Lessons for Organising Cyber Security in Australia and Beyond
Australia’s 25 years of experience in combating online threats is a rich source of guidance for structuring the country’s future cyber security apparatus.
Cyber security presents many challenges, including how to organise collective action against cyber attacks and malicious activities. This is a serious problem for Australia, as it is for most countries that are grappling with the promise and peril of networked information technology.
Now that the internet is decades old, cyber attacks have become so common that we may take them for granted. However, cyberspace and the threats therein were once new, and within living memory. During the 1980s and 1990s, the public and private sectors started creating new organisations to address previously unimagined threats.
How were cyber threats initially interpreted, and what models or norms for defence against them emerged in response? Similarly, how did national policy and operations evolve over time, especially in light of the government’s traditional roles and responsibilities for national security?
Most internet infrastructure is now built, owned and operated by the private sector. The same is true for most of the information technology used in other kinds of critical infrastructure (ranging from the electrical grid and financial services to telecommunications, transportation and health care). Military and intelligence agencies play a role, but even they rely on much of the same hardware, software and network infrastructure as other government agencies and the private sector.
The Australian Computer Emergency Response Team (AusCERT) was the first non-government organisation in the country to be dedicated to civilian cyber security; it also served as Australia’s national incident response team for more than 15 years. Australia adopted this organisational form from the United States because imitating the US was seen as legitimate and appropriate.
Australia’s initial response to hacking
The US chose a relatively decentralised, voluntary and private approach to civilian cyber security. This policy preference was significant in part because other countries followed suit. CERTs—also known as Computer Security Incident Response Teams (CSIRTs)—were institutionalised as a common organisational form.
Australia was an early adopter of the US model. Granted, there may also have been financial incentives to imitate the US—Australia’s internet connection was subsidised by NASA—but the universities at the centre of cyber space saw this as the best response.
Housed at the University of Queensland, the Security Emergency Response Team was launched in March 1993, accepted into the Forum of Incident Response and Security Teams in August 1993, and renamed the Australian Computer Emergency Response Team in April 1994. It had no authority to act; it simply existed. The organisation served as Australia’s de facto national CERT from 1993 until 2010, during which time the number of internet users grew from less than 2 per cent of the Australian population to more than 75 per cent.
Its mission was to supply services for cyber security. These included monitoring and evaluating malicious software and system vulnerabilities; recommending prevention and recovery strategies for incident response; sharing information and helping raise awareness; and liaising with government agencies and foreign counterparts as a trusted intermediary on sensitive issues such as technical attribution.
International approaches
International cooperation on cyber security was initially informal, tactical and limited but the Five Eyes intelligence alliance (Australia, Canada, New Zealand, US and UK) now cooperates closely. At least among these allies, Australia’s role during Y2K helped catalyse real-time monitoring and information-sharing in a small way.
Australia also helped advance cooperation in the Asia Pacific. First, AusCERT sponsored China’s entry into the international body, the Forum of Incident Response and Security Teams (FIRST). Second, 15 CERTs from 12 economies agreed to establish the Asia Pacific Computer Emergency Response Team (APCERT), which held its first meeting in February 2003. APCERT was the first successful regional CERT.
Domestic divisions of labour
Australia chose not to create an official national CERT inside government until 2009. Australia’s reluctance to subsidise the national interest in incident response included its intelligence community. In 1997, the Defence Signals Directorate (DSD) considered establishing a national CERT inside government. Yet little action was taken then or when the Intelligence Services Act of 2001 required the DSD to assist state and federal authorities with information security. The DSD was still focused on signals intelligence, similar to the US National Security Agency.
The Australian case provides valuable insight into cyber security operations and policy. It highlights three lessons about incident response concerning the role of government and the over-reliance on military and intelligence agencies. These lessons provide a foundation for further study and policy development.
First, as an early adopter of the CERT system (and subsequent promoter of the same), Australia illustrates how some of the oldest norms about cyber security have diffused and spread around the world. Australia modelled its initial response to hacking on what was occurring in the US. It coped with novel threats by looking abroad, yet not too far afield, and with an eye towards replicating what was seen as an appropriate and legitimate model at a time when good metrics and evidence of effective incident response were lacking. In adopting this model, Australia also accepted the underlying assumption that civilian cyber security should be decentralised, voluntary and mostly private. This assumption is now taken for granted. But it was neither inevitable nor technologically determined.
Second, the CERT system worked up to a point. Through the CERT community, cyber security practitioners established interpersonal relationships built on earned trust. These relationships helped them to share more sensitive information than might otherwise have been feasible. Thus, on the one hand, the Australian government benefited from delegating and orchestrating aspects of incident response through AusCERT. This non-government organisation helped to advance national security and international cooperation.
On the other hand, providing public goods and services is rarely cost free, and government leadership and support for civilian cyber security were lacking during the 1990s and 2000s. When the government failed to understand or accept responsibility, non-government organisations had difficulty picking up the slack.
Potential trade-offs between the institutionalisation or professionalisation of cyber security versus decentralised, voluntary and private approaches to governance warrant further research. But most evidence indicates that neither AusCERT nor CERT Australia enjoyed sufficient support from government or industry in their respective roles as the national response team. While the relationship between these CERTs has improved since 2009, the potential for confusion remains. More importantly, Australia lacks an integrated or unified incident response capacity for the country as a whole. It therefore risks falling further behind in solving the collective action problems presented by cyber attacks and malicious activities.
Finally, the Australian government has tended to perpetuate rather than compensate for underinvestment in civilian organisations and law enforcement by relying instead on military and intelligence agencies—particularly the Australian Signals Directorate (ASD). Australia is not alone in this regard. In the US, the National Security Agency (NSA) and US Cyber Command enjoy the lion’s share of government funding for cyber security. The Department of Homeland Security houses US-CERT, but it has never been given the money or manpower to rival the NSA in this field.
Nor is the effectiveness of military and intelligence agencies for civilian cyber security self-evident, especially given the importance of information sharing and trust. For instance, building on the CERT system, an international norm may be emerging that ‘states should not conduct or knowingly support activity to harm the information systems of the authorised emergency response teams’. However, honouring this norm may prove difficult if civilian teams such as CERT Australia depend so much on military and intelligence agencies that their independence lacks credibility, their legitimacy suffers and they are interpreted as appropriate targets for attack.
Like the organisation and distribution of resources for incident response, these interpretations are influenced by choices that could be different. As in the past, these choices will shape the future of cyber security in Australia and beyond.
Dr Frank Smith is a senior lecturer at the Centre for International Security Studies, University of Sydney.
Graham Ingram is a member of the Privacy and Security Advisory Committee, Australian Digital Health Agency.
This article is an edited extract from an article published in the Australian Journal of International Affairs on 16 May 2017. It may be accessed in its unabridged form here.