Blog entry by Les Bell

by Les Bell - Thursday, 27 July 2023, 9:44 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Australian Government Cheaps Out on Identity Management, Loses Half a Billion

For many years now, the Australian Government has been prone to placing faith in technology without really understanding it. We have seen this with debacles like the near-useless COVIDSafe contact-tracing app, which cost over $A20 million in total, and identified two (2) COVID-positive cases. We saw it with the Robodebt disaster, which was not only illegal but caused misery and even deaths. We saw it in the cancellation of the Australian Apprenticeship Management System.

To this viewer outside the Canberra bubble, it has seemed as though politicians, especially Ministers, had been captured by consultants with a surfeit of political connections over technical ability. In particular, previous governments have been resistant to sound principles of identity management, such as the development of a cryptographically-based or biometric personal identity for use by citizens transacting government business. Instead, they have relied on awkward schemes based on passwords, out-of-band verification using the PSTN (mTANs, in other words six-digit numbers sent as a text message), and knowledge of identifiers such as the tax file number. These schemes are weak, deprecated (see NIST SP 800-63B §5.1.3.3) or just plain silly.

By contrast, many European countries have implemented electronic identity cards which carry not only biometric data but also store a private key and certificate which can be used for authentication as well as to sign and verify documents and transactions. Why did the nation which wanted to become "one of the top three digital governments in the world ... that other nations can look to for guidance and inspiration" fall so far behind? (That was a rhetorical question.)

The IAM pigeon has come home to roost rather spectacularly with reports that more than half a billion dollars has been fraudulently claimed from the Australian Taxation Office (ATO), by criminals exploiting glaring loopholes in the linkage between the hokey MyGov system and taxpayer ATO accounts.

The fraud begins with a criminal creating a fake MyGov account and then linking the new account to a genuine taxpayer's ATO account using easily-acquired identity information such as their tax file number (TFN) or date of birth. Some of this information is available cheaply on the dark web, having been exposed in previous data breaches, or can be obtained by social engineering. The phone number in the ATO account is then changed so that mTANs are sent to the fraudster rather than the taxpayer, and the bank account and email address are similarly changed. The fraudster then submits fake Business Activity Statements (BAS) and tax refund claims, which are paid into the changed bank account.

In the 2021/22 financial year, more than 7,500 accounts were compromised with over $A237 million paid, while in the 2022/23 financial year, the scam netted $A320 million from 8,100 compromised taxpayer accounts. That's a total of $A557 million.

It's past time for the ATO to pension off its hokey approaches to identity and access management and start doing things properly. And it's well past time for our politicians to look outside the Canberra bubble and find some competent consultants to advise them.

Charette, Robert N., Australia’s Digital Transformation Stumbles Badly: A new report finds a “litany of failures” in Australia’s attempt to digitize government services, IEEE Spectrum, 6 July 2018. Available online at https://spectrum.ieee.org/australias-digital-transformation-stumbles-badly.

Curnow, Sarah and Dan Oakes, ATO reveals more than $557 million claimed by fraudsters exploiting security loophole, ABC News, 26 February 2023. Available online at https://www.abc.net.au/news/2023-07-26/ato-reveals-cost-of-mygov-tax-identity-crime-fraud/102632572.

US SEC Tightens Cyber Governance, Risk Management and Incident Disclosure Requirements

The US Securities and Exchange Commission has adopted new rules requiring public companies to disclose material cybersecurity incidents and to annually provide information on their cybersecurity risk management, strategy and governance. In particular, reports of material incidents must now be made within four days, and will require a description of the material aspects of the incident's nature, scope and timing as well as its likely or actual impact on the company. The rules will require comparable disclosures by foreign share issuers.

An incident disclosure will be made in a new Item of Form 8-K and will require the following information:

  • When the incident was discovered and whether it is ongoing;
  • A brief description of the nature and scope of the incident;
  • Whether any data were stolen, altered, accessed, or used for any other unauthorized purpose;
  • The effect of the incident on the registrant’s operations; and
  • Whether the registrant has remediated or is currently remediating the incident.

Annual reports will now require more consistent and informative disclosure of firms' approach to risk management, including a description of policies and procedures for the identification and management of cyber threats. Firms will also have to describe how the board and management oversee cyber risk:

  • Whether the entire board, specific board members, or a board committee is responsible for the oversight of cybersecurity risks;
  • The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
  • Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.

Companies will also have to disclose whether they have a CISO and to whom the CISO reports, whether other management positions or committees are responsible for measuring and managing cyber risk, and the processes by which they do so.

Annual reports will also require additional details of the cybersecurity expertise, if any, of board members, including prior work experience and certifications, as an aid to investors in making both investment and voting decisions. However, the Commission has also proposed a safe harbor providing that any directors identified as cybersecurity experts would not be deemed experts for liability purposes but also clarifying that the duties, obligations and liabilities of non-expert directors are not decreased, either.

Although these new rules only apply to companies traded on US exchanges, we can expect this approach to spread more widely, with other countries likely adopting similar requirements and the liabilities of board members of private companies being similarly tightened. For CISOs, it means more formalisation of both risk management and incident response programs, and a lot more communication with boards.

Securities and Exchange Commission, SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, press release, 26 July 2023. Available online at https://www.sec.gov/news/press-release/2023-139.

Securities and Exchange Commission, 17 CFR Parts 229, 232, 239, 240, and 249: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, final rule, 26 July 2023. Available online at https://www.sec.gov/rules/final/2023/33-11216.pdf.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.