No govt defence against cyber attacks

The government will not lift a finger to help businesses under attack from hackers, unless the offence presents a high risk to national security, a senior Attorney-General's policy official says.
Written by Darren Pauli, Contributor

Instead, Australia's security agencies will forge a response based on the "pathology of the problem", incorporating the risk the attack poses to government and the community.


Mike Rothery, first assistant secretary for the National Security Resilience Policy Division in the Attorney-General's Department, said organisations must source their own capability to defend against attacks.

"To be honest, we struggle to defend our own systems from the current threats — the idea that we can extend the envelope to protect the mining industry's SCADA (Supervisory Control and Data Acquisition) or the banking industry just doesn't fly," Rothery said.

"The people that will defend Westpac will be from Westpac, and Telstra will use people from Telstra. It won't be the Australian Army or Signals Corps."

Rothery said the government may offer some flavour of response depending on how the attack affects the community.

Moreover, those businesses that are attacked and attempt a counter-offensive "hack back" may breach federal laws.

Attackers can also hijack computers to increase their available resources or to obfuscate their identity.

"The problem is you will always trample through someone's network to get to the bad guy and it's possible the person attacking you is a victim."

Businesses have yet to claim self-defence after launching a counter-attack, which would likely be a weak case according to Rothery.

Yet, security professionals unanimously agree in a sly wink and nod that victims have retaliated for some time without prosecution.

The government provides some 400 critical infrastructure organisations with advanced online security alerts and shares information pertinent to national security through its Trusted Information Sharing Network.

Tomorrow, when the war begins

Contrary to suggestions from some security strategists, Rothery said existing military force paradigms cannot be retrofitted to cyber warfare.

He told security professionals in Canberra that the demarcation between civil attacks, such as domestic hacking, and those against nation-states, such as espionage, is blurry.

"The difference between hacking a system, owning it or installing a backdoor for when the war begins is a marginal issue. Whatever paradigm we choose will be wrong and will contain mistakes."

His comments follow a push by a top Pentagon chief that NATO should build a cyber-shield to protect its military and economic interests. US Deputy Defence Secretary William Lynn did not elaborate on the concept, but AFP reported that the US Government estimates some 100 foreign intelligence agencies or governments attempt to hack US systems each day.

United States Government senior defence analyst Brian Mazanec told a Canberra audience last week that the dissemination and rules of engagement of cyber attacks will likely mirror biological warfare, noting that certain targets like the SCADA systems protecting nuclear facilities would be off-limits.

Western governments are said to delegate cyber attacks between national and international enforcement agencies. For instance, in the UK, such attacks may be subject to the jurisdiction of the domestic forces or the MI5 intelligence agency.

But the Australian Government will focus on reducing the yield for cyber criminals, rather than "building walls", and will worry more about how a hacker broke into systems and what was compromised than the origins of attack.

Rothery said "pro-government acolytes, wannabes, criminal syndicates and hackers" will be handled similarly, irrespective of the source of attack.

By way of prevention, Rothery said the government invests in defence in depth, which maintains systems under the highest classification entirely offline.

Gov 2.0 a risky business

The Gov 2.0 plan hopes to open government to the public, but it is also exposing more weak websites to attack.

The websites and blogs of politicians and bureaucrats often have low security, some "barely adequate", according to Rothery, and offer scarce pickings for a hacker, but the government may still be damaged by a public defacement.

"The transactional costs of losing a website might be low, but the reputational [sic] costs are very high. It only looks at it from cost ... until it is taken down because some people don't like a minister's policy and tell the media. It is a big issue for Gov 2.0."

Rothery said politicians and public service staff should be aware that blogs and websites controlled off the government network are a security risk.

Rothery spoke at the Safeguarding Australia 2010 conference in Canberra last week.
