Threats to Critical Infrastructure
The Australian Cyber Security Centre 2017 threat report noted that CERT Australia responded to 734 incidents affecting private-sector systems of national critical infrastructure within the 2016-17 financial year. This equates to a significant cyber incident occurring on these networks more than twice a day. In October 2017, the US-CERT released a report that stated:
Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims' networks.
According to the Australian Security Intelligence Organisation 2017 annual report, Australia continues to be a target of espionage through cyber means. The cyber threat is persistent, it's sophisticated and it is not limited by geography. The report also notes that the clandestine acquisition of intellectual property, science and technology and commercially sensitive information is increasing. This highlights the need for a greater focus on the security of the cyber systems underpinning our critical infrastructure.
If we are to effectively safeguard our critical infrastructure, we need to think about more than the issue of who owns what and the issue of physical assets such as ports, poles and wires. We need to think beyond just the protection of critical infrastructure from a physical perspective and we need to start thinking about the protection of critical infrastructure from a cyber security perspective. As more and more essential services are managed electronically, interdependence between the physical systems and cyber networks needs to be clearly understood to ensure services continue to be provided and our national interest continues to be protected. We also need to broaden our thinking on what is classified as critical infrastructure.
Australia’s Trusted Information Sharing Network, the primary national mechanism for business-to-government information sharing and resilience-building initiatives on critical infrastructure, describes critical infrastructure as the physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation or affect Australia's ability to conduct national defence and ensure national security. It states that each of these critical infrastructure sectors are vital to Australia's social cohesion, economic prosperity and public safety.
Why did the government's recent Security of Critical Infrastructure Act 2018 only address four sectors as being at the highest risk? We actually have eight critical infrastructure sectors in this country. These are the sectors that have been deemed as vital to Australia's social cohesion, economic prosperity and public safety. We have eight, so why did the act only include four in it? Four sectors that are deemed as highest risk? I'll read out our eight. They are banking and finance, communication, energy, food and grocery, health, transport, water services and Commonwealth Government. Each of these identified critical infrastructure sectors have experienced some form of cyber threat in the past 12 month.
It is great that we have eight, unfortunately, all eight weren't included in the governments critical infrastructure act—but, compared to other nations, we are very, very underdone, that eight is a conservative number. The United States critical infrastructure security and resilience strategy identifies 16 sectors, the United Kingdom identifies 13 sectors, Canada identifies 10 sectors and Singapore identifies 11 sectors. The sectors that are recognised by these nations include emergency services, information technology, infrastructure, chemicals, manufacturing and electoral systems. At the very least, electoral systems in Australia should be treated as critical infrastructure, particularly given what we've seen in the US and France.
We have got to start taking this seriously. We have got to start taking our critical infrastructure seriously. It's not enough only to protect the physical safety of our critical infrastructure; or partially list those services and facilities that are vital to our cohesion, economic prosperity or public safety; or ignore international cyber security standards; or to pretend that threats end where the supply chain starts. There is so much more to do in this space. I just wish the government were listening.