Secured My Website with Let's Encrypt

I now have Let's Encrypt providing a free security certificate for my Tomw website. I am not doing any e-commerce transactions requiring high security, but it was annoying web browsers were issuing "Not Secure"  warnings for my web pages, so I set about fixing this. The Cpanel system provided by my web hosting provider offered several for-fee certificates. Then I saw Let's Encrypt offering a free certificate. There was a lot of complex technical detail about how to get a certificate. Instead I asked my provider if they could do it and an hour later it was done. About the only difference is that you use HTTPS, rather than HTTP (with HTTP automatically redirected to HTTPS).

Australian Joint Cyber Reserve Force

Tom Worthington
on USS Blue Ridge

The Australian government is reported to be considering "Cyber commandos for defence reserve" modeled on those of the UK (Ellen Whinnett, Newscorp, 16 August 2017). The UK Joint Cyber Reserve Force. was stood up in May 2013 and I suggested Australia do some thing similar in August 2013.

These reservists would be similar to medical specialists who can apply their civilian skills in the military. This allows the military to use personnel who they could not afford to train and retain full time. It also provides a link between those running critical national infrastructure in the civilian sector and the government organizations tasked to protect it.

As I see it, members of the Cyber Reserve Force should be issued with secure communications equipment which they keep with them during their civilian job. The members would be in constant contact about threats and ready to act on them within minutes. This contrasts with a conventional reserve, where it takes days, weeks, or months for activation.

Australian Defence Force Information Warfare Division

An Information Warfare Division (IWD), has just been formed in Australian Defence Force Headquarters (July 2017). There are four branches: Information Warfare Capability, C4 and Battle Management Capability, Capability Support Directorate and the Joint Cyber Unit. The division is headed by MAJGEN Marcus Thompson as Deputy Chief Information Warfare. MAJGEN Thompson has a PhD in Cyber Security from the University of New South Wales. He is the author of "The cyber threat to Australia" . (Australian Defence Force Journal, 2012) and other papers on cyber security.

The ABC has speculated that one target for the new unit will be the Chinese South Sea Fleet, in the South China Sea.

It happens I have been teaching Australian National University IT students using a scenario about cyber-warfare over the South China Sea. In this hypothetical, students are asked to consider the use of information warfare as an alternative to conventional military action.

 As the ABC report notes, one of the problems with a cyber-warfare unit will be attracting, retaining and paying highly skilled personnel in competition with the private sector. An option I proposed in 2013 was the use of civilian computer professionals who are military reserve officers. After brief military training these personnel would return to their day jobs, but be ready to be instantly mobilized.

ABS Tries to Blame IBM for 2016 Census Problems

In its 123 page submission to the 2016 Census Senate Inquiry, the Australian Bureau of Statistics (ABS) seeks to blame IBM for the failure of the system on Census night. Similarly, in the case of "Maguire v Sydney Organising Committee for the Olympic Games (2000)", SOCOG sought to deflect responsibility for defects in its web site to the contractor, IBM. However, this was rejected and SOCOG, not the contractor, was found responsible. In that case SOCOG was a temporary organization set up just to run the Sydney Olympics, with limited experience. In contrast, the ABS has decades of experience in statistical collection using IT systems and cannot credibly transfer responsibility to IBM. I teach IT Ethics to university students and the 2016 Census will become a useful case study on professional responsibility.

• "On the night of 9 August 2016 (Census night) the online Census, hosted by IBM, was subject to a Distributed Denial of Service (DDoS) attack that was not unusual and was anticipated, which affected the Census application system. This was not due to load from legitimate Census submissions, which at the time of the attack were running in line with ABS projections and well within the design load for the system. Around the same time, an unusual spike in outbound traffic was observed in the monitoring systems. These two events led to the closure of the online Census submission to the Australian public until the afternoon of 11 August 2016. While this caused inconvenience, protecting the information of Australians was the ABS’s highest priority and Census information was never compromised.

The online Census system was hosted by IBM under contract to the ABS and the DDoS attack should not have been able to disrupt the system. Despite extensive planning and preparation by the ABS for the 2016 Census this risk was not adequately addressed by IBM and the ABS will be more comprehensive in its management of risk in the future. However, once the system had been affected, the ABS took the precaution of closing the online Census form to safeguard and to protect data already submitted, protect the system from further incidents, and minimise disruption on the Australian public by ensuring reliable service." (From Page 4).

"The online Census DDoS attack of 9 August 2016 was against an IBM system not an ABS one. See Section 9 for further details." (From Page 7)

Senate Inquiry into Attack on Census Website

The Senate Standing Committees on Economics are holding "An inquiry into the preparation, administration and management of the 2016 Census by the Australian Bureau of Statistics", including:

"d. the shutting down of the Census website on the evening of 9 August 2016, the factors leading to that shutdown and the reasons given, and the support provided by government agencies, including the Australian Signals Directorate;" From: Terms of Reference.

I suggest the Australian Computer Society (ACS) join with Internet Australia (the Australian Chapter of the Internet Society) on this and try to widen the discussion to cover Internet security more generally. ACS and IA need not agree on every aspect, buy could loosely coordinate, as was done for the Internet regulation inquiries of the 1990s, as  described by Chen (2000, p. 161).

Reference

Chen, P. J. (2000). Australia's online censorship regime: the Advocacy Coalition Framework and governance compared. Retrieved from
https://minerva-access.unimelb.edu.au/bitstream/handle/11343/38780/65881_00000240_01_AOCR.pdf?sequence=1#page=162

Australian Cyber Security Centre Threat Report 2015

The government Australian Cyber Security Centre (ACSC) has issued its first threat report. "The Australian Cyber Security Centre Threat Report 2015" is a 29 page PDF document (issued 29 July  2015, but curiously dated 1 January 1970). The ACSC is made up of federal agencies including Australian Crime Commission (ACC), Australian Federal Police (AFP), Australian Security Intelligence Organisation (ASIO), Australian Signals Directorate (ASD), Computer Emergency Response Team (CERT) and the Defence Intelligence Organisation (DIO).

The report indicates that the number of significant compromises of federal Australian Government networks decreased from 2012 to 2014. The report includes the end of support for Windows XP and MS Office 2003 as a security risk. Hopefully individuals and organisations changing to Windows 10 will result in improved security.

Australian Cybercrime Online Reporting Network (ACORN) is listed as "the primary method for Australians to report cybercrime"  acorn.gov.au.

A major deficiency in the report is that it does not acknowledge the predominate role of the non-government sector in cyber-security. In particular there is no mention of AusCERT, a non-government organization, who have been providing coordination cyber-security services from before the creation of ACSC, AusCERT has more experience in the field and a longer track record than the governments own CERT and most other federal agencies.

Cyber Security Careers at the Australian Signals Directorate

Yesterday I was taking part in a discussion of the role of national security agencies with colleagues from the IT industry. I mentioned how when giving a seminar on computer security at the Cambridge University Computer Lab (UK) I noticed someone in the back row who did not look like a student or academic. They turned out to be from GCHQ, the UK security agency, presumably there to recruit students. Much to my surprise today I walked into seminar room N101 at the ANU Research School of Computer Science (to help get the projector to work) and found it was for staff from the Australian Signals Directorate (ASD) presenting to students on Careers at ASD.

Australian Army Considering Use of Cyber Weapons Against Terrorists

The "Future Land Warfare Report 2014" from the Australian Army's Directorate of Future Land Warfare Headquarters discusses the issue of boosting the Army's cyber capability. The most interesting point is "Military cyber operations can be as effective as precision-guided munitions against either a nation-state or a non-state actor", that is cyber-weapons can be used against terrorists. It is not quite the "Australian CyberWarfare Battalion" I proposed, but it is a step in the right direction:

Less sophisticated but highly lethal threats of the
future may seek to undermine the kinetic dominance of Western forces. To what degree is the Army prepared to rebalance its force structure into non-traditional capabilities and units (such as boosting the capability of the intelligence battalion or adding an Army cyber capability) in order to build greater capacity for intelligence-led targeting? Can the Army manage risk and reduce some traditional capabilities while relying on its ability to rapidly regrow these as required? ...

The land, sea and air domains will become further entwined with the cyber, electromagnetic and space domains. These domains will be the subject of constant competition, with land force operations increasingly enabled (or disabled) by access to digital networks. ... 

Global telecommunications networks coupled with omnipresent communications technology will continue to empower non-state and semi-state actors. The effect will be disproportionate to their size and stature and allow the formation of supra-national organisations within the cyber domain. ... 

Current cyber defence capabilities have not kept pace with technological change and the Army must develop an ability to defend critical networks against cyber attack, while also being prepared to operate in a degraded network environment. ...

Given the increasingly important role of cyber capability in conflict, land forces must constantly evaluate their professional military training to ensure that soldiers understand how to use digital systems and other emerging technologies. Military cyber operations can be as effective as precision-guided munitions against either a nation-state or a non-state actor. Legal and ethical employment of cyber capabilities requires an appreciation that friendly, adversary and civilian forces may rely on thttp://www.army.gov.au/~/media/Files/Our%20future/Publications/FLWR_Web_B5_Final.pdfhe same digital infrastructure. Understanding the second and third order consequences of preventing access to digital domains, particularly for civilians, is critical. 

28.     The trend towards inter-agency and joint operations will make the land force more integrated at lower levels. Thus the force will become increasingly enmeshed with external enabling capabilities and require much greater use of civilian infrastructure in the conduct of operations. If access to digital systems offers Australian forces a ‘competitive advantage’, interdependence will see the land force become increasingly vulnerable to disabling attacks on partner capabilities (in addition to direct attacks on military systems). 

29.     In addition to protecting its access to digital domains, the land force will also need to identify back-ups to digital technologies. To achieve this, land forces must retain skills and equipment that will provide redundancy when digital networks fail. Troops will require the ability to fight effectively without access to digital networks for limited periods of time. The Army will need to imbue its soldiers with the mindset to ‘fight for communications’. ... 

The land force may be required to develop more dispersed headquarters and decentralised logistics infrastructure in its future operating concepts to reduce exposure to long-range kinetic and cyber attacks.   ... 

The capacity of a variety of threats to collect, share and analyse data will improve the precision of attacks on our forces. These attacks will be cross-domain in nature, exploiting cyber means and traditional kinetic effects. ...

From:  "Future Land Warfare Report 2014", Directorate of Future Land Warfare Headquarters, Modernisation and Strategic Planning Division, Australian Army, April 2014

Cyber War Will Take Place

Thomas Rid's book "Cyber War Will Not Take Place" (Oxford University Press, 2013), is readable and well researched. It argues that on-line attacks on nation states will be at most an adjunct to the use of conventional military force. The limits to the effectiveness of an on-line attack are discussed, using documented cases. The conclusion is that cyber-war will not happen, because it is unreliable in its effect, cannot be well targeted and can't cause violence directly. Surprisingly, Queensland, Australia, features prominently as one place where a cyber-attack on infrastructure had a significant effect. In 2000 the Maroochy Shire SCADA system was commanded to dump millions of liters of raw sewage into waterways.

Rid soberly counters the hype around "cyber-war", but perhaps goes too far in dismissing it altogether. There are many weapons which have uncertain military value, but are nonetheless made ready for use. An example is Barnes Wallis' bouncing bomb, used to breech the Möhne and Edersee Dams in WW2. The bomb had a mostly indirect effect, by breeching the dam wall, cutting off hydroelectric power and flooding the land below. The bombs has some propaganda value, but were of limited military value.

It is unlikely there will be a pure cyberwar, but very likely that any future major conventional war will involve extensive use of on-line attacks. These will be intended to cause confusion and degrade the enemy infrastructure to make conventional kinetic attack more effective, rather than replace it.

Compared to conventional warfare, cyber-war takes little hardware. Office computers are cheap compared to missiles, submarines and supersonic aircraft. A country with a conscription army also has a ready supply of recruits, who can be screened for computing skills. Reserve personnel, who work in the ICT, can be used, with most of their technical training taken care of by their civilian employers (previously I proposed such a "Australian CyberWarfare Battalion").

Nations with less developed infrastructure may also see this as a useful form of asymmetric warfare. A less developed nation has little to fear in terms of retaliation when  disrupting the water, transport and power infrastructure of a developed nation.

RAAF Air Operations Centre

In 2011 I wrote about the design of Australian Defence Command and Control Centers. This was illustrated with images of the Defence Signals Directorate Cyber Security Operations Centre (CSOC), opened in January 2010 and depicted staffed by civilians.

The other photo was of personnel in ADF uniforms in the "Air Operations Centre in Canberra". 

There is more on the room in "Taking Command", by Joris Janssen Lok (Aviation Week, 25 June 2007).

ACS Fails to Secure the Digital Economy

The Australian Computer Society (ACS) has identified five key ICT issues to raise during the federal election campaign: Skills, Digital Literacy, Advice to Government, Data on the Digital Economy and Open Data. While these are important issues, computer security is missing from the list. In my view the security of the national information infrastructure needs to be urgently addressed, as Australia is vulnerable to on-line attack by criminals, terrorists and nation states.

One way to secure the infrastructure would be for the Australian Defence Force (ADF) to raise an Australian CyberWarfare Battalion (ACWB) of 300 personnel, to protect Australia's national information infrastructure. All but a small cadre would be reserve military personnel who have full time jobs as computer security professionals.

Australian CyberWarfare Battalion

Tom Worthington
on USS Blue Ridge

This is to propose the Australian Defence Force (ADF) raise an Australian CyberWarfare Battalion (ACWB) of 300 personnel, to protect Australia's national information infrastructure. All but a small cadre would be reserve military personnel who have full time jobs as computer security professionals.

After very basic military training, personnel would be issued with secure communications and return to their workplace. Personnel would remain in touch with each other monitoring computer security threats. In the event of a large scale attack, most of the Battalion would stay in their workplaces to protect  infrastructure,  while a small number would deploy to industry, government and military centers (including any Cyber Security Operations Centre) to coordinate operations.

Compared to an infantry battalion,  a cyberwarfare battalion would be fast to raise and inexpensive to maintain. Personnel would receive the minimum of military training, sufficient for them to be able to work alongside regular personnel in a headquarters. Use would be made of the facilities and expertise in Australia's universities, including the University of NSW Cyber Range and the Queensland University of Technology Industrial Control System Security Course.

There is provision for the ADF to work alongside the civilian administration, as described in: "Civil-Military Operations", Australian Defence Doctrine Publication (ADDP) 3.11, 1 April 2009.

Without an effective form of cyber-defence Australia could expect its government and civilian infrastructure to be crippled within a few hours of the commencement of a major on-line attack. The ADF would then be required concentrate on aid to the community, with a reduction in its capacity to undertake conventional military operations.

Current trends in Cyber Security

Greetings from the CSIRO Discovery Centre in Canberra, where Asher Jamieson from CERT Australia is speaking on current and emerging threats in the Cyber Security landscape.

Mr. Jamieson pointed out that more than half of compromised systems are not detected by the organization itself but by someone else. He also mentioned that the amount of Spam being sent has reduced in the last year, not because of measures against spammers, but because they have found more targeted messages to be more effective.  Also hackers are persistent and will continue to attack the same organization, even when countermeasures are put in place, because the risk of being caught is so low.A recent trend has been extortion, using the threat of a Denial of Service Attack (DoS).

Mr. Jamieson described "Watering Hole Attacks", where a trusted third party's website is compromised, such as a service supplier.

Mr. Jamieson  pointed out that there had been attacks on SCADA industrial control computer systems. He ended with the worrying consequences of poor security in medical devices.

The main message from tonight's talk was to install security patches on package software. That is good advice, but in my view is no substitute for an Australian cyber security strategy. The Australian government abandoned work on a cyber security white paper and no effective strategy has been put in its place. As a result Australia's national infrastructure is at risk.

Attorney General's Department is hosting Security in Government Conference in Canberra, 12 - 14 Aug, 2013. This will include a Panoply "capture the flag" cyber-security competition, where teams will compete for control of a system.

Current trends in Cyber Security

CERT Australia’s views on current and emerging threats in the Cyber Security landscape, and what ICT Professionals can do to combat them. The last 12 months have clearly shown that no company can assume that they are immune to ICT Security threats, or assume that they will not be a target. While the focus of security is usually on preventing a threat from causing damage, having effective plans to deal with the aftermath of an incident is critical to maintaining security. Topics covered will include targeted intrusions, 2nd tier targeting, industrial control systems, Distributed Denial of Service attacks (DDOS), and will include several Australian case studies.

Asher Jamieson Technical Advisor, CERT Australia Asher Jamieson has worked in ICT Security in a number of different environments and is currently working as part of the Operations team in CERT Australia. He enjoys the variety and complexity of problems that the ICT Security field offers, and doesn’t see the rate of new challenges slowing down any time soon.

ps: Due to the topic, there was a strong presence from the defence community at the meeting. One informal discussion before the meeting was about if the China Houbei-class missile boat  was based on the Australian AMD design.

US Executive Order on Cybersecurity

US President Obama signed a "Presidential Policy Directive -- Critical Infrastructure Security and Resilience". Also there is a media release summarizing the Executive Order on Cybersecurity. A similar approach could be adopted by the Australian Government for its Cyber Security Centre, emphasising information sharing and joint work not only between government agencies, but with industry.

Additional roles and responsibilities for the Secretary of Homeland Security include:

1) Identify and prioritize critical infrastructure, considering physical and cyber threats, vulnerabilities, and consequences, in coordination with SSAs and other Federal departments and agencies;
2) Maintain national critical infrastructure centers that shall provide a situational awareness capability that includes integrated, actionable information about emerging trends, imminent threats, and the status of incidents that may impact critical infrastructure;
3) In coordination with SSAs and other Federal departments and agencies, provide analysis, expertise, and other technical assistance to critical infrastructure owners and operators and facilitate access to and exchange of information and intelligence necessary to strengthen the security and resilience of critical infrastructure;
4) Conduct comprehensive assessments of the vulnerabilities of the Nation's critical infrastructure in coordination with the SSAs and in collaboration with SLTT entities and critical infrastructure owners and operators;
5) Coordinate Federal Government responses to significant cyber or physical incidents affecting critical infrastructure consistent with statutory authorities;
6) Support the Attorney General and law enforcement agencies with their responsibilities to investigate and prosecute threats to and attacks against critical infrastructure;
7) Coordinate with and utilize the expertise of SSAs and other appropriate Federal departments and agencies to map geospatially, image, analyze, and sort critical infrastructure by employing commercial satellite and airborne systems, as well as existing capabilities within other departments and agencies; and
8) Report annually on the status of national critical infrastructure efforts as required by statute. ...

From: "Presidential Policy Directive -- Critical Infrastructure Security and Resilience", US President Obama, 12 February 2013.

Virtual Australian Cyber Security Centre

There are media reports critical of the level of planning and resourcing for the Australian Cyber Security Centre ("Gaps exposed in Australian Cyber Security Centre plan, John Hilvert, IT News,Feb 13, 2013 7:00 AM). However, the Australian Cyber Security Centre at present is a goal, more than a "plan". It may be that the Australian Government is waiting for release of Cyber security measures by the US White House, which are due shortly. It would make sense for Australia to coordinate its efforts with its the USA. One area not sufficiently addressed in Australian announcements so far is coordination with private industry, who operate most of Australia's critical infrastructure. It would be little consolation to Australians to know their government is still functioning after a cyber-attck, if supplies of medicine, food, water and electricity are disrupted. Also there is no need for more than a very small cyber security centre, as telecommunications can be used to securely link existing operations centres. Seconded staff in the central facility can then work with their colleagues in law enforcement, the military, government and industry across Australia and around the world.

New Australian National Cyber Security Centre

The Australian Prime Minister, Julia Gillard,  visited the Australian Defence Department's Cyber Security Operations Centre (CSOC) at the Defence Signals Directorate in Canberra to announce an "Australian cyber security centre to be established". This followed the launch of the  "Strong and Secure: A Strategy for Australia’s National Security". The centre is planned to be staffed by the Defence Signals Directorate, Defence Intelligence Organisation, Australian Security Intelligence Organisation, the Attorney-General’s Department’s Computer Emergency Response Team Australia, Australian Federal Police and the Australian Crime Commission. However, I suggest the government personnel will need to be supplemented by industry and academia, as that is where the greatest expertise in cyber-security resides and because it is the civilian infrastructure which is more vital and more at risk than government computer systems. It is not clear where the new centre will be located, when it will be established or what budget it will have. The DSD Cyber Security Operations Centre would be an obvious choice, but it may not be large enough. Also it is not clear if one physical centre is needed, or if it would be better to connect existing centres of expertise secure broadband links. A one minute video of the PM's Australian National Cyber Security Centre presentation is available;e from the Defecne Department. Interestingly, the PM mentions being "in the pit", referring to the horseshoe shaped sunken section of the centre.

Australian National Security Strategy Emphasizes Cybersecurity

The Australian Prime Minister, Julia Gillard, launched "Strong and Secure: A Strategy for Australia’s National Security" at the Australian National University in Canberra, on 23 January 2013. The 58 page document is available as a 3.4 Mbyte PDF file 3.44MB and RTF 1.37MB. Also available are a Media release on the National Security Strategy and the text of the PM's speech "Australia's National Security Beyond the 9/11 Decade". In the list of key national security risks, "Malicious cyber activity" is placed third, ahead of the proliferation of weapons of mass destruction.

The PM also mentioned that an "Australian Cyber Security Centre" would be separately announced. The policy document also mentions as a priority "Integrated cyber policy and operations
to enhance the defence of our digital networks". This would be a welcome change in the government's current approach, which is to announce cyber-security strategies, such as the Cyber Security White paper, and then  not properly resource and implement them. Also the approach has been fragmented, with different government agencies having separate uncoordinated initiatives and not involving the private sector, or state governments. The Australian Defence Department officially opened its Cyber Security Operations Centre (CSOC) at the Defence Signals Directorate in Canberra on 15 Januar 2010. Unfortunately the government chose not to support the non-government AusCERT , leaving the private sector open to attack.

Some excerpts from the "Strong and Secure: A Strategy for Australia’s National Security" document:

AUSTRALIA’S NATIONAL SECURITY STRATEGY

VISION

A unified national security system that anticipates threats, protects the nation and shapes the world in Australia’s interest

NATIONAL SECURITY OBJECTIVES

• To protect and strengthen our sovereignty
• To ensure a safe and resilient population
• To secure our assets, infrastructure and institutions

KEY NATIONAL SECURITY RISKS

• Espionage and foreign interference
• Instability in developing and fragile states
• Malicious cyber activity
• Proliferation of weapons of mass destruction
• Serious and organised crime
• State-based conflict or coercion significantly affecting Australia’s interests
• Terrorism and violent extremism

PILLARS OF AUSTRALIA’S NATIONAL SECURITY

Countering terrorism, espionage and foreign interference
Deterring and defeating attacks on Australia and Australia’s interests
Preserving Australia’s border integrity
Preventing, detecting and disrupting serious and organised crime
Promoting a secure international environment conducive to advancing Australia’s interests
Strengthening the resilience of Australia’s people, assets, infrastructure and institutions
The Australia–United States Alliance
Understanding and being influential in the world, particularly the Asia-Pacific

AUSTRALIA’S NATIONAL SECURITY OUTLOOK

Economic uncertainty and global reordering

• Ongoing global economic uncertainty and volatility
• Shift in economic and strategic weight, and trade flows towards the Asia–Pacific region creating new risks and opportunities for Australia
• Active middle powers increasingly influential in the region; but the United States - China relationship will be the single most influential force in shaping the strategic environment
• Multilateralism is becoming more important for regional security and at the same time more difficult

Continuing importance of non-state actors

• Persistent threat from terrorism and increasingly sophisticated serious and organised crime, aided by money laundering and corruption
• Technology enabling remote but pervasive threats - for example malicious cyber activity
• Increasing influence of legitimate non-state actors such as private companies

Fragility and conflict in at-risk areas

• Low likelihood of major power war, but probable ongoing low-level instability in Australia’s region
• Fragile states and instability in the Middle East and South Asia will remain a challenge
• Possibility for strategic shocks or local conflicts
• High demand for international development assistance

Broader global challenges with national security implications

• Resource security and scarcity
• Climate change
• Changing demographics
• Increasing urbanisation
• Increasing online engagement
• Resurgence of violent political groups
• Corruption

FIVE YEAR PRIORITIES

Enhanced regional engagement in support of security and prosperity in the Asian-Century
Integrated cyber policy and operations to enhance the defence of our digital networks
Effective partnerships to achieve innovative and efficient national security outcomes
...

Executive Summary

This National Security Strategy (the Strategy) is Australia’s first. It provides an overarching framework for our national security efforts, and sets priorities for the next five years. The Strategy is an important next step following the 2008 National Security Statement, which articulated Australia’s national security agenda and set in motion reforms to strengthen the national security community.
The Strategy is in two parts:

• Part I explains the national security framework - our vision and objectives, and the activities we undertake to achieve these objectives.
• Part II looks to the future - it examines the strategic outlook and sets priorities to ensure Australia embraces the opportunities and confronts the challenges of the Asian Century.

The Strategy lays out the pillars of Australia’s national security, and sets directions for the next five years. It will aid in focusing the Government’s pursuit of policies and objectives identified in the Australia in the Asian Century White Paper. The Strategy will help inform prioritisation of our resources in a time of fiscal constraint.
Importantly, the Strategy also serves to inform the Australian public, industry and our international partners of our approach to national security. The Strategy will be implemented through enhanced annual planning and budgeting arrangements across national security agencies. There will be a greater focus on partnerships that will see the strengthening of ties with states, territories and business.
Building on the existing strong foundation, our vision for Australia’s national security is for a unified system that anticipates threats, protects the nation, and shapes the world in our interests.
Chapter One discusses Australia’s national security objectives: to ensure a safe and resilient population; to protect and strengthen our sovereignty; to secure our assets, infrastructure and institutions; and to promote a favourable international environment. These objectives anchor decision-making and planning for the national security community.
Chapter Two explains the evolution of Australia’s strategic environment. Given our geography and alliances, our approach to security has always emphasised the defence of our nation and its borders. Naturally, there has been a focus on our own region. Our efforts are reflected in our many regional partnerships. Importantly, our international engagement is imbued with our commitment to liberal democratic values, such as the rule of law, human rights, and equality of opportunity.
The events of the past decade were instrumental in shaping our approach to national security. We have built our capacity to combat terrorism and transnational crime, including through an expansion of our intelligence and law enforcement capability. We developed a more integrated approach to supporting regional stability, for example through our assistance to Timor-Leste and Solomon Islands. This experience also shaped our strong emphasis on civil-military cooperation in Iraq and Afghanistan.
Chapter Two concludes with a summary of the important national security challenges that Australia will continue to face, and the opportunities we must look to seize.

Chapter Three sets out Australia’s fundamental approach to national security and how this approach reflects the current national security environment. It describes the eight pillars of our approach to national security:

• Countering terrorism, espionage and foreign interference.
• Deterring and defeating attacks on Australia and Australia’s interests.
• Preserving our border integrity.
• Preventing, detecting and disrupting serious and organised crime.
• Promoting a secure international environment conducive to advancing Australia’s interests.
• Strengthening the resilience of Australia’s people, assets, infrastructure and institutions.
• The Australia–United States Alliance.
• Understanding and being influential in the world, particularly the Asia–Pacific.

The second part of the Strategy looks to the future. In particular, Chapter Four examines the strategic outlook to anticipate challenges and opportunities in the years ahead. Most importantly, it examines the shifting geopolitical environment of the Asian Century. As the Australia in the Asian Century White Paper made clear, our approach to national security must make the most of the transformative economic and strategic changes occurring in Asia.
Asia’s economic growth will increase pressure on water resources and food and energy supplies, with implications for global markets and stability. The growing economic and political weight of China, India and other Asian powers, is also changing the established strategic order, including as a result of their increased military spending.
Neither strategic competition nor the growth in defence capabilities of regional countries makes conflict in the region inevitable or even more likely. Major regional powers understand that a war would be catastrophic. Deepening relationships between states across the region and the increasingly complex interdependencies that now underpin the Asia–Pacific also act as strong stabilising forces.

But there is no room for complacency. The interdependencies that make conflict less likely also make the potential consequences of even the most minor conflicts more far reaching.The increasing capability of armed forces in the region likewise increases the potential for minor clashes to have dangerous outcomes. A concerted effort will be required to shape a peaceful and stable order. Trust and entrenched patterns of dialogue and cooperation will be critical.The threat posed by non-state actors is also likely to evolve and possibly expand - new technology will be harnessed by criminals and terrorists, as they continue to augment their tactics and approaches.
Chapter Five considers the implications of the strategic outlook for Australia’s national security arrangements. It outlines three priorities for the next five years, to achieve our vision for our national security:

• Enhanced engagement in support of regional security and prosperity in the Asian Century.
• Integrated cyber policy and operations to enhance the defence of our digital networks.
• Effective partnerships to achieve innovative and efficient national security outcomes.

... There are also more immediate national security
challenges facing governments around the globe.
In particular, non-state actors such as criminal and
terrorist organisations pose an enduring challenge.
Organised crime is becoming more sophisticated.
Our systems, methods and tools for dealing with it
must keep pace—cyber-enabled crime in particular
requires innovative responses that protect both the
rights and security of citizens. Terrorism remains a
serious threat requiring vigilance through a proactive
intelligence effort, strong partnerships with states and
territories, across business, the Australian community
and our international counterparts.

... In recent times, new and more complex national
security challenges have received greater global
attention. The growing number of malicious cyber
incidents has juxtaposed the dangers of a
hyper-connected world against the considerable
economic and social benefits afforded by the Internet.
Our national security and law enforcement agencies
are now focusing more urgently on how best to
combat cyber-based threats, but not at the expense
of Australians’ privacy and the broader benefits the
online environment brings.

... Malicious cyber activity: Every day, Australian
governments, businesses and individuals face a
range of cyber-related threats such as state-based
and commercial espionage, identity theft, and denial
and disruption of services. If left unchecked,
cyber-related threats have the potential to undermine
confidence in our social and economic stability and
our prosperity.

... Other activities, like our efforts to promote
international norms for cyberspace, see our
diplomats, international lawyers and policy specialists
working with industry, the not-for-profit sector and
foreign governments to shape a secure, open and
accessible online environment that directly benefits
our national security, societal safety and digital
economy.

... Serious and organised crime: Serious and
organised crime can undermine our border integrity
and security. It can erode confidence in institutions
and law enforcement agencies, and damage our
economic prosperity and regional stability. It can
involve the procurement, distribution and use of illegal
weapons. This type of crime is highly adaptive and
may link to, or exacerbate, other significant issues
of national security, such as terrorism and malicious
cyber activity.

... States have always used espionage as a tool to
pursue national interests. Today, our reliance on
cyberspace has increased our exposure to this threat.
Espionage and foreign interference activities against
Australia place a range of our national interests at
risk, including: classified government information;
commercial information with direct consequences for
business and the economy; intellectual property; and
the private information of our citizens.

...

From: Strong and Secure: A Strategy for Australia’s National Security, Australian Government, 23 January 2013

Computer virus stirs cyber espionage fears

On Tuesday I was interviewed by ABC Radio about the Flame virus, see: "Computer virus stirs cyber espionage fears" (transcript and audio, Adam Rollason, ABC Radio, PM Program, Tuesday, May 29, 2012 18:35:00). Essentially I said that this was a sophisticated security threat which was designed to covertly collection information, but Australia had good protections against it, with multiple levels of security.

As far as I know it is just a coincidence that CERT Australia coming to Canberra next Tuesday 5th June 2012, to talk about Cyber Security.

Design of Australian Defence Command and Control Centers

The November 2011 edition of "Australian Defence Magazine" (ADM) has several articles on the Australian Defence Department project JP 2030 (Joint Command Support Environment) and issues of cyber security. Most interesting are "JP2030 Reaches Its Next Stage" (Gregor Ferguson, Page 40) and "The Extent of the Cyber Security Threat" (John Hilvert, page 60), "The Roles of Defence and Government in Cyber Security" (John Hilvert).
These articles are accompanied by photos of two operations centers. One is the Defence Signals Directorate Cyber Security Operations Centre (CSOC), opened in January 2010. This has operators in civilian clothing sitting in a typical operations centre room layout.

The other photos in ADM show personnel in ADF uniforms in what appears to be a room with an identical layout and furniture, but with different desktop computers, telephones and wall screens. This appears to be the same room captioned "Air Operations Centre in Canberra" by RAAF News.


As discussed previously, the design of the room does not appear optimal for space utilization or group work. The desks, at 800 mm, are deeper than needed (smaller desks could double the room capacity). The use of two screens per workstation creates a situation where the operator has to look either to the left or right, not straight ahead. There are only limited gaps between the screens cutting the operators off from those in front and behind. Also the desk rows are straight, reducing the ability of the operators to see others. Narrower semicircular rows of desks would provide a better result. These could be fabricated simply (height adjustment is not used in such centres, as is evident from the photographs). Also it might be better to provide each operator with just one large monitor (up to 30 inch).

Many of the same problems are evident in the design of the ADF Special Operations Command and Control Center in Afghanistan, as depicted in the Channel Ten documentary "First Look: Tour of Duty - Australia's Secret War" (at 58 seconds into the video). This has four rows of desks, in two columns, with a walkway down the middle, and three projection screens on the front wall. Standard office desks appear to be being used, which are not optimal for such a facility, where space is at a premium.

UK Cyber Security Strategy

The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world, was released 25 November 2011, along with a ministerial statement on the UK Cyber Security Strategy by Francis Maude, Minister for the Cabinet Office. The UK approach is broadly the same as Australia, with a "GCHQ Joint Cyber Unit" having a central role (equivalent to Australia's DSD Cyber Security Operations Centre). There is also £650m over four years for a new "National Cyber Security Programme" (NCSP), a "Cyber Crime Unit" in the National Crime Agency, an expanded Centre for Protection of the National Infrastructure. The "Get Safe Online" education program will continue and a voluntary code of conduct with ISPs to warn customers their computers are compromised

Increasing the Security Skills of IT Professionals

The UK government strategy includes "Encouraging a cadre of cyber security professionals". The Australian Computer Society (ACS) also recommended this to the Australian Government for their Cyber white paper, to be released in early 2012.

The ACS Submission for the Australian Cyber Policy White Paper, was prepared by the ACS Cyber task force (which I am a member of). We pointed out that the ACS Computer Professional Education Program includes Information Security as an elective. This teaches the use of international security standards and is aligned with the UK developed Skills Framework for the Information Age. The course is offered on-line worldwide and is internationally accredited, so UK IT professionals can enroll now.

Excerpts from the UK Cyber Security Strategy

Encouraging a cadre of cyber security professionals

4.22 The pace of technological change is relentless. Keeping pace will require people who have a deep understanding of cyberspace and how it is developing. But these people are currently a scarce resource across Government and in business. There are clear and authoritative voices warning that cyber security skills and expertise in the private sector will be increasingly sought after, and that business and providers of education and training need to respond. To help boost and maintain the pool of experts in the UK and encourage the development of a community of ‘ethical’ hackers in the UK who can help ensure our networks are well protected, the National Cyber Security Programme will:

• Drive up the skill levels of information assurance and cyber security professionals by establishing programmes of certified specialist training by March 2012.
• Continue to support the Cyber Security Challenge (see below) as a way of bringing new talent into the profession.
• Strengthen postgraduate education to expand the pool of experts with in-depth knowledge of cyber.
• Strengthen the UK’s academic base by developing a coherent cross-sector research agenda on cyber, building on work done by the Government Office for Science.
• Establish, with GCHQ’s help, a research institute in cyber security, with an indicative budget of £2 million over 3.5 years.
• Commissioning research clarifying the extent, pattern and nature of the demand for cyber security skills across the private sector.

...

Contents
Introduction by the Rt Hon Francis Maude MP, Minister for the Cabinet Office
Executive summary
1. Cyberspace: Driving growth and strengthening society
2. Changing threats
3. Our vision for 2015
4. Action: Meeting threats, taking opportunities
Annex A: Implementation

• Objective 1: Tackling cyber crime and making the UK one of the most secure places in the world to do business in cyberspace.
• Objective 2: Making the UK more resilient to cyber attack and better able to protect our interests in cyberspace. Cabinet Office.
• Objective 3: Helping to shape an open, vibrant and stable cyberspace which the UK public can use safely and that supports open societies.
• Objective 4: Building the UK’s cross-cutting knowledge, skills and capability to underpin all our cyber security objectives.

References

Executive summary

The internet is revolutionising our society by driving economic growth and giving people new ways to connect and co-operate with one another. Falling costs mean accessing the internet will become cheaper and easier, allowing more people in the UK and around the world to use it, ‘democratising’ the use of technology and feeding the flow of innovation and productivity. This will drive the expansion of cyberspace further and as it grows, so will the value of using it. Chapter 1 describes the background to the growth of the networked world and the immense social and economic benefits it is unlocking.

As with most change, increasing our reliance on cyberspace brings new opportunities but also new threats. While cyberspace fosters open markets and open societies, this very openness can also make us more vulnerable to those – criminals, hackers, foreign intelligence services – who want to harm us by compromising or damaging our critical data and systems. Chapter 2 describes these threats. The impacts are already being felt and will grow as our reliance on cyberspace grows.

The networks on which we now rely for our daily lives transcend organisational and national boundaries. Events in cyberspace can happen at immense speed, outstripping traditional responses (for example, the exploitation of cyberspace can mean crimes such as fraud can be committed remotely, and on an industrial scale). Although we have ways of managing risks in cyberspace, they do not match this complex and dynamic environment. So we need a new and transformative programme to improve our game domestically, as well as continuing to work with other countries on an international response.

Chapter 3 sets out where we want to end up – with the Government’s vision for UK cyber security in 2015.

Our vision is for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society.

To achieve this vision by 2015 we want:

Objective 1: The UK to tackle cyber crime and be one of the most secure places in the world to do business in cyberspace

Objective 2: The UK to be more resilient to cyber attacks and better able to protect our interests in cyberspace

Objective 3: The UK to have helped shape an open, stable and vibrant cyberspace which the UK public can use safely and that supports open societies

Objective 4: The UK to have the cross-cutting knowledge, skills and capability it needs to underpin all our cyber security objectives

That means a UK where:

• Individuals know how to protect themselves from crime online.

• Businesses are aware of the threats they face, their own vulnerabilities and are working with Government, trade associations, and business partners to tackle them. We want to see UK companies building on our strengths to create a thriving and vibrant market in cyber security services around the world. In the current economic climate the UK needs more than ever to identify and exploit areas of international competitive strength to drive growth. We believe that being able to show the UK is a safe place to do business in cyberspace can be one such strength.

• Government has: sharpened the law enforcement response to cyber crime; helped the UK take opportunities to provide the cyber security services that will be needed across the world; encouraged business to operate securely in cyberspace; bolstered defences in our critical national infrastructure against cyber attack; strengthened our capabilities to detect and defeat attacks in cyberspace; enhanced education and skills; and established and strengthened working relationships with other countries, business and organisations around the world to help shape an open and vibrant cyberspace that supports strong societies here and across the globe.

To achieve this we have set aside £650 million of public funding for a four‐year, National Cyber Security Programme. Chapter 4 sets out what Government will do, in partnership with the private sector and other countries, to deliver the vision.

As part of this action plan Government will:

• Continue to build up in GCHQ and MOD our sovereign UK capability to detect and defeat high-end threats.

• Pursue the agenda defined at the recent London Conference on Cyberspace to establish internationally-agreed ‘rules of the road’ on the use of cyberspace.

• Work with the companies that own and manage our critical infrastructure to ensure key data and systems continue to be safe and resilient.

• Establish a new operational partnership with the private sector to share information on threats in cyberspace.

• Encourage industry-led standards and guidance that are readily used and understood, and that help companies who are good at security make that a selling point.

• Help consumers and small firms navigate the market by encouraging the development of clear indicators of good cyber security products.

• Hold a strategic summit with professional business services, including insurers, auditors, and lawyers to determine the role they might play in promoting the better management of cyber risks.

• Bring together existing specialist law enforcement capability on cyber crime into the new National Crime Agency (NCA). Encourage the use of ‘cyber-specials’ to make more use of those with specialist skills to help the police.
• Build an effective and easy-to-use single point for reporting cyber fraud and improve the police response at a local level for those who are victims of cyber crime.
• Work with other countries to make sure that we can co-operate on cross-border law enforcement and deny safe havens to cyber criminals.

• Encourage the courts in the UK to use existing powers to impose appropriate online sanctions for online offences.

• Seek agreement with Internet Service Providers (ISPs) on the support they might offer to internet users to help them identify, address, and protect themselves from malicious activity on their systems.

• Help consumers respond to the cyber threats that will be the ‘new normal’ by using social media to warn people about scams or other online threats.

• Encourage, support, and develop education at all levels, crucial key skills and R&D.

• Build a single authoritative point of advice for the public and small businesses to help them stay safe online.

• Foster a vibrant and innovative cyber security sector in the UK, including exploring new partnerships between GCHQ and business to capitalise on unique Government expertise.Because of its links to intelligence and national security, some of the activity the Government has set in train is necessarily classified. The full range of unclassified actions is set out in Annex A. ...
  

  From: UK Cyber Security Strategy: Protecting and promoting the UK in a digital world, UK Cabinet Office, 25 November 2011