How to handle a cyber storm
Greg Austin: Need to invest in cyber security like we do in traditional defence.
When former Assistant Minister for Cyber Security Dan Tehan addressed the National Press Club back in 2016, he warned about the need to prepare for an imminent cyber storm because it would have detrimental effects on the country’s critical infrastructure.
However, since then the federal government has hardly kicked up a fuss about this supposed impending threat, which has been described as what will be a "complex, multi-vector, multi-waved cyber attack on our critical infrastructure."
In a move to continue the cyber storm conversation, UNSW Canberra Cyber will be hosting an international conference on the topic from 18 to 20 February, 2019 to discuss how universities and professional education institutions, such as military colleges, can address challenges of workforce formation for the cyber storm.
Ahead of the event, there is a call for papers to be submitted by international and local researchers interested in the subject. Authors of all papers accepted will be fully funded and invited to participate in the one-day policy workshop of the conference.
Greg Austin, professor at the Australian Centre for Cyber Security at University of New South Wales Canberra who will lead consideration of paper proposals, said government needs to be able to defend against a cyber storm as it does with any other war.
“There are countries like the US and China who are planning significant cyber attacks against other countries in the event of imminent war.
"However unlikely that is, countries like Australia, which can spend $5 billion on each submarine for the unlikely event of major war, need to ensure that they’re making the right investment and can provide a degree of security for these complex cyber attacks,” he told InnovationAus.com.
“If it’s worthwhile investing $5 billion in each submarine in an unlikely event of war then the same should apply for cyber attacks.”
But the government is not the only one to blame. Academia has also neglected any undertakings related to the topic, according to Mr Austin.
“Academics do almost nothing on the cyber storm. So this is a very under researched set of issues,” he said.
“In 2016, our centre did a literature review and we found in the entire world there are only two research centres who are working very closely on this, and they were both national laboratories in the US. So, we have a problem.”
However, a spokesperson for the Department of Home Affairs has jumped to defend the government’s preparedness for a cyber storm.
“Australia is increasingly becoming the target of malicious cyber actors, from our businesses, hospitals and universities, to our critical civil infrastructure and major government networks,” the spokesperson said.
“As this malicious activity increases, the likelihood of a large-scale cyber-attack that enters the physical world and shuts down communications, electrical power and everyday utilities increases in probability.
“The Australian Government has a range of cyber security capabilities to deter, mitigate and respond to large-scale (cyber attacks). We are constantly strengthening these capabilities.”
According to the spokesperson, these capabilities includes the recent establishment of a 24/7 Global Watch Office within the Australian Cyber Security Centre (ACSC) that is responsible for providing early warning of emerging cyber issues, incidents and outbreaks.
The Global Watch Office recently represented Australia in a three-day cyber security exercise, dubbed Cyber Storm VI, which was hosted by the US Department of Homeland Security.
“The Australian Government continues to strengthen our relationships with international partners and private industry to ensure our collective response is timely, coordinated and effective,” the spokesperson said.
The spokesperson added the Cyber Storm: International Conference will be another opportunity for Australia to engage with international leaders, academics and private industry to build its collective ability to respond to large-scale malicious cyber activities.
“The conference will concentrate on the role of universities and professional educational institutions in building our cyber workforce. This is a fundamental step in ensuring Australia has the tools and the capability required to prepare for a potential cyber storm.”
Mr Austin, however, believes the priority for government should be about addressing the skills shortage that exists within the cyber security sector.
He questions how the Australian Defence Force plans to eventually grow its Information Warfare Division to a 900 staff unit over the next 10 years, without the suitable talent.
He suggested that the government needs to make significant investments in technological infrastructure for education and training, claiming the current efforts are “relatively weak.”
“It’s fair to say Australian universities only teach basic and intermediate cyber security at the undergraduate and masters levels. We haven’t come to terms with how to teach this complex, multi-system preparation for the cyber storm,” said Mr Austin.
“We need new training and education solutions. At a very minimum, if we are planning for a cyber storm, we need a national training facility that can provide high level simulation capabilities, which is available at an unclassified level to key institutions in the country in the civil sector and police
“I’ve proposed we set up a cyber war college because universities can’t deliver this by themselves, and certainly not government or the private sector.”
Mr Austin also criticised the current disconnect in what information is shared – or not – by the government, especially the Cyber Security Cooperative Research Centre, and the private sector.
“Critical infrastructure is privately owned. In the law, it’s the owners of that private infrastructure who are responsible for their own cyber defence,” said Mr Austin.
“So imagine when there is a complex cyber attack on system.
“Who’s responsible for what and who sorts it out and who coordinates the mess? While people will have some answers, the answers aren’t adequate on closer inspection.”