Australia's new critical cyberdefender needs action rather than announcements

The newly-announced Critical Infrastructure Centre could become Australia's hub for the kind of civil cyber defence corps that have been suggested for years. Let's hope it starts with SCADA.
Written by Stilgherrian, Contributor

On Monday, the Australian government announced that it was establishing a new Critical Infrastructure Centre (CIC), dedicated to managing the "complex and evolving national security risks" to the nation's critical infrastructure.

The CIC's initial focus will be on the most critical assets in the electricity, water, and ports sectors, according to a joint media release from Australia's favourite attorney-general Senator George Brandis QC and Treasurer Scott Morrison. The federal government will consult with states and territories, industry, and investors to consider what other assets require attention.

ZDNet understands that cybersecurity will be part of that assessment. Operating networks or control systems that are integral to the operation of water, electricity, and ports assets will form part of the assessments of those assets, for example.

The CIC will develop "coordinated, whole-of-government national security risk assessments and advice to support government decision-making on investment transactions", and "a critical assets register that will enable a consolidated view of critical infrastructure ownership in high-risk sectors across the country".

An organisation dedicated to mapping out and protecting Australia's critical infrastructure has been suggested before.

In August 2015, Professor Greg Austin from the Australian Centre for Cyber Security (ACCS) at the Australian Defence Force Academy (ADFA) in Canberra suggested forming a cyber civil corps to map out critical information infrastructure, data resources, and data flows, and provide a "disciplined command structure" to coordinate emergency response.

In September 2015, James Turner, security adviser with Australian consulting firm IBRS, floated the idea of drafting cybersecurity practitioners into a cyber national service program.

And back in May 2012, critical infrastructure security expert Emeritus Professor Bill Caelli proposed forming a cyber posse when needed.

The CIC's role differs from all those proposals in that it's about the full gamut of critical infrastructure protection, not just the cyber aspects, and in its additional focus on procurement and investment.

"With increased privatisation, supply chain arrangements being outsourced and offshored, and the shift in our international investment profile, Australia's national critical infrastructure is more exposed than ever to sabotage, espionage, and coercion," the media release said.

As The Australian reported, critical infrastructure protection had "attracted greater urgency" following the controversial Port of Darwin sale and the "bungled" deal to sell the NSW electricity network company Ausgrid.

"The Australian understands that FIRB [Foreign Investment Review Board] had twice sought Department of Defence advice on the NSW government's AU$9 billion Ausgrid [electricity grid] sale last year, with Defence raising no objection until FIRB identified a potential national security concern linked to the prospect of the Chinese bidder gaining control of the assets.

"The AU$500 million lease of the Port of Darwin, also given the green light by the Department of Defence in 2015, sparked controversy when the US raised objections when not told of the sale to a Chinese company with links to the People's Liberation Army. Its concern was based on the proximity of an Australian Defence Force base serving 1200 US Marines."

Another key difference is that the CIC will be formed within the Attorney-General's Department (AGD), and positioned as part of their critical infrastructure resilience program. AGD is already in charge of the organisational resilience program, and the Trusted Information Sharing Network, where government and the business sector can "share information on critical infrastructure vulnerabilities and techniques to assess and mitigate risk".

Austin had proposed that his cyber civil corps would be part of the Department of Communications, although of course that was a cyber-only operation.

The CIC has the potential to address some of the problems with Australia's cybersecurity strategy omnishambles.

It's also heartening to see that the CIC will address operational technology (OT) and other industrial control networks. The SCADA networks that control physical infrastructure are a cybersecurity danger zone worldwide. Consider the Russian attack on Ukraine's power grid in 2015, if nothing else.

But a potential danger is that the CIC is yet another government coordinating body.

How will the CIC interact with the Australian Cyber Security Centre (ACSC) for instance, which already coordinates cybersecurity issues as part of its brief?

Remember that while the ACSC has been operating for more than two years, the UK's National Cyber Security Centre (NCSC) seems to have achieved more in just a few months -- although their remits are a bit different.

The first of Australia's Joint Cyber Threat Centres was due to be opened in Brisbane in December 2016. It wasn't.

The Turnbull government also has to deal with the IT disasters at Centrelink, at the Australian Tax Office (ATO), and at the Australian Bureau of Statistics (ABS) in the wake of the 2016 Census debacle.

And what about the government's non-IT problems?

There's the questionable authorisation of $2.3 billion in contract payments as part of the controversial offshore processing of asylum seekers uncovered by the Australian National Audit Office (ANAO); federal ministers who continue to treat travel entitlements as a right, and not a privilege; attempting to legislate a failed trade pact; the never-ending same-sex marriage debate; and of course, the never-ending power struggles within the governing Coalition parties.

Can the already ineffective Prime Minister Malcolm Turnbull keep all these plates spinning at once?

Whatever the answer to that question, it's clear that Australia needs a good deal less cyberannouncing and a lot more cyberdoing.
