Key Points
- Skeeve Stevens was convicted for a hack very similar to the Optus breach.
- He tells The Feed what he thinks about Australia's cyber security and why people hack.
In 1998, Skeeve Stevens was jailed for a hack that was described at the time as Australia's most "notorious" internet cybercrime. Today, it sounds very similar to the breach that hit Optus in September.
Under the pseudonym Optik Surfer, Stevens hacked internet provider AusNet and shared the credit card and personal details of 1200 people with journalists. His aim was to lay bare the shortcomings of AusNet's system. For his actions, he was jailed for 18 months.
These days Stevens spends his time consulting with state and federal police, intelligence agencies, the Australian Defence Force and law firms, among others, discussing the weaponisation of technology.
Here's what he wants you to know about the state of cybersecurity in Australia, who is drawn to hacking, and why they turn criminal.
Money aside, why do people hack?
Stevens told The Feed: you don't "become a hacker, you kind of always are."
It's for people who are curious, talented, but mostly, it's for people who like puzzles. Stevens just wanted to keep prodding to see where it would take him. Decades ago he hacked into Australian universities, vending machines, and even US agencies, just to see if he could.
"I thought 'oh that's cool, now if I do that, do I get that? Does this plus that equal that?" he said.
But he said hackers can veer towards criminality when their skills and talent aren't met with enough ethical guidance during their learning process.
"I've seen eight-year-old girls that are coding three [computer] languages. Some of our kids are amazing," he said.
"But are they being guided by teachers that can actually help harness and frame those skills? This is where you're going to end up with bad actors or bad hackers."
What is missing in Australia's approach?
Stevens said the first thing Australia is lacking is literacy around cyber security at various levels. He said it starts with the average Australian and extends all the way to those making decisions about data collection and storage.
"There's a lot of 'FUD' in the industry: fear, uncertainty, and doubt from officials," said Stevens, noting that companies and politicians should be clearer in their communication and messaging.
While cyberattacks are commonplace and happen every day, he fears that large-scale attacks will become normalised - with no real action made until a 'cyber epidemic' hits Australia.
Over the past month, it seems like a major Australian company is being hit by a cyberattack every week.
Australia has experienced a number of major hacks over the past few weeks, igniting conversations around its approach. Source: AAP
On 20 October, Medibank experienced a similar data breach, with patient details being held for ransom. The company said on Tuesday its data hack had taken a "distressing" turn, with customer data among the information stolen.
"My greatest worry is that [cyberattacks] will slowly ramp up and it stays that way - and we're going to tune out like anything else in the news cycle," said Stevens.
He advises people to stay engaged and set up the quick - but "tedious" - wins including two-factor authentication.
"The problem is, being personally hacked or having your data breached isn't something that most people are going to pay attention to until it happens to them," he adds.
Stevens said Australians and governments need to be asking themselves if companies really need to have as much data as they do, and if there are better ways to confirm identity or personal information.
He said something as simple as a QR code linked to a government app like myGov could store that information. This QR code could be scanned when necessary, and automatically refreshed every so often.
"From a hacking perspective - it's extremely hard, bordering on impossible for most people to hack (something that changes that quickly)," he said.
"Sometimes the problem is that we don't use a lot of the technology that is actually very useful to us."
While there are issues with having things in a centralised location - as the past weeks have shown - he said one of the shortcomings of Australia's approach is that it is reactive, not proactive.
"I mean, the hack that I was involved in 25 years ago, that included names, date of births, addresses, credit card numbers, driver's licence details. You'd think we would have come up with something in the meantime," he said.
