Most discussions of cyber security are couched in terms of protecting computer systems, especially those belonging to government and managers of civilian infrastructure. No doubt the forthcoming government white paper on cyber security will also include that sort of discussion. Based on the earlier public discussion paper, it will probably also take the opportunity to begin a more nuanced discussion between the government and the wider population about the expected behaviour of each in cyberspace. In most walks of life there is a contract—usually implicit—between the government and the populace regarding service provision and law enforcement. Cyberspace will be no different, and some parts of any compact will be familiar. But the ubiquity of the internet and the zeal with which we’ve all taken to it, there’ll be some important differences.
One interesting proposal of the cyber white paper is the agreement of a social contract tied to the concept of ‘digital citizenship’. It emphasises responsible use of the internet by encouraging people to respect rules of usage—the digital social contract—and assume responsibility for inappropriate behaviour.
Here, I think, we should tread carefully because behind the concept of ‘digital citizenship’ is the complex issue of internet governance. Using laws in the real world as an analogy, I think legal instruments can be created to police the internet to a certain extent, while safeguarding the civil liberties of all Australians; though, this is no easy task, especially now there are clear overlaps and intersections between social, economic, and national cyber security. ISPs and law enforcement agencies could partner to block users who disregard basic rules of usage of the internet.
For the government departments that already have large amounts of sensitive, personal data in their hands, the Cyber White Paper will look at how to make those systems more impregnable to cyber intrusions. This being said, there will be less innovation in the 2012 Cyber White Paper about this; the Privacy Act 1988 already stipulates government’s role in protecting and using people’s personal information. However, additional funding to hire more ICT specialists working for departments could be a simple solution.
Other areas that will definitely draw significant benefits from this white paper are small-to-medium size businesses thanks to the new focus on government and private sector partnerships. I anticipate the creation of liaison groups between organisations like CERT Australia (Computer Emergency Response Team Australia) and private businesses to train them in the basics of risk-based cyber security and how to report cyber attacks to the appropriate authorities.
Unlike the United States and the United Kingdom, Australia lacks the necessary legal tools to document cyber attacks outside the intelligence community, unless they are reported to the appropriate agencies. For instance, IT security specialists recognised that current systems controlling water, electricity, and trains can go offline for a month without being reported.
Finally, in my view, a more robust legal framework is needed to ensure cyber crime is targeted and prosecuted. However, I do acknowledge that there are many caveats to the cyber security problem, and creating effective cyber security strategies is a balancing act. A common understanding about individual responsible behaviour has to be reached to view cyber security as it is: a cooperative effort between government, corporate Australia, not-for-profits, and members of the community.
Bernardo Camejo is a student of International Security and Counter-terrorism at Murdoch University.