|         
                        Critical Information Infrastructure
                         
                        This page considers telecommunications networks and services 
                        in Australia and New Zealand as critical information infrastructure. 
                         
                        It covers - 
                      
                        - introduction

                        - conceptualisation and strategies - making sense of
                          'critical infrastructure', risks and responses

                        - mapping and inventories - what does the infrastructure
                          look like and where is it located

                        - legislation - NII and other infrastructure protection
                          legislation

                        - physical security - hardening, access restriction and risk
                          analysis for protecting cables, dishes, boxes and buildings

                        - structures - policymaking, coordination and monitoring bodies

                        - studies - government, academic and other studies
 
                       
                            
                        introduction 
                         
                        What is required to ensure effective action by government
                        during times of military conflict or civil disorder and
                        to meet the basic needs of business, civil society organisations
                        and citizens? Have requirements changed as we move towards
                        a cashless society, and product manufacture and distribution
                        shifts towards 'glass pipeline' supply chains? The emergence
                        of literature about cyberwarfare and increased awareness
                        after events such as 9/11 and the 2003 Canberra bushfire
                        have refocused attention on telecommunication networks
                        and services as 'critical information infrastructure'
                        that is vulnerable to natural disasters (eg bushfires and
                        floods in Australia, earthquakes in New Zealand), terrorists,
                        organised crime and vandals.
                         
                        That has been reflected in claims such as 
                       
                          The average performance of the Internet would be cut in
                          half if just 1% of the most highly connected routers 
                          were incapacitated and loses its integrity with 4% of 
                          the most connected routers destroyed. Where are these 
                          top 1% and top 4% of routers? Are they distributed enough 
                          that a coordinated attack would be infeasible? Are the 
                          back up systems and redundancy of private providers 
                          sufficient to compensate for these susceptibilities? 
                           
                       
                        and statements such as

                          New Zealand's international telecommunications pass through
                          one of three submarine cables, or go via satellite. 
                          Submarine cables are vulnerable to damage by anchors 
                          and fishing gear and to sabotage. The cables were laid 
                          some years apart. Each successive cable has many times 
                          the capacity of its predecessor. Failure of the highest 
                          capacity cable would thus have a severely detrimental 
                          effect on New Zealand’s connectivity with the 
                          rest of the world. 
                       
                         
                              
                        conceptualisation and strategies 
                         
                        As discussed in the Security & Infocrime guide, the
                        Australian government defines critical infrastructure as that

                          which, if destroyed, degraded or rendered unavailable for an
                          extended period, would significantly impact on social 
                          or economic well-being or affect national security or 
                          defence 
                       
                       
                        The national information infrastructure (NII) is  
                       
                         
                          the national network within and through which information 
                          is stored, processed, and transported; the people who 
                          manage and service the network; and the information 
                          itself. 
                       
                        Much of the infrastructure is privately owned and operated.

                        Responsibility for critical infrastructure protection
                        (CIP) is spread across a range of government agencies,
                        quasi-government organisations and businesses (in particular
                        telcos and ISPs). That is consistent with overseas practice,
                        for example as documented in the 2004 Critical Information
                        Infrastructure Protection Handbook (PDF).
                         
                        In 2004 the Critical Infrastructure Advisory Council ratified
                        the National Strategy for Critical Infrastructure
                        Protection (PDF), which

                          provides an overarching statement of principles, strategies and
                          responsibilities for the protection of critical infrastructure
                          in Australia from an all-hazards perspective.

                        It centres on the comment that

                          Each group of stakeholders will need to develop and maintain
                          implementation plans ... based upon or in alignment 
                          with this strategy. Within each sector there is a need 
                          for collaboration by business and government to define 
                          and identify critical infrastructure, with particular 
                          emphasis to elements displaying higher vulnerabilities 
                          and those that are crucial for the continuity of supply 
                          of multiple providers. The different sectors will then 
                          need to work together to gain a better understanding 
                          of interdependencies and how this might affect business 
                          continuity planning. Sectors will also need to identify 
                          their needs for research and standards to assist in 
                          risk mitigation. Governments will need to identify critical 
                          physical and information infrastructure relevant to 
                          their jurisdiction and internal operations, and how 
                          other areas of public policy inter-react with CIP policy. 
                          This would include assisting industry sectors with understanding 
                          the threat and consequence variables in their risk assessments. 
                          Law enforcement and the emergency management community 
                          should ensure that CIP is an integral part of their 
                          planning and awareness raising.  
                       
                            
                        mapping and inventories 
                         
                        disassociation of location has led to the common conception 
                        that the Internet and IT are virtual entities residing 
                        in cyberspace. This same conception has resulted in a 
                        belief that security issues for the Internet and IT reside 
                        solely in cyberspace as well. While cyber-security concerns 
                        such as denial of service attacks, identity theft, and 
                        various other forms of hacking are serious security threats, 
                        they are not the only danger to the US information infrastructure. 
                        The Internet and IT depend on physical fiber to connect 
                        the various computers, servers, switches, and routers 
                        that provide the underpinnings of the US information infrastructure. 
                        All of these vital components have a physical location, 
                        but since the US information infrastructure is privately 
                        owned and proprietary these locations are most often undisclosed. 
                        As a result there is no current map of the US information 
                        infrastructure (Internetweek 2001). Without an aggregated 
                        network to map there is no process by which to determine 
                        if the network is susceptible to a targeted physical attack, 
                        and if so what nodes and links are most vital.  

                        The National Counter-Terrorism Committee's National Guidelines
                        for Protecting Critical Infrastructure from Terrorism
                        are not publicly available. They are provided only
                        to the owners and operators of businesses and assets identified
                        as critical infrastructure by either the relevant state/territory
                        or national government.
                         
                              
                        law enforcement and national security obligations 
                         
                        The law enforcement and national security obligations
                        of ISPs are to -

                        - provide Commonwealth and state/territory officials with
                          "reasonably necessary assistance" in relation
                          to enforcement of criminal law and laws imposing a pecuniary
                          penalty, protecting public revenue and safeguarding
                          national security

                        - do their best to prevent their network and facilities being
                          used in commission of offences against Commonwealth
                          and state/territory laws

                        - ensure their network or facility is able to intercept a
                          communication passing over it, in accordance with a warrant
                          issued under the Telecommunications (Interception) Act 1979
 
                       
                        Exceptions to the prohibition on disclosure of customer
                        information encompass where the disclosure is

                        - "reasonably necessary" for enforcement of the criminal law
                          or the protection of the public revenue

                        - made to ASIO for the performance of its functions

                        - required or is otherwise authorised under a warrant
                          or under law.
 
                       
                        ISPs must give reasonable help to agencies on terms and
                        conditions agreed by the agency and the ISP, and on the basis
                        that the ISP neither benefits from (nor assumes the costs of)
                        giving that help.

                        Customer information of interest includes -

                        - the Identity, Source, Path and Destination of nominated
                          Internet services, and/or

                        - the content of nominated communications.
 
                       
                        Submarine telecommunications cables are the underwater trunk
                        network connections linking the Australian telecommunications
                        network with other countries. They carry about 99
                        per cent of Australian international telecommunications
                        traffic and are estimated to be worth more than $5 billion
                        per annum to the national economy. Breakages to
                        these cables can result in significant data loss, loss
                        of business and damage to reputation.

                        The Telecommunications and Other Legislation Amendment
                        (Protection of Submarine Cables and Other Measures) Act
                        2005 provides for the declaration of protection zones over
                        cables of national significance, and for the issuing of
                        permits by ACMA for the installation of submarine cables
                        in 'protection zones' and in Australian waters other than
                        a protection zone or coastal waters.

                        Protection zones for submarine cables may be declared
                        by ACMA. The regime gives installation of submarine cables
                        by carriers certain immunities from specified State and
                        Territory laws, prohibits the marine activities most likely
                        to damage cables (eg trawling and dredging) and identifies
                        damaging cables or engaging in prohibited and restricted
                        activities as criminal offences with heavy penalties.

                        Carriers seeking to install submarine cables must apply
                        to ACMA for a permit.
                         
                              
                        physical security 
                         
                        Details of physical security for the CII are not publicly 
                        available but apparently take three forms - 
                      
                        - the physical hardening of some facilities, in particular
                          major exchanges

                        - creating redundant infrastructure for nongovernment use

                        - building infrastructure that is restricted to government use

                        Overall there appears to have been a recognition that it is
                        neither feasible nor, in practice, desirable, to protect all
                        major communication links. The regimes in Australia and New
                        Zealand accordingly centre on risk analysis and redundancy.
                         
                              
                         structures 
                         
                        The Information Infrastructure Protection Group (IIPG) 
                        - a counterpart of the UK National Infrastructure Security 
                        Co-ordination Centre (NISCC) 
                        - is an Australian Government interdepartmental committee 
                        that provides policy coordination and/or technical response 
                        on NII-related issues.   
                         
                        The Critical Infrastructure Advisory Council (CIAC) coordinates 
                        work by the Trusted Information Sharing Network for Critical 
                        Infrastructure Protection (TISN), 
                        established in 2002 to provide a mechanism for advice 
                        to government on the protection of Australia's critical 
                        infrastructure.  
                         
                        The Australian Federal Police (AFP), ASIO and the Defence 
                        Signals Directorate (DSD) have developed special joint 
                        operating arrangements to respond to threats to the NII. 
                         
                        Businesses and individuals could be subject to criminal 
                        activity.  Scam emails and “phishing” 
                        (fake emails purporting to be from banks or retailers 
                        asking for credit card details) are now commonplace.  
                        Viruses, worms, hackers and denial-of-service attacks 
                        also pose a risk, and spam can be a major disruption to 
                        business. 
                         
                        In New Zealand the Centre for Critical Infrastructure 
                        Protection (CCIP) 
                        is a business unit within the Government Communications 
                        Security Bureau. It was established in August 2001 with 
                        a mission to provide advice and support to protect New 
                        Zealand's critical infrastructure from cyber threats. 
                        Its primary roles are to -

                        - provide 24 hour/7 day "watch and warn" advice to owners
                          of critical infrastructure and to government departments,

                        - analyse and investigate cyber attacks,

                        - work with critical infrastructure organisations and
                          other sectors to improve awareness and communications
                          regarding information technology security.
 
                       
                        AusCERT monitors and evaluates global computer network threats
                        and vulnerabilities from numerous sources throughout the 
                        year, including after hours when Coordination Centre staff 
                        remain on-call to respond to new information in a time 
                        critical manner. It publishes security bulletins, 
                        drawing on information from a variety of sources, with 
                        recommended prevention and mitigation strategies. AusCERT receives 
                        federal government sponsorship to provide a free national 
                        alerts and incident reporting mechanism for 
                        information security incidents. That scheme 
                        provides the Australian public with a free alerts service 
                        detailing potential threats and vulnerabilities in the 
                        information environment. It also serves as a reporting 
                        program for security incidents.  
                         
                              
                        studies 
                         
                        Salient official studies include - 
                      
                        - E-government - Protecting New Zealand's Infrastructure report
                          (2000) 
 
                       
                        Academic work of value includes -

                        - The Revenge of Distance: Vulnerability Analysis of Critical
                          Information Infrastructure (PDF) 
                          by Sean Gorman, Laurie Schintler, Raj Kulkarni & 
                          Roger Stough
 
                       
                        A perspective is provided by works such as Peter Laurie's
                        Beneath The City Streets (London: Allen Lane 
                        1983), David Krugler's This Is Only a Test: How Washington 
                        D.C. Prepared for Nuclear War (New York: Palgrave 
                        Macmillan 2006), Guy Oakes' The Imaginary War: Civil 
                        Defense and American Cold War Culture (New York: 
                        Oxford Uni Press 1994), Andrew Grossman's Neither 
                        Dead nor Red: Civil Defense and American Political Development 
                        during the Early Cold War (London: Routledge 2001), 
                        Laura McEnaney's Civil Defense Begins at Home: Militarization 
                        Meets Everyday Life in the Fifties (Princeton: Princeton 
                        Uni Press 2000) and Peter Hennessy's The Secret State: 
                        Whitehall and the Cold War (London: Allen Lane 2002), 
                        illustrating how the US and UK governments sought to protect 
                        communication links, data processing and senior personnel. 
                         
                         
                        Unfortunately there is no comparable study for Australia 
                        or New Zealand, although the principles are presumably 
                        the same. 
                       
                         
                       
                         
                         
                         
                            
                         
                       
                        
  |