Government weighs up lessons learnt in the wake of HWL Ebsworth hack

In a single hack in May last year, Russian cyber criminals managed to steal and then leak about four terabytes of sensitive data from law firm HWL Ebsworth’s network.

The leaked data impacted several government agencies and private companies, all clients of HWL Ebsworth in some form or another. Included in the 2.2 million stolen files were legal advice, personal and client data, and documents relating to law enforcement and national security matters.

Sixty-two government entities were affected, and multiple departments were involved in coordinating the response.

The leak was considered so damaging that the national cyber security coordinator – Air Marshal Darren Goldie at the time, and a position created after the HWL Ebsworth incident – called for a lessons learnt review process to be enacted once the fallout of the hack had been effectively dealt with and – where possible – mitigated.

The national cyber security coordinator called the case closed on 17 August 2023, and a formal debrief on the coordination of the response to the hack was convened on 15 November.

Here’s what it found.

The good

One of the key takeaways from the overall incident response was that collaboration is key, especially in tandem with some form of “a centralised coordination function”. This allowed government stakeholders and HWL Ebsworth representatives to better manage their time, and reduced “engagement fatigue”.

VIEW ALL

Given the long time frame of incident response, having some central coordination meant the ongoing work was sustainable while still managing to keep all parties in sync.

The review also found that breaking up stakeholders into distinct working groups allowed for “thematic discussion on various aspects of the incident”, though some in HWL Ebsworth did feel that a “reduced cadence” of meetings may have helped during incident analysis.

The centralised approach to managing the response also allowed for a “harmonised approach” when it came to getting the right message across to the public.

One thing that the review found that may have not been quite so necessary post-incident was the activation of national coordination mechanisms (NCMs). These were seen, in hindsight, to have been unnecessary in any meaningful sense.

“However, there was value in briefing senior stakeholders together for situational awareness,” the report said. “This reinforces the value of NCMs where broad-reaching and specific consequences at a national level are identified – such as implications for service delivery, or where a larger cohort of Australians have had significant PII exposed.”

The bad

Of course, the review found that the government response and how it was conducted did throw up some challenges.

Managing time frames was one key challenge, especially when it came to actually triaging the immense amount of data that had been affected. The report found that clearer communication on expected time frames for analysis could have made the process smoother, especially when it came to decision making.

With so many groups working together and so much information to be collated, the report also found that some stakeholders probably didn’t need to be included in certain working groups. It also found that the dissemination of information worked best when it was done with an expected and regular cadence.

A discrete “data and risk management” working group could have been useful, particularly when it came to assisting HWL Ebsworth in assessing the scope of impacted data. In a similar vein, while some working groups could have been trimmed, other stakeholders should have been included or new groups stood up. Of course, that comes with its own challenges to overcome

“Some government entities suggested that additional working groups or forums could have enabled a broader range of interested stakeholders to receive information, support situational awareness, and identify any issues which could be resolved collectively. However, this would have been particularly challenging in the context of the sensitivity of the impacted entity being a legal services provider, and the need to consider client privacy considerations,” the report said.

In a similar vein, the report also found that separate working groups for some regulatory agencies may have assisted in keeping them up to speed on the nature of the advice they were expected to provide.

“In doing so,” the report said, “careful articulation and calibration will be required to involve regulators where their powers or specialities are needed to resolve an incident comparative to their investigatory and/enforcement functions”.

Finally, the report noted that how the response process is ceased is just as important as how it is managed. Some stakeholders felt that the cessation of the coordinated response was too abrupt and that better messaging is called for when it comes down to “the cessation of coordinated activities during future incidents”.

The curious

The report found a couple of curiosities to ponder as well.

Surprisingly, the National Office of Cyber Security feels that the granting of an injunction against accessing the stolen data – granted by the Supreme Court of NSW – was a net positive. At the time, it was thought that such a move was not unlike bolting the barn door after the horse had bolted, but the government feels otherwise.

“Overwhelmingly, this enabled better support to impacted clients (including individuals) through minimising the likelihood that other actors may access and act on the published data, and was overall viewed as a sensible step in the firm’s response,” the report said.

“HWL Ebsworth’s intention when seeking the injunction was never to stop its clients from accessing their own data, as several clients were granted exemptions to ensure access for this purpose could continue. However, the injunction also prevented accidental unauthorised access which would have been inevitable in the circumstances where clients of the firm were seeking their own information but would, in the process, further compromise the privacy of other matters unintentionally.”

The report also noted that support services are essential given the sometimes highly personal nature of the data impacted by such events.

Lessons learnt, actions to take

The National Office of Cyber Security (NOCS) feels there are five key steps to take ahead of future incidents of a similar scale, which it is working on immediately:

1. Publish resources on the role of NOCS during a cyber security incident and how impacted organisations can request coordinated support to manage the consequences of incidents.

2. Develop a playbook for the professional services sector, which will outline how government and industry can work together to respond to an incident impacting the sector.

3. Develop processes to support broader engagement with industry and enable other directly impacted industry entities to benefit from a coordinated response to an incident.

4. Improve processes for the disclosure of relevant information relating to the coordination of incidents impacting Australian government entities.

5. Engage with state and territory governments to better integrate their interests into coordinated consequence management activities, especially when multiple government entities within a jurisdiction are impacted by an incident.

You can read the full report here.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.