This page considers telecommunications networks and services
in Australia and New Zealand as critical information infrastructure.
It covers -
and strategies - making sense of 'critical infrastructure',
risks and responses
and inventories - what does the infrastructure look
like and where is it located
- NII and other infrastructure protection legislation
security - hardening, access restriction and risk
analysis for protecting cables, dishes, boxes and buildings
- policymaking, coordination and monitoring bodies
- government, academic and other studies
What is required to ensure effective action by government
during times of military conflict or civil disorder and
to meet the basis needs of business, civil society organisations
and citizens? Have requirements changed as we move towards
a cashless society, product manufacture and distribution
shifts towards a glass pipelinesupply chains The emergence
of literature about cyberwarfare and increased awareness
after events such as 9/11 and the 2003 Canberra bushfire
have refocused attention on telecommunication networks
and services as 'critical information infrastructure'
that is -
to natural disasters (eg bushfires and floods in Australia,
earthquakes in New Zealand), terrorists, organised crime
and vandals.critical information
That has been reflected in claims such as
average performance of the Internet would be cut in
half if just 1% of the most highly connected routers
were incapacitated and loses its integrity with 4% of
the most connected routers destroyed. Where are these
top 1% and top 4% of routers? Are they distributed enough
that a coordinated attack would be infeasible? Are the
back up systems and redundancy of private providers
sufficient to compensate for these susceptibilities?
statements such as
Zealand's international telecommunications pass through
one of three submarine cables, or go via satellite.
Submarine cables are vulnerable to damage by anchors
and fishing gear and to sabotage. The cables were laid
some years apart. Each successive cable has many times
the capacity of its predecessor. Failure of the highest
capacity cable would thus have a severely detrimental
effect on New Zealand’s connectivity with the
rest of the world.
conceptualisation and strategies
As discussed in the Security
& Infocrime guide, the Australian government defines
critical infrastructure as that
if destroyed, degraded or rendered unavailable for an
extended period, would significantly impact on social
or economic well-being or affect national security or
The national information infrastructure (NII) is
the national network within and through which information
is stored, processed, and transported; the people who
manage and service the network; and the information
of the infrastructure is privately owned and operated.
Responsibility for critical infrastructure protection
(CIP) is spread across a range of government agencies,
quasi-government organisations and businesses (in particular
telcos and ISPs). That is consistent with overseas practice,
for example documented in the 2004 Critical Information
Infrastructure Protection Handbook (PDF)
In 2004 the Critical Infrastructure Advisory Council ratified
the National Strategy for Critical Infrastructure
an overarching statement of principles, strategies and
responsibilities for the protection of critical infrastructure
in Australia from an all-hazards perspective.
centres on the comment that
group of stakeholders will need to develop and maintain
implementation plans ... based upon or in alignment
with this strategy. Within each sector there is a need
for collaboration by business and government to define
and identify critical infrastructure, with particular
emphasis to elements displaying higher vulnerabilities
and those that are crucial for the continuity of supply
of multiple providers. The different sectors will then
need to work together to gain a better understanding
of interdependencies and how this might affect business
continuity planning. Sectors will also need to identify
their needs for research and standards to assist in
risk mitigation. Governments will need to identify critical
physical and information infrastructure relevant to
their jurisdiction and internal operations, and how
other areas of public policy inter-react with CIP policy.
This would include assisting industry sectors with understanding
the threat and consequence variables in their risk assessments.
Law enforcement and the emergency management community
should ensure that CIP is an integral part of their
planning and awareness raising.
mapping and inventories
disassociation of location has led to the common conception
that the Internet and IT are virtual entities residing
in cyberspace. This same conception has resulted in a
belief that security issues for the Internet and IT reside
solely in cyberspace as well. While cyber-security concerns
such as denial of service attacks, identity theft, and
various other forms of hacking are serious security threats,
they are not the only danger to the US information infrastructure.
The Internet and IT depend on physical fiber to connect
the various computers, servers, switches, and routers
that provide the underpinnings of the US information infrastructure.
All of these vital components have a physical location,
but since the US information infrastructure is privately
owned and proprietary these locations are most often undisclosed.
As a result there is no current map of the US information
infrastructure (Internetweek 2001). Without an aggregated
network to map there is no process by which to determine
if the network is susceptible to a targeted physical attack,
and if so what nodes and links are most vital.
National Counter-Terrorism Committee's National Guidelines
for Protecting Critical Infrastructure from Terrorism
are not publicly available. They are be provided only
to the owners and operators of businesses and assets identified
as critical infrastructure by either the relevant state/territory
or national government.
law enforcement and national security obligations
The law enforcement and national security obligations
of ISPs are to -
provide Commonwealth and state/territory officials with
"reasonably necessary assistance" in relation
to enforcement of criminal law and laws imposing a pecuniary
penalty, protecting public revenue and safeguarding
their best to prevent their network and facilities being
used in commission of offences against Commonwealth
and state/territory laws
their network or facility is able to intercept a communication
passing over it, in accordance with a warrant issued
under the Telecommunications (Interception) Act
to the prohibition on disclosure of customer information
encompass where the disclosure is
necessary" for enforcement of the criminal law
or the protection of the public revenue
to ASIO for the performance of its functions
required or is otherwise authorised under a warrant
or under law.
must give reasonable help to agencies on terms and conditions
agreed by the agency and the ISP, and on the basis that
the ISP neither benefits from (nor assumes the costs of)
giving that help.
Customer information of interest includes -
the Identity, Source, Path and Destination of nominated
Internet services, and/or
the content of nominated communications.
telecommunications cables are the underwater trunk network
connections linking the Australian telecommunications
network with other countries. They carry about 99
per cent of Australian international telecommunications
traffic and are estimated to be worth more than $5 billion
per annum to the national economy. Breakages to
these cables can result in significant data loss, loss
of business and damage to reputation.
The Telecommunications and Other Legislation Amendment
(Protection of Submarine Cables and Other Measures) Act
2005 provides for the declaration of protection zones over
cables of national significance, and for the issuing of
permits by ACMA for the installation of submarine cables
in 'protection zones' and in Australian waters other than
a protection zone or coastal waters.
Protection zones for submarine cables may be declared
by ACMA, with installation of submarine cables by carriers
gaining certain immunities from specified State and Territory
laws, prohibition of marine activities most likely to
damage cables (eg trawling and dredging) and identification
of damaging cables or engaging in prohibited and restricted
activities as criminal offences with heavy penalties.
Carriers seeking to install submarine cables must apply
to ACMA for a permit.
Details of physical security for the CII are not publicly
available but apparently take three forms -
physical hardening of some facilities, in particular
redundent infrastructure for nongovernment use
infrastructure that is restricted to government use
there appears to have been a recognition that it is neither
feasible nor, in practice, desirable, to protect all major
communication links. The regimes in Australia and New
Zealand accordingly centre on risk analysis and redundency.
The Information Infrastructure Protection Group (IIPG)
- a counterpart of the UK National Infrastructure Security
Co-ordination Centre (NISCC)
- is an Australian Government interdepartmental committee
that provides policy coordination and/or technical response
on NII-related issues.
The Critical Infrastructure Advisory Council (CIAC) coordinates
work by the Trusted Information Sharing Network for Critical
Infrastructure Protection (TISN),
established in 2002 to provide a mechanism for advice
to government on the protection of Australia's critical
The Australian Federal Police (AFP), ASIO and the Defence
Signals Directorate (DSD) have developed special joint
operating arrangements to respond to threats to the NII.
Businesses and individuals could be subject to criminal
activity. Scam emails and “phishing”
(fake emails purporting to be from banks or retailers
asking for credit card details) are now commonplace.
Viruses, worms, hackers and denial-of-service attacks
also pose a risk, and spam can be a major disruption to
In New Zealand the Centre for Critical Infrastructure
is a business unit within the Government Communications
Security Bureau. It was established in August 2001 with
a mission to provide advice and support to protect New
Zealand's critical infrastructure from cyber threats.
It primary roles are to -
24 hour/7 day "watch and warn" advice to owners
of critical infrastructure and to government departments,
and investigate cyber attacks,
to work with critical infrastructure organisations and
other sectors to improve awareness and communications
regarding information technology security.
monitors and evaluates global computer network threats
and vulnerabilities from numerous sources throughout the
year, including after hours when Coordination Centre staff
remain on-call to respond to new information in a time
critical manner. It publishes security bulletins,
drawing on information from a variety of sources, with
recommended prevention and mitigation strategies. AusCERT receives
federal government sponsorship to provide a free national
alerts and incident reporting mechanism for
information security incidents. That scheme
provides the Australian public with a free alerts service
detailing potential threats and vulnerabilities in the
information environment. It also serves as a reporting
program for security incidents.
Salient official studies include -
- Protecting New Zealand's Infrastructure report
work of value includes -
Revenge of Distance: Vulnerability Analysis of Critical
Information Infrastructure (PDF)
by Sean Gorman, Laurie Schintler, Raj Kulkarni &
perspective is provided by works such as Peter Laurie's
Beneath The City Streets (London: Allen Lane
1983), David Krugler's This Is Only a Test: How Washington
D.C. Prepared for Nuclear War (New York: Palgrave
Macmillan 2006), Guy Oakes' The Imaginary War: Civil
Defense and American Cold War Culture (New York:
Oxford Uni Press 1994), Andrew Grossman's Neither
Dead nor Red: Civil Defense and American Political Development
during the Early Cold War (London: Routledge 2001),
Laura McEnaney's Civil Defense Begins at Home: Militarization
Meets Everyday Life in the Fifties (Princeton: Princeton
Uni Press 2000) and Peter Hennessy's The Secret State:
Whitehall and the Cold War (London: Allen Lane 2002),
illustrating how the US and UK governments sought to protect
communication links, data processing and senior personnel.
Unfortunately there is no comparable study for Australia
or New Zealand, although the principles are presumably