Security News

Does Australia even know what it’s doing with its cybers?

As a person who loves the technical specifics of how criminals invade networks, exploit vulnerabilities, and do all the bad stuff that vendors love to scare you with, I'm often dismayed by what we hear from the government. I'm sure it's the case with most government initiatives — don't drown people in the specifics — but after looking through the update to Australia's National Digital Economy Strategy for how we're going to secure ourselves, I'm left wondering, is that it? And didn't we already have something like this previously? The strategy is meant to be a blueprint for how Australians are going to use the National Broadband Network (NBN) and take advantage of the digital economy to prosper. It's probably a good idea to look into the online space, considering we're building this big network for it and the rocks are going to run out, but I get the feeling we're still this young, naive country that might have a good deal of intelligence, but no street smarts. The strategy lists safety and security as one of the eight enablers for Australia's digital economy, but that section of the report might as well have been about education. It sounds promising on the surface — a national plan to actually combat cybercrime — but, reading into it, the government is actually talking about big red help buttons, "cyber" bullying, and raising general awareness about installing antivirus software and patching. Granted, these are significant social issues, but where's our national strategy for actually doing something about these attacks? The big red button is more of a big red line in the Department of Broadband, Communications and Digital Economy's books, at a cost of AU$136,000 in 2010. It didn't even get accepted by Apple's iTunes App Store. Which wouldn't be too bad if it could just tweak the source of it. But it doesn't even own the code. A key part of the national plan I mentioned before is the Australian Cybercrime Online Reporting Network, which was actually proposed by the National Cybercrime Working Group (NCWG). What does the NCWG do? It was created in 2009-2010 under the Attorney-General's Department to "promote a nationally consistent approach to combating cybercrime", according to the department's 2009-10 annual report. So if we're only getting part of the national plan after three to four years, how far behind are we? At the same time, we have a federal Cyber Security Strategy (PDF) that we dreamed up in 2009. It also looks at making sure that Australians are aware of the dangers of the internet. What seemed to be a pretty good idea at the time was the Cyber White Paper, titled "Connecting with Confidence: Optimising Australia's Digital Future". That sounded like another paper to help tackle the issue of securing Australians on the internet.

After all, the attorney-general responsible for it at the time, Robert McClelland, said that online criminal activity is such an important national security issue that "there is a need for a cybersecurity whitepaper", and that "our cyber capacity is relevant to our strength as a nation". If you can bear with the overuse of "cyber", the paper was originally meant to cover topics including "cybersafety, cybercrime, cybersecurity, and cyberdefence". Today, try going to the original URL for the Cyber White Paper, and you're met with a 404 Not Found error message. That's because despite the need for a paper on online security, it's been renamed to the Digital White Paper, and has had its scope changed entirely. And what of the confusion over the local computer emergency response teams? Not-for-profit group AusCERT has been pretty much replaced by CERT Australia. But that's OK, because they'll probably be working together in the Cyber Security Operations Centre. Or is that the Australian Cyber Security Centre? The one that, initially, will be staffed mostly by Department of Defence officers? The point is, I've probably only covered a few of the initiatives, plans, proposals, and centres that Australia has in place to counter the scary threat of cyberterrorism, and yet years after we've made it a big deal, we're still talking about educating people, getting strategies in place, and getting our heads around the problem.

And even then, it doesn't look like we're doing a very good job of it. For example, a colleague of mine put me on to an AAP article today that seemed to be especially alarmed that the Department of Defence was seeing 1,800 "cyber incidents" in the last year. I can tell you now, if we think we're only exposed to a little under five attacks a day, we're screwed. I don't mean to belittle the efforts of the Australian government with its well-meaning reports, but coming out with a report in 2009 saying we need to establish a cybersafety group, then doing pretty much the exact same thing in 2013 makes me wonder if we know what we're doing. The fact that we're only now beginning to do things such as polling the private sector for attacks screams that we are blind, oblivious to what's happening, and we're spending millions, if not billions, on a problem we don't actually understand. Then again, I'm sure the folk at the Defence Signals Directorate know what they're doing. Oh, wait, that one's supposed to be called the Australian Signals Directorate now.