Russian Foreign Intelligence Service
Russian General Staff Main Intelligence Directorate
Russian Ministry of Defence
Cybercriminal/Criminal Groups
The Australian Federal Police has stated that it will partner with Russian authorities through Interpol to protect targeted victims ( Taylor, 2022 ).
Non-traditional Combatants and Civilians
Australia: Attractive Cyber Target For Hostile States
Australia has been highly active in international forums and partnerships with allies like the US and the UK, making it an attractive target for rivals like Russia amidst the Russia-Ukraine conflict ( ACSC, 2022 ).
Australia also has the highest median wealth per adult in the world, which also makes it an attractive target for different threat actors: state actors, cybercriminal actors and non-traditional combatants/civilians ( ACSC, 2022 ).
In the case of Australia, ransomware groups target big industries that provide high-value and critical services to its civilian population ( ACSC, 2022 ).
The Australian Cyber Security Centre received around 76,000 reports in 2022, which is an increase of up to 13% from 2021 ( ACSC, 2022 ).
Most of the cyberattacks that happened have been attributed to online booking, shopping and business email compromise, with up to $98 million worth of financial losses in business email compromise ( ACSC, 2022 ). The average loss has also increased up to 14% compared to that in 2021.
Resources, Capabilities, Effectiveness and Approach
Australia has abundant resources to tackle cyberthreats. Overall, its government has continued to make vast investments to develop its cyber capabilities with substantial success. Its approach emphasizes the importance of integrating cyber operations as part of its national security agenda. It also highlights the importance of cooperation between government, non-government actors, businesses and civil society in effectively addressing cybersecurity issues. Australia has also been ranked No. 1 by MIT for making the most progress and commitment towards cybersecurity issues in 2023 ( Brangwin, 2023 ).
Government programs and initiatives have also been created to help guide, advise and form partnerships among businesses and organizations.
The Australian Cyber Security Centre is a governmental organization that addresses cybersecurity issues affecting Australian interests. It provides advice about how organizations and businesses can better defend themselves.
The Essential Eight Mitigation Framework is an example of a list of measures and strategies the ACSC provides to different organizations to help fight different types of cyberthreats ( ACSC, 2022 ).
The Department of Defence is positioned with the ACSC and hosts a computer emergency response team and an espionage branch to help solve cybercrimes ( Brangwin, 2023 ).
The department also collaborates with the policy expertise and technological crime unit from the Australian Criminal Intelligence Commission to address these issues.
Australia has made a $5 billion investment in the REDSPICE Program to upgrade its offensive capability to up to 3 times its current capability. It plans to strengthen this capability by blocking cyber attacks, equipping governments with offensive cyber strike capabilities and enhancing intelligence capabilities to help share information among organizations.
The investment involves training up to 1900 new technologists and intelligence experts in the area to defend Australia ( ACSC, 2022 ).
The Australian Protection Domain Name System helps protect government networks against malware, spyware, phishing attacks, viruses and malicious webpages ( ACSC, 2022 ). The system has dealt with 35 billion queries, blocked more than 24 million domain requests and involved 171 organizations ( ACSC, 2022 ).
Crown Jewels ( to protect ) at Medibank
The Crown Jewels at Medibank include:
Customer Data: Credentials ranging from email addresses and phone numbers to personal details about the type of insurance and medical treatment customers get need to be protected from being exploited by cybercriminals.
Operations Systems: Medibank’s applications, software, webpages and technological storage systems that are needed to initiate and place orders, record/store customer data, show information and facilitate payment plans need to be protected so that they function well and operate efficiently.
Staff Members: Medibank’s staff members, management, experts and stakeholders need to practice cybersafety at the workplace. They need to store and save information responsibly and know how to detect/avoid social engineering incidents that try to get information from them.
Insurance Products and Services: Trade secrets and sensitive product and service information need to be protected for business continuity.
Cybersecurity Maturity Stage
The cybersecurity maturity framework refers to the five distinct maturity stages that indicate to what extent the organization has optimized security systems and processes ( HNS Cybersecurity, 2020 ). When the ransomware group first gained access to its database, stole its credentials and contacted it to demand a ransom, Medibank seems to have been at stage 3. As a large insurance company that already has well-implemented technological systems that store and operate on 10 million customer credentials in its database, its management probably thought it was sufficient and ‘too strong’ for any cyber breach to happen to it. In addition, it could also indicate that cybersecurity is not one of the organization’s priorities that needs constant update/development.
That said, as the ransomware group progressed and released sensitive customer data on the dark net, Medibank came up with strong and resilient responses such as refusing to pay a ransom ( Taylor, 2022 ). Paying a ransom, while it has led organizations to regain control of their systems, gives no guarantee that further disruptions, attacks and leakage of data will not happen again. Medibank also used good strategies such as contacting and collaborating with Australian government cybersecurity and intelligence units to share technologies and knowledge about the attack and to encourage reporting ( Josh, 2022 ). It also provided advice and many support initiatives for customers whose data were compromised. It was also very transparent and fast in communicating with the public regarding what incidents happened when, what the cybercriminals were doing with the data and what Medibank had done about it. While this incident has put the organization to a test that exposed its weaknesses, its leadership has progressed and dealt with the incident in creative, holistic and strategic ways in response to the actions of the cybercriminals ( Stage 4-5 ).
Reforms/Cybersecurity Strategies Plan
Goals and Agenda
Medibank needs to prioritize cybersecurity as one of its most important agendas, as part of its overall business goals and as part of its daily tasks. Cybersecurity updates need to happen constantly at daily business meetings with a team of both technical and non-technical experts to help implement measures to prevent cyberthreats at all times.
Technical Capabilities
Medibank needs to ensure that the IT storage systems that store data on millions of customers are updated at all times. That way, cybercriminals cannot exploit weaknesses to gain unauthorized access to its database and control the organization in their favor.
It needs to have multi-factor authentication procedures and restrict access to relevant staff members who are trained in cybersafety practices such as not sharing passwords with other people ( even at work ) and spending some time to detect phishing emails before clicking malicious links in them.
Technical systems need to be monitored by technical and intelligence experts so that in case there is suspicious activity, it can be reported and dealt with immediately.
Staff Roles and Inclusive Workplace
Medibank needs to have good policies and job role descriptions at the workplace that clearly outline the tasks of the relevant staff member. It also needs to run awareness campaigns and build a culture where staff understand that cybersecurity is ‘everybody’s business’ ( not just that of tech experts ) and demonstrate how staff members can act and effectively prevent a cyberthreat within these clearly defined roles.
For example, one task of a customer service representative is to input customer data into the database when the customer comes to visit. Medibank needs to make it relevant to the representative that she/he can effectively prevent a cyberthreat within her/his role by responsibly carrying out cybersafety practices such as rotating passwords, going through multi-factor authentication when logging into the database to insert information and then responsibly saving the information and logging out of the webpage when the process is complete.
Tests and Training Programs For Staff Members
Staff members need to undergo tests and training every now and then ( e.g. on a bi-weekly basis ) to be well-informed, alert and aware of the latest kinds of cyberthreats and how to prevent them. They also need to be trained to understand cyberthreats and how they are linked to other kinds of incidents such as social engineering that can ‘compel’ them to share credentials and passwords ( e.g. unknown phone calls ).
Reporting Forums and Communications
There need to be open reporting forums and communications where staff members and key experts can share intelligence, resources, guidance, advice and the latest updates about the kinds of cyberthreats that happen externally and internally within the organization. This way, company staff are always aware of cyber incidents and can effectively communicate, raise awareness about cyberthreats ( when they happen ) and respond to them effectively.
Collaboration-Focus and Open Culture
Medibank needs to develop a collaborative mindset so that staff members and management are willing to work with others and openly consult and discuss strategies to effectively prevent and tackle a cyberthreat. Externally, Medibank needs to maintain and continue partnerships with the Australian government and its cybersecurity/intelligence units to share technology and intelligence and available resources to help protect itself.
Bibliography
Australian Cyber Security Centre ( 2022 ). ACSC Annual Cyber Threat Report, Australian Cyber Security Centre. https://www.cyber.gov.au
Brangwin, N ( 2023 ) National Security - cybersecurity. Parliament of Australia. https://aph.gov.au
Callinan, R ( 2021 ) UnitingCare cyber attack claimed by notorious ransom gang REvil/Sodin. ABC News. https://www.abc.net.au
HNS Cybersecurity Program ( 2020 ) HC3 Intelligence Briefing Cybersecurity Maturity Models. Leadership For IT Security & Privacy Across HNS. https://www.hhs.gov
Janda, M and Ziffer, D ( 2022 ). More Medibank customer data released onto dark web. Has everything now been released? ABC News. https://www.abc.net.au
Josh, T ( 2022 ). Medibank hackers announce ‘case closed’ and dump huge data file on dark web. The Guardian. https://www.theguardian.com
Mao, F. ( 2022 ). BBC. https://www.bbc.com/news/world-australia-63579985



