Testing and turning on software key to curbing Optus-style hacks, says former Pentagon cyber chief
Former Pentagon cyber security chief Jonathan Reiber reveals how cyber criminals are infiltrating companies and stealing personal customer data.
Companies are failing to regularly test their digital defences and in some cases forgetting to switch on software aimed at protecting customer data, risking major breaches like the Optus hack, says the author of America’s first two national cyber security strategies.
Optus has come under intense pressure after a data breach last month exposed the personal details - including Medicare, passport and driver licence data - of nearly ten million Australians, sparking a rift with the Albanese government and fuelling public anger.
Senior government figures have accused Optus of not co-operating, with Government Services Minister Bill Shorten saying the Singapore-owned telco was not moving fast enough while Anthony Albanese has demanded the company pay for the issuing of new identity documents.
But Jonathan Reiber - a former Pentagon chief strategy officer for cyber policy who now works for online security firm AttackIQ - says the government should be working more closely with businesses to fend off hackers.
“The vast majority of cyberspace is owned and operated by the private sector, yet governments are responsible for organising their countries for war,” Mr Reiber said.
“This places governments in the position of needing to engage the private sector in combined defensive operations to counter cyber attacks, often on a voluntary basis as preparations need to occur in advance of the outbreak of hostilities.”
Mr Reiber, who wrote the US’s first two national cyber defence strategies under the Obama administration, has recommended companies test frequently on the biggest hack threats and report to governments regularly on their cyber defences to bolster security.
“I think it’s better (for governments) to say ‘I want to know how effective you are and I want you to report to me quarterly at a minimum’.
“You could have a government absolving the victim of responsibility because their controls were operating at a sufficient amount of effectiveness.”
As well as not regularly testing the effectiveness of cyber defences, Mr Reiber said other weaknesses included staff turnover and human error.
“People leave their jobs or forget to sign off on a managed security service contract and so the security control lapses. Or sometimes they forget to turn something on - they would have bought a contract for capability but they only would have installed a portion of it.”
This is why Mr Reiber believes government and businesses need to work together more closely to ensure cyber security systems are effective and personal details - including government-issued identity data - are protected.
AttackIQ, which is backed by Telstra’s venture capital arm, has automated security control validation for several Australian companies, including SA Power, South Australia’s regulated electricity distributor, which supplies about 1.7 million people.
The need for testing is crucial given the increasing sophistication of cyber threats. Texas-based Zimperium, a company formerly backed by Telstra Ventures which protects the mobile devices of US troops, warned of a new trojan virus from an Iran-based hacker group.
Dubbed RatMilad, the malware is capable of malicious actions, including reading, writing and deleting files, recording sound and setting new application permissions to gain greater control of mobile devices.
But while threats are evolving, Mr Reiber said many hackers are “recycling techniques”.
“The adversary makes a lot of money through repeat performances. You can actually exercise a lot against what we already know and you can improve your performance tremendously,” Mr Reiber said.
“So if you’re the Australian Parliament, you’re going to look at an incident and you want to be able to say ‘how well are you performing today’ and ‘how would you be ready for the next attack?’
“You want to achieve that level of combat readiness and that’s to a degree the transformation that’s going on.”
Mr Reiber said Optus was not alone in being the target of a high-profile breach, with hackers successfully hitting the US Treasury Department and even the Pentagon.
And while he said it was “not a question of if you are going to be breached but when”, he said companies could be better prepared for attacks.
“The analogy I like to use is you can build the best navy in the world but if you never exercise them, how would you expect them to perform against the People’s Liberation Navy if there was a contingency? You wouldn’t.
“The people would be lazy, right? The sailors would be out of shape. Then there are things that would have broken down like people would have forgotten to fill up gasoline in a certain section or forgotten to tie down certain hatches.
“And that is exactly what happens within a security team in a cybersecurity organisation.”