Summary Organising Cyber Security in Australia and Beyond
4 views 0 purchase
Course
Unit 1 - Information Technology Systems (I.T)
Institution
Pearson (PEARSON)
Introduction2
Cyber security presents many challenges, including how to organise collective action
against cyber attacks and malicious activities. This is a serious problem for Australia, as it is
for most countries that are grappling with the promise and peril of networked information
technolo...
Accepted manuscript for Australian Journal of International Affairs (2017)
Published version available at: https://www.tandfonline.com/doi/full/10.1080/10357718.2017.1320972
UNIT 11-CYBER SECURITY
Organising Cyber Security in Australia and Beyond
Frank Smith and Graham Ingram1
Abstract
The Internet is an interconnected network and cyber security requires collective action. How
that action is organised has important implications for national security, including the defence
against cyber attacks and malicious activities. This article explains the origins and
institutionalisation of cyber security in Australia – particularly “civilian cyber security.” We
trace the origin of Australia’s first Computer Emergency Response Team and explain how this
organisational form spread from the United States. Through it, Australia helped enable
international cooperation. Domestically, however, we argue that the Australian government
has struggled with the delegation, orchestration, and abdication of responsibility for civilian
cyber security, underinvesting in civilian organisations while over relying on military and
intelligence agencies. The history of this organisational field provides valuable insight into how
to improve national policy and operations for cyber security.
Introduction2
Cyber security presents many challenges, including how to organise collective action
against cyber attacks and malicious activities. This is a serious problem for Australia, as it is
for most countries that are grappling with the promise and peril of networked information
technology. Now decades old, the Internet and cyber attacks have become so common that
we may take them for granted. However, cyberspace and threats therein were once new, and
within living memory. During the 1980s and 1990s, the public and private sectors started
creating new organisations to address previously unimagined threats.
How were cyber threats initially interpreted, and what models or norms for defence
against them emerged in response? To what extent did early decisions about the organisation
of cyber security subsequently enable or constrain international cooperation? Similarly, how
did national policy and operations evolve over time, especially in light of the government’s
traditional roles and responsibilities for national security?
This article helps answer these questions by explaining the origins and
institutionalisation of civilian cyber security in Australia. It is a significant case. First and
DRAFT MANUSCRIPT
,Accepted manuscript for Australian Journal of International Affairs (2017)
Published version available at: https://www.tandfonline.com/doi/full/10.1080/10357718.2017.1320972
foremost, most of “cyber security” is “civilian cyber security.” Most of cyberspace is
connected through the Internet, and most Internet users are civilians. Most Internet
infrastructure is now built, owned, and operated by civilians. The same is true for most of the
information technology used in other kinds of critical infrastructure (ranging from the
electrical grid and financial services to telecommunications, transportation, and healthcare).
Military and intelligence agencies play a role, but even they rely on much of the same
hardware, software, and network infrastructure as civilian agencies and the private sector.3 As
a result, the civilian side of securing the confidentiality, integrity, and availability of this
technology – for individuals and organisations in the public and private sector – is central to
what cyber security actually means in practice.
Australia is significant as well. As we document, Australians were a notable source of
early hacking: the response to which helped shape some of the world’s first organisations for
civilian cyber security. Australia also helped catalyse information sharing among its “Five
Eyes” alliance partners (i.e., the United States, United Kingdom, Canada, and New Zealand),
and it helped organise cyber incident response across the Asia Pacific (i.e., where most of the
world’s Internet users live today). Now, according to Prime Minister Malcolm Turnbull,
“improvements to cyber incident response are on our minds in Australia, thanks to a denial of
service incident on our national Census night” (Turnbull 2016). Our study provides new
evidence about evolution of national policy and operations, which hopefully can help
improve the organisation and practice of cyber security in Australia and abroad.
Our evidence is drawn from a unique combination of scholarly research and first-hand
experience. This experience includes work in the Australian government on critical
infrastructure protection and information security during the 1990s, followed by work in the
private sector on cyber security during the 2000s and 2010s. To add perspective, we
performed more than a dozen semi-structured interviews with practitioners and policymakers
DRAFT MANUSCRIPT
, Accepted manuscript for Australian Journal of International Affairs (2017)
Published version available at: https://www.tandfonline.com/doi/full/10.1080/10357718.2017.1320972
in the United States and Australia. These interviews were coupled with other primary sources
and archival research.4 The result is a rich analysis of a largely untold history.
First, we trace the origins of Australia’s Computer Emergency Response Team
(AusCERT). Not only was this non-governmental organisation the first in the country
dedicated to civilian cyber security; it also served as Australia’s national incident response
team for more than 15 years (e.g., helping share information, mitigate vulnerabilities, limit
damage, communicate risk, and attribute attacks or malicious activities to their source).
Australia adopted this organisational form from the United States because imitating the US
was seen as legitimate and appropriate (e.g., DiMaggio and Powell 1983; March and Olsen
1998). Second, we show how Australia influenced international cooperation, both through the
Five Eyes in preparation for Y2K and through the CERT system in the Asia Pacific. Third,
despite some successes, we argue that Australia has long struggled with the domestic division
of labour in this field. The Australian government delegated and orchestrated parts of civilian
cyber security through AusCERT during the 1990s and 2000s, forming variants of a “public-
private partnership” (e.g., Dunn-Cavelty and Suter 2009; Carr 2016). However, the
government also abdicated or neglected aspects of its responsibility to supply cyber security
as a public good and service.
Some of these outcomes were deliberate decisions. Others were due to a lack of
interest or expertise. All of them could have been different. We argue that this history helps
account for persistent policy problems, including the lack of government leadership and
funding for civilian cyber security, as well as overreliance on military and intelligence
agencies. This story is not unique to Australia. Therefore, our findings highlight several
important barriers and opportunities for improving national and international cyber security
in the years ahead.
DRAFT MANUSCRIPT
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller SIRTHEA. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $5.49. You're not tied to anything after your purchase.
