Why did hackers target the Bureau of Meteorology?
Many think Australia is too small and unimportant for hackers to bother with, but one expert says we need to “wise up” and realise we are a rich country.
Curtin University cyber security expert Mihai Lazarescu said Australia was not taking the threat of cyber warfare seriously enough.
This is despite the fact that almost everyone was doing it, including Russia, North Korea and even our allies — the United States.
“In Australia we are of the opinion that we’re not that important, who would bother with us?” Associate Professor Lazarescu said.
“But we can’t expect they won’t just because we’re too small or unimportant. Even if you don’t have much, they can still use our systems to attack others, and that’s enough of a reason to go after you.”
He said people also needed to remember that Australia was a very rich country and analysis about where potential resources and minerals were located was valuable.
His comments come after the ABC reported on a massive attack on the Bureau of Meteorology.
Multiple official sources have reportedly confirmed the breach and one official placed the blame on China, although China’s officials have denied any involvement.
It will reportedly cost millions of dollars to secure the system and A/Prof Lazarescu said the scale of the attack pointed to it being state-based, as governments were the only ones who could afford to spend the time and money on finding flaws.
“According to reports it’s going to require a lot of money to fix so whoever did it figured out something no one was supposed to know — it is probably a fundamental flaw,” he told news.com.au.
The scale of the attack also indicated it didn’t come from some hacking group playing around.
“They have different motives,” he said of hackers. “In most cases they try to expose something they don’t agree with or try to steal stuff”, for example, by locking files until they receive a ransom.
One expert speculated the BOM cyber attack could have been an attempt to access climate data in the lead up to the UN talks on climate change in Paris, saying the data would be useful around the negotiating table.
But A/Prof Lazarescu disagreed, saying Australia was a minor player in the climate talks and any information gained would probably not benefit China enough to justify a significant attack.
“They are much more likely to be interested in the state of play of the weapons system that Australia is trying to procure, which is worth billions,” he said.
Thinking about what the attack has achieved, A/Prof Lazarescu said it had proven there was a flaw in the system and this is what really worried him.
He said if the Chinese managed to find something that could not be fixed without serious effort, stealing information was not the only thing to be worried about.
“If there was an attack on one of the clearance banks in Australia, the whole country would be shut down in 48 hours and that’s what worries me,” he said.
“They may have been testing their own capabilities, they didn’t go for a bank, they didn’t want to cripple the country, but they could have been after some military or intelligence secrets, it’s almost certainly nothing to do with climate change.
“The real world out there is very nasty and pragmatic and we have to wise up.”
A/Prof Lazarescu said the BOM may have been targeted because it uses one of Australia’s largest supercomputers and provides critical information to other government departments such as the Department of Defence or the Australian Security Intelligence Organisation (ASIO), potentially providing access to their systems.
Identifying and exploiting weak points is a key tactic hackers use to gain access to networks.
One American case involving a Chinese takeaway menu demonstrates this perfectly.
Hackers attached malware to the online menu of the restaurant, which they had identified as being popular with employees of a big oil company. Once the menu was downloaded the malware gave attackers a foothold into the company’s computer network, which they had previously not been able to breach.
A/Prof Lazarescu said China definitely had the upper hand over Australia due to the huge amount of money it was spending on cyber security, the large number of university graduates it was training and the strict control it had over its infrastructure, including its internet filter.
“In some ways you have to take your hat off to them, they are thinking 20, 30 years ahead when Australia is thinking three years ahead, it’s pathetic,” he said.
A/Prof Lazarescu said cyber security needed more federal funding and legislation to make it mandatory for companies and organisations to secure their networks.
“At the moment the controls are not very strict, in many cases it’s quite lax so it’s badly defended,” he said. “It’s frightening.”
He said businesses often looked at cyber security as a box-ticking exercise, only doing the minimum necessary to achieve accreditation. This included resource and financial institutions as well as government departments.
“I know of a financial institution that hasn’t upgraded its servers for five years,” he said.
“Cyber warfare is a reality of life and Australians have to take it seriously.”