‘Consider what damage could be caused’: Government launches cyber ‘war games’ for major banks

“How would government work with that company to get services back online? If one of our big four banks is down, who can assist in providing services to those customers? How can we make sure the country continues to function properly while we solve the problem?”

The government ran a three-hour tabletop exercise with representatives from the Reserve Bank, Australian Securities and Investments Commission, Australian Prudential Regulation Authority and Australian Federal Police last month to examine how they would respond to attacks involving the theft of sensitive data and encryption of information technology.

Similar exercises will be held with individual banks before the government moves on to the aviation sector and other critical infrastructure networks.

Australian Banking Association chief executive Anna Bligh said protecting customers’ information and funds was the highest priority.

“Given the interconnectedness of the banking, finance and payments systems to the whole economy, sector-wide cyber-resilience exercises are critical for the safety of all Australians and the finance sector itself,” she said.

Tech Council of Australia chief executive Kate Pounder also welcomed the exercises, saying the cyber threat was not going to diminish.

Last month’s cyberattack on Latitude Financial led to the theft of 14 million customer records, including driver’s licence numbers, passport numbers and financial statements.

O’Neil is overseeing the creation of a cybersecurity strategy that aims to make Australia the world’s safest nation by 2030.

In a speech last week, she warned that urgent work was needed to prevent a “dystopian future” in which data breaches were replaced by “data integrity attacks, where small errors are induced in compromised sets with outsize implications, such as financial records”.

While not all cyberattacks could be prevented, O’Neil said, their damage could be mitigated if companies and government agencies were better prepared.

Loading

“What good looks like here is for Australian citizens to have no profound impact on their life when a system or a company is under cyberattack,” she said.

“We want to make this muscle so finessed and strong that when we confront cyberattacks, citizens can be confident we’ve thought through how we’re going to handle it and we are executing on a plan that we’ve set out.

“But that’s not what we’ve had before. When Optus and Medibank hit, we didn’t have plans in place, we didn’t have clear rule books about who would do what, and that’s what we’re trying to fix at the moment.”

While advances in technology such as quantum computing and artificial intelligence would make it easier for hackers to do damage, O’Neil said, they would also help governments and companies fortify themselves.

Loading

“To be clear, there are answers and solutions to all these problems,” she said. “But we have to get cracking and work out what those answers are before we’re in a crisis.”

O’Neil declined to comment on whether Australia had been affected by a damaging leak of about 100 United States Defence Department documents that included detailed accounts of the training and equipment being provided to Ukraine in its fight with Russia.

A government spokesperson said: “The Australian government is concerned about the disclosure of US classified information.