Public broadcasters ABC and SBS are spending up to strengthen their cyber security defences following an attack on commercial operator Nine Entertainment in late March.
Executives for both organisations said their teams had been in touch with Nine to understand the attack, which disrupted Nine’s live broadcasting ability.
ABC managing director David Anderson told senate estimates last week that the ABC had been in contact with Nine Entertainment to understand the attack that impacted Nine’s operations.
He said that in response, the ABC had decided to beef up its use of security monitoring tools and would spend an additional $500,000 on that expansion.
“When it comes to the Nine incident itself, we’ve been in touch with Channel Nine to find out precisely what it was,” he said.
“We’ve taken action off the back of that, which generally means we’ve increased our spend.
“Since the Nine incident, we’ve shared information with each other about how we can fortify ourselves against [attacks].”
SBS managing director James Taylor similarly said that SBS had “sought to learn about and understand the nature of the Nine incident and checked to see whether we are vulnerable.”
The ABC’s operational cyber security costs will more than double to $3.9 million next financial year, and security is similarly eating into the budget of fellow public broadcaster SBS.
Anderson said the ABC had recently achieved level four maturity on the old scale for compliance with the Australian Signals Directorate’s Essential Eight cyber mitigations.
“We’ve only just achieved that,” he said.
“To continue at that maturity level, our costs of cyber security are going up operationally from $1.7 million in this financial year to $3.9 million next financial year.”
Anderson said that increase did not include additional capital costs that might be incurred to maintain the ABC’s cyber defences.
“There is money that you must spend on constantly making sure that you’re ahead of that curve,” he said.
“That [operational increase] excludes capital costs as well, I might add, so there’s other capital expenditure that goes with it.”
He indicated that a similar jump in operating expenses related to cyber security is unlikely the following year, though that would still mean – in the best-case scenario – that costs plateau at a much higher level than today.
“It’s a big jump from one year to the next. At the moment, we don’t see as big a jump from next year to the year after, but it is something that we plan for,” Anderson said.
“I don’t see that coming down from where it is at the moment. The best-case scenario would be that it stays where it is.
“We do look at future budgets. We have a five-year plan. We’ve costed our five-year plan over that five-year period, and things move around.”
SBS’ Taylor said that SBS had seen year-on-year increases in its own cyber security budget “in each of the last two years.”
“We’ve been focusing on cyber security, as you can imagine, for many years, and it’s a task of constant vigilance,” Taylor said.
“We’ve had not one but two internal audits which have looked deeply into our capability, in 2017 and 2021, and we have acted on the findings.”
Taylor said that in its most recent internal audit, SBS was “given the second-highest rating against the areas of cyber security they tested” when it came to compliance with the ASD’s Essential Eight mitigations.
More attacks thwarted
Australian Signals Directorate director-general Rachel Noble told senate estimates last night that the agency had warned two additional targets of the same threat actor that attacked Nine, after recognising the presence of “precursors” to an attack.
“We were very engaged with Nine,” Noble said.
“Technical information that they were able to provide us about what happened on their network helped us – using our more classified capabilities – to warn two other entities that they were about to be victims as well to prevent them from becoming victims.”
The head of the Australian Cyber Security Centre (ACSC), Abigail Bradshaw, said the centre typically sought to collect indicators of compromise (IOCs) and other technical data from victims, so as to warn others who may be facing similar attacks.
“As quickly as we can, our role at the ACSC is … to take whatever indicators of compromise we can for the purpose of pre-warning other entities before they become victims,” Bradshaw said.
“We will very quickly – particularly in the case of hospitals and aged care facilities – use what IOCs we have and use our partnership networks to pass that information out quickly.
“We use the full range of ASD capabilities to determine whether or not there might be indicators of future victims.
“We have done that in a number of cases in the last 12 months where using the full range of ASD capabilities we have been able to identify precursors going down on other people’s networks, and to pre-warn those entities before they become victims.”