While our American cousins are still marvelling at the wonders of tap-and-go in much the same way that Homo erectus marvelled at the wonders of fire, Australians confidently use the payment system for about 80 per cent of point-of-sale transactions. Cheques are set to disappear, while hard cash is likely to be relegated to emergency uses.
The RBA – which has been one of the major drivers of the digital economy through its NPP – has argued that going cashless will make the job of fighting money laundering and other financial crimes easier. That might save the country a few billion here and there, but it also makes it more vulnerable to cyberattacks.
When we talk about cyberattacks, we typically land on the Hollywood stereotype of hackers – black hoodies, green scrolling text, meaningless jargon etc. But the average cyberattacker is no longer a script kiddie working out of a grimy internet café. They’re military personnel with years of training and hundred million-dollar budgets at their disposal.
And while we have one of the better digital economies in the world, the digital and physical infrastructure that supports it isn’t exactly topnotch.
Over three-quarters of Australians bank with one of the big four. That means most of Australia’s money is held by four institutions with a pretty crummy track record on cyber security. Westpac and CBA’s breaches of AML/CTF legislation have shown the world that Australian banks are not paying close attention to what’s happening in their computer systems, and the RBA has also noted that the big four have systemic weaknesses created by their use of common third-party software. All of that combines to make them big, lucrative targets – and it’s only a matter of time until somebody decides they want a piece.
In 2016, North Korean hackers stole $100 million from Bangladesh’s central bank. Other groups tied to North Korea siphoned $10 million from the Bank of Chile and $13.5 million from India’s Cosmos Bank. These sorts of cyberattacks are actually relatively benign, driven as they are by profit motive; it’s theorised that bank fraud of this kind actually accounts for a sizeable chunk of North Korea’s GDP.
But if a hostile state wanted to do some real damage, it very easily could. For example: a co-ordinated attack on key utilities (electricity, water) and financial infrastructure that sees people unable to access their money. Any cyberattack on a primarily digital economy is likely to be substantially more devastating than those that use more physical currency for the simple fact that basic goods and services become inaccessible. Of course, the value of physical currency would likely be impacted by a large-scale cyberattack, but it probably wouldn’t cease to exist.
If we are going to be a digital economy going forward, then our financial institutions need to lift their game. Systems already suffer from blanket outages; identity fraud is becoming more sophisticated; and the fact that so much of our economy is digital means that any attack will likely have widespread ramifications.
At least part of the problem could be helped by the creation of a single secure digital identity for Australian citizens. A single digital identity – created with the government and verified by a third party – would mean that customers wouldn’t maintain dozens of passwords for different profiles and accounts containing their financial information. However, that would also create a single point of failure that might be easier for a sophisticated cyberattacker to exploit.
The Australian government and financial services should also be focusing on responses and resilience – that is, how does the infrastructure upon which the digital economy is built weather a cyberattack, and how does the government fight back? Cyberattacks are inherently deniable, but the creation of a decisive response plan based on real-world consequences could prove an effective tool at warding off future attacks.
Australia leads the world in advances in the digital economy, and it’s one of the country’s greatest achievements. But if more work is not done to modernise and protect the infrastructure that supports that economy, we could see our best work become our worst nightmare.