The Australian Government has been advised the best way to protect critical infrastructure is to conduct systematic vulnerabilities analyses and to address detected vulnerabilities using best practices.
And it has been told the private sector has a vital role to play in setting up information sharing and analysis centres that can be used to share knowledge about vulnerabilities and threat alerts with other industry players and government.
These were two of messages to come from bilateral discussions on critical infrastructure protection held in Canberra last week. Australia and the USA have been holding regular bilateral critical infrastructure protection discussions since 2000.
Last week’s forum, set up to allow the Australian Government to learn from US experiences and methods in dealing with threats to the telecommunications and information technology services sector, was the first CIP bi-lateral in Australia to address cybersecurity issues.
Karl Rauscher, Bell Labs’ Director, Network Reliability Office, an expert in Homeland Security, told attendees that since 9-11 the emphasis in the United States has moved away from critical infrastructure protection based on threat knowledge towards a best practice approach. Government and industry have recognized that since it is impossible to know when or where a terrorist attack may take place, or a major natural disaster will strike, and since government and other societies are vitally dependent on communications infrastructure, security analysts must systematically recognize all potential vulnerabilities and address each of them.
Rauscher says there is a high level of best practice implementation in the industry, the best practice approach has proved affective in promoting network reliability, and organizations failing to implement best practices are exposing themselves to considerable risk.
“I’ve led federal advisory committee groups, official federal groups in Washington, and what I’ve been stressing to them is to really recognize that most of the communications infrastructure around the world is increasingly private, and so you need to look for government-industry partnerships,” Rauscher says. “And I stress that because technology is moving so rapidly, regulations can be fairly slow to catch up, and so they cannot be as effective as best practices where you have experts coming together and identifying the best ways to address something.”
The beauty of the approach, he says, is that it ensures infrastructure is protected regardless of the nature of the threat. For a threat to have an affect, it must exercise a point of vulnerability. Before 9-11 cockpit doors on aeroplanes were a known vulnerability, but there was insufficient threat information to motivate people to take action to remove that vulnerability.
In future, he predicts we will continue to have some people in government and intelligence agencies concerned about threats, but those who protect communication infrastructure will primarily be concerned about making sure they know their vulnerabilities, and in addressing those.
Meanwhile John Sabo, Manager Security, Privacy and Trust initiatives for CA International, who is also a member of the board that advises the US federal government on information security and privacy issues relating to government information systems, says the private sector has a vital role to play in infrastructure protection.
He says in the US private companies have made substantial progress in organizing information sharing and analysis centres allowing companies in a sector to share vulnerability and threat alerts.
“These run 24 hours a day, seven days a week, and they’re becoming increasingly valuable to help those sectors like electricity and financial services and oil and gas and transportation organize to help protect against physical attacks, and cyber attacks,” Sabo says.
“I think the message, which is an important one, is that with the right set of incentives, which come both from the private sector itself and co-operation from the government, the private sector can in fact organize very well to begin working with the government for critical infrastructure protection.”
He says owners and operators of the electrical power plants, the water treatment facilities, airlines and oil companies must work co-operatively with government to provide security, rather than having government work to provide it for them.
“They’re not going to be able to provide as much security if a third party, that is the government, is managing the protection for them — it has to be a co-operative effort,” Sabo says.
The discussions were headed from the US side by Ambassador Rose Likins, Principal Deputy Assistant Secretary of State for Political-Military Affairs, US Department of State. Likins led a US delegation made up of representatives from the US federal government and US industry responsible for critical infrastructure protection.
The Australian delegation was led by Peter Ford, Acting Deputy Secretary in the Attorney-General's Department and Keith Besgrove, Chief General Manager, Regulation and Analysis, DCITA. The Australian delegation comprised representatives from the australian government, the states and territories and Australian industry involved in the protection of critical infrastructure. Most of the Australian industry and state/territory delegates are also members of the government's Trusted Information Sharing Network.
A spokesman for Attorney General says the discussions were set up to allow each country to discuss initiatives which are assisting them to protect the critical infrastructure and ways the two countries can work together to further the aims of increasing the security of critical infrastructure in Australia and the USA.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.