Yet business seems increasingly concerned about a lack of communication with government, according to a report broadcast on ABC TV's Lateline in September. Reporter Margot O'Neill claimed the federal government's key mechanism for helping business protect against such attacks is under fire, with a range of security experts telling Lateline that businesses involved in critical infrastructure are increasingly frustrated by the lack of useful information from the government, which they say is undermining Australia's homeland security readiness.

The ABC TV report detailed how Qantas manager for crisis planning and response Carl Sullivan made an extraordinary public criticism of the federal government last March for failing to provide useful counter-terrorist intelligence to the private sector. Sullivan told Lateline: "The intelligence we do get is often not timely, it's usually never relevant and typically the answer we get when we ask a question is that it's not available."

O'Neill reported that a year after the government announced a special network of business leaders with whom counter-terrorist intelligence would be shared, some business leaders are so frustrated with the banal nature of the information being passed on that they are refusing to attend the meetings - ". . . some security consultants say the government is failing to provide critical information needed to help business deal with such challenges", she said.

O'Neill added that some major companies were now installing their own intelligence units as an alternative.

The CIO Trap

In his April 2003 report called "What's Critical in Critical Infrastructure Protection", written seven months after Gartner and the US Naval War College held a war game to examine scenarios for cyber-attacks on national critical infrastructure, Gartner analyst French Caldwell had a sobering view of what infrastructure protection takes.

Protecting IT infrastructure requires much coordination and collaboration, Caldwell noted. A knowledge management background helps. Leaving it to IT security is likely to promote a battle of firewalls, intrusion detection, authentication, identification, security patches and so on, with the focus largely on "walling out" intruders. Sadly such measures also complicate the task of legitimate users trying to collaborate, access systems and share information and data. As if it were not already hard for IT security professionals to wall out intruders, end users often look for ways around the walls, or coerce the IS department to open holes in the walls, so that they can get their jobs done, Caldwell pointed out.

Symantec's Donovan points out that it is often up to the CIO to pull together all the disparate sets of information from different security architectures and security point solutions and make it meaningful to allow the organization to develop a much more solid response.

However, Donovan says too many CIOs are falling into the trap of looking at band-aid solutions for solving security problems, rather than considering security holistically. It is not enough just to consider technologies like antivirus and intrusion detection software; the organization must develop and manage a security policy and work out how to manage the data being generated by those disparate systems. The organization needs early warning systems, and the CIO must understand his or her role as intelligence professional as well, he says. Like homeowners developing a security system, the intelligent ones will move beyond fortifying their house then sitting in a rocking chair with a shotgun and hoping for the best, to taking note of what else is going on in the neighbourhood by reading Neighbourhood Watch reports and talking to colleagues.

"And I think that's where the CIOs are getting better, but where they need to become better still," Donovan says. "It's not a question of who can spend the most money, or who is quickest at employing best-of-breed technology; that's only a very small part of the equation, and doesn't necessarily mean whoever spends the most will be the most secure. It's who manages the data best, and whoever integrates the roles and responsibilities of security management within the organization will be the most secure."

The CIO also has a critical responsibility to interact with the folks in the energy management system area. Steadfast's Lord notes the lack of interaction between these two groups had a great deal to do with the aforementioned great northeast blackout in the US. The blackout started in the area surrounding Cleveland, Ohio. The electric utility serving that area suffered an EMS failure several hours before New York lost its power. The EMS failure was software-related so the IT network administration folks came in to fix it. They dutifully failed-over the errant workstation to its backup, observed proper performance for a few minutes and retreated to their stations. Eleven minutes later that workstation also failed, with no backup. According to the records, the IT folks assigned to fixing the EMS never informed the operations folks about the problem.

The result? For more than 90 minutes, energy management system operators watched their multiple monitors and wall screens and seeing no new alarms, assumed everything was well with the network, even as 345,000 volt lines were dropping off line and generators shutting down. Cleveland lost power, then Detroit. Lord says the EMS operators' first real clue to the impending disaster was when the lights blinked in their control centre. That is when all power was lost and the control centre automatically switched to a standby power source.

Too few CIOs have taken the time to investigate and fully understand the operational networks now interconnected with IT - specifically, EMS and SCADA systems - Lord says.