From: The Drum/opinion

Matthew Warren

The threat of cyber attacks to governments, businesses and individuals is real, and the creation of an Australian Cyber Security Centre is a major step forward in taking it seriously, writes Matthew Warren.

This week, Prime Minister Julia Gillard released Australia’s first National Security Strategy, Strong and Secure: A Strategy for Australia’s National Security. This strategy reinforced the importance of the protection of Australian’s against many security threats including cyber threats.

It is hard for us in Australia to imagine the consequence of a cyber attack: an extended loss of power or the failure of related systems such as ATMs, the internet and medical equipment; the failure of public transportation systems; water treatment plants being non-functional; or a lack of food at the supermarkets due to the malfunction of food distribution systems.

These potential risks are why governments in all countries are so concerned about cybersecurity threats.

Within the Australian context, there a number of new key areas that the government’s strategy addresses. It is proposed that within the next five years, the government will develop an integrated cyber policy and operations approach, meaning we could see a broader and more unified cybersecurity policy approach covering a range of areas such as cyber safety, critical infrastructure protection and resilience managed under a single strategic policy theme.

The Australian Government’s strategy acknowledges the threat of cyber espionage and foreign interference and the threat to “classified government information; commercial information with direct consequences for business and the economy; intellectual property; and the private information of Australian citizens”.

This is a major acknowledgement that cyber threats now impact every Australian and have become an issue not only for governments but for individuals and their online information.

The need to “Strengthen the resilience of Australia’s people, assets, infrastructure and institutions” against cyber attacks has also been recognised. This means the issue is not just one of protecting against cyber attacks, but also the ability to rebuild systems quickly after a cyber attack and minimise their impact.

Tied up with the new strategy was the announcement of the creation of a new Australian Cyber Security Centre which will be in operation by the end of 2013 and which aims to improve partnerships between government and industry.

This will combine the existing Defence’s Cyber Security Operations Centre, the Attorney-General’s Computer Emergency Response Team (CERT) Australia, ASIO’s Cyber Espionage Branch and parts of the AFP’s High-Tech Crime unit into a single centre hopefully allowing for a faster sharing of information between government and industry.

The centre will have the ability to protect against new and developing cyber security threats in real time and allow for information to be shared quickly, so any cyber risks can quickly be mitigated. This is a major step forward in the cyber protection of Australia.

We have also seen the Australian Government accept the need for international cooperation to deal with cyber threats, and the need to expand Australia’s cooperation with the United States of America in the cyber domain in terms of sharing information, being part of joint training exercises, and coordinating cyber defence responses.

Many critics dismiss the cyber threat to Australia as being “hype or overstated”, but that is far from the truth. In 2007, cyber attacks on Estonia resulted in the failure of Estonia’s online infrastructure; in 2010, we saw the development of Stuxnet malware (in this case a worm) that had the ability to disrupt certain types of SCADA (Supervisory Control And Data Acquisition) systems that support key industrial systems, such as power supplies and water treatment facilities.

In Australia, 438 cyber incidents occurred between 2011-12 which required a significant response by the Australian Government, Cyber Security Operations Centre; and in 2012, we saw the hacking group Anonymous steal personal information of hundreds of thousands of Australian AAPT customers and disclose that information online.

While this strategy might be a positive move by the current Government, future governments will need to ensure adequate funding for the Australian Cyber Security Centre and ongoing related activities.

While funding is important, the human resource consideration is essential. The Australian Computer Society has highlighted IT skills shortages in a number of areas including cyber security, and they have highlighted the decline in Australian students studying information systems and information technology at Australian universities. Appropriate steps would have to be taken to address the current and future skill shortages.

The Australian Federal Government’s announcement is a positive step towards protecting Australian against current and future cyber security threats. The Strong and Secure: A Strategy for Australia’s National Security is a high level vision, however, and we can expect further details to be forthcoming over the next few months – as always, the devil is in the detail.

Matthew Warren is a Professor of Information Systems at Deakin University. View his full profile here.