In our Kokoda Foundation report in early 2011, we called for
an updated National Cyber Security Strategy together with a cyber capability
plan to be developed across government and industry. The vulnerabilities
inherent in cyberspace made it imperative for Australia to develop the
requisite strategy, capabilities, policy, tactics, techniques, and procedures
for employing the full suite of cyber operations to ensure freedom of action in
cyberspace and, to the maximum extent practicable, the safety and security of
Australian citizens using cyberspace.
So, what progress has been made with the Cyber Strategy in
the intervening two years? The Australian Government’s much-anticipated 2012
Cyber White Paper was shelved and replaced with a proposal for a more general
discussion paper on the digital economy. Responsibility for the paper was
shifted from the Department of Prime Minister and Cabinet to the Department of
Digital Economy, run by Communications Minister Stephen Conroy.
This latter move did not fill us with much confidence,
given that the bulk of Government cyber knowledge and expertise
resides in other Departments. Having said this, we must emphasise that we are
not arguing for the lead to be with the Australian Department of Defence. We
agree with the thrust of President Obama’s February 2013 directive, which
instructed the civilian Department of Homeland Security to steer improvements in
protections for private industry, instead of giving the lead to the US
military’s National Security Agency. It is important not to treat cyber
security as a “war zone”.
At the start of the Cyber White Paper development process in
June 2011, the Attorney-General had said the White Paper would build on the
Government’s 2009 Cyber Security Strategy and the establishment of the Cyber
Security Operations Centre (CSOC), CERT Australia, the Cyber Safety Plan and
the Digital Economy Strategy. Whilst the recent National Security Strategy made
some pronouncements related to cyber issues, it could not be viewed as an
updated Cyber Security Strategy and, significantly, made no additional funding
commitments to address what we view as a clearly escalating threat. Indeed, the
2013 National Security Strategy called for integrated cyber policy and
operations and identified malicious cyber activity as a key national security
risk. It is difficult to see how these points can be anything more than
rhetoric without sufficient funding. Furthermore, the Strategy argues for
engaging with business and strengthening cyber security partnerships between
government and industry. Again, these good words sound hollow without
sufficient funding tied to them.
The unprecedented sophistication and reach of recent cyber
attacks demonstrate that malicious actors have the ability to compromise and
control millions of computers that belong to governments, private enterprises
and ordinary citizens worldwide. In a useful contribution last year, Georgia
Tech in the US argued that if we are going to prevent motivated adversaries
from attacking our systems, stealing our data and harming our critical
infrastructure, the broader community of security professionals — including
academia, the private sector and government — must work together to understand
emerging threats and to develop proactive security solutions to safeguard the
Internet and physical infrastructure that relies on it.
To meet this escalating threat, we need a National Cyber
Security Strategy that seeks to maintain and enhance the benefits the nation
derives from its activities and capabilities in cyberspace while shaping the
strategic environment and strengthening the foundations of its national
capabilities. Its key objectives should be to:
- strengthen security and safety in cyberspace;
- maintain and enhance the strategic advantages afforded to Australia by cyberspace;
- energise the cyber industrial base that supports the nation;
- accelerate innovation to address the growing threat; and
- provide cyber security awareness, training and education through a coordinated national effort with the necessary resources to be effective.
An Australian National Cyber Security Strategy should draw
upon all elements of national power – economic, diplomatic, military,
informational, technological, and societal.
Armed with a National Cyber Security Strategy that sets out
strategic objectives and approaches, Australia could integrate the various
agendas that call for individual security, corporate security, national
security, and international security. Calls for action within these agendas are
likely to become more strident as cyber crime, cyber espionage, cyber attacks
and security breaches increase in frequency, complexity and sophistication.
Indeed, most indicators point to future cyber crime and cyber attacks becoming
more severe, more complex, and more difficult to prevent, detect, and address.
An emerging but rarely discussed issue is that of active
defence or cyber attack. Criminals and foreign intelligence services are
targeting Australian companies and government agencies. Unfortunately, cyber
“defence” has its limitations. Companies and agencies must be able to detect
the attackers and take more aggressive action to defend their networks and
protect their information. The setting of security standards for companies is
important, but that is only part of the equation. There needs to be more public
debate about just what companies can and cannot do to defend themselves in
cyberspace. For example, clarity is needed around what action is reasonable in
defence of one’s intellectual property.
Commentators are now talking about active defence and while
some have defined it precisely, the term continues to cover a broad spectrum.
For example, it is used to cover software that scans for viruses without
breaching systems on the one hand, while on the other, it is used to cover
tools that defend against a cyber attack by disrupting the attacker’s network.
Lying between these two ends of the active defence spectrum is the action of
hacking into a server to protect data that an intruder is trying to steal.
While Government has a key role in cyber security, it is
vital to ensure that all Australians accept the notion of shared
responsibility. However, effective deterrents to cyber crime and cyber attacks
are not known, available or accessible to a majority of people or
organisations, many of whom still underestimate the scope and severity of the
threat. More accurate intrusion reporting to regulators, law enforcers and
national security practitioners could see issues related to cyber security,
including cyber crime, become recognised as a more immediate priority.
Businesses may be reluctant to invest fully in comprehensive cyber security
until after a catastrophic cyber event. Given the critical role of industry in
owning and operating much of our nation’s critical infrastructure, the
Australian Government has a vested interest in improving the public debate
around cyber security and in encouraging the necessary investment by the
private sector.
However, nothing to date, or in train, appears to address
the cyber-related capability gaps that would enable a current baseline cyber
posture to be developed, a consolidated view of all requirements and gaps to be
presented, and future remediation and implementation plans to be developed. As
a result, cyber capability gaps across the Australian Government will continue
to hinder the agencies’ ability to plan for and conduct effective cyber
operations.
The Australian Government acknowledged in its 2009 Defence
White Paper that new disruptive technologies that could threaten network
capabilities were likely to increase, and that the threat and complexity of
cyber warfare was also likely to increase. The Defence White Paper also argued
that the emerging threat would require significant and sustained investment in
new technology and analytical capability to guard the integrity of information
and ensure the successful conduct of operations. That new money for a
whole-of-Government response has not been forthcoming.
It is as vital to develop incentives to change the behaviour
of IT providers, business operators and the general public as it is to increase
the level of public awareness about potential vulnerabilities.