The Australian government has introduced its first standalone Cyber Security Bill, which — among other things — will require businesses to up their reporting standards and adhere to new regulations.
The bill comes in an age of increasing scams and cyberattacks on organisations, not least those in the mining industry.
Evolution Mining in August got hit with a ransomware attack
Months earlier, Northern Minerals reported a cyber-attack when a group called BianLian accessed the company's systems, operational details, research and development data, financial information, personal data of employees, shareholder information, and high-ranking executives' email archives.
The data was then offered for sale on the dark web.
In March 2023, Rio Tinto was hit with one of the biggest cyber-attacks in the mining industry's history when hackers accessed a wealth of company data, also with the intent of leaking it on the dark web.
Employees' family and financial information, payroll information, and other critical data was extracted from Rio's systems.
The latest data from the Australian Signals Directorate (ASD) shows that one cyber-attack report is made in Australia every six minutes, with each attack costing large businesses just under A$72,000.
These figures are from fiscal 2023. Cybercrime has since continued to expand and evolve.
And mining companies are becoming increasingly juicy targets. According to data from cybersecurity firm Darktrace, 40% of METS businesses in Australia have been hit with some form of cyber-attack in the last year.
"We've seen some prevalent ransomware attacks, but also insider threat attacks, in organisations over the last year, specifically in mining," Darktrace ANZ regional vice president Sushant Arora told MNN.
While technology advancements and the growing use of artificial intelligence have made cybersecurity more effective than ever, Arora said the problem was criminals who carried out these cyber-attacks were also taking advantage of new technologies — meaning there's something of a competition between companies and cyber attackers to leverage the newest technologies first.
"The threat landscape keeps on changing, new vulnerabilities pop up, and it's hard for organisations to keep up," he said.
"It's a race in terms of defending yourself because the attacker is also using new techniques."
Old threats, new methods
And though the techniques are new, the end goal is the same. One of the most common kinds of cyber-attack is still ransomware, where attackers access sensitive data, encrypt systems and lock them down, then demand a payment to unlock the network.
Unless a business has recent full-system backups, the quickest and often cheapest way to get systems back online is to simply bite the bullet and pay the criminal, giving in to their demands.
A new issue becoming more prevalent is what Arora said was known as "double extortion"; bad actors are not only encrypting data and holding systems for ransom, but they're also exfiltrating data outside of the information and copying it into their own systems.
It means even if a company pays up, the attacker still has the data and can sell it on the dark web.
What does the new bill propose, and who is impacted?
The new cybersecurity bill proposes stronger reporting obligations for businesses, with any "reporting business entity" that pays a ransomware fee to be required to notify the ASD and the Department of Home Affairs within 72 hours of payment.
Currently, it's not necessarily clear how many ransomware attacks are carried out each day; a large miner, for example, might pay a (relatively) small ransom that's not significant enough to impact its bottom line and decide not to report the attack.
Under the new proposed laws, reporting will be a legal obligation.
"We probably will start to see more reporting of cyber incidents than we have historically in the past, so we'll hopefully get more accurate data," Arora said.
The bill also proposes the establishment of a Cyber Incident Review Board to investigate cybersecurity incidents.
Notionally, the CIRB will look into how the attacks occurred, what companies could have done to better prevent or better respond to it, and what kind of technologies are in use by attackers.
These findings can then be shared with other businesses to improve cybersecurity frameworks across the board.
Manufacturers of internet-connected devices will also be required to comply with new security standards as the ‘internet-of-things' landscape evolves.
Minister for Cyber Security Tony Burke said Australia was in need of a "clear legislative framework" to address new and emerging cyber threats.
"We need a framework that enables individuals to trust the products they use every day. We need a framework that enhances our ability to counter ransomware and cyberextortion," he said in his speech for the second reading of the bill.
"We need a framework that enhances protections for victims of cyber incidents and encourages them to engage with government, and we need a framework that enables us to learn lessons from significant cybersecurity incidents so that we can be better prepared going forward."
Why do mining companies get targeted?
Essentially, hackers don't want to waste time on companies that don't have the money to pay up when they make their demands.
Mining companies — and particularly publicly listed ones — are known to hold big balance sheets. Even junior explorers often have several millions of dollars in the kitty, so if a malicious cyber group can get a few hundred thousand here and a few hundred thousand there, it can make for a lucrative endeavour.
And METS and mining companies are often more likely to pay up because they need their tech systems operational for processing, smelting and refining. A lack of access to operation technology for even a day or two can have devastating impacts on profits.
It makes them prime targets for hackers because the cost of giving in to the hackers' demands to get their operations back online can be far lower than the opportunity cost of mining downtime.
Arora said for mining companies, in particular, many of their operational tech systems perform certain tasks exceptionally well but are decades old because it takes a lot of time, effort and money to buy and learn a new system.
Beyond this, performing a cyber-attack is simply becoming easier, and with the help of AI, bad actors can carry out scores more attempts than they could before. The sheer increase in the volume of attacks means more mining companies are being targeting simply by chance.
AI: A double-edged sword
The growth of AI has drastically improved cyber defence capabilities.
Darktrace, for example, uses advanced AI to examine and learn customer trends and subsequently identify any anomalies in typical behaviour — which are often early indicators of suspicious activity — to detect threats and deal with them before they can encrypt information.
The AI also enables automated responses triangulated on the threatened area, so entire systems don't need to be paused while a threat is handled.
Inversely, cyber-attackers also have access to AI. They can use new technologies to automate their own attacks or to learn about particular individuals in a company and starting building rapport with them until they let their guard down and open themselves up to an attack.
The advancement of AI means bad actors are far more efficient and far more effective, so if defence systems don't respond in kind, they're behind in the race against cyberthreats.
Who ultimately stands to lose?
Companies can suffer reputational damage, data loss, and blows to profits if they fall victim to a cyber-attack.
Customers can have their sensitive data leaked and personal information shared online.
And investors can lose out if a company they back gets hit by an attack given the impact to profits and reputation directly affects share prices.
Thus, it's a company's duty to its shareholders — the owners of the business — to stay on top of cybersecurity.
It's a business imperative.
And, with the introduction of the new cybersecurity bill, it could soon be a legal imperative, too.
