Organising cyber security in Australia and beyond

Abstract

The Internet is an interconnected network and cyber security requires collective action. How that action is organised has important implications for national security, including the defence against cyber attacks and malicious activities. This article explains the origins and institutionalisation of cyber security in Australia—particularly ‘civilian cyber security’. The authors trace the origin of Australia’s first computer emergency response team and explain how this organisational form spread from the USA. Through it, Australia helped enable international cooperation. Domestically, however, the authors argue that the Australian government has struggled with the delegation, orchestration and abdication of responsibility for civilian cyber security, underinvesting in civilian organisations while overrelying on military and intelligence agencies. The history of this organisational field provides valuable insight into how to improve national policy and operations for cyber security.
Accepted manuscript for Australian Journal of International Affairs (2017)
Published version available at:
https://www.tandfonline.com/doi/full/10.1080/10357718.2017.1320972
DRAFT MANUSCRIPT
Organising Cyber Security in Australia and Beyond
Frank Smith and Graham Ingram¹
Abstract
The Internet is an interconnected network and cyber security requires collective action. How
that action is organised has important implications for national security, including the defence
against cyber attacks and malicious activities. This article explains the origins and
institutionalisation of cyber security in Australia – particularly “civilian cyber security.” We
trace the origin of Australia’s first Computer Emergency Response Team and explain how this
organisational form spread from the United States. Through it, Australia helped enable
international cooperation. Domestically, however, we argue that the Australian government
has struggled with the delegation, orchestration, and abdication of responsibility for civilian
cyber security, underinvesting in civilian organisations while overrelying on military and
intelligence agencies. The history of this organisational field provides valuable insight into how
to improve national policy and operations for cyber security.
Introduction²
Cyber security presents many challenges, including how to organise collective action
against cyber attacks and malicious activities. This is a serious problem for Australia, as it is
for most countries that are grappling with the promise and peril of networked information
technology. Now decades old, the Internet and cyber attacks have become so common that
we may take them for granted. However, cyberspace and threats therein were once new, and
within living memory. During the 1980s and 1990s, the public and private sectors started
creating new organisations to address previously unimagined threats.
How were cyber threats initially interpreted, and what models or norms for defence
against them emerged in response? To what extent did early decisions about the organisation
of cyber security subsequently enable or constrain international cooperation? Similarly, how
did national policy and operations evolve over time, especially in light of the government’s
traditional roles and responsibilities for national security?
This article helps answer these questions by explaining the origins and
institutionalisation of civilian cyber security in Australia. It is a significant case. First and
foremost, most of “cyber security” is “civilian cyber security.” Most of cyberspace is
connected through the Internet, and most Internet users are civilians. Most Internet
infrastructure is now built, owned, and operated by civilians. The same is true for most of the
information technology used in other kinds of critical infrastructure (ranging from the
electrical grid and financial services to telecommunications, transportation, and healthcare).
Military and intelligence agencies play a role, but even they rely on much of the same
hardware, software, and network infrastructure as civilian agencies and the private sector.³ As
a result, the civilian side of securing the confidentiality, integrity, and availability of this
technology – for individuals and organisations in the public and private sector – is central to
what cyber security actually means in practice.
Australia is significant as well. As we document, Australians were a notable source of
early hacking: the response to which helped shape some of the world’s first organisations for
civilian cyber security. Australia also helped catalyse information sharing among its “Five
Eyes” alliance partners (i.e., the United States, United Kingdom, Canada, and New Zealand),
and it helped organise cyber incident response across the Asia Pacific (i.e., where most of the
world’s Internet users live today). Now, according to Prime Minister Malcolm Turnbull,
“improvements to cyber incident response are on our minds in Australia, thanks to a denial of
service incident on our national Census night” (Turnbull 2016). Our study provides new
evidence about the evolution of national policy and operations, which hopefully can help
improve the organisation and practice of cyber security in Australia and abroad.
Our evidence is drawn from a unique combination of scholarly research and first-hand
experience. This experience includes work in the Australian government on critical
infrastructure protection and information security during the 1990s, followed by work in the
private sector on cyber security during the 2000s and 2010s. To add perspective, we
performed more than a dozen semi-structured interviews with practitioners and policymakers
in the United States and Australia. These interviews were coupled with other primary sources
and archival research.⁴
The result is a rich analysis of a largely untold history.
First, we trace the origins of Australia’s Computer Emergency Response Team
(AusCERT). Not only was this non-governmental organisation the first in the country
dedicated to civilian cyber security; it also served as Australia’s national incident response
team for more than 15 years (e.g., helping share information, mitigate vulnerabilities, limit
damage, communicate risk, and attribute attacks or malicious activities to their source).
Australia adopted this organisational form from the United States because imitating the US
was seen as legitimate and appropriate (e.g., DiMaggio and Powell 1983; March and Olsen
1998). Second, we show how Australia influenced international cooperation, both through the
Five Eyes in preparation for Y2K and through the CERT system in the Asia Pacific. Third,
despite some successes, we argue that Australia has long struggled with the domestic division
of labour in this field. The Australian government delegated and orchestrated parts of civilian
cyber security through AusCERT during the 1990s and 2000s, forming variants of a “public-
private partnership” (e.g., Dunn-Cavelty and Suter 2009; Carr 2016). However, the
government also abdicated or neglected aspects of its responsibility to supply cyber security
as a public good and service.
Some of these outcomes were deliberate decisions. Others were due to a lack of
interest or expertise. All of them could have been different. We argue that this history helps
account for persistent policy problems, including the lack of government leadership and
funding for civilian cyber security, as well as overreliance on military and intelligence
agencies. This story is not unique to Australia. Therefore, our findings highlight several
important barriers and opportunities for improving national and international cyber security
in the years ahead.
Initial Response to Hacking Down Under
The Internet was born in the USA, but Australia was an early adopter and a hotbed for
hacking. Even before Australia established its first 56K connection to the United States in
June 1989 (Clarke 2004, 31), hackers in Melbourne were exploiting the telephone exchange
system and X.25 networks (Dreyfus and Assange 1997). They also attracted the attention of
the U.S. Federal Bureau of Investigation (FBI). “As early as 1988, the FBI had made contact
with Australian law-enforcement agencies to express concern over attacks by Australian
hackers on American networks” (Norman 2003; similarly, Markoff 1990). Shortly thereafter,
the Australian Commonwealth government passed the Crimes Legislation Amendment Act of
1989, which made unlawful access and damage to computer data punishable offences. In
addition, the Australian Federal Police (AFP) created its first computer crime unit, which
coordinated with the FBI and other government agencies in the United States.
Australian hacking prompted the creation of other new organisations as well. In
October 1989, the U.S. Department of Energy and the National Air and Space Administration
(NASA) were struck by the Wank worm: an early attempt at anti-nuclear hacktivism that
protested the plutonium-powered Galileo spacecraft. Initial signs pointed to France and then
Australia (Dreyfus and Assange 1997, 50). This incident fuelled interest in international
information sharing and prompted the United States to create the Forum of Incident Response
and Security Teams (FIRST) in 1990 (Killcrece et al. 2003, 20). FIRST has since grown to
become “an international confederation,” helping hundreds of teams around the world
“cooperatively handle computer security incidents and promote incident prevention
programs” (FIRST 2003).
NASA remained a common target. In 1992, it and other government sites in the
United States and Europe were targeted by Australian hackers using computer networks at
the University of Queensland (UQ), Griffith University, and Queensland University of
Technology (QUT), prompting further investigation by the FBI (Chester 1992a; McCosker
1992; Chester 1992b). These universities realized that they had a problem; their search for a
solution was brief (Cyert and March 1963, 169). They looked to the United States, and, in
particular, Carnegie Mellon University (Young 1992; Coulter 1993), which was home to the
Computer Emergency Response Team Coordination Center (CERT/CC).
The CERT/CC was established in 1988, following the Morris worm and a subsequent
hack of the U.S. military’s network. Post-mortem reviews of these incidents concluded that
the response had been hampered by poor communication and coordination (GAO 1989;
Killcrece et al. 2003, 18). To improve information sharing and collective action, the Defense
Advanced Research Projects Agency (DARPA) sponsored the Software Engineering Institute
– a non-profit, federally funded research and development center at Carnegie Mellon – to
create the CERT/CC. This was the world’s first organisation created specifically for cyber
incident response.
Despite military funding, the CERT/CC was not a government agency. “DARPA
made the early decision that the CERT was to be a community-based organization, with no
specific delegated authority” (Sherlis et al. 1990, 501). Nor did naming it a “Coordination
Center” mean that incident response was centrally coordinated. Quite the contrary: the United
States chose a relatively decentralised, voluntary, and private approach to civilian cyber
security. From the beginning, “other agencies and constituencies were encouraged to create
and sustain their own teams” (Killcrece et al. 2003, 19).
This choice was neither inevitable nor technologically determined. At the time, the
Internet backbone was still public infrastructure; plus, the US government had long played a
central and authoritative role in defending against other threats to public health and safety
(national security being one classic example of a “public good”). Therefore, different norms
about the roles and responsibilities of government were available (Smith III 2016).
Nevertheless, American policy preferences for a decentralised, voluntary, and private
approach to civilian cyber security were significant (Friedberg 2000), in part because other
countries followed suit. “The US… acted as a model for other governmental response[s] to
cyber issues, notably in Europe and Asia” (Choucri et al. 2014, 112), and CERTs – also
known as Computer Security Incident Response Teams (CSIRTs) – were institutionalised as
a common organisational form. “What has materialized over time is a mosaic of hundreds of
independently operating CERTs across the world” (DeNardis 2014, 92), and they are now
“key actors in the cyber regime complex” (Bradshaw 2015; also Morgus et al. 2015).
Australia was an early adopter of the US model. It is doubtful that the CERT system
had fully demonstrated its effectiveness when NASA was hacked in 1992. Effective or not,
however, this model was seen as legitimate and appropriate by UQ, Griffith, and QUT.
“Driven by a logic of appropriateness and senses of identity” (March and Olsen 1998, 949),
they imitated the United States: a process known as “mimetic isomorphism” that can result in
organisational homogeneity (DiMaggio and Powell 1983, 151). Like UQ, Griffith, and QUT,
Carnegie Mellon was another university. In addition to this shared identity, the handful of
engineers and systems administrators that managed computer networks at the Australian
universities were impressed by the roles played by their perceived peers at the CERT/CC
(Interviews with Wilber Williams and Graham Rees, September 2016). They exchanged site
visits and the CERT/CC provided technical assistance on how to adopt its model.
Granted, there may have been financial incentives to imitate the United States as well.
Australia’s Internet connection was subsidised by NASA (Koporaal 2009, 30), so hacking
NASA “ultimately threatened a large amount of research funding coming into the country”
(Smith 1994, 2). But there was little consideration of alternative solutions or models for
addressing the uncertainties of hacking and ambiguous goals of security. After the Australian
government declined to sponsor an incident response team, the three public universities
“decided to just start it anyway, and fund it themselves,” having “determined that Australia
should take responsibility for its own security problems” and mimic the CERT/CC (Smith
1994, 2-3).
“This was the origin of cyber security in Australia” (Interview with Graham Rees,
September 2016). Housed at UQ, the Security Emergency Response Team was launched in
March 1993, accepted into FIRST in August 1993, and renamed the Australia Computer
Emergency Response Team in April 1994.⁵
“It had no authority to act, it just existed” (Smith
1994, 2). Along with its lack of authority, AusCERT had limited funding. Initially, according
to one participant, “we begged and borrowed machines” or “whatever we could scrounge,”
and “we built our server from the ground up” with a fire extinguisher at the ready in case it
started burning when first switched on (Interview with former AusCERT staff, September
2016).
Humble origins notwithstanding, this seemingly obscure and non-governmental
organisation served as Australia’s de facto national CERT from 1993 until 2010, during
which time Internet users grew from less than 2% of the Australian population to more than
75% (World Bank 2015). AusCERT was not alone. Again, “the CERT model… presumes the
creation of multiple CERT organizations,” (Sherlis et al. 1990, 499), and other response
teams were eventually created (e.g., inside banks, telecommunications companies, and
software vendors). But their focus and constituencies differed. Despite the “variety of
organisations offering network security products and services on a commercial basis” in the
mid-1990s, “none of them attempt to, or are able to, serve as a single national/international
point of contact on Internet security matters” (Eckermann 1996, 34). Nor did the Australian
government. Only AusCERT sought to provide “a single point of contact for dealing with
computer security incidents affecting or involving Australian networks” (AusCERT 2002a).
Its constituency started out as Australia’s Academic and Research Network (AARNet), and
later consisted of subscription members in education, government, and industry across the
country.⁶
The vision for AusCERT was “to be one of the world’s most authoritative sources of
trusted and impartial computer security expertise” (AusCERT 2002b). Its mission was to
supply services for cyber security. These included monitoring and evaluating malicious
software and system vulnerabilities; recommending prevention, mitigation, and recovery
strategies for incident response; sharing information and helping raise awareness through
education; and liaising with government agencies and foreign counterparts as a trusted
intermediary on sensitive issues such as technical attribution. Early contributions ranged from
automated patching and email protection on Sun Microsystems to helping the AFP
investigate hacking of the Australian Electoral Commission (AEC 1997; Interviews with
former AFP and AusCERT staff). Australia’s adopted approach to providing these services
influenced international cooperation, as well as the domestic division of labour: each of
which we will address in turn.
Australia and International Cooperation on Cyber Security
No one is an island in cyberspace because it is a global domain. The same is true for
cyber security, as illustrated by Australian hacking of overseas networks and the response
adopted from the United States. However, international cooperation on cyber security was
initially informal, tactical, and limited. AusCERT started out as a three-person team, with few
resources for foreign engagement. Similarly, the AFP established computer crimes units that
cooperated with their foreign counterparts, but these units were small, few in number, and
they enjoyed little support inside the agency (Interview with a former AFP officer, October
2015). The Australian government later noted “a need to develop cooperative arrangements
with other countries in terms of responding to attacks” against national information
infrastructure, and yet it assumed that such “solutions will, for the most part take place in the
open market” (Interdepartmental Committee 1998, 41). As a result, it was the turn of the
century before Australia had much impact on international cooperation in this field.
Five Eyes on Y2K
AusCERT hosted the annual FIRST conference in Brisbane in June 1999. The timing
of this conference proved significant: less than a year remained for the world to prepare for
the Millennium bug. Also known as Y2K, this bug or glitch was created by the common
practice of recording the year as a date using only two digits (e.g., “00,” making 2000
indistinguishable from 1900). While the intent was not malicious, it was feared that this
abbreviation would cause widespread computer failures, and this fear prompted intensive
mitigation efforts around the world (Manion and Evan 2000).
The FIRST conference agenda focused on deliberate intrusions and attacks, not Y2K
(FIRST 1999). Nevertheless, this conference was attended by Australian, American, and
British government officials who were involved with protecting their countries’ critical
infrastructure. One of these officials asked: what would happen if a computer network attack
was launched around 1 January but masked to look like a Y2K failure? How would you tell
the difference, and how would you respond?
Despite all of the Y2K preparations underway, this may have been the first time that
these particular questions had been raised. Neither the American, British, nor Australian
government had good answers. They asked the CERT/CC for help, and, in October, it
organised a workshop in Gatwick (International Y2K Cyber Assurance Workshop 1999).
The Gatwick workshop was attended by representatives from the US, UK, and Australia (plus
Japan). They assessed the threat and proposed strategies to mitigate cyber attacks during
Y2K. Perhaps most important, they recommended real-time monitoring and information
sharing among the group.
This was the first multilateral response to cyber threats of its kind. Given the
international dateline, a “follow the sun” approach was used to monitor Y2K, and the first
countries expected to see evidence of an attack were New Zealand and Australia. With help
from AusCERT, the Attorney-General’s Department and Australian Security Intelligence
Organisation set up a small watch office in Canberra to report and respond to cyber security
incidents on New Year’s Eve in 1999. This watch office was collocated with the Australian
Defence Force Intelligence Centre and in direct communication with Five Eyes alliance
partners (i.e., civil-military cooperation, as well as international cooperation, on the largely
civilian cyber security challenge of Y2K).
Even though no significant failures or attacks were reported on 1 January, Y2K was a
turning point for international cooperation on cyber security. It provided a proof of concept
for real-time monitoring and information sharing. Preparation for Y2K also built trust through
interpersonal interaction. For example, participants at the Gatwick workshop celebrated their
comradery by sharing a wooden spoon from a local bar: a spoon that subsequently travelled
around the world in playful exchange. They used FIRST conferences over the following years
to build these personal relationships, discuss principles for daily watch-and-warning, and
launch pilot projects for sharing information between their CERTs (Global Network 2001a,
2001b; TAPA Accord 2002; PreFIRST 2004).
National governments eventually subsumed these pilot projects through initiatives
such as the International Watch and Warning Network (IWWN 2007; interview with Jeffrey
Carpenter, October 2015). But homage was paid to FIRST and Y2K. According to the US
National Strategy to Secure Cyberspace in 2003, “the United States will urge each nation to
build on the common Y2K experience” and “foster the establishment of an international
network,” which “can build on the capabilities of nongovernmental institutions such as the
Forum of Incident Response and Security Teams” (Bush 2003, 52). International cooperation
on cyber security remains ad hoc and limited. Still, the Five Eyes cooperate more than most,
as illustrated by the Strategic Alliance Cyber Crime Working Group formed by their “quintet
of Attorneys General” in 2008 (Australian Government 2013, 20; Legrand 2015, 980), and
inclusion of cyber attacks under the ANZUS Treaty in 2011 (Khalil et al. 2012). At least
among these allies, Australia’s role during Y2K helped catalyze real-time monitoring and
information sharing, if only in a small way.
Regional Cooperation on Incident Response
Australia also helped advance cooperation in the Asia Pacific. For example,
AusCERT sponsored China’s entry into FIRST: conducting a site visit in March 2002 to
confirm that the National Computer Network Emergency Response Technical Team
Coordination Center of China was ready to participate in this professional association. This
sort of professional review or evaluation helped spread and consolidate the CERT system,
even in China, where the adoption of a US model – and some of the norms associated with it
– may be more surprising than Australia imitating the United States.
Following their site visit to Beijing, AusCERT staff attended the Asia Pacific Security
Incident Response Conference in Tokyo. Here they proposed creating a regional task force to
“enhance Asia-Pacific and international cooperation on information sharing” (Ingram 2002;
also APSIRC 2002, 4). This proposal was supported by Japan and China, which were both
interested in improving their respective relationships and engagement in the region. 15
CERTs from 12 economies agreed to establish the Asia Pacific Computer Emergency
Response Team (APCERT), which held its first meeting in February 2003 (APCERT 2003b,
2003a; HKCERT 2013).
APCERT was the first successful regional CERT, since a European attempt failed
“due to lack of interest and funding” in 1999 (ENISA 2006, 24).⁷
Nevertheless, while
Australia promoted the CERT system and thus a US model, the regional team that it helped
create also resisted aspects of American influence, particularly US membership in APCERT.
The boundaries of the Asia Pacific are open to interpretation. On the one hand, APCERT
defines its borders by a vertical slice that contains adjacent time zones, roughly
corresponding to the Regional Internet Registry (i.e., the Asia Pacific Network Information
Centre). On the other hand, APCERT also collaborates – as a formal guest – with the forum
for Asia Pacific Economic Cooperation (APEC), which includes other Pacific Rim
economies: most notably the United States.
The US reportedly wanted to join APCERT, even to the point of suggesting that the
location of Guam justified inclusion of the continental United States. APCERT demurred,
however, preferring to not include the US and thus avoid being subsumed by APEC. This
border dispute could have gone differently. For instance, APCERT could have accepted the
United States and looked more like APEC, which may have either improved international
cooperation or hindered it. Alternatively, as APCERT recommended, the United States could
have created another regional CERT in the Americas. But it did not. Here, as elsewhere,
counterfactual analysis suggests that these choices were not determined or driven by the
technology involved.
Moreover, American engagement with APEC had somewhat unintended feedback
effects on US cyber security policy. Under the heading of “counter terrorism and economic
growth,” President Bush signed a Joint Statement at the APEC Ministerial Meeting in 2002
that, in effect, obligated the United States to establish a national CERT. This was not the
initial intent. “The normal US policy,” according to one former official, is that “you don’t
sign up to anything that we’re not already doing” (Interview with former National Security
Council staff, September 2015). Elements of the Bush Administration mistakenly assumed
that the CERT/CC was an official, national CERT. It was not, however. Like AusCERT, the
role played by CERT/CC was de facto rather than de jure. Cyber security advocates inside the
White House used this discrepancy to “create what we don’t have,” establishing the United
States Computer Emergency Readiness Team (US-CERT) inside the new Department of
Homeland Security in 2003 (Interviews with former US-CERT and AusCERT staff, May and
September 2015). Several years passed before Australia followed suit.
Domestic Divisions of Labour
Australia chose not to create a national CERT inside government until 2010.⁸
Therefore, during the 1990s and 2000s, Australia’s de facto national CERT was AusCERT.
This was a critical period in Internet history given the rapid growth in usage. Whether the
resources dedicated to cyber security – funding, attention, expertise – during this period were
up to the task is a different question.
When AusCERT was established at the University of Queensland in 1993, it was a
three-person team with a budget less than $300,000. Its constituency was AARNet (i.e.,
another academic organisation), which provided Australia’s Internet backbone. AARNet sold
this business to Telstra in 1995, thereby commercializing the Internet in Australia. This sale
mirrored changes in the United States, where the Internet – born on public infrastructure with
military funding – was privatized and commercialized as well. Telstra abruptly cut funding
for incident response in 1996, and this decision “placed the future of AusCERT in jeopardy”
(Eckermann 1996, 28).
“In the face of the resulting financial crisis,” the Australian government was
approached for help. Yet it did not want to shoulder this responsibility or bill. The
Commonwealth decided against having “the AusCERT function… absorbed into a
Government portfolio and funded as a matter of national importance” (Eckermann 1996, 15,
5). Instead, AusCERT was turned into a self-funding, subscription-based service.
As a subscription service, AusCERT was “heavily reliant on government clients to
remain financially viable” (Interdepartmental Committee 1998, 35). Lacking other options,
more than 60 Commonwealth, state, and local government clients relied on AusCERT, at
least enough for the federal government to argue that “the loss of AusCERT and the body of
expertise it has built up over the years is not an acceptable outcome.” However, recognition
of this expertise did not cause the Australian government to reconsider the US model or
reinterpret responsibility for cyber security. It argued that:
Based on the US model, we can expect the public and private sectors to begin to
develop in house response capabilities… [and] we need to be conscious that
provision of subsidised response capabilities may, in itself, limit development of
a self-supporting market (Interdepartmental Committee 1998, 35).
This confidence in the US model is consistent with the assumed appropriateness of
that model and the associated market. But such confidence is harder to explain based on other
factors, including the information that was available about market forces in the late 1990s.
Little evidence suggests that incident response was particularly profitable at the time, in the
US or elsewhere. For example, the CERT/CC depended almost entirely on government and
military sponsors. Moreover, even the CERT/CC had started to question the US model,
noting that “techniques that have worked in the past for securing systems will not be effective
in the world of unbounded networks, mobile computing, distributed applications, and
dynamic computing that we are beginning to see” (Ellis et al, 1997, 2).
Australia’s reluctance to subsidise the national interest in incident response included
its intelligence community. In 1997, the Defence Signals Directorate (DSD) considered
establishing a national CERT inside government (Interdepartmental Committee 1998, 69).
Yet little action was taken, then or when the Intelligence Services Act of 2001 required DSD
to assist state and federal authorities with information security. DSD was still focused on
signals intelligence, similar to the US National Security Agency (NSA), which also
“remained all too wedded to tapping land lines, analog circuits, and intercepting radio”
throughout the 1990s (Kaplan 2016, 126). “DSD only did info [or cyber] security to appease
government and prevent someone else from taking over that role,” and its initial interest in
the Internet was limited (Interview with former Australian government official, September
2016).
Delegation, Orchestration, and Abdication?
The Australian government signed a memorandum of understanding that formally
acknowledged AusCERT’s national status and its “special relationship” with the
Commonwealth in 2006 (AGD and AusCERT 2006, 3). The government also delegated
aspects of cyber security to AusCERT through service contracts (on delegation, see Drezner
2002; Hawkins et al. 2006). Starting in 2003, for example, AusCERT was funded by the
Commonwealth to provide national alerts and incident reporting as part of the government’s
E-Security Initiative. In addition, AusCERT was sponsored to help represent the Australian
government at the APEC Telecommunications and Information Working Group (Senate
Committee 2003, 8). These government contracts helped AusCERT grow during the 2000s
from about 10 people on staff with a AU$1 million budget to nearly 20 people and $2 million
per year.
Along with explicit delegation were less formal agreements and orchestration,
whereby the Commonwealth facilitated and encouraged voluntary action through AusCERT
(on orchestration, see Abbott and Snidal 2009). For instance, in 2003, AusCERT agreed to
help combat early phishing sites through a public-private partnership that extended beyond its
service contract with the Attorney General’s Department. “Australia was one of the first
places where phishing attacks against Internet banks were seen” (McCombie et al. 2009, 42).
When Australian banks discovered that they were being impersonated by fraudulent websites
offshore, the government steered them to report to AusCERT. Working as a trusted
intermediary, AusCERT partnered with the Australian High Tech Crime Centre to contact
CERTs in the countries where these websites were hosted, analyse the code, trace stolen
credentials, and block fake websites under the authority of the AFP (AusCERT 2004).
AusCERT also participated alongside the Australian government in Cyber Storm exercises
organised by the United States, and it had “a gentleman’s agreement” to hand the response to
any state-sponsored attacks over to DSD (Interview with former AusCERT staff, September
2016).
Despite delegation and orchestration, some evidence suggests that the Australian
government still neglected or abdicated aspects of what might otherwise have been its
responsibility to support cyber security during the 1990s and 2000s. Traditionally, the
government has played a central role in providing for national security, as well as public
health and safety (even courting criticism as a “nanny state”). Yet on numerous occasions –
ranging from creating the country’s first incident response team to establishing APCERT to
reporting cyber vulnerabilities that threatened critical infrastructure – AusCERT appeared to
advance national security without corresponding support from the Commonwealth. The lack
of funding was particularly acute early on. According to one staff member, “every year, from
the beginning of AusCERT, we had a funding crisis,” and, as described by another,
“operating on a shoestring was hard and limited our effectiveness” (Interviews with former
AusCERT staff, September 2016).
Cyber security is hard under the best of circumstances, but insufficient support made
effective collective action more difficult when systemic risks were starting to emerge. The
supply of public goods and services suffered to the extent that the Australian government was
underinvesting or “free riding” on non-governmental capabilities and expertise. This result
was due in part to a lack of interest and attention rather than deliberate neglect. Even when
the Commonwealth deliberately decided to eschew a more active role, these decisions could
be justified “based on the US model,” as was argued during the 1990s. However, by accident
or design, the result was consequential.
The Attribution Problem
While the Australian government delegated, orchestrated, and abdicated aspects of
civilian cyber security to non-governmental organisations and the market, it still had to
organise the roles and responsibilities that remained inside the Commonwealth. This was a
novel challenge. It was not immediately apparent which agencies should be responsible for
what functions in cyberspace. Bureaucratic jurisdiction was therefore another choice to be
made rather than a foregone conclusion.
Choices about jurisdiction were also complicated by the attribution problem.
Identifying the author of an action can be more difficult in cyberspace than in other domains
(Libicki 2009; Lindsay 2015). Traditionally, however, law enforcement and security agencies
use a perpetrator’s identity and motive to decide jurisdiction. The armed forces primarily
address attacks by foreign militaries; terrorism and espionage belong to the intelligence
agencies; and the police fight other kinds of crime (esp. offenses perpetrated by criminals
motivated by profit or passion and subject to domestic law). So who leads on cyber attacks?
What agency or organisation has jurisdiction in a domain where perpetrators may not only be
anonymous but their identity, location, and motivations may remain uncertain long after the
government is obligated to investigate and respond?
Attribution is not a purely technical problem (Rid and Buchanan 2015), and the
technical design features of cyberspace that enable anonymity did not prompt a radical
rethinking or reorganisation of government (e.g., replacing jurisdiction based on motive and
identity with functional divisions of labour better suited to this technology). Instead, change
was incremental and captive to legal and historical precedent. Starting in 2000, the Australian
government tried to solve the attribution problem with joint operating arrangements between
the defence, intelligence, and police agencies (AGD 2009). Under these arrangements, each
agency agrees to share information and responsibility until attribution is established. The
agency that first encounters a cyber intrusion or attack brings it to the others and, in theory,
they cooperate until the incident is attributed to a particular perpetrator. Their traditional lines
of authority are then applied. Since interagency coordination is notoriously difficult, its
efficacy should not be taken for granted. That said, the JOAs represent one attempt to square
the circle of using old organisations to address new problems with cyber security.
Persistent Policy Problems
The JOAs became part of the Australian government’s E-Security National Agenda,
launched in 2001 “to create a secure and trusted electronic operating environment”
(MacGibbon 2009, 4). However, this agenda was not a coherent policy. It was a “light
touch”, with little government leadership or engagement, which in turn helped fuel a
proliferation of disjointed working groups, committees, and programs (MacGibbon 2009, 4;
also Dijk 2001; Warren 2003; Waters, Ball, and Dudgeon 2008, 111, 42; Australian
Government 2010, 64-7). During the 1990s, the policy machinery that might have guided
operational aspects of cyber security – including the divisions of labour between the
government and AusCERT – was largely absent. During the 2000s, a few durable programs
were established, but national policy was weak and fragmented, almost to the point of
dysfunction.
Throughout this critical period in Internet history, the Attorney-General’s Department
(AGD) was “the lead agency for cyber security policy” (Australian Government 2009a, 8).
This department may not have been a natural home. After all, the law is a retrospective
institution based on precedent, whereas networked information technology was undergoing
unprecedented change. Nevertheless, in 1998, the Australian government assumed that
protecting national information infrastructure was “similar” to the “general protective
security role” already being served by the AGD (Interdepartmental Committee 1998, 2).
The similarity between these roles was questionable, and a decade passed before the
AGD published Australia’s first national strategy for cyber security in 2009. Unlike the E-
Security National Agenda, the 2009 Cyber Security Strategy articulated a set of national
principles, priorities, and capabilities to achieve them. In particular, this strategy 1)
established a new national CERT inside the AGD, called CERT Australia; and 2) supported a
new Cyber Security Operations Centre housed in DSD, as had been called for by the 2009
Defence White Paper.
Unfortunately, both of these organisations proved to be problematic. CERT Australia
attempted to pull many of the functions performed by AusCERT into the government.
Increasing government capability for civilian cyber security was reasonable if not required.
Growing demand exceeded the services that AusCERT could supply with the resources at its
disposal; moreover, the United States had established US-CERT inside the Department of
Homeland Security in 2003, working in close cooperation with the CERT/CC. Once again,
the US model looked legitimate, and the AGD started to establish CERT Australia in 2009
with help from AusCERT (e.g., planning for a four year service level agreement, security
clearances for staff, and a purpose-built facility in Brisbane). However, what started out as a
partnership between AusCERT and the AGD was increasingly seen as a hostile takeover that
was ultimately rebuffed, severely damaging once trusting relationships. Plus, with an initial
budget of only $3 million per year (Blackburn and Waters 2011, 22), CERT Australia added
yet another underfunded player to the already disjointed field.
Funding was less of a problem for DSD. It planned to dwarf the civilian capabilities
available in CERT Australia and AusCERT by “employ[ing] around 130 highly-skilled
information technology experts, engineers and analysts” at its Cyber Security Operations
Centre (Defence News 2010). This Defence-based capability was initially described under the
heading of “cyber warfare” (Australian Government 2009b, 83). It later became the largest
component of the Australian Cyber Security Centre (ACSC), which was announced in 2013.
That year DSD was also renamed the Australian Signals Directorate (ASD), which placed
greater emphasis on cyber security.
Yet ASD remains an intelligence agency. Its mission – “reveal their secrets, protect
our own” – is still focused on collecting signals intelligence and protecting the sources and
methods used to do so. This one-way flow of information is almost antithetical to sharing
information with industry and the public about malicious cyber activity. Even if the ideas at
work inside ASD were not barriers to security cooperation, identity is intersubjective, and so
how external stakeholders see ASD is at least as significant as how it sees itself. Since
interpretations of identity can change, external suspicion and scepticism may wane with
increased interaction. Nevertheless, dominance of the ACSC by this intelligence agency
creates challenges for civilian cyber security and public accountability that remain unresolved
by merely changing the name of DSD to ASD.
Operational dominance by ASD and damaged relations between the CERTs were
coupled with an enduring lack of leadership after publication of the 2009 Cyber Security
Strategy (Feakin, Woodall, and Aiken 2014; Feakin, Woodall, and Nevil 2015). More than
six years passed before Australia updated this strategy, during which responsibility for policy
development was repeatedly shuffled. Responsibility was transferred from the AGD to the
Department of Prime Minister and Cabinet (PM&C) in 2011; a long promised white paper
was then handed off to the Department of Communications with “very disappointing” results;
the ACSC was announced in 2013, with an oversight board chaired by the AGD, but nearly
two years passed before this centre – staffed largely by the ASD – was operational; and another
strategic review was launched in 2014 under PM&C (Jennings and Feakin 2013, 3; ASIO
2012, 123; Defence 2013, 21). A new Cyber Security Strategy was finally released in April
2016.
The 2016 Cyber Security Strategy appears to address several persistent problems.
Perhaps most important, it emphasizes leadership. PM&C is clearly identified as “the central
point for policy” (Australian Government 2016, 23), and almost no mention is made of the
AGD. Among other measures, the strategy also increased investment in CERT Australia
(acknowledging contributions made by AusCERT), created a new “Cyber Ambassador”
(advocating for an open, free, and secure Internet), proposed new centres for information
sharing (collocating with business and the research community), and relocated the ACSC to
increase engagement with the private sector (moving out of an intelligence building with
highly restricted access). These steps may improve policy and operations alike.
However, simply moving the ACSC may have limited impact if this centre is still
seen as part of the military and intelligence community. The 2016 Cyber Security Strategy
reinforces this interpretation:
Recognising that Defence, in particular the Australian Signals Directorate, does
much of the heavy lifting for the Government’s role in defending Australia
against malicious cyber activity, it will continue to lead the ACSC (Australian
Government 2016, 24).
For better or worse, public distrust of intelligence agencies following revelations by Edward
Snowden may make it a hard sell for industry to share more information with the ASD and
thus the ACSC.
CERT Australia is also part of the ACSC, and, even with increased funding, this
civilian agency remains a junior partner to ASD. This disparity in resources increases the risk
that civilian interests will fall behind military and intelligence priorities, despite the fact that
“the vast majority of cyberspace is civilian space” (Holl & McConnell, 2011). The explicit
association with ASD also stands to hinder CERT Australia’s ability to replicate the trust that
AusCERT enjoyed with industry and academia, let alone countries like China that are deeply
suspicious of intelligence collection by the Five Eyes. If so, CERT Australia may struggle to
connect with the private sector and regional stakeholders upon whom much of civilian cyber
security has come to depend.
Finally, PM&C now leads on policy, but the nature of that leadership remains to be
seen. The 2016 Cyber Security Strategy repeatedly stresses “co-leadership” with the private
sector, along with “shared responsibility,” “self-regulation,” and “voluntary governance.”
This emphasis clashes in part with the United Kingdom’s National Cyber Security Strategy,
which envisions a more muscular role for government (HM Government 2016, 26-27), as
well as with cyber security and Internet governance in Brazil, where the public-private
partnership is more clearly specified (Trinkunas and Wallace 2015). Unstated in Australia is
how the public and private sectors will actually work together in times of crisis (especially in
instances where industry or individual sacrifices are required). Some of these problems were
evident during the 2016 eCensus:
One of the government’s most respected agencies – the Australian Bureau of
Statistics (the ABS) – working in collaboration with one of the technical world’s
most experienced companies – IBM – couldn’t handle a predictable problem…
Exchanges between the ABS, the Australian Signals Directorate (ASD) and IBM
also suggest a lack of clarity in capacity, roles and responsibility for cyber
security. (MacGibbon, 2016, 3, 5)
The #CensusFail incident was not a major attack. Yet it demonstrates that Australia is still
struggling to solve serious collective action problems with the supply of cyber security.
The Past and Future of Cyber Security: Lessons Learned from Australia
The Australian case provides valuable insight into cyber security operations and
policy. In closing, we highlight three lessons about incident response, the role of government,
and overreliance on military and intelligence agencies. These lessons provide a foundation
for further study and policy development.
First, as an early adopter of the CERT system (and subsequent promoter of the same),
Australia illustrates how some of the oldest norms about cyber security have diffused or
spread around the world. Australia modelled its initial response to hacking on the United
States. It coped with novel threats by looking abroad, yet not too far afield, and with an eye
towards replicating what was seen as an appropriate and legitimate model at a time when
good metrics and evidence of effective incident response were lacking. In adopting this
model, Australia also accepted the underlying assumption that civilian cyber security should
be decentralised, voluntary, and mostly private. This assumption is now taken for granted.
But it was neither inevitable nor technologically determined.
Second, the CERT system worked up to a point. Through the CERT community,
cyber security practitioners established interpersonal relationships built on earned trust. These
relationships helped them share more sensitive information than might otherwise have been
feasible. Thus, on the one hand, the Australian government benefited from delegating and
orchestrating aspects of incident response through AusCERT. This non-governmental
organisation helped advance national security and international cooperation.
On the other hand, providing public goods and services is rarely cost free, and
government leadership and support for civilian cyber security were lacking during the 1990s
and 2000s. When the government failed to understand or accept responsibility,
non-governmental organisations had difficulty picking up the slack. For example,
“trust relations are difficult to build,” even among CERTs, and it was increasingly apparent
that “the classical model of everybody-knows-everybody does not scale” (CERT-RO 2002,
4). Cyber threats grew faster than interpersonal trust, which also proved difficult to transfer
(as illustrated by the trust damaged during the founding of CERT Australia). The CERT
community appears to have lacked the authority and funding needed to institutionalise trust –
and thus depersonalise or professionalise it – enough to grow at scale.
Potential trade-offs between the institutionalisation or professionalisation of cyber
security versus decentralised, voluntary, and private approaches to governance warrant
further research. But most evidence indicates that neither AusCERT nor CERT Australia
enjoyed sufficient support from government or industry in their respective roles as the
national response team. While the relationship between these CERTs has improved since
2009, the potential for confusion remains. More important, Australia lacks an integrated or
unified incident response capacity for the country as a whole. It therefore risks falling further
behind in solving the collective action problems presented by cyber attacks and malicious
activities.
Finally, the Australian government has tended to perpetuate rather than compensate
for underinvestment in civilian organisations and law enforcement by relying instead on
military and intelligence agencies, particularly ASD. Australia is not alone in this regard. In
the United States, the NSA and US Cyber Command enjoy the lion’s share of government
funding for cyber security. The Department of Homeland Security houses US-CERT, but it
has never been given the money or manpower to rival the NSA in this field (Kaplan 2016,
186). Here again, this outcome was not inevitable. Although the NSA and ASD were flush
with funding to fight terrorism after September 11 and the 2002 Bali bombings, these signals
intelligence agencies were also slow to champion cyber security.
Nor is the effectiveness of military and intelligence agencies for civilian cyber
security self-evident, especially given the importance of information sharing and trust.
Concentrating resources in these agencies could undermine more advantageous norms as
well. For instance, building on the CERT system, an international norm may be emerging that
“states should not conduct or knowingly support activity to harm the information systems of
the authorized emergency response teams,” and “states should not use authorized emergency
response teams to engage in malicious international activity” (UN 2015). However,
honouring this norm may prove difficult if civilian teams such as CERT Australia depend so
much on military and intelligence agencies that their independence lacks credibility, their
legitimacy suffers, and they are interpreted as appropriate targets for attack. Like the
organisation and distribution of resources for incident response, these interpretations are
influenced by choices that could be different. As in the past, these choices will shape the
future of cyber security in Australia and beyond.
Abbott, Kenneth W., and Duncan Snidal. 2009. "Strengthening International Regulation Through Transnational
New Governance: Overcoming the Orchestration Deficit." Vanderbilt Journal of Transnational Law
42:501-78.
AEC. 1997. "Supplementary Submission to the Joint Standing Committee on Electoral Matters: Computer
Security."
http://www.aec.gov.au/Elections/australian_electoral_system/files/jscem/1996_election/sub128.pdf.
AGD. 2009. "Submission to the House of Representatives Standing Committee on Communications Inquiry into
Cyber Crime." https://www.aph.gov.au/binaries/house/committee/coms/cybercrime/subs/sub44.pdf.
AGD and AusCERT. 2006. “Memorandum of Understanding.” Private archive.
APCERT. 2003a. "Asia Pacific Computer Emergency Response Team: 2003 Annual Report."
http://www.apcert.org/documents/pdf/annualreport2003.pdf.
———. 2003b. "Proposal for Establishing an Asia-Pacific Computer Emergency Response Team (Draft,
version 1)." Private archive.
APSIRC. 2002. “Outline.” Private archive.
ASIO. 2012. "ASIO Report to Parliament 2011-12." https://www.asio.gov.au/previous-reports-parliament.html.
AusCERT. 2002a. “About AusCERT.” https://www1.auscert.org.au/render.html?cid=2
———. 2002b. “AusCERT Vision and Mission Statement.”
https://www.auscert.org.au/render.html?it=1936&template=1
———. 2004. "Fraudulent banking (“phishing”) site incident report information and terms." Private archive.
Australian Government. 2009a. "Cyber Security Strategy."
http://www.ag.gov.au/RightsAndProtections/CyberSecurity/Documents/Cyber%20Security%20Strategy.pdf.
———. 2009b. "Defending Australia in the Asia Pacific Century: Force 2030." Department of Defence.
http://www.defence.gov.au/whitepaper/2009/docs/defence_white_paper_2009.pdf.
———. 2010. "Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime." Standing Committee
on Communications House of Representatives.
http://www.aph.gov.au/parliamentary_Business/Committees/House_of_Representatives_Committees?url=coms/cybercrime/report.htm.
———. 2013. "National Plan to Combat Cybercrime." Attorney-General's Department.
https://www.ag.gov.au/CrimeAndCorruption/Cybercrime/Documents/National%20Plan%20to%20Combat%20Cybercrime.pdf.
———. 2016. "Australia's Cyber Security Strategy."
https://cybersecuritystrategy.dpmc.gov.au/assets/img/PMC-Cyber-Strategy.pdf.
Blackburn, John, and Gary Waters. 2011. "Optimising Australia's Response to the Cyber Challenge." Kokoda
Paper No. 14. The Kokoda Foundation.
Bradshaw, Samantha. 2015. "Combatting Cyber Threats: CSIRTs and Fostering International Cooperation on
Cybersecurity." https://www.cigionline.org/publications/combatting-cyber-threats-csirts-and-fostering-international-cooperation-cybersecurity: Global Commission on Internet Governance.
Bush, George W. 2003. "The National Strategy to Secure Cyberspace."
https://www.us-cert.gov/sites/default/files/publications/cyberspace_strategy.pdf.
Carr, Madeline. 2016. "Public-private partnerships in national cyber-security strategies." International Affairs
92 (1):43-62.
CERT-RO. 2002. "Draft, CERT-RO Symposium minutes." Private archive.
Chester, Rodney. 1992a. "FBI traces NASA scare to Qld." The Courier-Mail. Private archive.
———. 1992b. "Uni hacker raid a 'springboard'." The Courier-Mail. Private archive.
Choucri, Nazli, Stuart Madnick and Jeremy Ferwerda. 2014. “Institutions for Cyber Security: International
Responses and Global Imperatives.” Information Technology for Development 20 (2): 96-121
Clarke, Roger. 2004. "The emergence of the Internet in Australia." Virtual Nation: The Internet in Australia,
edited by Gerard Goggin, 30-42.
Coulter, Alan W. 1993. "SERT: An Australian Security Response Team."
ftp://ftp.mcs.vuw.ac.nz/doc/misc/networkshop-93/net1990s/coulter.txt.
Cyert, Richard M., and James G. March. 1963. A Behavioral Theory of the Firm. Englewood Cliffs, NJ:
Prentice-Hall.
Defence, Department of. 2013. "Defence White Paper 2013."
http://www.defence.gov.au/whitepaper/2013/docs/WP_2013_web.pdf.
Defence News. 2010. "Defending cyber security."
http://www.defence.gov.au/defencenews/stories/2010/Jan/0115.htm.
DeNardis, Laura. 2014. The Global War for Internet Governance. New Haven CT: Yale University Press.
Dijk, Sandra Van. 2001. "Disputes kill key Australian govt e-security initiative." Computerworld.
http://www.computerworld.co.nz/article/512272/disputes_kill_key_australian_govt_e-security_initiative/.
DiMaggio, Paul J., and Walter W. Powell. 1983. "The Iron Cage Revisited: Institutional Isomorphism and
Collective Rationality in Organizational Fields." American Sociological Review 48 (2):147-60.
Dreyfus, Suelette, and Julian Assange. 1997. Underground: Tales of Hacking, Madness and Obsession on the
Electronic Frontier. Melbourne: Canongate.
Drezner, Daniel W. 2002. "The Global Governance of the Internet: Bringing the State Back In." Political
Science Quarterly 119 (3):477-98.
Dunn-Cavelty, Myriam, and Manuel Suter. 2009. "Public-Private Partnerships are no silver bullet: An expanded
governance model for Critical Infrastructure Protection." International Journal of Critical Infrastructure
Protection 2:179-87.
Eckermann, Robin. 1996. "Securing the Future of AusCERT: Report to the University of Queensland." Private
archive.
ENISA. "CERT cooperation and its further facilitation by relevant stakeholders."
https://www.enisa.europa.eu/publications/cert-cooperation-and-its-further-facilitation-by-relevant-stakeholders.
Feakin, Tobias, Jessica Woodall, and Klée Aiken. 2014. "Cyber maturity in the Asia-Pacific Region 2014."
https://www.aspi.org.au/publications/cyber-maturity-in-the-asia-pacific-region-2014: Australian
Strategic Policy Institute.
Feakin, Tobias, Jessica Woodall, and Liam Nevil. 2015. "Cyber maturity in the Asia-Pacific Region 2015."
https://www.aspi.org.au/publications/cyber-maturity-in-the-asia-pacific-region-2015: Australian
Strategic Policy Institute.
FIRST. "The 11th Annual FIRST Conference on Computer Security Incident Handling and Response: Final
Program." https://www.first.org/conference/1999/schedule.html.
———. 2003. "FIRST Vision and Mission Statement." http://www.first.org/about/mission.
Friedberg, Aaron L. 2000. In the Shadow of the Garrison State: America's Anti-Statism and its Cold War Grand
Strategy. Princeton, NJ: Princeton University Press.
GAO. 1989. "Computer Security: Virus Highlights Need for Improved Internet Management."
http://www.gao.gov/products/IMTEC-89-57.
Global Watch Network. 2001a. "Description." Private archive.
———. 2001b. "Framework." Private archive.
Halperin, Morton H. 1974. Bureaucratic Politics and Foreign Policy. Washington D.C.: The Brookings
Institution.
Hawkins, Darren G., David A. Lake, Daniel L. Neilson, and Michael J. Tierney. 2006. "Delegation under
anarchy: states, international organizations, and principal-agent theory." In Delegation and Agency in
International Organizations, Cambridge: Cambridge University Press.
Heinl, Caitriona H. 2014. "Regional Cybersecurity: Moving Toward a Resilient ASEAN Cybersecurity
Regime." Asia Policy 18:131-59.
HKCERT. "Security Blog: APCERT celebrated her 10th Anniversary."
https://www.hkcert.org/my_url/en/blog/13053102.
HM Government. 2016. "National Cyber Security Strategy 2016-2021."
https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021.
Holl, Jane, and Bruce McConnell. 2011. “A Civil Perspective on Cybersecurity.” Wired, 14 February.
https://www.wired.com/2011/02/dhs-op-ed/
Ingram, Graham. 2002. “Proposal for Establishing an Asia-Pacific Computer Emergency Response Task Force.”
Private archive.
Interdepartmental Committee on Protection of the National Information Infrastructure. 1998. "Protecting
Australia's National Information Infrastructure." Attorney-General's Department. Canberra.
http://nla.gov.au/nla.arc-21857
International Y2K Cyber Assurance Workshop. 1999. "Agenda." Private archive.
IWWN. 2007. "Draft Charter, Version 0.3." Private archive.
Jennings, Peter, and Tobias Feakin. 2013. "The emerging agenda for cybersecurity." Australian Strategic Policy
Institute.
Kaplan, Fred. 2016. Dark Territory: The Secret History of Cyber War. New York: Simon & Schuster.
Khalil, Lydia, James Lewis, Jessica Herrera-Flanigan, and James Mulvenon. 2012. "ANZUS 2.0: Cybersecurity
and Australia-US relations." Australian Strategic Policy Institute.
Killcrece, Georgia, Klaus-Peter Kossakowski, Robin Ruefle, and Mark Zajicek. 2003. "State of the Practice of
Computer Security Incident Response Teams (CSIRTs)." Carnegie Mellon University.
Korporaal, Glenda. 2009. "AARNET: 20 years of the Internet in Australia."
http://mirror.aarnet.edu.au/pub/aarnet/AARNet_20YearBook_Full.pdf.
Legrand, Tim. 2015. “Transgovernmental Policy Networks in the Anglosphere.” Public Administration 93 (4):
973-991.
Libicki, Martin C. 2009. Cyberdeterrence and Cyberwar. Santa Monica: RAND Corporation.
Lindsay, Jon R. 2015. “Tipping the scales: the attribution problem and the feasibility of deterrence against
cyberattacks.” Journal of Cybersecurity 1 (1): 53-67.
MacGibbon, Alastair. 2009. "Cyber security: threats and responses in the information age."
https://www.aspi.org.au/publications/special-report-issue-26-cyber-security-threats-and-responses-in-the-information-age/SR26_Cyber-security.pdf: Australian Strategic Policy Institute.
———. 2016. Review of the events surrounding the 2016 eCensus.
March, James G., and Johan P. Olsen. 1998. "The Institutional Dynamics of International Political Orders."
International Organization 52 (4):943-69.
Markoff, John. 1990. "Arrests in Computer Break-Ins Show a Global Peril." New York Times.
http://www.nytimes.com/1990/04/04/us/arrests-in-computer-break-ins-show-a-global-peril.html.
Manion, Mark and William M. Evan. 2000. “The Y2K problem and professional responsibility: a retrospective
analysis.” Technology in Society 22 (3): 361-387.
McCombie, Stephen, Josef Pieprzyk, and Paul Watters. 2009. "Cybercrime Attribution: An Eastern European
Case Study." 7th Australian Digital Forensics Conference, Edith Cowan University.
McCosker, Craig. 1992. "FBI called in to hunt uni hacker." The Weekend Independent. Private archive.
Morgus, Robert, Isabel Skierka, Mirko Hohmann, and Tim Maurer. 2015. "National CSIRTs and Their Role in
Computer Security Incident Response." New America.
Norman, James. 2003. "Hack to the future." The Age.
http://www.theage.com.au/articles/2003/05/24/1053585748340.html.
PITAC. 2005. Cyber Security: A Crisis of Prioritization. President’s Information Technology Advisory
Committee. https://www.nitrd.gov/Pitac/Reports/20050301_cybersecurity/cybersecurity.pdf
PreFIRST. 2004. "Agenda." Private archive.
Riley, James. 2006. "Feds lift security role of AusCERT." The Australian. Private archive.
Rid, Thomas and Ben Buchanan. 2015. “Attributing Cyber Attacks.” Journal of Strategic Studies 38 (1-2): 4-37.
Senate Committee: Environment, Communications, Information Technology & the Arts Legislation. 2003.
"Answers to estimates questions on notice, Topic: $24.9 million budgeted for E-Security National
Agenda." National Office for the Information Economy.
Scherlis, William L., Stephen L. Squires, and Richard D. Pethia. 1990. "Computer Emergency Response." In
Computers Under Attack: Intruders, Worms, and Viruses, edited by Peter J. Denning, 495-504. New
York: ACM Press.
Smith, Danny. 1994. "Forming an Incident Response Team."
http://csrc.nist.gov/publications/secpubs/form-irt.pdf.
Smith III, Frank L. 2016. "Malware and Disease: Lessons from Cyber Intelligence for Public Health
Surveillance." Health Security 14 (5):305-14.
TAPA Accord. 2002. Private archive.
Trinkunas, Harold, and Ian Wallace. 2015. “Converging on the Future of Global Internet Governance: The
United States and Brazil.” Brookings Institution,
https://www.brookings.edu/wp-content/uploads/2016/06/USBrazil-Global-Internet-Governance-web-final.pdf
Turnbull, Malcolm. 2016. “Keynote Address at the Australia-US Cyber Security Dialog.”
https://www.pm.gov.au/media/2016-09-22/keynote-address-australia-us-cyber-security-dialogue-center
UN. 2015. "Group of Governmental Experts on Developments in the Field of Information and
Telecommunications in the Context of International Security."
http://www.un.org/ga/search/view_doc.asp?symbol=A/70/174.
Warren, M. J. 2003. "Australia’s Agenda for E-Security Education and Research." In Security Education and
Critical Infrastructures: IFIP TC11 / WG11.8 Third Annual World Conference on Information Security
Education (WISE3) June 26-28, 2003, Monterey, California, USA, edited by Cynthia Irvine and Helen
Armstrong. Boston, MA: Springer US.
Waters, Gary, Desmond Ball, and Ian Dudgeon. 2008. Australia and Cyber-Warfare: ANU E Press.
World Bank. 2015. “Internet users (per 100 people).”
http://data.worldbank.org/indicator/IT.NET.USER.P2?locations=AU
Young, Peter. 1992. "Security holes in AARNet." Computerworld.
1. Frank Smith is a senior lecturer with the Centre for International Security Studies at the University of Sydney.
Graham Ingram is currently an advisor to the Australian Digital Health Agency; from 2002 to 2014, he was the
general manager of AusCERT, and he previously worked for the Australian government on national security.
2. This research would not have been possible without the time and commentary generously provided by our
interview respondents. The authors would also like to thank Zoe Hawkins, Drew Herrick, Kathryn Kerr, Jon
Lindsay, and Liam Nevill for their helpful feedback, as well as the editors and anonymous reviewers of the
Australian Journal of International Affairs.
3. The lines between them may blur, but “civilian cyber security… is not focused on military or intelligence
applications” (PITAC 2005, 21).
4. The collection of grey literature, old newspaper articles, and other documents that we compiled for this
research, including material from what was once the UQ Museum of IT, are hereafter cited as a “private
archive.”
5. AusCERT was recently renamed again as the Australian Cyber Emergency Response Team.
6. For some time, AusCERT’s constituency also included universities, government, and industry in New Zealand.
7. At another level of regional aggregation, the Association of Southeast Asian Nations (ASEAN) has been slow
to develop a coherent approach to cyber security or its own CERT (Heinl 2014).
8. The National Computer Security Authority inside DSD was not recognized as a Commonwealth CERT
(Interdepartmental Committee 1998, 34, 46, 69). In 2005, the Attorney-General’s Department established the
Australian Government Computer Emergency Readiness Team (GovCERT). However, as the “R” for
“readiness” in this name suggests, GovCERT was “a tiny co-ordination team… with one technical staff and one
policy adviser,” not an operational response team (Riley 2006).
9. Programs from this period that endure today include the Trusted Information Sharing Network (TISN), as well
as the Australian Internet Security Initiative (AISI).
... Small nations may lack the material resources available to advance their national interests beyond their domestic borders, in which case they will use regional forums and frameworks to project their national identity and behavioral norms, as a way of reinforcing their interests [13] [14], both domestically and regionally. In doing so, they will adopt one of 3 frameworks [13]: (1.) Small nations will form an alliance with the dominant regional power, on the basis that they cannot avoid the larger nation's influence in the region; (2.) Small nations will build liberal institutions across the region, as a way of coercing influence with neighbors, (3.) Small nations will assert their identity, values, and social norms in the region - nations tend to act in line with the identity and norms that they project within their region. ...
... Regional partners' support would be expected to avoid a "one size fits all" approach and instead, provide culturally aligned resources, content and practices that support the respective national governments' policy priorities, national interests and identity within the region (Categories 10, 12, 13, 14). Priority support areas are likely to include the provision of opportunities for commercial partnerships that position a national CERT as a compelling investment opportunity (Category 19), provision of education and job creation opportunities through sponsored places at universities and placements with regional cybersecurity service providers (Capabilities 17, 18) and building a brand differentiator that allows a national government to project itself as a specialist provider of defined CERT services (Categories 1, 13). ...
... Participants expressed consistent disappointment at the repeated delivery of cybersecurity policies and practices by Pacific Island national governments, based on inadequate planning and rapid, ill-informed decision making (Categories 16, 19), with the intention of projecting a particular policy stance to domestic audiences (Categories 13, 14). ...
... Others joined forces and developed regional platforms - such as 'the European Cybercrime Centre (EC3)' (Europol, 2017) - in view of enhancing cross-border cooperation and information exchange. However, uncertainty reigns about organisational adaptations as there remains a lack of insight about which organisation is best in the field of cyber security (Smith & Ingram, 2017). ...
While governments develop formal and informal structures or 'networks' to promote collaboration between governmental departments and agencies, there remains uncertainty on how to set up and develop cyber security networks. The latter is demonstrated when taking recent developments in the field of cyber security in Belgium into consideration. The 2012 decision to create the Belgian cyber security centre seems to entail a move towards a 'Weberian' hierarchical network coordination approach rather than the development of a cyber security network organisation. This article claims that - as the threats of cyber are becoming more complex - there is a growing need for governmental agencies to expand horizontal coordination mechanisms. From this follows, the growing demand for criminological research into the managerial aspects of cyber security networks. Generating knowledge on how to manage networks is required as the latter is not only decisive for the effectiveness and efficiency of cyber security networks but also contributes to the overall network cyber security governance.
This report is the second in a series of papers on Computer Security Incident Response Teams (CSIRTs). The first publication, CSIRT Basics for Policy-Makers, offers a general examination of the history, types and culture of CSIRTs. This second report focuses on national CSIRTs (nCSIRTs) and their relevance for cybersecurity and examines how and when the principles of the CSIRT community coincide or conflict with policy objectives of other government actors. The third publication will focus on the international landscape and on how to increase the cooperation and effectiveness of the global network of CSIRTs.
In December 1999, police fired tear gas and rubber bullets into a mob protesting the World Trade Organization meeting in Seattle. A central theme of this and similar anti-globalization protests is that the WTO, IMF, World Bank, and other global institutions are “runaway” international bureaucracies implementing a “Washington consensus” formulated by professional economists and other neo-liberals who have made their careers within these agencies (Stiglitz 2002; Rich 1994). Other critics charge that these international organizations (IOs) are imperialist tools of the powerful, exploiting poor and disadvantaged countries for the benefit of the West. Although they have not yet taken to the streets, American conservatives, at the other end of the spectrum, argue that these IOs fail to promote the interests of the United States (Meltzer Commission Report 1999; Krauthammer 2001). Meanwhile, Europeans complain about the “democratic deficit” within the European Union (see Pollack 2003a: 407–14). As the EU expands its competencies and grows to twenty-five members, critics charge that the simultaneous deepening and broadening of the union is driven by unaccountable bureaucrats in the European Commission and the highly insulated judges of the European Court of Justice. Divorced from electoral pressures, these increasingly powerful EU institutions have allegedly escaped popular control. French and Dutch voters retaliated against the Brussels-led integration project by rejecting the proposed EU Constitution in June 2005.
The increasing visibility and sophistication of cyberattacks, coupled with the global interconnection and dependence of the Internet, has created a need not only for specialized skills in the prevention of and response to cyber attacks but also for cooperation on a global scale. A “cyber regime complex” (Nye 2014) is emerging as governments, the private sector, the technical community and non-governmental organizations cooperate to secure cyberspace. Computer security incident response teams (CSIRTs) are key actors in the cyber regime complex that help the broader Internet community prevent and respond to cyber incidents through incident analysis and response, information sharing and dissemination, and skills training. Teams generally agree that cooperation could be strengthened through the enhanced and timely exchange of cyber threat information. However, a number of complex legal questions and a lack of trust among community members have discouraged sharing. This paper examines the role of CSIRTs in the emerging cyber regime complex and asks what might be driving the lack of trust and information sharing within the community. The commercialization of cyber security and threat vulnerabilities, the Internet’s development as a new power domain, the growth of the CSIRT community and the emergence of a cyber regime complex are examined as factors that are giving rise to and exacerbating existing problems around information sharing and trust.
Malicious software and infectious diseases are similar in several respects, as are the functional requirements for surveillance and intelligence to defend against these threats. Given these similarities, this article compares and contrasts the actors, relationships, and norms at work in cyber intelligence and disease surveillance. Historical analysis reveals that civilian cyber defense is more decentralized, private, and voluntary than public health in the United States. Most of these differences are due to political choices rather than technical necessities. In particular, political resistance to government institutions has shaped cyber intelligence over the past 30 years, which is a troubling sign for attempts to improve disease surveillance through local, state, and federal health departments. Information sharing about malware is also limited, despite information technology being integral to cyberspace. Such limits suggest that automation through electronic health records will not automatically improve public health surveillance. Still, certain aspects of information sharing and analysis for cyber defense are worth emulating or, at the very least, learning from to help detect and manage health threats.
Despite its centrality in the national cyber security strategies of the US and the UK, the public–private partnership is a nebulous arrangement, which is especially problematic in the context of critical infrastructure protection. Privately owned and operated critical infrastructure that is regarded as a potential national security vulnerability raises questions about the allocation of responsibility and accountability in terms of cyber security. As with many aspects of cyber security, this issue is often discussed with little reference to previous scholarship that could provide conceptual scaffolding. This article draws on the extensive literature on public–private partnerships in order to assess the tensions and challenges of this arrangement in national cyber-security strategies. It finds that there is a serious disjuncture in expectations from both ‘partners’. The government regards privately owned and operated critical infrastructure as a key element of national security but is reluctant to claim a mandate to oversee network security. At the same time, the private sector is not inclined to accept responsibility or liability for national cyber security. This challenge for governments to manage national cyber security raises questions about how well equipped these states are to promote their own security in the information age. Acknowledging the flaws in the ‘partnership’ is an essential step towards addressing them.
Cyber attackers rely on deception to exploit vulnerabilities and obfuscate their identity, which makes many pessimistic about cyber deterrence. The attribution problem appears to make retaliatory punishment, contrasted with defensive denial, particularly ineffective. Yet observable deterrence failures against targets of lower value tell us little about the ability to deter attacks against higher value targets, where defenders may be more willing and able to pay the costs of attribution and punishment. Counterintuitively, costs of attribution and response may decline with scale. Reliance on deception is a double-edged sword that provides some advantages to the attacker but undermines offensive coercion and creates risks for ambitious intruders. Many of the properties of cybersecurity assumed to be determined by technology, such as the advantage of offense over defense, the difficulty of attribution, and the inefficacy of deterrence, are in fact consequences of political factors like the value of the target and the scale-dependent costs of exploitation and retaliation. Assumptions about attribution can be incorporated into traditional international relations concepts of uncertainty and credibility, even as attribution involves uncertainty about the identity of the opponent, not just interests and capabilities. This article uses a formal model to explain why there are many low-value anonymous attacks but few high-value ones, showing how different assumptions about the scaling of exploitation and retaliation costs lead to different degrees of coverage and effectiveness for deterrence by denial and punishment. Deterrence works where it is needed most, yet it usually fails everywhere else.
Recent scholarship in public administration has drawn attention to the proliferation of transnational policy-making processes and administrative practices. Although policy transfer and transgovernmental scholars have recognized the influence of these practices on domestic policy outcomes, little is known about how distinctive configurations of cross-jurisdictional policy networks form. This article addresses this issue by exploring three novel transgovernmental policy networks situated in the Anglosphere: Australia, Canada, New Zealand, the United Kingdom and the United States. Drawing on constructivist perspectives, the article holds culture, values and norms as critical to the coalescence of Anglosphere policy networks and an important additional explanation of how transnational policy communities emerge. These hitherto unreported networks facilitate, first, the transfer of policy ideas to resolve domestic policy problems and, second, collaborative mechanisms to resolve transnational challenges. Consideration of these novel public sector ‘assemblages’ deepens our empirical and theoretical knowledge of the new spaces of transnational administration.