Cyber czar could create policy delays

The head of the government-sponsored Australian Strategic Policy Institute Andrew Davies has urged against appointing a single 'cyber czar' to combat internet-borne security threats.

Davies told the a summit in Canberra last week that cyber security was best understood as a set of policy issues ranging from nuisance to national security.

He said those issues currently fell under the remit of three sets of Federal and State agencies.

Any attempt to consolidate responsibility would cause delays and introduce inflexible approaches to override otherwise practical approaches, Davies said.

Federal and state law enforcement authorities became involved in cyber crime policing for identity theft and credit card fraud issues.

Issues of lax user behaviour and unwise site searching made cyber security an educational and quasi-regulatory issue, bringing it under the auspices of the Australian Communications and Media Authority (ACMA) and the Department of Broadband, Communications and the Digital Economy (DBCDE).

Because cyber security was also associated with potential incursions by foreign governments, it became an issue for the Department of Defence and for the National Cyber Security Adviser within Prime Minister and Cabinet.

While Davies agreed it was important for the various agencies to communicate regularly with each other to stay alert to new developments in cyber crime, this was an inadequate argument for establishing a national cyber czar.

Davies argued there was a clear mandate for government intervention only on issues of Defence, national security or where it was clear a crime had been committed.

His view was countered by a general consensus at the summit that the Government had been too slow implementing a cyber security strategy, putting it years behind other nations.

No national picture

A perceived lack of official statistics on cyber security was seen by summit attendees as conflating the Government's cyber security woes.

While priding itself on evidence-based policy making, statistics and a systematic national perspective on cyber security provided by the Government and its various agencies remained elusive.

Attorney-General Robert McClelland, who opened the summit, offered little in terms of hard data, reprising a previous announcement by CERT Australia of its identification of 250,000 stolen records and advising organisations to take steps to minimise damage.

Australian Institute of Criminology research analyst Alice Hutchings submitted to the summit a wide range of estimates of the cost of cyber crime varying from $345 million to over $1 billion.

She also cited survey results from 2009 on the number of businesses said to have experienced a cyber "incident".

However, the summit did not turn up a clear and credible benchmark of what was happening, whether it was getting worse and what worked best in reducing cybercrime.

Read on to page two to find out why we shouldn't worry too much about the cyber threat posed by China.

The Chinese threat

Australia ranked among the top ten targets for China’s cyber-intelligence operations.

China, thought to be behind the theft of emails from Parliamentary computers reported back in March, had the most extensive and "practiced" cyber-warfare capabilities in Asia.

However, ANU Professor Desmond Ball said that China's technical expertise was "uneven" and that the actions of private netizens ("wangmin") were often confused as those of the official cyber-warfare units.

Not all netizens were motivated by national causes, he said.

Presenting a subset of data from his “China’s Cyber Warfare Capabilities” paper, Ball said that China was the biggest victim country of hacking, with at least as many netizens seeking to attack the country's own Great Firewall as those targeting foreign network assets.

According to the National CERT Technical Coordination Centre in Beijing, more than 4600 Chinese government websites had their content modified by hackers in 2010, a 68 percent increase over the previous year.

Furthermore the vast majority of personal computers in China (over 80 percent) were infected with a computer virus, according to Ball's figures.

Ball concluded there was no evidence that Chinese cyber-warriors could penetrate highly-secure networks or covertly steal or falsify critical data. 

He rated China’s information warfare capabilities as inferior for at least the next ten years.

“China’s cyber-warfare authorities must despair at the breadth and depth of modern digital information and communications systems and technical expertise available to their adversaries," he said.

However, the threat of a China-initiated cyber war meant Australia's national security agencies needed to strengthen their protective capabilities and be ready for retaliatory and offensive operations, he noted.