Cyber Security Operations Centre operational but details lacking

Australia's Cyber Security Operations Centre (CSOC), announced earlier this year as part of the first Defence White Paper in a decade, has already reached some operational capability.

An acute lack of information on the offensive capabilities being developed by the CSOC, however, and little clarity around its governance or oversight mechanisms, has sparked calls from academics and information security analysts for greater public debate and disclosure.

The CSOC is located within the Defence Signals Directorate (DSD), staffed by Defence force and Defence Science and Technology Organisation (DSTO) personnel to coordinate responses to cyber threats.

At the time of its announcement the then Minister for Defence, Joel Fitzgibbon, described the move as a quot;major new investmentquot;.

Fitzgibbon cited a Defence White Paper, which was released in May 2009.

“While this capability will reside within Defence and be available to provide cyber warfare support to ADF [Australian Defence Forces] operations, it will be purpose-designed to serve broader national security goals. This includes assisting responses to cyber incidents across government and critical private sector systems and infrastructure," the white paper reads.

It points to increased funding (without specifying amounts) and a greater focus on developing cyber warfare capabilities. To date, little has emerged on the kind of offensive capabilities created or the legal mechanisms in place or under consideration to ensure proper oversight. Yet several high profile cyber security events have taken place.

In early November, for example, the Australian Security Intelligence Organisation (ASIO) confirmed that Internet-based attacks have been used by hostile intelligence services to gain confidential Australian Government and business information. Earlier in July, a botnet comprised of about 50,000 infected computers waged a war against US government Web sites and caused headaches for businesses in the US and South Korea.

More recently, the US has debated whether laws addressing cyber crime are adequate to address growing attacks on the government and businesses, and a much-publicised report by security vendor, McAfee raised the question of whether governments are using botnets.

Despite what is acknowledged as a very real threat by information security experts to the country and the use of tax payer funds to create the CSOC, however, Defence remains tight-lipped, refusing to provide any information except to say the new centre will be officially launched in early 2010.

Gartner research director specialising in information security practices, Andrew Walls, said this approach is likely to create mistrust among the ultimate stakeholders in the CSOC, the public, and means the success of future risk messages may become diluted.

"What we are seeing happen across multiple jurisdictions and multiple governments is a growth in cynicism of the general population and constituents who are saying 'you talk to us about security all the time and all we see is hassle and alarmist advertising campaigns and we don’t see anything really happening — we don't see the damage, we don't see what you are talking about'," he said.

Page Break

"There is a real problem for government here and it is exacerbated by another trend — if you want to get funding for your group, it really helps if you can put cyber security into a lot of your proposals,” Walls said.

"You see a lot of these programs jumping into existence but, as far as we can tell, there hasn't been a lot of deep thinking around what is it they are actually going to do? How are they going to measure their success or failure? What sort of transparency are they going to provide for appropriate legislative committees in parliament or wherever? At the end of the day, how are they going to communicate this to the population in a way that gains support?"

To date, unlike the robust discourse occurring in places like the US and the EU, Australia's CSOC has slipped under the radar of public discussion. And debate around the web of complex questions its establishment raises has been almost non-existent.

One of the questions — although certainly not the only one — relates to the oversight and governance mechanisms for the creation of offensive capabilities such as botnets, which often involve the use of computers (both personal and public) that have been infected and taken over in distributed locations around the globe.

Botnets have been used in distributed denial of service (DDoS) attacks against Estonia, Georgia, South Korea and the US. Notably, these attacks involved the use of the same non-military devices and networks used for the Internet in countries around the globe; family and personal computers along with corporate networks.

Both Walls and Director of Operations and Capablity at the Australian Strategic Policy Institute (ASPI), Andrew Davies, agree that while it would not be difficult for CSOC to create offensive capabilities like a botnet — they contend it would be quite easy — the associated governance measures to oversee such activities have not kept pace.

DSD is bound by the Intelligence Services Act 2001 and its activities are subject to independent oversight by the Inspector-General of Intelligence and Security and potentially the Defence Act, but there are no specific provisions covering offensive cyber capabilities.

"My guess is there is no single piece of legislation that enables this centre but all of the agencies that are involved would be covered by their own," Davies said in pointing out the legal complexity involved. Additionally, Defence also refuses to say whether it has the legal right to create offensive capabilities such as a botnet, or even if it has attempted to do so.

However, for University of New South Wales Cyberspace Law and Policy Centre, executive director, David Vaile, it is not immediate legislative reform that is necessary. Rather, it is more extensive debate since the issue spans a number of fields and interest groups.

"It might be that there needs to be more investigation and clarity about official understanding of the interests being protected, more visible demonstrations of awareness about the potential dangers of the cure being worse than the disease (creating a dangerous environment as a remedy for another form of danger), and commitment to recognising and protecting traditional rights and liberties while the necessary counter measures are being planned and implemented," he told Computerworld in an email. "I'm not sure about the best model for this; operational details may be necessarily somewhat limited, but governance, oversight and accountability mechanisms should be robust enough to deal with both the completely unscrupulous and almost unstoppable threats emerging and the temptation to over-react or cut corners in ways which are not sustainable.

"Public awareness of the nature of the threat is limited, so there is scope for a poorly informed public debate; either too gung ho (insensitive to risks to other interests and public values), or not appreciative of the nature of the seriousness of the threat."

But until the Defence department drops its line about not discussing its cyber capabilities, Walls claims the CSOC will have trouble getting buy-in from all stakeholders across the economy and will run into future problems.

"For the government to be successful at guarding our cyber security as a nation, they actually have to have both the government and commercial sector, which means they need to get the enthusiastic cooperation of all the business leaders out there," he said. "So they need transparency to make investments of the right type."

Sign up for Computerworld's UC newsletter here.

Got a comment on cyber warfare?Email Computerworld or follow @computerworldau on Twitter and let us know your thoughts.


Copyright © 2009 IDG Communications, Inc.

Download: EMM vendor comparison chart 2019
Shop Tech Products at Amazon