Cyber Security: The Roles of Defence and Government in Cyber Security | ADM November 2011


John Hilvert, with additional reporting by Gregor Ferguson | ADM November 2011

The newly appointed head of CERT-AU, Carolyn Paterson, noted that a three-day symposium such as this would not have been conceivable five years ago: “It would have been a small part of something broader,” she said.

Established in January 2010 as the national coordination point within the Australian Government for the provision of cyber security information for Australian business, CERT-AU’s role is to be the initial point of contact between industry and government on cyber security. It is also the “go to” organisation for cyber security information nationally and internationally.

Its main role is to respond to and provide information on cyber threats and vulnerabilities impacting Australian Systems of National Interest (SNI). These are systems and organisations that have high economic value or hold sensitive intellectual property (e.g. biotechnology patents, commercial data), she said.

Patterson expects the cyber security environment will continue to evolve and CERT-AU will continue to adapt and respond to the changing threat landscape.

CERT-AU aims to coordinate technical responses to cyber incidents impacting Australian business. It also promotes training for business and substantial organisations in conjunction with the Industrial Control Systems Cyber Security Advanced Training held at Idaho National Laboratories in the USA as part of the Department of Homeland Security. The Australian Government offers grants to assist with travel and accommodation and to strengthen the community of those interested in the security of industry control systems, known as supervisory control and data acquisition or SCADA security.

The differences between government and the private sector, including their strengths, vulnerabilities and even jurisdictional distinctions, mean we should be wary of conflating cyber security issues and ‘over-securitising’ them, warned Dr Andrew Davies of the federally-funded Australian Strategic Policy Institute.

In particular, Davies said, conflating issues can make them seem intractably large and homogenous. This can inhibit cost-benefit analyses of problems and potential solutions and in turn makes effective solutions harder to find.

Cyber security represents a set of policy issues, not a single issue, with a graduating scale of threats and vulnerabilities across the private and public sectors. Close scrutiny shows there’s a logical hierarchy of policy, jurisdictional and technical responses to the cyber threat which demand a rational approach, said Davies, pointing out that a cost-benefit analysis needs to understand the costs of cyber attack properly, along with the benefits of specific approaches to cyber security. “If you’re not talking dollars you’re not talking policy,” he stated baldly.

Davies also reiterated the strong case he’d made in an earlier ASPI paper on cyber security for Australia not establishing a single cyber czar [1].

The cyber security problem is in fact best understood as a set of policy issues, rather than a single looming one that Government and industry have to deal with. It ranges from a real threat to national security down to petty crime or plain nuisances.

Because it covers, first, identity and credit card fraud, it falls naturally into the issue of law enforcement at federal and state levels.

As it also includes hacking of Facebook and Twitter accounts caused by lax user behaviour or unwise site searching, it is also an educational and quasi-regulatory issue for consumer agencies such as ACMA and the Department of Broadband, Communications and the Digital Economy. And it is an area where commercial solutions such as anti-malware and ISP codes such as the icode are part of the solution.

And because it is also associated with malicious, potentially foreign-government intrusions, it is clearly an issue for Defence and the National Cyber Security Adviser within Prime Minister and Cabinet.

Davies argued that only when Defence and national security are at risk and deliberate crime is involved is there a clear impetus for Governments to intervene.

While the boundaries between these three fronts were changing, and occasionally a law enforcement issue should have been better handled as a national security matter, this was no reason to abandon current remedies or approaches in favour of a new central role, Davies argued.

He forecast that consolidating the three into a single operational and strategic organisation would only lead to delays and introduce inflexible approaches to override otherwise practical approaches available in the market place. He instanced the example of how the banks cope with developing threats, and the fact that many users first learn their credit card numbers are being misused via a warning from their banks.

While Davies agreed it was important for various organisations to communicate regularly with each other to be alert to new developments in cyber crime, this was an inadequate argument for establishing a national cyber czar.

The role of the Australian Security Intelligence Organisation (ASIO) and its approach to gathering intelligence relevant to cyber security was covered by its Deputy Director-General, David Fricker.

Fricker sought to explain and distinguish concepts such as cyber attack, cyber intrusions, cyber warfare and cyber-espionage. The latter, naturally, is of most interest to ASIO as espionage via covert means such as cyber intrusion was one of its major preoccupations.

His main focus for the purpose of the summit was on the espionage threat. ASIO’s job is to provide useful intelligence, so it deals with business as well as Government and has established a business liaison unit with its own web page [2].

The area of most interest for ASIO is “Cyber Intrusion”: a catch-all term for unauthorised access into a network that could compromise the network.

Understanding the reasons for those intrusions is vital, he informed the summit: “That will define how we go about constructing our responses to them.”

He cautioned that if organisations adopt a narrow view of cyber attacks, then they will adopt a narrow view of the kind of response available.

“This can be self defeating and see organisations responding in an ad hoc, reactive way to repeated seemingly random attacks and patching vulnerabilities as they become evident from the attacks.”

He explained that the goals of espionage had not changed.

“We just have a new attack vector through cyber espionage,” he said. It was a supplement and there was no evidence that cyber espionage would replace conventional espionage. However, it would grow because there were fewer risks in perpetrating cyber espionage and it was often less expensive to deploy than physical espionage, such as spying directly.

“Cyber Espionage means you need to think through why the attack [occurred] and possibly whether there may be physical espionage operating as well,” Fricker said.

He reported that Australia is an “attractive target” for espionage because of its alliances with the US and its influence in the region and position in the world.

He argued that if you do have an intrusion, you need to ask whether you were the target – was it just a random event or part of a broader campaign prejudicial to your organisation in some way? If you were a target, what other agencies or organisations might be targeted?

Ian Dudgeon of Ian Dudgeon and Associates P/L and co-author of ‘Australia and Cyber-Warfare’ focussed the Summit’s attention on the cyber threat to Defence and the ADF: he pointed out that some 90 per cent of the Defence Information Infrastructure (DII), such as satellites and fibre optic networks, is owned by the private sector.

In the event of open (or even cold) war an adversary would tackle the DII, and also the national and global information infrastructures (NII and GII) – the hardware, software, information and people which actually make up the networks.

These components, along with the DII, NII and GII themselves, all overlap at critical junctures and are increasingly integrated and inter-dependent. The Force 2030 vision set out in the 2009 Defence White Paper promises capability advantages but also has many vulnerabilities – information assurance demands that the availability, integrity, confidentiality and authenticity of voice and data traffic flowing through the networked ADF and Defence Organisation is unbroken.

An important part of the cyber security solution is simple ‘cyber hygiene’ along with best practice in security and architectures which provide resilience against disruption, Dudgeon said.

Footnotes

1. http://www.aspi.org.au/

2. see http://asio.gov.au/ASIO-and-National-Security/Units/BLU.html

Subject: Cyber Security
