Australia attacked: What happened at Cyber Storm II

Communication between the private sector and government has been identified as the key lesson learned from the recent simulated cyberwar, Cyber Storm II.
Written by Brett Winterford, Contributor

In March, some 50 private Australian companies were invited to join Federal government agencies to test their IT systems against cyber-warfare attacks.

Scenarios at Cyber Storm II included simulated attacks against the control systems of utilities such as electricity and water companies, the replicated hacking of online banking systems, and the unauthorised control of telecommunications carriers' traffic routing systems.

The exercises, says Melbourne IT chief technology officer Bruce Tonkin, were akin to the script of the fictional movie Die Hard 4, in which terrorists gain control of key systems such as utilities, broadcasters and power companies.

Certain elements of the exercises were scripted, others unrehearsed, to test how all the key stakeholders would respond.

Participants in the event have told ZDNet.com.au that communication between stakeholders — and not technical readiness — was the key area requiring improvement among those organisations that manage the country's critical infrastructure.

Karl Hanmore, operations manager at security response centre AusCert, said the exercise demonstrated the need for ongoing communication between the government and private sector.

"We need to share information, not just say we are going to share information," he said.

Few of the privately owned organisations, for example, were aware of the instruments the government has in place in the event of cyber-attacks. As such, technologists taking part in the event acted in a way the organisers didn't anticipate.

"The thing about the IT industry is, there are a lot of ingenious people who will find a solution to the problem that you hadn't thought of," Tonkin says. "They are used to being self-sufficient."

Few involved in the exercise thought to call the National Information Infrastructure Protection Hotline (NIIPH) when they suspected that they had been victims of a state-based or terrorist cyber attack.

Not to be confused with the general public's National Security Hotline, the NIIPH is a phone number which operators of critical IT infrastructure, such as banks, telecommunications carriers, power companies and government agencies, are expected to call when their IT systems are attacked.

The hotline was launched in 1999 as part of the Howard government's AU$73.6 million E-security National Agenda funding package. It is managed by an intergovernmental committee — harnessing the combined resources of the Defence Signals Directorate, the Department of Finance, the Australian Federal Police, the Department of Broadband, Communications and the Digital Economy, and the Australian Communications and Media Authority.

While AusCert is a day-to-day, high-volume operation for reporting security incidents, the NIIPH is reserved for serious incidents.

AusCert was inundated with calls during Cyber Storm II, but few participants knew about the higher-level inter-agency government hotline.

"We didn't know to call it," Tonkin says. "I didn't even know it existed. Some people in the organisation must know it, but operational people don't think of using it."

Part of the challenge for technology managers is knowing what constitutes an attack serious enough to warrant calling the NIIPH, as opposed to the usual routine of reporting the matter to AusCert.

A spokesperson for the Attorney General's department said that the NIIPH hotline is set up to assist when an attack appears "sophisticated or appears to be targeting critical systems".

But as Hanmore notes, it is difficult to make such distinctions in the face of anonymous Internet attackers.

"A scan on the firewall is something that happens every day," says Hanmore. "And the nature of IT security is that you don't know if it's perpetrated by the kid next door, if it's organised crime, or if it is a state-based crime."

Tonkin said that his experience in Cyber Storm II suggests that government agencies "do have a lot of expertise in computer security".

"The challenge is not their knowledge or capability but the information flows between government and private sector and vice versa," he said.
