Big challenges ahead for CIP
by Ernie Davitt, National Affairs Editor, ASM
Under the Federal Government’s evolutionary approach to protection of critical national infrastructure, Australia has some major runs on the board – but some significant challenges lie ahead, including effectively combating cyber-espionage.
The Government has been involved in frenetic activity over recent months to try to fix major vulnerabilities in internet services, information and communications systems which seem to run right across the gamut of critical infrastructure (CI) activities.
According to a recent study, 37 per cent of IT executives working in critical infrastructure said the vulnerability of their sector had increased over the previous 12 months.
The report, from global internet security specialist McAfee, said that despite a growing body of global legislation and regulation, two-fifths of executives expected a major security incident in their sector within the next year. Only 20 per cent thought their sector would be safe from serious cyber-attack over the next five years.
The report In the Crossfire: Critical Infrastructure in the Age of Cyberwar, commissioned by McAfee and authored by the US Center for Strategic and International Studies (CSIS), put the annual cost of downtime resulting from cyber-attacks on CI, including electricity grids, oil and gas production, telecommunications and transport networks, at around $US2.3 billion globally.
A survey of 600 IT security executives from CI enterprises worldwide showed that 54 per cent had already suffered large-scale attacks or stealthy infiltrations from organised crime gangs, terrorists or nation-states.
The report also found that the risk of cyber-attack was rising because many of the world’s critical infrastructures were built for reliability and availability, not for security.
“Traditionally, these organisations have had little to no cyber protection, and have relied on guards, gates and guns. Today, however, computer networks are interconnected with corporate IT networks and other infrastructure networks, which are accessible from anywhere in the world,” the report said.
“In today’s economic climate, it is imperative that organisations prepare for the instability that cyber attacks on critical infrastructure can cause,” Dave DeWalt, president and CEO of McAfee, said.
“From public transportation, to energy, to telecommunications, these are the systems we depend on every day. An attack on any of these industries could cause widespread economic disruptions, environmental disasters, loss of property and even loss of life.”
In Australia, one of the more significant positive developments has been establishment of the Trusted Information Sharing Network (TISN) where national intelligence agencies, law enforcement, governments and industry players can share information and experiences with a degree of privacy.
The major work of TISN so far has focused on banking and finance, communications, emergency services, energy, the food chain, health, mass gatherings, transport, and water supplies, all of which would be affected by attacks on information and communications technology.
Federal responsibility for cyber security is spread across a number of agencies including a new national computer emergency response team, CERT Australia, and a new Cyber Security Operations Centre (CSOC) within the Defence Signals Directorate in Canberra.
As part of its tightening of e-security, the Government is also preparing a report looking at reducing the number of Government internet gateways in Australia.
The CSOC, with an initial staff of 130 drawn from a number of agencies including ASIO, the Defence Intelligence Organisation, scientists from the Defence Science and Technology Organisation, and the AFP, is developing capabilities to gain an edge in the cyber space domain and provide better understanding of the cyber threat from sophisticated cyber attacks.
The cyber-security agencies will work with all TISN members but most closely with the Communications Sector Infrastructure Assurance Advisory Group. This consists of the owners and operators of critical infrastructure in the telecommunication, broadcasting, international submarine cable and postal sectors as well as representatives from all levels of government.
Important work contributing to CI protection is also being done towards development of a national catastrophic disaster plan by Emergency Management Australia, which, under the ‘all hazards’ approach, covers everything from terrorism incidents to major natural disasters.
ASIO’s Business Support Unit, set up to facilitate a two-way flow of intelligence between the Government and the owners and operators of critical national infrastructure, has also been making a useful but very much behind-the-scenes contribution.
ASIO does not appear to be as up-front about its activities as, say, Britain’s MI5, which, it was revealed, issued a formal warning over a year ago to British business executives that Chinese intelligence agencies were engaged in wide-ranging efforts to hack into British companies’ computers and to blackmail British businesspeople over sexual relationships and other improprieties.
The warning, in a 14-page document called The Threat from Chinese Espionage, was prepared in 2008 by MI5’s Centre for the Protection of National Infrastructure, and distributed as a restricted item to hundreds of British banks and other financial institutions as well as businesses.
The document followed public warnings from senior MI5 officials that China posed a significant espionage threat to Britain.
Open source intelligence, including speeches by top US intelligence officers, points to the Chinese Peoples’ Republic Army as the source of many cyber attacks against Western governments, including Australia.
One of the major areas of focus within TISN at the moment has been developing a new Critical Infrastructure Resilience Program, to be officially launched around May.
Mike Rothery, the Acting Chair of the Critical Infrastructure Advisory Council, told a Council meeting just before Christmas that an extensive consultation process would take place in early 2010 with the owners and operators of CI in the lead-up to developing the new program.
It would centre on two main elements: organisational resilience and support for disaster resilience.
“Organisational resilience will focus on enhancing the ability of critical infrastructure businesses to continue to deliver essential services in the face of significant and unexpected challenges,” Mr Rothery said.
“Disaster resilience will focus on the contribution businesses could make to the ability of communities to prepare for and recover from disasters. This will necessarily require organisations to take greater account of the impacts on the community of their operational decisions, before and immediately after a disaster.
“I look forward to working with the Advisory Council to create a new Critical Infrastructure Resilience program that helps build a more resilient nation – one where all Australians are better able to adapt to change, where we have reduced exposure to risks, and where we are all better able to bounce back from disaster.”
A measure of what remains to be done in sorting out responsibilities and smoother lines of communication within and between governments can be seen in the words of the joint communiqué from a Council of Australian Governments meeting in December, which has set up yet another committee:
“Critical infrastructure is essential to Australia’s national security, economic prosperity and social well-being. COAG noted that the effective protection of critical infrastructure is reliant on a strong, collaborative partnership between governments and critical infrastructure owners and operators.
“COAG noted that there are areas of common government responsibility where critical infrastructure activities need to be closely coordinated. To help achieve this improved coordination, COAG agreed to create a new committee, the National Critical Infrastructure Resilience Committee, both as a national co-ordination mechanism for critical infrastructure resilience, as well as to enhance and replace existing co-ordination mechanisms.
“The National Critical Infrastructure Resilience Committee will develop working relationships with relevant Ministerial Councils and Committees, and undertake further work in relation to the roles and responsibilities of respective governments as they relate to the concept of ‘critical infrastructure resilience.’”
It remains to be seen how successful the new resilience committee will be.
The Attorney-General’s Department has also been restructured to create a National Security Resilience Policy Division, with a key focus on looking after critical infrastructure.