Raymond Choo - Apr 6, 2012
Dr Raymond Choo says more investment in cyber security research is needed. Photo: Dylan Jones
The Australian Government has invested significantly in education, science and research, but there is a continuing need for further investment to enable Australian researchers to play a more significant role in securing our cyber space and help position Australia as an international leader in cyber security.
Cyber attacks are no longer a matter of if, but of when, and in our increasingly interconnected world, threats to our national security can come from unexpected sources and directions – a 360-degree challenge.
When a government or large commercial network comes under cyber attack, it is not immediately apparent whether the source is a skilful teenager, an organised cybercrime group (eg criminally, politically and issue-motivated groups), or a nation state. It may involve two or more of these. However, accurate attribution of such activities is no straight-forward task, as illustrated by recent high-profile incidents.
Although nations such as China are often singled out by scholars, commentators and key government reports as the origin of malicious cyber activities, questions such as 'How do we accurately attribute the source of a cyber attack?' and 'How can we determine whether an attack is criminal or an act of cyber war?' remain.
As malicious cyber activities often transcend national frontiers, government and law enforcement investigations can be complicated by difficulties in finding accurate answers to these questions.
For example, we are more likely to be able to infer or identify the offender in physical crimes, such as bank robberies and counterfeit pharmaceuticals, drug dealing on the street based on the physical location of the crime and/or the types of weapons and technologies used than in their cyber analogues.
Few today would challenge the assertion that globalisation has been accompanied by an increase in the voracity and volume of malicious cyber activities, and these activities can have detrimental effects on our national and cyber security.
Criminals, state-sponsored or otherwise, will go to great lengths to research and exploit new areas, technologies and opportunities in order to manipulate and exploit holes whether they be in law enforcement, regulatory, banking, legal, business, economic or online environments. Their only limitation is that of their imagination.
An open nation cannot shut down its cyber systems for fear of these threats, instead it must build the resilience needed to maintain an open yet secure cyber space. There is little doubt that cyber space cannot be simply shut down to address malicious cyber activities, and this is true not only for open and liberal nations such as Australia. Even authoritarian nations can no longer consider shutting down cyber space and other communication channels as a means of dealing with malicious cyber activities. Governments will continue to be under pressure to deliver more security with less funds, particularly in today's economic landscape.
Cyber threats and windows of vulnerability evolve over time (partly in response to defensive actions or crime displacement). Understanding the threat landscape is crucial to a nation's security agenda.
At a strategic level, findings about new and changing cyber threats provide policy makers and other key stakeholders with information to reach some consensus and decide on broad strategies, policies and resources in a timely fashion. At the operational level, findings about new or changing patterns of activity, both in Australia and overseas, support policy makers in their decisions about focusing scarce government resources in the most effective way.
Although it would be pleasing to be able to cite comprehensive statistics on patterns and trends in malicious cyber activities, this remains an elusive goal. Such activities are generally unreported and undetected, and businesses generally reveal or report breaches only when the incident receives media attention or when regulation requires disclosure.
Unfortunately, mandatory breach notification legislation has yet to be introduced in many countries including Australia. In addition, the vast majority of reports on patterns and trends in malicious cyber activities disseminated and cited are generally from commercial organisations, and such data/studies may lack the rigor typically expected of academic studies.
A 2011 article titled Between Hype and Understatement: Reassessing Cyber Risks as a Security Strategy published in the Journal of Strategic Security also warned that the 'diversity of methods used to collect information on cyber incidents can produce widely different results ...[and] this facilitates extrapolations about the scale of the problem and the cost of cyber crimes'.
It is important to develop clear national definitions and procedures for the collection of data on malicious cyber activities by undertaking a comprehensive review of current sources of data and research initiative – a much-needed research activity that has not been undertaken before in Australia, according to a report in 2010 by Australian Government House of Representatives Standing Committee on Communications.
This will contribute to a more coherent approach in collating data to ensure that government policy is responsive to malicious cyber activity trends.
Once the scale of malicious cyber activities is known, its macroeconomic effects, as well as the impact of crime prevention, effectiveness of existing policy and legislative responses can be evaluated. This would improve knowledge of the nature and dimensions of the problem, and of suitable risk management and mitigation strategies, thereby enabling governments, private sector and society to set priorities and better target scarce resources in fighting cyber threats.
There is, undeniably, a need for a greater involvement of researchers to contribute to the body of knowledge informing Australia's policy and operational choices in securing our cyber space. A similar message was echoed in the 2010 Australian Government House of Representatives Standing Committee on Communications report, which called for 'a more integrated, coordinated and concerted effort is required to combat the cyber crime that victimises ordinary consumers and private businesses. This requires a commitment to cooperation, strategic thinking and a cyber space perspective to overcome the silos of traditional institutions'.
Cyber security is a highly specialised and interdisciplinary field, which requires a deep understanding of the underlying technical and social aspects, and intimate knowledge of temporal trends – historical, recent and emerging trends. It is, therefore, essential to bring together different perspectives and approaches from different disciplines so that we can provide current and relevant policy and practice evidence with much broader international and inter-disciplinary perspectives that would inform governments' policy and operational responses to cope with the emerging cyber threat landscape in a climate of enduring fiscal restraint.
Dr Raymond Choo is a multi-award winning cyber security researcher and a Senior Lecturer at the University of South Australia and the co-convenor of the upcoming 2012 Fulbright Symposium "Securing our Cyber Future" in August, in Adelaide.