The challenges of building a cyber security infrastructure in Australia


300x200_0002_soldiersBy Brett Biddington

Cyber security is a hot topic. Government, the banks, large corporates all confess to being under sustained attack from State-sponsored and private entities. Many smaller organisations, including not-for profits are also under sustained attack. These systems are typically less well-defended, making them vulnerable to capture and use for the remote release of malicious code on individuals and organisations alike.

The identities of some attackers are known, although rarely announced, whilst others are masked. All, however, are involved in illegal activity and the time has come to remove the term ‘hacker’ from the lexicon and to instead use words like ‘intruder’, ‘thief ’ and ‘vandal’. The point is that, with few exceptions, the behaviour is conducted with criminal intent. We need to bring this point front and centre in the way in which we discuss such behaviours. We need to strip away any suggestions that hackers are responsible people whose actions should be admired and whose ingenuity should be acknowledged. Criminal activity is criminal activity.

Beyond changing the language and therefore the focus of the narrative, a question that is rapidly emerging is; what else should Australia be doing for the assaults on our networks that, almost certainly are going to increase in intensity and sophistication in the years ahead?

The changing cyber environment

Cyberspace is an environment, just as is the sea, the land, the air and space. Cyberspace transcends national borders and has features, as does the physical world, that constrain action and permit navigation. Like space, the high seas and possibly Antarctica, cyberspace transcends national borders, which means that regulation is difficult if not impossible at a global level.

Cyberspace is undergoing rapid transformation. Three data points are offered:

• To date, most devices on the internet have been linked more or less directly to people. Increasingly machines are talking to machines and making decisions without any human intervention

• The explosion in mobile devices and wireless access to the internet most of which are vulnerable to attack and exploitation

• The geography of cyberspace is exploding in volume – from 4.2 billion IPv4 addresses that have been available to date to an inconceivably large 3.4 x 1038 IPv6 addresses.

The combined impacts of these developments and their consequences for human activity and organisation, present challenges for policy makers, legislators and strategists which we can barely grasp. In summary, we are moving from an internet that was populated mostly by people to an internet that is mostly populated by things. People to people transactions will progressively, and quite rapidly, reduce as a proportion of the sum of all activity in the cyber environment.

Smart Grid technology is one example of a system of internet-enabled devices that has the capacity to remove humans from decision processes. Building Management Systems are another. Currently available products have major physical, electronic and logical security vulnerabilities. Resilience has not factored as an important design criterion, yet so much depends on the assured and continuous operation of these products.

Fundamentally, every major human activity conducted in the physical environments is controlled, regulated, directed, enables by commands and instructions that are conceived, delivered, acknowledged, stored, monitored and measured in the cyber environment.

Implications for Australia

Australia’s cyber defences are fragile for two basic reasons:

• The community is either unaware or in denial about the vulnerabilities we have embraced uncritically in our rush to connect and our rapid adoption on internet technologies

• There is a critical shortage of people who know how to comprehend and manage Australia’s interests and objectives in the cyber environment.

Certainly the problem is recognised by Governments at least in declaratory policy documents. The National Security Strategy, for example, which was launched by Prime Minister Gillard in January 2013, listed three national security priorities to be addressed in the next five years – one of which was; ‘Integrated cyber policy and operations to enhance the defence of our digital networks’.

There is every indication that our new Government is equally committed to securing the cyber environment in Australia’s interests, noting there are critical international dimensions.