‘Change now or pay later’: RBA’s stark warning on climate change

by Ryan Crompton, Andrew Gissing, Thomas Mortlock and Paul Somerville, Risk Frontiers

The following article, by Eryk Bagshaw and Nick Bonyhady, appeared in the Sydney Morning Herald on 12 March 2019. The last line notes that “companies disclosing climate risks need to adopt a level of commonality or risk that information not being useful to investors.”

It is worth noting that there are two types of climate change risk posed to business. The first is the physical risk posed to direct business operations and supply chains, and the second is the transitional risk of adapting operations to a climate-changed future. Climate change risk disclosure is still at an early stage in Australia, with no regulation at present. Most current disclosures focus on the immediate physical risks to business and do not include transitional risk.

A recent paper by Allie Goldstein and co-authors looked at the private sector’s climate change risk and adaptation blind spots by reviewing more than 1,600 corporate adaptation strategies in the US. Some interesting findings from the paper, relevant for Australia, are:

  1. The magnitude and costs of physical climate change risks are being underestimated by companies. Companies need further guidance on estimating more realistic costs.
  2. Climate change risks to business beyond direct operations are not being considered.
  3. The costs associated with climate change adaptation strategies are being under-reported.
  4. Non-linear climate impacts, and extreme climate scenarios, are not being considered by companies in disclosures.

Risk Frontiers’ goal is to provide an objective assessment of these risks to assist companies (including those in the insurance industry) and governmental organisations in achieving that level of commonality mentioned in the Sydney Morning Herald article, reproduced in part below.

The Reserve Bank has warned climate change is likely to cause economic shocks and threaten Australia’s financial stability unless businesses take immediate stock of the risks. The central bank became the latest Australian regulator to tell business that they must analyse their investments on Tuesday, as the Coalition grapples with an internal battle over taxpayer-funded coal fired power and energy policy.

In a speech to the Centre for Policy Development in Sydney, the Reserve’s deputy governor Guy Debelle said challenges for financial stability may arise from both physical and transition risks of climate change. “What if droughts are more frequent, or cyclones happen more often?” he asked. “The supply shock is no longer temporary but close to permanent. That situation is more challenging to assess and respond to.”

Financial stability could be put at risk if businesses remained unaware of anticipated insurance payouts, pollution-driven reputational damage, legal liability and regulation changes that could cause valuable assets to become uneconomic. “All of these consequences could precipitate sharp adjustments in asset prices, which would have consequences for financial stability,” he said.

Dr Debelle said the increasing number of extreme climate events was also changing public opinion. “One of the things that is causing change in public opinion around this is just the straight-up occurrence of extreme events,” he said. “It’s not the way you would actually like this to come about unfortunately … [but] it has changed the general public view.”

Dr Debelle said the bank was speaking about the issue because of the size of the impact climate change would have on the economy. “Some of these developments are actually happening now,” he said. Dr Debelle said the current drought across large swathes of the eastern states has already reduced farm output by around 6 per cent and total economic growth by about 0.15 per cent. “We need to think in terms of trend rather than cycles in the weather. Droughts have generally been regarded as cyclical events that recur every so often. In contrast, climate change is a trend change.”

That has an impact on monetary policy, Dr Debelle said, citing the temporary shock of banana prices surging after Cyclone Yasi in 2011, which in turn boosted inflation by 0.7 percentage points. But he said future events may not be so one-off, with repeated climate events and the transition of the economy likely to have a longer-term impact. “We need to be aware that decisions taken now by businesses and government may have a sizeable influence on that transition path,” he said.

Dr Debelle said the transition posed challenges and opportunities. Industries especially exposed to the consequences of changes in the climate will face lower costs if there is an early and orderly transition, some will bear greater costs from the transition to a lower carbon economy, while others, such as the renewables sector, may benefit. “There has been a marked pick-up in investment spending on renewable energy in recent years,” he said. “It has been big enough to have a noticeable impact at the macro-economic level and affect aggregate output and hence the monetary policy calculus.”

In comments that are likely to be used against some pro-coal Nationals MPs urging the Coalition to build a taxpayer-funded power station, the deputy governor said the renewable sector was a good example where price signals have caused significant behavioural change. “There has been a rapid decline in the cost of renewable energy sources,” he said. Dr Debelle said the cost of generating electricity has declined in the case of wind and solar to the point where they are now cost-effective sources of generation. He added that storage and transmission remained relevant costs.

Despite coal being one of Australia’s top exports, Dr Debelle said opportunities remained as China transitioned away from coal. “Natural gas is expected to account for a larger share of its energy mix, and Australia is well placed to help meet this demand,” he said.

He endorsed comments by Australian Prudential Regulation Authority executive Geoff Summerhayes in London in January, which warned tackling climate change had become a “financial necessity”. In the speech to the UN’s sustainable insurance forum, Mr Summerhayes lashed government inaction, arguing the summer’s extreme weather, severe drought and floods were all fuelled by climate change, but Australia still lacked the political consensus needed to respond to the threat.

Giving the example of data on when different parts of the Gold Coast would stop being viable, Blair Comley, a former secretary of the federal Department of Climate Change and Energy Efficiency, said the lack of data on the impact of climate change made it harder to plan for. Dr Debelle said while the Reserve Bank was not responsible for developing climate policy, it had a role to play in ensuring there is adequate data.

Where there is inadequate data for the bank to make the decisions it needs to, “we can call out that,” Dr Debelle said. And he emphasised that companies disclosing climate risks need to adopt a level of commonality or risk that information not being useful to investors.


Goldstein, A., Turner, W.R., Gladstone, J., and Hole, D.G. (2019). The private sector’s climate change risk and adaptation blind spots. Nature Climate Change, 9, 18-25.

Sydney Morning Herald (2019). ‘Change now or pay later’: RBA’s stark warning on climate change. Accessed 14 March 2019.



Cyber Attack on the Australian Parliament and the Lessons Learned

The following article was published by the Australian Outlook on March 4th, 2019. It highlights some of the most important technical and political points regarding the recent cyber attack against the Australian Parliament Network and other political parties.

Risk Frontiers are a partner in the Optus Macquarie University Cyber Security Hub focusing on quantitative risk modelling of cyber risks.


In the lead up to the federal election, the Australian Parliament and multiple political parties have been hit by a sophisticated cyber attack. Experts are divided on who is to blame but the attackers had clear motives and there are some key lessons to learn from this incident.

By Associate Professor Christophe Doche, Dr Stephen McCombie and Dr Tahiry Rabehaja

On February 8, reports emerged regarding an attempt to infiltrate the Australian Parliament network, which is primarily used to exchange emails and store data. On February 18, Prime Minister Scott Morrison and Opposition Leader Bill Shorten addressed the Parliament to acknowledge the attack. The next day, the Australian Cyber Security Centre (ACSC), which is now part of the Australian Signals Directorate (ASD), confirmed that a cyber actor gained illegal access to the networks of the Liberal, Nationals and Labor parties.

Since then, investigations have revealed that the attack was sophisticated and most likely state-sponsored. It is understood the initial breach was the result of a phishing campaign, where a staff member opened an infected document attached to an email. Once the criminals got a foothold on a computer attached to the network, they scanned and infected other targets, including intranet servers. They were then able to redirect network traffic in order to exfiltrate data. They also erased logs to cover their tracks and placed additional malware to maintain control of the infected systems for later use.

Digital forensics analysis has shown that the attack relied on a series of malware and exploits, which happened to be in several cases slight modifications of existing open source tools. That is what fooled primary anti-virus software. Many of these open source tools are ironically used by the ethical hacking community to find vulnerabilities in computers and systems with the aim to report and, ultimately, fix them. They are written in the popular language C# for the .NET framework. All these factors indicate there was a clear desire from the attackers to remain undetected for as long as possible and to make attribution – the identification of the perpetrators of the attack – a difficult task.

Figure 1: Reverse engineering some parts of the malware used by the hackers shows that they leverage well-known penetration testing tools (source: Yoroi).

Although there is no clear evidence – at least none that has been released – the media speculation is that China is most likely behind this attack. China has a long history of cyber espionage operations globally and also locally against the Australian Government, our defence sector, mining industries and even universities. This incident happened on the back of the banning of Huawei from Australia’s 5G network, recent tensions in regard to trade and multiple claims of improper Chinese influence on Australian political parties. There have also been reports that Iran may have been the perpetrator but it is difficult to see what they would gain in Australia from such an action. They have been active in recent times against US targets and perhaps may see Australia as a way into the Five Eyes intelligence alliance or alternately our close relationship with Israel (their bitter enemy) and plans to formally recognise West Jerusalem as the capital of Israel may have made us a target.

Perhaps most surprising is that this attack was actually successful at getting into the Parliament and Australia’s major parties, despite the amount of warning of the potential for such attacks to occur. Attacks on the Democratic National Committee in the United States in 2016, which accessed multiple email accounts including that of Hillary Clinton’s campaign director, by Russian Military Intelligence (GRU) are well known and documented. In the aftermath, members of the Democratic Party visited a number of European countries and spoke to political parties to specifically warn of the risk of such cyber breaches. Similarly, the ASD briefed political parties on threats to our elections in 2017. In July 2018, the Australian Government also offered $300,000 to help political parties shore up their cyber security. In addition, the Government has significantly grown the scope and size of the ACSC and other cyber capabilities. Despite this, these attacks have penetrated our Parliament and major political parties just months before a highly contested election where matters of relations with China are likely to be debated.

One key observation here is that the Government has a very large cyber risk footprint. It employs tens of thousands of employees and human beings have always been part of cyber security issues and solutions. This incident is no exception. Governmental networks are complex, shared and scaled infrastructures, which greatly increases the chance of overlooking security lapses and facilitates the propagation and replication of attacks to other agencies cheaply and quickly. Government agencies are also very attractive targets. They hold a large volume of confidential and personally identifiable information, they are the top target for politically motivated attackers and cyber warfare, and they are amongst the main victims of cyber espionage. This means that they are attracting multiple categories of threat actors ranging from organised cyber criminals looking for financial gains to advanced persistent threats backed by state actors. The Australian Parliament network incident emphasises these three points, but also highlights the Government’s large cyber attack surface area, since such an attack could have occurred in any one of the many interlinked agencies’ digital information and infrastructure.

Although the response to this incident has been swift and there is no evidence that any data has been leaked, the ACSC has warned that the actor, whoever it may be, will probably further target other Australian Government departments. The Government needs to understand, build and protect its digital infrastructure, and associated exposure, with the appropriate controls and responses. The NSW Government and the Government Chief Information Security Officer have taken a leading role in this area by releasing in February 2019 the NSW Cyber Security Policy. Among other measures, this policy mandates every agency to identify its crown jewels – its most valuable or operationally vital systems or information – and implement regular cyber security education for all employees, contractors and outsourced ICT service providers. These two measures alone will go a long way to improve the cyber resilience of NSW Government agencies.


Associate Professor Christophe Doche is executive director of the Optus Macquarie University Cyber Security Hub, the first initiative of this kind in Australia, linking academics in information security, business, criminology, intelligence, law and psychology together with cyber security experts from industry. As part of his role, he oversees research, education and thought leadership activities in cyber security.

Dr Stephen McCombie is a senior lecturer in Cyber Security at Macquarie University. His current research interests are in digital forensics, cyber threat intelligence and information warfare. His research draws on a diverse background in policing, security and information technology over the last 30 years. He has also held senior positions in information security with IBM, RSA, National Australia Bank and most recently SecureWorks.

Dr Tahiry Rabehaja is a Software Engineer at Risk Frontiers and research fellow at the Optus Macquarie University Cyber Security Hub specialising in quantitative risk modelling. He has a background in information security and formal program verification and, in particular, the development of mathematical models for quantifying confidentiality in programs. His current research is on the quantification of cyber security risk.