Australia's Vulnerability to Information Attack:


Towards a National Information Policy

Dr Adam Cobb
Strategic and Defence Studies Centre
Australian National University

TEL: 6243 8557
Fax: 6248 0816
email: acobb@coombs.anu.edu.au

Introduction

Tolstoy once observed that war is the locomotive of change, and yet the inter-relationship between technology and the state is one of the great under-studied subjects of International Relations. This is curious as technology plays an increasingly vital part in life from the local to the global. People have come to depend on technology in their daily lives, for work, travel, communications, entertainment, even for microwaving their evening meals. Society and its political manifestation, the state, have likewise come to rely on technology and interlinked technological systems to guide traffic, to transfer money, to distribute energy, to monitor and control immigration and welfare, to educate, to police, to make war and to create peace. In the past these were discrete activities of largely separate instruments of state authority, linked by an obvious need to sustain economic and social functions. But as the role of technology in society has intensified, in part as a consequence of the force of globalization, the interdependence between governance systems has increased. In contemporary industrialized societies, private and public life is becoming dependent upon interconnected information systems. Typically these systems are fast, efficient, easy to use, convenient, and span great differences in space and time. They are also changing the ways societies function and inter-relate to one another.

In this context, the ability of the state to wage war has recently gained considerable attention. Much of the literature on "Information Warfare" has been focused on how technology can 'improve' weapons, their delivery systems, sensors, and the systems available to commanders to exercise force - making them more accurate, potent, and lethal. The Gulf War (1991) is often discussed as a case in point. Very high-tech command and control systems directed precision or 'smart' bombs to targets designated by sensors aboard satellites and aircraft patrolling the skies. There is much discussion of how this 'system of systems' can now offer 'dominant battlespace knowledge' to the military commander, as well as aiding intelligence gathering, psychological operations, and a range of information-dependent military activities. Much of this discussion also takes place under the rubric of the so-called "Revolution in Military Affairs", with 'information warfare' establishing an important place within that pantheon. There is, however, nothing revolutionary in these advanced systems. They build on technological trends that in some cases span decades. What is revolutionary about new information technologies is the degree of civilian dependence on them and consequently the vulnerability of most industrialized states to attacks on their information systems.

This development comes at a time when three other trends are converging. First, warfare increasingly concentrates on civilian targets. The focus of war since the last century has shifted from being the preserve of governments and the armed forces to involve entire civilian populations. Likewise, the spectre of terrorism concentrates on 'soft' targets. Second, out of desperation, revolutionary powers have often used new technologies in innovative ways that have given them, initially at least, a decisive advantage in war. This century has observed incredible changes in technology for war-fighting purposes, from horse-drawn artillery to nuclear intercontinental ballistic missiles. As a rule, revolutionary powers have been much more imaginative than status quo powers in their development of doctrine and organizational structures coupled with new technologies. Prior to the outbreak of WWII, General Douglas Haig, the British architect of trench-warfare in WWI, stated emphatically that the coming war would be quickly won at its outset by a decisive cavalry charge. 'Blitzkrieg' combined the tank with radio, airpower, and mobile infantry, in military formations (Panzer Divisions) using new doctrine unthought of by Haig and his contemporaries.

Third, the end of the Cold War, like the end of WWI, has created a period of strategic uncertainty. With high levels of unemployment, disillusionment with traditional forms of politics and deepening divisions along racial and ethnic lines, growth of anti-immigration movements, wide-spread job insecurity, high levels of financial speculation, and an inability of conventional policy prescriptions to address any of these issues, the international political economy in some mature economies is beginning to demonstrate parallels with the inter-war years. As EH Carr convincingly argued of the period 1919-1939, the failure of the democracies to understand and overcome the destructive excesses of the policies that led to the Great Depression left a policy-vacuum that the totalitarian powers eagerly filled. There are also parallels in the military-strategic context. Like the inter-war period, new technologies currently exist in the form of 'information weapons' but, as yet, no one has formulated the comprehensive doctrine or organizational structure necessary to bring 'info-blitzkrieg' into being. As the economic outlook continues to decline for many mature economies, which also happen to be status quo powers, the chances are that revolutionary powers will seek to champion their alternative either by demonstration, or worse, force.

The 'new' subject of 'information warfare' emerges in this context. The sophistication and potential of advanced technology has presented new weapons that can target information and information systems that lie at the core of defence, the economy and society. Vulnerabilities exist across the National Information Infrastructure (NII) - thereby further eroding any remaining distinction between warfighters and 'non-combatants'. Not only is the civil/military distinction blurred at the national level, the fundamental interconnections of advanced economies and societies make the Global Information Infrastructure (GII) equally as vulnerable. Provoked by displays of advanced technological military might during the Gulf War, a number of revolutionary powers have been concentrating on developing an information-based conflict capability.

Being an advanced economy, with a well educated work-force, extensive infrastructure, a strong and growing service sector, and high levels of overseas trade and finance, Australia is well placed to take advantage of information-based economic opportunities. But with capability comes vulnerability. Much of the extant work on "Information Warfare" is of a hysterical kind - "you bring me 10 hackers and within 90 days I'll bring this country to its knees" - which plays on a general sense of vulnerability without investigating exactly how, where and why an attack might be launched. This working paper takes Australia as a case study and asks under each heading specifically how, where and why it might be attacked. This is accomplished by examining a few core elements of its NII, such as telecoms and the financial networks, to gauge whether the system is vulnerable. Having established that vulnerabilities do exist in the framework of the NII, the paper then discusses specifically how these systems might be attacked. A few significant examples of natural disaster recovery programs give an impression of the state of readiness of one key infrastructure (telecoms) and suggest what might be expected in the case of an information attack. This vulnerability assessment is then juxtaposed against the threat spectrum currently facing Australia. In this context, the key findings of a recent survey of major Australian corporations on information attack will be cited and discussed. While hypothetically much has been made of the threats and opportunities 'information warfare' presents, in the absence of a significant life-threatening attack, Australian policy-makers have been loath to devote scarce resources to investigating and preparing for conflict in the information age. Australia's appreciation of, and preparedness for, information-based conflict is consequently in disarray.
Unlike past forms of conflict, the potential for information attack is not just a matter of defence planning - it spans all those aspects of national life that depend upon interlinked information systems. It would therefore be prudent to attempt to anticipate the strategies of revisionist information powers at the end of the 20th Century. Australia must develop a national information policy that integrates schemes for advancing our commercial interests, as well as providing a comprehensive system of detection and protection from attack.

Information Warfare and National Security

Competition for information is at the heart of all human endeavour. Be it in science, business, or in conflict, those with the best information, and the means to effectively act on it, will prevail. It must be emphasized that the new communication technologies offer as vast a range of benefits to the economy, culture and society, as problems. Nevertheless, the purpose of this paper is to investigate the threats the technology presents society, rather than the opportunities. In this context, information warfare is an unnecessarily loaded concept. It places too much emphasis on conflict between military systems and disregards the broader and potentially more significant threats to society.

National security involves much more than military defence. It is fundamentally about the survival of society and the creation of the necessary political, economic, social, and environmental conditions within which society might flourish. Clearly, an attack on the non-military NII, upon which economically developed societies so heavily depend, will be an attack on the security of that society. Indeed, in some respects, such an attack could be far more harmful to the stability and capacity of a society to function than an attack on the armed forces of the state, simply because it disrupts or destroys the most fundamental infrastructural elements upon which modern society depends. It is the electronic equivalent of total war.

Consequently, the spectre of information-based conflict is the most significant threat to national security since the development of nuclear weapons over fifty years ago. Yet unlike nuclear weapons, it is very conceivable that information-based weapons will be used to target and destroy society. Information-based conflict foreshadows a new kind of conflict, where the overt, physical assault is replaced by ubiquitous, anonymous, and ambiguous subversion of society. No longer a matter of clearly defined spatial limits where an 'enemy' is clearly an outsider, such subversion can come from within or without. An information assault on the diverse and complex roots of society cannot simply be addressed by a compartmentalised bureaucracy designed to address the nineteenth century problems of gunboats and tank-divisions. While few ever realised it in the past, security has always been indivisible. It will be ever more so in the future, especially in the context of securing the information and information systems upon which society, domestic and international, depends.

Consequently, military vulnerabilities can be better understood in the context of the NII, rather than as some stand-alone phenomenon, as they have been treated elsewhere. A more useful term for the problems at hand might be Information Operations (IO), which suggests that it is an issue that is not limited to military systems with military solutions.

The NII

What is the National Information Infrastructure? For the purposes of this paper, the NII is defined as the physical and virtual backbone of an information society and includes, at a minimum, all of the following:

* Government networks - executive and agencies.
* Banking and financial networks - stock exchanges, electronic money transfers.
* Public utility networks - telecommunication systems, energy supply (military and civil), air traffic control and guidance systems (GPS, ILS).
* Emergency services networks (including medical, police, fire, and rescue).
* Mass media dissemination systems - satellite, TV, radio, and internet.
* Private corporate and institutional networks.
* Educational and research networks.

With respect to information-based vulnerabilities, one might separate vital information-dependent governance systems into three distinct groupings:

1) Core state functions: executive government, and essential agencies such as defence, intelligence, foreign affairs and trade, finance, social security, national and state emergency services.

2) Core utility functions: power grids, telecommunications, petrol refineries, gas and oil storage and transportation systems, transportation and traffic systems (airtraffic control, guidance systems, meteorological support), and water supply.

3) Core commercial functions: banking and financial services, mass media, business systems and communication networks.

The NII essentially runs on the telecommunications network and is linked to the GII via submarine cable and satellite. It is also dependent on a constant supply of energy and thus elements of the NII are interdependent upon one another. Many of these systems are also dependent on support systems. In the harsh Australian summer many of these vital computer systems will depend upon air-conditioning and related environmental-control devices to function. A specific system may be very secure from information attack, but highly sensitive to changes in temperature or humidity.

How?

The NII can be attacked in a number of ways (for specific systems or tools mentioned below see the weapons annex at the end of the paper).

* Physical attack (including EMP bombs).
* Jamming and other electronic warfare techniques
* Information interception (Van Eck radiation intercept).
* Hardware/software chipping (where special inserts are made into micro-chips at the time of manufacture to allow unauthorised access)
* Denial of service attack.
* Systems intrusion (via password cracking or exploiting operating system weakness and source code).
* Computer virus attack (logic bombs, trojan horses, worms).

There is a lot of hysterical talk of 'electronic Pearl Harbours'. Attacks on the NII are not as easy to organise as such comments suggest, but they are a lot easier than one might imagine. It all depends on the target and the scale of attack envisaged. Mass attack on the NII where all core systems are totally shut down will not be possible without a very high level of planning, intelligence, and highly-skilled personnel, only available to advanced states. The fact is that the incredible array of systems and their myriad interlinkages that comprise the NII provide a form of security in their very diversity. It would not be possible to completely disable these systems without detailed knowledge of their weaknesses and the location of critical nodes within and between them. Then only a well timed and coordinated strike might have a total effect.

This does not mean that Australia is invulnerable. On the contrary, an attack on critical nodes could bring about a chain-reaction that could have devastating effects for society. The most likely attack would focus on disruption of one or a few key systems. Even small scale disruption of key systems, without adequate recovery plans and established information hierarchies in the event of attack, could severely affect government, commerce or society. Aside from physical attack, the next easiest form of attack would be a denial of service attack. This does not require penetration of information systems (which requires password, systems, or source code cracking), but rather overloads key nodes from the outside. It is a form of data overload that overwhelms the system's capability to respond, thereby affecting its internal operations as well. The most sophisticated (and consequently most difficult) form of attack is a systems penetration attack. Gaining access to systems can be a difficult and time consuming process and most high-security systems, such as those used by the military and the banks, are either 'air-gapped' from external systems or are protected by technological security solutions such as firewalls. Unless one is an insider, has chipped the soft or hardware being used, or can crack or get around the firewall (and this has been done), it is difficult to access these systems from the outside. By de-linking systems however, one loses all the advantages of advanced networked computing, such as speedy multi-user connectivity. For some that cost is too high. Consequently, in a surprising number of cases, critically important infrastructure systems are interlinked with other systems that can be penetrated from the outside, indeed some are specifically designed to be remotely accessed.

There currently exists a range of vulnerabilities in Australia's NII that could be the target of an information aggressor that if attacked, could create significant problems for the smooth functioning of day-to-day life. This paper will examine a number of critical systems and their weak points in order to draw attention to holes in the system that need to be plugged and to discount the unsubstantiated and often alarmist claims made in some quarters about the potential for information warfare.

Where?

Telecommunications

There are two major telecommunication service providers in Australia, Telstra (formerly Telecom) and Optus. The situation after complete deregulation of the domestic market in July 1997 is as yet unclear, so this analysis will concentrate on the system pre-July 1997. In any event, it is unlikely that major infrastructure projects will be embarked upon in the short term by the companies entering the market.

Optus began operations in January 1992 and currently holds approximately 10-15% market share across all systems. Aside from a mobile phone net in most major cities and along major highways (covering 86% of the population at 30 June 1996), it has installed a fibre optic line from Brisbane to Perth, and is constructing its Optus Vision network to link selected homes and businesses with fibre and coaxial cables in Sydney, Brisbane, Melbourne, and Adelaide. Each major city also has a CBD fibre optic ring (providing direct access to corporate clients) and a switching centre. The whole Optus system is based on a synchronous digital hierarchy platform (SDH). Optus also operates four domestic satellites (discussed in a separate section below).

Telstra operates an extensive network of coaxial cable, microwave radio, optical fibre, digital radio concentrators, mobile phone cells, submarine cables and submarine fibre cables. It also has access to and uses international satellites but, unlike Optus, does not operate any of its own. There are dedicated trunk switches in every capital city in a static hierarchy configuration. Routes are tested in a routine order, with the most direct route selected first. It is possible for calls between cities to by-pass major hubs only if all lines through the hub are in use. Each hub is linked with other capital cities by two geographical routes and each capital city trunk switching centre should have access to the other capital cities without physically routing via a common building in the city.

While there is some redundancy on the eastern seaboard, there are also a number of important choke points. For example, the exchanges in Katherine NT, Woomera SA, and Ceduna SA, link central and western Australia to the east with fibre and some microwave. These are critical nodes that if attacked would sever all terrestrial communications between the west and east. Add the exchange at Camooweal QLD, and the entire centre of the continent would be severed from the outside except for satellite links and HF radio.
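The choke-point reasoning above can be run as a redundancy audit on any network map. The following is an added example, not part of the original paper: it computes the smallest set of intermediate nodes whose simultaneous loss separates two sites (a minimum node cut, found with max-flow over a node-split graph). The topology and every node name in it are constructed and hypothetical, not Telstra's or Optus's actual network.

```python
from collections import defaultdict, deque

# Constructed topology (hypothetical node names, not real exchanges):
# two meshed regional clusters joined only through three transit nodes.
BASE_LINKS = [
    ("east-a", "east-b"), ("east-b", "east-c"), ("east-a", "east-c"),
    ("west-a", "west-b"), ("west-b", "west-c"), ("west-a", "west-c"),
    ("transit-n", "east-a"), ("transit-n", "east-b"),
    ("transit-c", "east-b"), ("transit-c", "east-c"),
    ("transit-s", "east-c"), ("transit-s", "east-a"),
    ("transit-n", "west-a"), ("transit-n", "west-b"),
    ("transit-c", "west-b"), ("transit-c", "west-c"),
    ("transit-s", "west-c"), ("transit-s", "west-a"),
]
# The same network after adding one physically separate fourth route.
UPGRADED_LINKS = BASE_LINKS + [("east-b", "transit-x"), ("transit-x", "west-b")]


def _reachable(cap, start):
    """BFS over edges that still have spare capacity; returns {node: parent}."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        for v, spare in list(cap[u].items()):
            if spare > 0 and v not in parent:
                parent[v] = u
                queue.append(v)
    return parent


def min_node_cut(links, src, dst):
    """Smallest set of intermediate nodes whose loss disconnects src from dst."""
    nodes = {n for link in links for n in link}
    if src not in nodes or dst not in nodes:
        raise ValueError("unknown site")
    if (src, dst) in links or (dst, src) in links:
        raise ValueError("directly linked sites cannot be separated by node loss")
    big = len(nodes) + 1  # effectively unlimited capacity
    cap = defaultdict(lambda: defaultdict(int))
    # Split each node into in/out halves; an intermediate node can carry
    # one unit of flow, so flow counts node-disjoint routes (Menger).
    for v in nodes:
        cap[(v, "in")][(v, "out")] = big if v in (src, dst) else 1
    for a, b in links:
        cap[(a, "out")][(b, "in")] = big
        cap[(b, "out")][(a, "in")] = big
    s, t = (src, "out"), (dst, "in")
    while True:
        parent = _reachable(cap, s)
        if t not in parent:
            break  # no augmenting path left: flow is maximal
        path, v = [], t
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(cap[u][w] for u, w in path)
        for u, w in path:
            cap[u][w] -= push
            cap[w][u] += push
    # Nodes whose "in" half is reachable but whose "out" half is not
    # are the saturated bottlenecks, i.e. the minimum cut.
    return sorted(v for v in nodes
                  if (v, "in") in parent and (v, "out") not in parent)


def still_connected(links, failed, src, dst):
    """True if src can reach dst once the nodes in `failed` are removed."""
    failed = set(failed)
    adj = defaultdict(set)
    for a, b in links:
        if a not in failed and b not in failed:
            adj[a].add(b)
            adj[b].add(a)
    seen, queue = {src}, deque([src])
    while queue:
        for nxt in adj[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return dst in seen


if __name__ == "__main__":
    print("base cut:    ", min_node_cut(BASE_LINKS, "east-a", "west-a"))
    print("upgraded cut:", min_node_cut(UPGRADED_LINKS, "east-a", "west-a"))
```

The size of the returned set is the number of independent routes between the two sites, so a planner can compare it before and after a proposed new link to see whether the link actually adds redundancy.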

All major cities in the Telstra network depend upon between 2-5 central exchanges connecting the city and the city to the outside world. In Canberra, the national capital, the exchanges at Civic, Barton and Deakin service all the major bureaucracies and link Canberra to the outside world. Black Mountain Tower is a critical microwave node with a fibre optic interchange with cables from the Deakin and Civic exchanges. It also provides one of a number of microwave links between Sydney and Melbourne. The tower services the NASA space centre at Tidbinbilla with a high volume microwave link, as does the Deakin exchange (with a low volume direct microwave link). The Deakin exchange is a critical link between the space centre at Tidbinbilla and mission control centres in the USA. The Department of Defence has a direct fibre optic cable to the Civic exchange (and thence onto the tower) and some limited microwave capacity. Other departments of the federal government all use either the Deakin or Civic exchange and a very few (like the AFP and ATO) have direct microwave links to Black Mountain.

Australia's marine links to the outside world depend on a handful of critical nodes. Submerged fibre optic cables and older submarine cables connect Australia to the world via Port Hedland WA, Perth (Gnangara to Indonesia), Cairns (to PNG) and Sydney (Oxford Falls and Paddington to Hawaii and NZ respectively). Calls in and out of Australia on all these lines are processed through two buildings in Sydney: the Paddington exchange and the Telstra facility at Oxford Falls. Similarly, the locations of specific cable entry-points into Australia are well known.

Australia is also a critical node in the international fibre network. There are three critical nodes in Asia: Japan, Hong Kong and Singapore. All South East and North East Asia connect onto this submarine fibre corridor. Links to the outside world pass from Japan to the USA, and from Singapore to India and onwards to Europe via Suez. The only other separate submarine fibre links to the US and Europe pass through Australia. Within the Asian submarine cable corridor, between the two key nodes of Japan and Singapore, Hong Kong is a critical node. If it was disabled Asia would be isolated on the north-south axis. Were Singapore and Japan taken out of service the only remaining international links pass via Australia. Consequently, Australia is a vital international node.

The satellite communication network is comprised of two core systems, one international (INTELSAT) and one domestic (Optus satellites). Australia was a founding member of the INTELSAT consortium which was established in 1964 to provide a world-wide satellite system. INTELSAT is a majority American-owned consortium which places satellites into space and then leases capacity on them to the overseas telecommunications carriers of other countries. Currently Australia is the fifth largest share-holder in INTELSAT which owns and operates over 20 spacecraft located over the Indian, Atlantic and Pacific oceans. Both Optus and Telstra operate separate INTELSAT gateways at Oxford Falls in Sydney, part of an international network of nearly 400 earth stations in over 150 countries. In addition, Optus operates an INTELSAT earth station at Lockridge in Perth, as does Telstra at Gnangara in WA. The Telstra facility is also a major link in the international satellite control network.

The Australian government initiated a national satellite system in 1983 when it formed AUSSAT. The first of the fleet of three geostationary Hughes HS367 AUSSAT-A satellites entered service in late 1985 (two remain in service with one to be decommissioned shortly). AUSSAT and the satellite fleet were sold to Optus communications as an integral part of the Optus licence bought from the federal government in January 1992 for $800 M. The fleet is being replaced by the Hughes HS601 Optus-B satellites. The first was launched on the 14th August 1992. The primary Optus satellite operations control facility is located at Belrose, a northern suburb of Sydney, with a back-up facility in the Perth suburb of Lockridge. A broadcast operations centre and satellite network services centre are also co-located at the Belrose facility. From Belrose, the satellites can have their position in orbit or their direction altered (as is necessary to maintain geostationary position with antennas pointed in the right direction). It is also possible to access and manipulate the signals sent and received via the Optus satellites from Belrose, and to monitor the traffic that passes through all Optus spacecraft. Clearly, Belrose is a highly critical node, with redundancy provided at only one other well-known location in Perth. Each capital city as well as Canberra and Darwin have major earth stations. In addition, most major TV stations and a number of businesses (in total about 350) possess a similar system and there are a plethora of smaller systems, mostly receive-only for TV and radio, scattered across the country. Satellite users can either provide their own equipment or route through the Optus earth stations. Transmission to the Optus earth stations is most frequently through microwave. Belrose, for example, is 15 km in direct line of sight from Sydney CBD.

"Although they are hidden from view, Optus' satellites are a surprisingly common part of the day to day lives of Australians and Australian businesses". In the same publication, Optus states that their satellites carry the following types of information:

* parts of the Optus and Telstra telephone systems
* extensive management data nets for banks
* remote oil and gas pipeline monitoring
* ground to air communications and air traffic control systems
* secure defence signals
* mobile satellite communications (Optus B systems only)
* the internet
* Radio and TV services

Intelsat carries similar services, however under international agreements, the military component can only be for UN approved activities. A discussion of military uses of satellite communications will be presented below in an examination of the Defence Information Infrastructure (DII).

What becomes clear from this investigation is that while there is considerable redundancy in earth stations with full transmit/receive capacity, this is not the case with the central control, transmission, and monitoring system for the domestic satellites. Additional redundancy is, however, provided by Intelsat and Inmarsat, although both have critical nodes in Sydney and Perth. Competition post-deregulation may possibly increase the number of earth stations linked to the international satellite system, although this is mere speculation at the time of writing.

Finance

The Reserve Bank of Australia (RBA) is responsible for the overall stability of the financial system. It is banker to the banks, and the main banker to the Commonwealth Government, and some state governments. As well as supervision of banks, the RBA is responsible for the accounts used for "settlement of interbank obligations arising in the payments system". In other words, clearance of its customers' cheques and electronic funds transfers are the RBA's responsibility. The RBA operates the Reserve Bank Information Transfer System (RITS) which is "an electronic transfer and settlement system for Commonwealth Government securities. It allows real time recording and settlement of transactions". RITS has recently been expanded to act as a real time gross settlement system for all accounts held by the bank. A range of associated organizations work with the RBA to ensure the smooth running of interbank, securities, equity, futures and options clearance and settlements. The RBA is either a shareholder or has representatives on these bodies. The clearance process involves consolidation of information on debts and credits and establishment of the net position between institutions. Settlement refers to "payment or receipt of value of net obligations established in the clearing process".

The clearance process is managed by the Australian Payments Clearing Association (Ltd), which is a limited liability company. Shareholders are the Reserve Bank, trading banks and the industry bodies of building societies and credit unions. Clearance of payment instructions is being organized into four functional groups:

* the Australian Paper Clearing System for cheques... and other paper-based payment instructions;
* the Bulk Electronic Clearing System for relatively low-value electronic debit and credit payment instructions;
* the Consumer Electronic Clearing System for proprietary card-based transactions, ATM and EFTPOS transactions; and
* the High Value Clearing System for high-value electronic payment instructions.

"Net obligations arising from the clearing of instruments in each of these systems are settled across accounts at the Reserve Bank of Australia". APCA have outsourced their operation to the Society for World Wide Interbank Financial Telecommunication (SWIFT), based in Brussels (further discussion of SWIFT below). This means that every day Australian banks clear their netted position with one another via a computer in Brussels which then transmits the final result to the Reserve Bank computer in Sydney for settlement on the accounts held by APCA members (eg Australian banks) at the RBA. The RBA computer is located at Head Office (at Martin Place, Sydney), and is linked on-line with the Reserve Bank's state branches in each capital city (except Darwin). There is one main computer at Head Office which is supported by a mirror system on site and one further back-up on the outskirts of Sydney which is served by a separate telephone and power grid to the two computers at Martin Place.

The banks have just 45 minutes for the clearance and settlement process - from 0800hrs to 0845hrs on each day of trading. The remaining 15 minutes before 0900 allow the RBA to intervene, if necessary, as banker of last resort in cases where a bank cannot honour its commitments arising out of the clearance process. 45 minutes is not much time to act if something goes wrong either domestically or overseas. How long could the domestic banking system survive if this delicate system were disrupted?

Many other significant transactions pass through the RBA's computer. For example, the Government Direct Entry Service is owned and operated by the RBA. The system electronically disperses government payments to over 600 financial institutions. In 1993 this system conducted up to 3 million transactions a day. The social security system, payment of government employees and other regular government payments depend on this service.

Large-scale interbank transfers and settlements worth $10,000 or more are processed through the Bank Interchange and Transfer System (BITS). It is owned and operated by the four major national banks and one State bank. In 1994 $20 billion per day went through the system (nearly a 100% increase from 1991). "BITS payments are irrevocable and deliver immediate clear funds to the account of the recipient", although they take 24 hours to be netted with positions settled across central bank accounts. Both the RBA and the four other members operate BITS computers.

Australian government securities are electronically processed in real time by the Reserve Bank Information and Transfer System (RITS). In 1994 the system held around $65 billion worth of government securities with an average daily turnover of $15 billion. In 1993 RITS serviced 95 members. It is not a trading system, but rather transfers and settles the transactions - ie it is where the money changes hands electronically. "Transactions on RITS are initiated by the two parties to the deal inputting trade details from computer terminals in their offices. The system then matches these details and confirms the deal". Austraclear provides a similar service for private securities transactions. Similar arrangements exist for equity, futures and options trading.

As with the domestic system, the bulk of large-scale international transfers from either BITS, RITS, or Austraclear is "now done using EFT [Electronic Funds Transfer] technology rather than paper-based instruments". The Australian banking system is linked to a number of international systems, including CHAPS in the UK and CHIPS in the US, using a SWIFT protocol - a standardized encrypted transmission service for international financial messages owned and managed by about 1800 member banks and financial institutions, including the Reserve Bank. Using a common architecture and system may facilitate communication; however, it also exposes the banks, because a common system needs only one vulnerability for the whole system to be penetrated or attacked.

SWIFT was established in 1977 by a cooperative of 239 international banks to facilitate operational messaging between member financial institutions (funds are not transferred, only messages ordering money transfers). Currently, 4,300 member banks in over 100 countries use SWIFT to send over two million messages a day - equating to daily transactions of around US$2.5 trillion. SWIFT's electronic data interchange (EDI) system has become the global standard protocol used by banks in Australia and overseas. SWIFT is run by Unisys mainframes at three data centres sending and receiving messages via leased lines and the public-switch telecommunications network. The primary facility is located at La Hulpe (Belgium), with a back-up computer in Holland, and one in Culpeper, Virginia, USA. A security audit of SWIFT performed in 1995 by Price Waterhouse and reproduced in the SWIFT Annual Report stated that:

Certain security control weaknesses were identified relating to the systems directly supporting SWIFT... Although we believe that these weaknesses cannot be exploited to compromise the confidentiality or integrity of message data passing through SWIFT systems, these weaknesses can be exploited to create a situation in which SWIFT cannot manage, operate or monitor the [SWIFT] application. This in turn creates the potential for intentional or unintentional disruption to the availability of the [SWIFT] services

In many cases with domestic personal banking electronic transactions, network members agree their net obligations bilaterally and notify their positions to the Reserve Bank. Consequently, all major banks have central data processing centres connected to one another and the main system at the Reserve Bank. Similarly, all ATMs and EFTPOS systems are linked by one of two national networks using common systems architecture.

The RBA is not alone in having a fairly basic information infrastructure. The Australian Stock Exchange (ASX) is situated in the Macquarie Bank building at 20 Bond St, in the Sydney CBD. On September 29, 1995, there were 17,717 transactions totalling $1,395,697,766.71 in value. There are also stock exchanges in Brisbane, Melbourne, Perth and Adelaide that act as 'front ends' for the central exchange in Sydney with on-line networking to the Sydney exchange. The ASX introduced electronic trading in 1987. The ASX use VAX computers and have two sites servicing the Sydney exchange, one on site at Bond St, and another at Bondi in Sydney's eastern suburbs. The two sites operate in one cluster with the Bond St site running the trading and clearing systems. The Bondi operation is for daily operations of employees of the ASX and acts as a shadow to Bond St. As information is processed at Bond St it is simultaneously written to a duplicate disk at Bondi. Until recently the two sites were linked by two microwave telecommunication towers (the second is a back-up). The Sydney exchange is linked to the other state exchanges by Optus fibre optic cable. Should that system fail the ASX switches to Telstra fibre optic (via a different exchange) or microwave and occasionally satellite transmission. There is also a major relocation of ASX systems currently underway. A brand new facility is being built at North Ryde, a Sydney suburb, which is an EMP hardened, dedicated data centre and will take over the current Bond St operation. A new facility will also be built for the Bondi operation. The ASX have undertaken some extensive disaster recovery measures, in addition to security features in their new data centres, bearing in mind the vital public focus on the exchange given the damage an attack or disaster could do to business confidence.
The chief disaster recovery officer of the ASX has stated that while they had received information attacks in the past, it had been possible to quickly redress what little damage had been done. Nevertheless, it is interesting to note that the ASX found it necessary, or at least prudent to re-locate their back-up facilities and build them from scratch with information attack in mind.

Trillions of dollars in funds and securities are transferred daily by electronic communication mechanisms. With the Reserve Bank at the centre of this frenzy of electronic financial interaction relying on one central computing facility (with only one back-up), a question might be asked as to how secure such a system can be? Commenting on financial systems in general, a leading computer security expert observed that we face

severe risks from accidental or deliberate alteration, substitution, or destruction of data. The risk is compounded by interconnected networks and the increased number and sophistication of malicious adversaries.

Banks calculate that the risk of the system being attacked is not significant enough to warrant more costly redundancy being put in place. However, this calculation should be reviewed in light of the glaring inadequacy of extant systems to cope with a moderately serious and calculated information attack. It is perhaps ironic that just as information attack capabilities have increased, massive systems are being made lean operations for reasons of efficiency. If they are too simple in design, then they will be that much easier to attack. Only having one back-up may not be enough and certainly not when its location is known. Similarly, moving towards a global protocol (as in the case with SWIFT) exposes all parties in the system in the event that someone works out how to crack the single system upon which the global banking system operates, let alone Australia's part of it. Likewise, the potential for trouble generated by those on the inside with access to these systems, in these times of down-sizing, could be of a serious magnitude.

Energy

Energy distribution in New South Wales is the responsibility of TransGrid. "TransGrid's high voltage electricity transmission network is large by world standards, involving approximately 11,500 km of transmission lines and 73 substations... [and six area headquarters at] Tamworth, Newcastle, Orange, Metropolitan, Yass and Wagga".

Information systems and communication links [are] also required to enable TransGrid to manage its market operation responsibilities. The real time nature of electricity delivery involves continuous changes to achieve balance between supply and demand. Accordingly, prices, generation dispatch instructions, market information and other matters are determined each half hour leading to the need to frequently update and communicate a large amount of data. In short, the market in its present form could not operate without computerised information systems and communication links.

The entire NSW power grid, including generators, distribution and the six area headquarters, is controlled from the System Control Centre at Carlingford, a Sydney suburb. There are two central power sources feeding the state. One is the coal-powered Hunter Valley system, situated north of Sydney. The other is the Snowy Mountains Hydro Scheme, situated from just outside Canberra to the border with Victoria, and comprising six main power stations located at dams in the region. The power generated from this region is channelled through one key point, Yass, before it can reach Sydney. The Hunter system does, however, provide an alternate supply, with greater diversity of routes into Sydney. Nevertheless, with the Snowy Scheme out of action, the subsequent pressures on the Hunter would probably overwhelm the system.

The National Capital, Canberra, is serviced by one main sub- and switching station. That station is in turn connected to only two other substations, located at Yass and Cooma. In addition, two dams feed the Canberra substation on direct lines. Within the city, most major government agencies are dependant on two smaller substations located in the city (City East zone and Kingston zone) and there are precious few transformers available in reserve to service the city. The computers operating the power grid can be accessed via a number of routes, including the direct dial-in diagnostic system used by technicians to monitor, detect and fix problems across the breadth of the grid. These are serious vulnerabilities. Few sections within even the Department of Defence, for example, have an alternate energy supply to the city grids! Similarly, the joint force commanders are all located in Sydney and aside from limited reserves, rely on Sydney's power supply as well as effective communication links between themselves and HQADF in Canberra.

Australia's major cities are serviced by two or three natural gas fields via extremely long pipelines that are controlled by computer. Two key pipelines feeding both Sydney and Adelaide originate from the Moomba oil and gas fields. Similarly, Perth is fed from the far north west of WA by two lines, Brisbane is dependant on one line, while Melbourne relies on lines emanating from the Bass Strait platforms. In all cases, the pipelines span thousands of kilometres over uninhabited sections of the outback. The lines are policed in terms of physical protection; for example, one of the main roles of the RAN's patrol boat flotilla is to very publicly patrol the Bass Strait rigs. However, the pipelines and the systems that drive them, i.e., the SCADA system (Supervisory Control and Data Acquisition), are designed to be remotely accessed, enabling the system to be monitored and operated from a distance. With vast systems spanning thousands of kilometres operated by computers that are remotely accessed, the possibility of an electronic intrusion becomes a real threat. What if the system controlling the Moomba gas lines to Sydney and Adelaide were closed down?

Computers cannot operate without telecommunications or power. The interdependency of these parts of the NII complicates efforts to defend them.

DII

The 1987 Defence White Paper identifies the most likely Area of Operations (AO) for the Australian Defence Force (ADF) as the top end of Australia and the sea-air gap to the north. In a detailed study of the defence communications infrastructure, Colonel Danny O'Neill observes that "the ADF's terrestrial communications systems are... limited and there are not sufficient resources to provide quality wide-band links through large areas of the AO". He also notes that in the AO the civilian infrastructure is little more than an "inflexible and vulnerable linear capability". In the south of the country, or Support Area (SA), "the civil communications infrastructure plays a large part in support of the ADF". Supply, logistic and administrative support are vital to modern combat effectiveness and deterioration of these civilian-dependant communication systems could have a major effect on the ability of the ADF to conduct operations in the AO. Aside from satellites (discussed below) and the extant civilian infrastructure, the ADF operates what is known as the Defence Integrated Secure Communications Network (DISCON) which "provides a basic defence owned and operated message (telex) capability between capital cities, anchor stations for mobile and transportable HF stations, and connections to the Allies communication systems". However, for reasons of efficiency ADF HF radio facilities have been scaled-back to reduce 'unnecessary duplication' between civilian and military systems. HF radio is also limited in carrying capacity. This is problematic in an age where there are increasing demands on military systems to carry a range of data (voice, text, and imagery) in addition to the high-demands of automated information systems. Mobile fibre optic cable is also used between commanders over short distances in the AO; however, considerable dependency on civilian information infrastructure exists - "it has been Army doctrine since 1981 to use civil facilities whenever possible".

The ADF also leases transponders aboard the Optus domestic satellites and owns a relatively small number of associated fixed and mobile transceivers. But this system also has limitations, not the least of which is, as Col. O'Neill points out, "the dependance of SATCOM systems on vulnerable control stations", which is a reference to the Optus Belrose facility (discussed above). The ADF also has access to Intelsat and Inmarsat systems, which unlike the domestic satcom system, can reach outside of littoral Australia. However, they have strict limitations on their use for belligerent purposes. There is also limited use of Allied satcom facilities, such as the RAN's use of the USN's FLTSATCOM system, although these systems may not be the best solution for ADF users. For example, if the United States disagreed with Australian military objectives in a case where Australia was acting alone, would the US allow Australia to use its satellite capacity? If there was a shooting war involving both the US and Australia as allies, would the US devote scarce SATCOM resources to Australia? Bearing in mind that SATCOM resources were overloaded to such an extent in the Gulf War (1991) that the US military had to resort to civilian systems for a significant amount of their traffic, it would be safe to say that Australian access to US capacity would not be automatic. As noted above, Australia could not independently use the international satellite system for belligerent purposes other than those approved by the UN Security Council. Consequently, Australian defence SATCOM resources are both quite limited and vulnerable because they rely on the Belrose facility and cannot project past littoral Australia. At the same time, Australian access to international or allied systems is not assured in the case of a military conflict.

As the above discussion has shown, defence communications rely significantly on various civilian systems. For example, one of the key terrestrial nodes in the defence network is a fibre-optic cable direct from the Russell complex to the civic telephone exchange. Like the Belrose satellite control station, the civic exchange in Canberra is a critical node in the defence communications network. If so much of the DII depends on the NII, especially in the AO, and the latter is vulnerable, as has been shown above, then the DII is itself vulnerable. In the past the requirement of defence communications to use civil systems as much as possible may have made good economic sense. However in the context of information operations, efficiency cannot be the sole criterion upon which to base the DII. Ironically, the drive to efficiency proposed by the Wrigley report and as discussed in Col. O'Neill's excellent paper, may have created significant vulnerability by reducing redundancy.

Examples of natural disaster recovery

How might relevant organizations respond to an information attack? In the absence of an attack there is no definitive way of answering the question. However, in the past, natural disasters have disrupted elements of the NII. Therefore an examination of responses to disasters can be taken as a rough guide to how organizations involved in the operation of the NII might respond to information attack.

In Australia, the states and territories are responsible for disaster planning (displan) and relief operations (usually conducted by police, fire and ambulance as well as volunteer groups such as the State Emergency Services (SES), in conjunction with a range of associated agencies and companies, such as Telstra). There is also a federal coordinating agency - Emergency Management Australia (EMA), however it does not intervene in state affairs unless inter-state action is needed, or a state is overwhelmed by a particular event. EMA is also responsible for a federal disaster plan (Comdisplan). There is no provision for an information attack in any current government displan. Telstra has its own displan, but the national coordinator admitted that there is no plan for an information attack, and speculated that another department in the organization should have a plan but he was not aware of one, nor whom to contact. Subsequent enquiries have not revealed any further information.

The available evidence from Telstra on telecom system restoration times in the case of three recent natural disasters suggests that information attacks could cause significant disruption, especially if more than one locale is affected. In the case of the NSW bushfires (1994) and a severe storm in 1991, both of which ravaged northern Sydney, the physical telecoms infrastructure was not badly degraded. Rather, the system suffered severe localised congestion, in conditions similar to a denial of service attack. In both cases Telstra experienced some difficulty in provision of service, but it was not significant beyond 48 hours after each event as the problem was localised and short-lived. Nevertheless, in the reports covering the two events, much mention was made of the necessity to lower the volume of traffic by all available means so that vital emergency services would not be disrupted. Had the denial of service lasted over a longer period or been spread over a number of critical nodes, the evidence suggests that the consequences could have been much more severe. It was noted in the report on the fires that Optus similarly had no plan or capacity to aid the emergency services.

While the storm and fires in NSW did not cause major damage to the telecom infrastructure, the 1990 Nyngan flood was an entirely different matter. Nyngan is a medium sized country town in the North Western district of NSW. The telephone exchange at Nyngan was totally disabled for over a week from the 23rd of April 1990, as flood waters swept into the building. For the first week after the flood the only communication capacity available was by radio and one Iterra satellite dish, flown in from Brisbane, offering 6 lines to the emergency services. It took over 3 weeks to fully restore service to the town and surrounding districts which had depended on the exchange. The flood caught the staff completely by surprise - "we had no disaster plan for the telephone exchange... nobody had thought about it". The report also highlights how few spare parts were available, some of it coming from thousands of kilometres away - "cable came from everywhere... luckily [it] was available.. It was a huge job for our staff". Reading the report, one begins to question what the implications might have been had a number of exchanges been disabled at diverse locations. With no planning and few spares available, the consequences could have been far-reaching.

The evidence suggests that an information attack (of a physical or electronic kind) could seriously disrupt the telecommunications infrastructure if it were to be prolonged and took place simultaneously at a number of diverse critical nodes. Even the most basic kind of attack, a denial of service attack, could seriously impair the ability of the system to cope with regular traffic. Clearly, the system does not have to be totally disabled. It is also of some concern that if there is a displan for electronic attack, it is not well publicised within the organization.

Why?

None of the vulnerabilities discussed above will be important if there is not a significant threat posed to Australia. As threats change over time it is necessary to distinguish between short and long term threats. There are three broad areas that are of concern now and in the future. In ascending order of importance they are military information operations (IO), info-terrorism, and cybercrime. It must also be remembered in identifying likely threats that in any threat assessment scenario there must be four core elements in place: motive, opportunity, capability and the willpower to execute a decision to act.

Currently Australia faces no threat from other states in the region. This premise has been the basis of strategic guidance and defence planning for quite some time and there is no immediate reason to challenge this strategic convention. However, the long term trends in the Asia-Pacific region are of some concern. A pessimistic reading would focus on the potential for the end of the golden years of East Asian prosperity to create tensions both within states and between them that, combined with growing military budgets and increasingly sophisticated military arsenals, could presage a difficult and confrontational future. This possibility will be compounded if current attempts to establish lasting security regimes in the region fail. There are also fears of the consequences of the rise of China and the various disputes that country has with many of its neighbours. If the United States were to further withdraw from the region in response to a new isolationism at home, what might the likely response be from the major powers in the region, such as China and Japan?

Information operations offer some advantages to less developed states. Because they are less dependant on information systems in their day-to-day existence, their vulnerability to an attack is reduced. With freely available information on the techniques of IO and with low entry costs, IO will no doubt be an attractive option. This is compounded when one considers the spiralling costs of conventional weapons and the requisite logistic, training and support expenses of keeping those forces in battle readiness. With increasing regional tensions even the smallest, least developed countries could develop the motive, opportunity, capability and the willpower to launch an IO attack. Unlikely as it may now appear, who knows how things might look in 2010? IO would be a less attractive option for peer competitor states, however. The consequences of attacking the financial system of a neighbour are just as likely to rebound on the attacker as they are likely to disable the defender when significant interdependencies exist between them. In addition, the systemic unintended consequences could be great and affect all manner of systems upon which the attacker depends, as well as causing friction within alliances.

Much of the writing on IO suggests that it will be used in isolation from other forms of military action, which suggests that there are some interesting parallels between early air power theory and early information warfare texts. Yet what would be the point of a substantial large-scale coordinated attack on Australia's NII if it was not as a precursor to an invasion? The aims of terrorism might be well serviced by the chaos created by such an attack, but it would not profit another state's military objectives short of invasion. This raises a number of interesting questions regarding proportionate response and escalation control in the event of an information attack. Would an assault on a country's financial system be an act of war, presuming the attack and the attacker could be identified? How might a country respond?

These questions are further complicated in the case of info-terrorism. As suggested above, the interests of terrorists would be well served by IO. Again, low entry costs, difficulties in identifying an attack and its origins (anonymity and ambiguity), and the potential for extreme chaos throughout governments, corporations, and society in general, all offer rich opportunities to terrorists. Terrorists will also be attracted to the fact that conventional notions of deterrence will be increasingly irrelevant in the context of IO as counter-targeting becomes difficult when an attacker launches an assault via a number of different national or international jurisdictions, using anonymous or spoofed ID, and from a mobile laptop - possibly from within the country the terrorist is targeting.

New information technologies also offer terrorists fantastic propaganda opportunities. There is an old internet joke from the New Yorker magazine that has two dogs sitting at terminals across from one another and one says to the other "this is great - on the internet no one knows you're a dog". The implication for terrorists is that with just as much access and opportunity to put their case as anyone else, they can attempt to attract and convert people on the strengths of their unmediated arguments. Previously their message was interpreted and delivered through the filters of the news media. Now they can tell their story to anyone willing to tune in. Of course this kind of exposure might just as easily work against them as for them if they are unable to make a good case.

An interesting example of a highly educated, motivated, dedicated and ruthless terrorist who could have used new information technologies to great effect is the 'Unabomber'. With adequate resources to fund acquisition of a computer and modem, and a profound grudge against society - a Unabomber-type terrorist could wreak all kinds of damage. Certainly they would have a motive, could seek an opportunity, easily obtain a capability, whilst already possessing the willpower to act. If they go undiscovered as the original Unabomber was able to do for so long, the potential implications for the society the terrorist loves to hate could be phenomenal. Such a terrorist would be capable of researching critical nodes (freely available in open sources) and mis-representing themselves to gain access to codes and passwords (human engineering), thereby gaining access to vital systems used to run the society against which they hold a grudge. In the age of 'down-sizing', job insecurity, government cuts to welfare as well as a range of other services (including the Universities - remembering that the Unabomber was a Harvard mathematics whiz), Unabomber-type terrorism is likely to increase, especially in open societies like Australia and the USA when more than ever before individuals have access to and knowledge of vital NII systems and the means to attack them. It would be all the worse if the proposed Unabomber-type terrorist also happens to be the systems manager of a critically important system.

In the past, Australia has been very fortunate to be spared many terrorist incidents. However, with the continued and painful rationalization of the economy and the associated social impact of those measures, which, inter alia, has to some extent helped create an environment for the emergence of the new right in the form of the One Nation Party (ONP), Australia might not be so lucky in the future. Extremists, or fundamentalists of all stripes, are a problem both in Australia and overseas. The ONP espouses ideas familiar to fascists around the world. Jean-Marie Le Pen in France and David Duke in the USA, to name but two examples, would be very familiar with the ideological contours of the ONP party line. Could an ONP member get so angry that they might turn to terrorism either by themselves or as part of a small disaffected group? Consider a hypothetical example. Say an ONP fanatic, unemployed for 10 years, who was recently forced to hand in all his/her beloved guns under new legislation following the Port Arthur massacre, and was then forced off the land due to a bank foreclosing on a loan unrepayable because of drought, got frustrated and angry enough to seek vengeance using computers as their new weapon? Banks beware!

It is not that far fetched. Consider that ASIO's annual budget for the assessment of threats to the leader of the ONP was spent within a few months of the start of the financial year. Clearly, the country's leading domestic intelligence organization underestimated the significant threat already surrounding the activities of the ONP. While this indicator suggests a threat to the ONP, it is also indicative of the highly charged environment surrounding the activities of the ONP. Perhaps if they or their leader were attacked, then they would find recourse to retaliate? This is pure speculation, however the trends are there and they are not good.

The other key opening for a terrorist act in the near future is the Sydney Olympics in 2000. While law enforcement organizations are concentrating on physical security they have not canvassed cybersecurity issues. An attack could be mounted against Australia or more likely against another country participating in the globally televised sports extravaganza. A wide range of targets and opportunities present themselves in the Olympic scenario. With the world looking on and with the year 2000 computer 'bug' providing 'cover', one single large-scale act could ruin the games and profoundly damage Australia's reputation. Remember also that Australia's relatively safe past may have conditioned people to discount some more extreme scenarios and that even a small scale attack could have a lasting effect both domestically and internationally. What if a 747's GPS and ILS systems were infiltrated to cause it to crash at Sydney's already limited capacity international airport? The political and psychological effect of an act of that kind in the Australian context is hard to calculate.

The third and currently most significant area of information operations activity is in the realm of crime. Criminals and organized crime groups have been quick to seize the opportunity afforded by new communications technologies and their rapid spread throughout society. Of the three areas of potential threat identified above, crime is currently the most common area in which to find the active utilization of IO techniques and strategies. In information operations the techniques for attacking an air traffic control system are essentially the same as those used to attack a bank. Consequently, statistics on cybercrime are valuable indicators as hard evidence does not exist for terrorist or military information warfare. Early in 1997 the Office of Strategic Crime Assessments (OSCA), within the Attorney-General's Department, conducted an excellent study entitled 1997 Computer Crime and Security Survey. The study canvassed a number of Australia's top 500 companies, government departments and other large organizations, and investigated the type, frequency and kind of information attacks these organizations have experienced in the past and fear in the future. The results make for interesting reading and suggest what might be expected in the future from terrorists and the military's competitors.

The survey notes that Australian law enforcement agencies have reported significant increases in both the sophistication and number of external attacks on Australian companies in the past 18 months, a trend that is supported by AUSCERT statistics. "Financial systems and confidential corporate data were the two most frequently attacked information types.... a number of respondents... expressed concern as to the vulnerability of their financial systems to attack". The survey shows the following motivations for the attacks: extortion and terrorism (10%), espionage (26%), financial gain (10%), malicious damage (4%), and curiosity (49%). While the majority of attacks came from within (employees, contractors and consultants), "the threat from outsiders is growing at an alarming rate". This Australian finding is consistent with international studies. External attackers accessed information systems via internet (25%), remote dial-in (16%) and 'other' routes (19%). A compliance and fraud officer of a major bank estimated the cost of information attack to their organization to be "in excess of $500,000".

What can be done?

Until recently, it has been very hard to raise the profile of information security because it has been viewed as a technical issue, something computer managers should be aware of but not line managers, let alone those concerned about national security. But societal dependence on information systems demands that urgent attention be paid to information security. Because Australia possesses many advantages as an information economy, the response must be multi-faceted, concentrating on how to best exploit the opportunities presented in the 'information age' as well as seeking the best possible protection from the vagaries of informational dependence. The stronger and more secure Australia becomes as an information-base the more attractive it will be to investors seeking a safe and reliable space within which to conduct their business.

Because it is so poorly understood, infinite resources, human and otherwise, could be spent on attempts to secure the NII. Certainly, some key nodes identified in this paper could be hardened if those intimately involved thought that protection warranted - as it appears to the interested observer. However, there are three main proposals that could be easily adopted with minimal expense that will be canvassed here. First, human rather than technological solutions play an important part in enhancing information security. Second, corporate plans must be revised to include information system-related contingencies. Third, a national monitoring agency is badly needed.

When one thinks of information security the immediate response is to think 'firewall'. However studies as well as expert opinion have shown that in many cases the most important safeguards start with simple security procedures in offices and homes, such as hiding passwords. What is really needed is a change in office culture that respects the gravity of information security demands. The best way to advance new thinking on corporate information security is through awareness programs and supplementation of training regimes that emphasise the implications of getting basic computer security wrong.

In the immediate future it is vital that corporate plans are developed to cope with an information attack contingency. For example, if the telephone exchanges upon which the Department of Defence relies for terrestrial communications were attacked, does Defence have a plan to prioritise its communication needs with the remaining available systems? What if in addition to communications, the energy supply from the Canberra grid were to collapse, putting further pressure on a wide range of defence systems? Is there a plan at ADFHQ that is practised regularly that prioritises the operations of the organisation so that it can still function when core energy and communications systems are degraded? The same question can be asked of the banks or any other vital part of the NII. Rather than having a solution to these problems imposed from above, information assurance plans are best designed at the organisation level. However, that does not prohibit cooperation or coordination with others, either locally or internationally, on best practice in the event of a failure of part(s) of the NII.

There is a trade-off between diversity and connectivity in information systems. Similarly, diversity in information systems equates with security, however it also complicates monitoring activity within a system and across the interconnections between systems. Because information attacks, if detected at all, are both potentially anonymous and ambiguous, a monitoring function is vitally necessary. It is proposed that a monitoring organisation is developed with the cooperation of all those involved in the NII, as the security-oriented backbone of a National Information Policy (NIP) that seeks to exploit Australia's advantages as an emerging information economy.

This core organisation would benchmark existing systems, and monitor, on an anonymous basis, any suspicious activity. On discovering a flaw in a system or the evidence of an attack, the organisation would notify users of whatever problem was encountered and develop solutions to overcome the attack. Anonymity in reporting events would be vital for commercial and military confidence to be maintained. We stand on the threshold of a new era, where conventional approaches to new problems and opportunities will not assuage the forces of change. In this context the response to the new era must incorporate both government and private enterprise, locally and internationally. Overseeing the work of the organisation would be a committee comprised of representatives of the participating businesses and government agencies whose role it would be to develop recommendations to government on regulatory strategies to enhance the security of the NII. The government conduit would preferably be a cabinet-ranking minister. It would not be preferable, nor necessary, to create a new ministry for this purpose. Rather, the role should be delegated to an existing portfolio. Likewise, the monitoring organisation need not be invented. A precursor organisation already exists in the form of AUSCERT.

Superficially, one might suspect that various competitors would not be enthusiastic in participating in such a scheme. In exchanging information they could also be exposing their position. However, the initial trends suggest that most of the organisations at the heart of the NII realise that coordination will be vital to both their individual interests as well as those of the group. Indeed, never was security so mutually dependent as in the realm of information technology. As the OSCA survey demonstrates, when anonymity is assured, participants are eager to learn from each other's experiences. The OSCA research is particularly compelling as it drew on both corporate and government examples and demonstrated that the two groupings are willing to work together on this vital issue.

To date, a number of organisations in Australia realise the pressing importance of security of the NII. However, none of them have been given the resources or the authority to do anything about the problems that already exist. Many interested government agencies are located within traditional security circles (such as DSD, ASIO, PSCC etc), whose interest in protecting the NII tends to generate suspicion in other agencies or outside. A problem also exists in the fact that securing the NII straddles commercial-government and inter-agency responsibilities. No one can decide who should be responsible. While suspicions surround the role of the intelligence agencies, in some respects they are best placed to cope with the technical issues involved. However, as almost every expert will agree, solutions to many of the problems concerned have a human as much as a technological basis. Notwithstanding this, members of the government agencies interviewed by the author have all noted that until a major catastrophe occurs the government is unlikely to divert much attention to protecting the NII. Can Australia afford to wait for a major event, say at the 2000 Olympics, to galvanise the government into action?

As Australia's role in the GII suggests, an approach that focuses solely on the domestic front will be sorely inadequate in the face of global developments. Consequently, based on a robust domestic NIP, Australia could take a leading role in international negotiations designed to coordinate common strategies regarding the use and abuse of new communication technologies.

As mentioned above, these security issues should be part of a comprehensive NIP that seeks to build on Australia's various advantages as a potential niche information competitor nation. Indeed, as an open society with an excellent infrastructure, an educated work-force, a stable economy, currency and polity, with strong trading and commercial relationships in the region and beyond, Australia has much to recommend itself to the world in the coming 'information era'. Security of the NII could act as a multiplier to these extant advantages. Investors and companies are bound to be attracted to places where commerce can flourish in open and secure environments.

Conclusion

Australia is vulnerable to information attack. There are many exposed critical nodes in key elements of the National Information Infrastructure (NII) that could be exploited by aggressors. Interdependency between systems, such as telecoms, energy, and financial networks, as well as a general dependency in modern life on interconnected information systems, present new challenges to a wide range of government and corporate authorities. Criminals and organised crime already utilise weaknesses in the NII at a significant and growing cost to society. There are grounds to believe that potential threats to the NII exist which are likely to increase in time as terrorists and aggressive states seek to exploit new technologies that can cripple societies while permitting a degree of anonymity to the attacker. Nevertheless, there are a range of strategies that can be adopted to protect both specific units as well as the system that comprises NII. Some are quite simple solutions, others require more coordination but they do not have to be prohibitively expensive. A comprehensive strategy for Australia which seeks to build on its strengths as an information economy, complemented by making its NII more robust, would be a good starting point to enable Australia to successfully engage in the economy and society of the new millennium.

Weapons Annex:

1. EMP Bombs -
Electro Magnetic Pulse bomb - could burn out the electronics systems within a certain range - similar to that experienced during a nuclear detonation. They operate under the same principle as HERF Guns; however, they are a thousand times more powerful. Imagine the bombing of the World Trade Centre in NY used an EMP bomb!
2. HERF Guns -
High Energy Radio Frequency - direct a blast of high energy radio radiation at a pre-selected target.
3. Viruses -
programs that infect systems and cause damage. They are usually hidden within safe looking programs. Macro virus: sequence of commands that, once loose within the system, can destroy it or shut it down.
4. Logic bombs -
Virus that infiltrates a system anonymously and waits until a pre-set trigger sets it off to destroy the system.
5. Trojan Horses -
program that enables the user to gain entry to the system that it penetrates. Unlike a virus which multiplies itself thousands of times, a trojan horse is designed to gain access to systems without detection. A Trojan horse concealed in a random game program downloaded from your favourite newsgroup can read any file you have read access to, and mail it anywhere in the world. It can erase, or just shuffle around a few bytes in, any file you can write to. It can send obscene messages to the White House, or post embarrassing things to random newsgroups.
6. Chipping -
the production of computer chips and other components vulnerable to destruction by designing built-in weaknesses.
7. Back doors -
secret access built into programs and/or systems that allow creators undetected access.
8. Spoofing -
similar to military techniques but designed for computer systems (web spoofing - shadow web site). "In the worst possible case, a criminal could use a false Web site to discover passwords and account numbers, assume the victims' identities, possibly defraud them or merchants, or access or modify victims' private data" - Edward Felten, Prof computing science Princeton (Australian 12-13/4/97, pp. 1 & 6).
9. Sniffers -
allows collection of sensitive data like passwords and codes to gain access to all systems without being detected.
10. Van Eck radiation -
all electronic equipment emits radiation. Specialized receivers can intercept this radiation and tap into a wealth of data. There are effective counter-measures available.
11. Video morphing -
Psyop technique (a la Forrest Gump).
12. Microbes -
in the same way micro-organisms eat garbage, some Pentagon officials believe that microbes can be bred to eat electronics and computer components.
13. Worms -
Program that infests a network environment and exponentially multiplies itself thereby using larger and larger amounts of memory and disk space until it brings the system to a halt. There is no hard line between viruses and worms; in general, if the spreading entity is a self-sufficient program, it will be called a worm, whereas if it embeds itself inside other programs or boot code, it will be called a virus.
14. Cryptology -
encompasses both cryptography and cryptanalysis. Major issue in the US - Netscape is classed as munitions and sophisticated encryption systems are freely available.
15. Cookies -
tiny bits of data that track a user through the internet monitoring destinations and time spent there. Electronic footprint.
16. Cancelbots -
automated search program capable of searching for certain postings and cancelling on-line access to them.
17. Freeloader -
A freeloader is a program that uses some system or server resources to survive and possibly benefit its creator, without paying for them. Servers may provide some minimal service for free, in order to attract paying customers, or unintentionally, as an unintended effect of complex cost structures; there may be ways to arrange for some transaction charges, especially small ones, to be lost in the shuffle. A freeloader exploits these sorts of things to operate free of charge.
18. Flying Dutchman -
Named for the legendary ghost-ship, a Flying Dutchman is a freeloader that manages to become effectively immortal, without paying for the resources that it uses to survive. A Flying Dutchman may move from host to host, never quite using enough resources to be killed; it may spawn a copy of itself on another host just before it is terminated, ensuring an unending gene-line.





Infowar.Com & Interpact, Inc. WebWarrior@Infowar.Com