Do we need one, or don't we? With every indication that Australia faces continuing heightened risk of terrorist attack, debate continues sporadically about the merits of establishing a cyber security tsar to oversee critical information infrastructure security.
In the wake of September 11, 2001, the National Office for the Information Economy (NOIE) considered plans to appoint a dedicated cyber security chief to protect the national infrastructure from cyber terrorism. The idea being floated was to charge this security chief with overseeing critical infrastructure initiatives and to promote joint initiatives between the private and public sectors.
Reaction from much of the private sector was reportedly far from positive. An adviser to the Attorney-General's Department, National Information Infrastructure senior adviser Michael Rothery, told Computerworld in April last year that fewer than 100 companies safeguarding Australia's critical infrastructure preferred to liaise directly with the Attorney-General's Department.
"They did not want to import a model from overseas, they wanted a framework with an Australian flavour. We are too small to have a full-time cyber tsar unlike the US which has to deal with IT security issues on a much larger scale with broader geographic reach," he said then.
So NOIE rejected the plan, instead announcing it move ahead with plans to implement a national reporting scheme to monitor security breaches within Australia's top 100 companies and strengthen the role of AusCERT (Australian Computer Emergency Response Team).
But the issue is not quite ready to go away. Symantec chief executive officer John Thompson pointed out last November how limited is the value of having a cyber security tsar in only one country (the US, where Richard Clark is now cyber security tsar) since "cyber threats do not emerge in one country".
"We need many cyber tsars. They need to be able to communicate effectively with someone (of a similar position) in other countries," Thompson said, arguing appointing someone with primary responsibility for homeland cyber security issues was as important as creating awareness of IT security threats among businesses and consumers.
Symantec's Art Wong chipped in around the same time, insisting that although Australia was taking information security threats seriously, it would benefit from getting a dedicated cyber tsar.
Rothery has said that while the American model of a "one-stop shop" for cyber security works well for them, the Australian taxpayer will be spared the cost of yet another security directorate. "The US outreach strategy for cyber security includes the creation of single points of contact or cyber tsars. We know that and that's actually part of the US strategy. We don't necessarily agree with that," Rothery said.
Rothery may well be right. Meanwhile, it is incumbent upon NOIE and federal ministers with responsibilities in this area to retain an open mind, be prepared to shift direction in an instant should the current model prove less than effective, and to work with other governments around the world to protect the global information infrastructure in an uncertain age.