Tag Archive for: critical infrastructure

La La Land under siege

The devastating wildfires in California have turned the City of Stars into a scene from an apocalyptic Hollywood movie.

It’s hard to fathom that a disaster of this magnitude could strike a major coastal city today, and difficult to understand how we’re still seeing widespread destruction of homes and businesses. About 12,000 structures have been lost since the fires began on 7 January, with many more likely to follow.

Like Los Angeles, Australia’s capital cities are close to national parks and are vulnerable to bushfires. In 2003 a massive fire hit Canberra. Almost 500 houses burned down, but the city lost no critical infrastructure.

Whether that was thanks to good luck or good preparations, we need to look again at protection of major cities’ critical infrastructure against increasingly frequent and severe natural disasters.

Amid the devastation in LA, some buildings remain unscathed. These structures show the importance of preparedness and attention to disaster-resistant design and resilient building materials.

Two particular examples of resilient building design and materials that have been making headlines worldwide are in Malibu and the Pacific Palisades. Buildings there incorporate a range of wildfire-proofing measures, including fire-resistant roof materials and absence of eaves and roof vents.

Internal features include tempered glass and class-A wood, which is as ignition resistant as concrete or steel. The structures also have walls that resist flame and heat for up to one hour. Externally, sparse desert-style landscaping and concrete retaining walls provide effective setbacks.

Meanwhile, the Paul Getty Museum is an example of resilient infrastructure. It sits on a ridgeline in the Santa Monica Mountains and has withstood several wildfires, with this month’s Palisades fire coming within 1.8 metres of the eastern walls. Completed in 1997, the museum features fire-resistant landscapes, materials and systems, including a network of underground pipes connects to a one-million-gallon water tank for emergency sprinkler activation.

Built to the highest fire-resistive standards, it has exterior features including 300,000 travertine stone blocks, and roofs covered in crushed stone. Interior walls are concrete, and the building’s self-contained design includes air pressure systems to separate different areas and prevent smoke infiltration.

So far, the LA wildfires have destroyed an area of about 60 square miles (approximately 16,000 hectares), an area larger than the city of Darwin. In comparison, the Australian 2019-20 Black Summer bushfires burnt more than 16 million hectares of land, resulting in a loss of about 5900 buildings and an estimated insurance loss of $1.34 billion. The economic, social and environmental impacts are still felt.

Reinsurers in Los Angeles have indicated that they will face significant losses and will seek to recover their costs. This will have affect insurance premiums globally, and any may result in rising insurance costs and difficulties in securing coverage. According to climate-change risk analysis modelling, one in 10 properties in Australia will be uninsurable within the next decade. Meanwhile, Australia is experiencing a cost-of-living crisis, where insurance is increasingly seen as a luxury expense and is often deprioritised in favour of essential needs such as housing and groceries.

As insurance becomes unaffordable, the government should shoulder the burden of protecting infrastructure. This raises an important question: how well-prepared are our major cities’ critical and social infrastructure to withstand and respond to the increasingly frequent and severe natural disasters that climate change is driving?

50 years ago, Cyclone Tracy was, at the time, the worst natural disaster in Australian history. As reflected in ASPI’s special report Cyclone Tracy: 50 years on, the disaster played a pivotal role in the development of the National Construction Code, which established a standard to enhance resilience against natural hazards such as bushfires, floods and earthquakes. It wasn’t until 1991 that an Australian standard was set for improving the fire resistance of homes in bushfire-prone regions.

The LA wildfires have shown that natural disasters do not respect boundaries set by urban planning. Many of our major cities, including major Canberra, Sydney and Melbourne, are bordered by big national parks, making the urban edges highly vulnerable to bushfires, especially as climate change makes conditions hotter and drier.

A reform of the National Construction Code and Australian fire resistance standards are needed to ensure new infrastructure can withstand major weather events. This could be similar to the implementation of sustainability and energy-efficiency standards for new buildings. Governments at all levels can lead by example by improving the disaster resilience of their own assets.

Implementation of a government-led rebate system, similar to the Australia’s solar rebate system, is an example of how government can help offset the costs of adapting existing structures to make them more resilient.

In the short term such a reform would not only reduce the loss of structures during natural disasters; it would also cut building-lifetime energy costs. Over the long term, it would help lower the cost of insurance premiums and, importantly, reduce post-disaster recovery time.

The LA wildfires have underscored the urgent need for governments to rethink their assumptions about bushfire risk and infrastructure resilience. LA is facing a long road ahead to rebuild its infrastructure and restore essential services. Australia must take steps to avoid experiencing a similar crisis.

National resilience? Hardly. We’re unprepared for crises

Three landmark reports this year have laid bare an uncomfortable truth: Australia is dangerously unprepared for crises.

Each report brings distinct yet complementary insights:

The Glasser review into disaster governance arrangements found that resilience has no dedicated home at the Commonwealth level. Its seven key recommendations emphasise the need for stronger leadership, including an elevated role for National Cabinet in coordinating resilience initiatives and the introduction of an annual National Resilience Report to Parliament, with clear metrics and a strengthened focus on climate risk.

The Telecommunications Sector Resilience Profile, of which I was the lead author, shows weaknesses at the sector level, with the concept of resilience only at an early stage of integration into federal policies. The report established a framework of seven guiding principles supported by 34 specific capabilities. This framework provides both a roadmap for enhancement and a mechanism to track progress in strengthening telecommunications infrastructure.

And the Colvin review examined disaster funding mechanisms, warning that without immediate, evidence-based investment in risk reduction, Australia faced an unsustainable rise in disaster-related costs. Its 44 recommendations, underpinned by eight design principles, outlined a more focused Commonwealth role, including new accountability measures and annual reporting requirements.

These reports converge on fundamental gaps: we lack a shared vision of success, clear lines of responsibility and ways to measure improvement. Without addressing these basics, Australia’s crisis response will remain fragmented and reactive.

The telecommunications sector perfectly illustrates these challenges. Modern networks are engineering marvels working invisibly in our daily lives, until they fail, as we saw in the Optus outage last year.

The problem runs deeper than individual failures. Our research at ANU revealed severe gaps in how we manage the interplay between markets and government regulation. When crises hit, we discover these gaps the hard way.

For example, the dependency of telecommunications on energy providers is a key vulnerability. Telecommunications providers do not often have prior warning of plans by energy providers to de-energise or re-energise the electricity grid. The Royal Commission into Natural Disaster Arrangements recommended improved cooperation between the telecommunications and energy sectors after the 2019–20 Black Summer bushfires, however current efforts have not improved the relationship, industry insiders say.

More worrying still is our diminishing ability to learn from these failures. Australia’s cyber intelligence agency has seen a decline in incident reporting. Instead, businesses are putting legal protection over transparency and collective improvement. This creates a dangerous knowledge gap: how can we improve if we don’t know what’s going wrong?

Each disruption offers lessons, yet we lack a systematic way to capture insights, implement changes across sectors and hold government and industry accountable for improvement.

The Glasser review notes differing meanings of resilience. For remote communities, it may mean preserving major employers. For national security planners, it encompasses regional security, supply chain stability, cyber threats, natural disasters and terrorism. In telecommunications, resilience can mean, for example, ensuring businesses’ revenue or students’ access to online learning.

Differing interpretations of resilience can lead to institutional inertia. Various groups can claim their expectations aren’t being met while they wait for others to act. Resilience becomes both everyone’s responsibility and no one’s.

The telecommunications sector demonstrates the difficulty of making achievement of resilience actionable for industry. As each provider defines resilience based on its commercial interests, sector-wide efforts are often at cross-purposes.

The Telecommunications Sector Resilience Profile proposed a principles-based cyber governance framework based on the UN’s Principles for Resilient Infrastructure. This practical application of the UN’s principles could inform their use in other critical infrastructure sectors.

The Colvin review makes clear we’re still trying to solve tomorrow’s problems with yesterday’s funding models. Complex funding arrangements often fail those who need help most by creating a system in which success depends more on grant-writing expertise than need. While well-resourced organisations can navigate the bureaucratic maze, our most vulnerable communities—those facing language barriers, disability or geographic isolation—are left exposed.

The telecommunications sector perfectly illustrates this brewing crisis. Major carriers cannot justify skyrocketing infrastructure costs to meet growing data demands while revenue streams struggle to keep pace. This isn’t just a business problem; it’s a national security issue. When commercial imperatives clash with resilience requirements, short-term thinking often wins.

The last few years have forced faster crisis decision-making, but speed without strategy has left us lurching between emergencies. These three reports share a common message: breaking this cycle requires more than just response plans.

Effective crisis leadership demands clear objectives that guide priorities, robust systems that ensure dependable action, and shared measures of success. Building true resilience demands more than chasing spot fires—it demands transformative thinking.

Subsea communications cables: vital but vulnerable

Most people never think of undersea communications cables.

Well, the people of Tasmania were thinking of them in 2022, when the state’s two main subsea cables were both severed within hours of each other. The disruption caused widespread outages, affecting flight schedules, cash machines and payment systems, even forcing some businesses to close.

Ensuring the resilience of the submarine cable network against disruptions is crucial.

Lying deep on the ocean floor, these fibre-optic cables can transmit massive amounts of data at high speeds with low latency, making them far more efficient than satellites, which handle only a fraction of global data transmission.  Satellites, however, do serve as backups to subsea cables in some cases and are well suited to serving remote areas, islands and mountainous regions where cable connectivity may be too difficult and expensive to install.

For most of their lengths, deep underwater, these cables are about as thick as garden hoses, with thin glass fibres at their cores to transmit data. Closer to shore, they become thicker and are reinforced with metal armour to prevent damage. Contrary to Youtube lore, marine life, such as sharks, pose minimal threat to them, thanks to improved cable designs and burial in shallow waters. The latest analysis by the International Cable Protection Committee registered no cable faults attributed to sharks between 2008 and 2014.

The biggest threats to subsea cables come from human activities. Data from 2007 to 2018 shows that anchors and fishing account for more than three-quarters of known cable faults. The damage occurs as anchors are dragged across the ocean floor or when bottom trawling fishing equipment entangles the cables. Although this is usually accidental, it could be done intentionally. Proving intention can be quite challenging.

Redundancy is a crucial part of subsea cable network resilience. If a cable is severed, redundancy enables the network to reroute the data across other links, such as other submarine cables, terrestrial cables or satellites. This minimises noticeable impact to network connectivity.

Other methods of minimising cable disruptions include preventing damage with protective measures. Physical security measures, such as making cables with armour and burying cables in shallower areas, reduce the risk of damage. Limiting access to cable landing stations, where cables come ashore and are more vulnerable, is another priority, because those points are on land and therefore accessible and because cables are concentrated at them.

Cybersecurity of the software that manages the cable network, and auxiliary systems, such as security camera networks protecting cable landing stations, and network operation centres, is equally essential.

Even with such measures, disruptions do happen, so having a repair capability is vital. Repair ships are crucial for restoring connectivity. But there are only around 70 cable ships worldwide, and only a third are set up repairs. The fleet and workforce are ageing, too. All this presents a significant challenge in maintaining cable system resilience.

In a recent report, Connecting the Indo-Pacific: the future of subsea cables and opportunities for Australia, my co-author and I highlighted the growing influence of hyperscale cloud and content providers on the industry and the broader geostrategic context of subsea communications cables for Australia, shedding light on the opportunities and challenges that lie ahead. Australia’s subsea cable resilience is generally good. This is because of several factors, including that multiple cables land at different geographic locations and offer a degree of redundancy and resilience. Another is that Australia’s enforces legislation to protect cables in the shallow waters as they make landfall, designating certain areas as cable protection zones.

However, challenges persist. The cable repair industry is the most significant gap in resilience.

Subsea cables are the backbone of our global communication system. As the economic and security value of data continues to grow, it’s crucial that we protect this critical infrastructure by enhancing physical and cybersecurity measures and invest in improving repair capabilities.

How the critical infrastructure act demands resilience measures

Time and time again, cyber attackers have shown nothing is off limits.

Healthcare, telecommunications and banking. Education, public sector and energy.

In the past few years, headlines have highlighted the scale of disruption cyber attackers will inflict, with each sector falling victim to incidents that took systems offline, exfiltrated sensitive data, or both.

Against this backdrop, successive Australian governments have implemented and tightened regulations as part of the Security of Critical Infrastructure (SOCI) Act. This legislation aims to strengthen the security and cyber resilience capabilities of Australia’s critical infrastructure industries in the face of ongoing attacks.

One of the act’s initial developments was to expand the sectors classified as ‘critical infrastructure’. These now include communications, data storage and processing, defence, energy, financial services, food and grocery, healthcare, higher education, space technology, transportation and water and sewerage.

In less than two weeks, the grace period for one of the act’s most important obligations will end, when enforcement begins for rules regarding critical infrastructure risk management programs (CIRMP). By August 17, entities specified in the act must adopt a CIRMP cybersecurity framework and must maintain and report upon their adherence.

The Department of Home Affairs will audit, monitor and enforce the obligation. Failure to maintain an approved framework can be punishable by up to $275,000 per day, and businesses will suffer reputational damage if enforcement action is taken against them.

The listed industries have had to adopt one of the act’s suggested cyber security frameworks since February 2023.

With the deadline quickly approaching, what is a CIRMP, and why is it important to critical infrastructure?

Focusing on fundamentals

At its core, a CIRMP is intended to improve security practices and ensure critical infrastructure providers take a holistic and proactive approach to identifying, preventing and mitigating material risks, whether from cyber or physical threats.

As to cybersecurity, the act specifies five frameworks, including those published by the National Institute for Standards and Technology (NIST) and the Department of Energy in the US. Frameworks from the International Organisation for Standardisation (ISO), Australian Energy Market Operator (AEMO) and the Australian Signals Directorate (ASD) have also been included.

In our conversations with local critical infrastructure providers, many have favoured adopting the last of these, the ASD Essential Eight, as it is a framework many have worked towards for some time.

The Essential Eight is a list of prioritised mitigation strategies designed to protect organisations against various cyber threats. Each strategy, which includes patching applications and operating systems, implementing multi-factor authentication and restricting administration privileges, is measured against three levels of maturity; level one is the lowest and level three the highest.

Organisations adopting this framework as their CIRMP should aim for maturity level three across the board, particularly in regard to the strategy of regular backups.

Of the eight strategies, this is the only one to address cyber resilience—limiting the impact of a successful breach and ensuring rapid recovery in the event systems are taken offline.

While the other seven are important, they focus on hardening the perimeter and preventing an attack. As recent headlines have shown, no prevention strategy can ever be 100 percent foolproof. Organisations need to be confident in their ability to recover rapidly following a successful attack.

Systems of National Significance

Under the SOCI Act, some organisations are deemed to be Systems of National Significance (SoNS). These are Australia’s most important critical infrastructure assets and are subject to enhanced cyber security obligations.

When the home affairs minister notifies an organisation it has been identified as a SoNS, it will have to implement the following controls and strategies:

Incident response plans detail how an entity will respond to cybersecurity incidents that affect its systems. This obligation will assist entities in articulating what to do and who to call in the event of a cyber incident.

Cybersecurity exercises test preparedness, mitigation, and response capabilities. Ultimately, they are designed to reveal whether an entity’s existing resources, processes and capabilities sufficiently safeguard the system from being impacted by a cybersecurity incident.

Vulnerability assessments identify gaps in systems that expose entities to particular cyber incidents. These assessments will help entities identify where further resources and capabilities are required to improve preparedness for, and resilience to, cyber incidents.

Provide system information to develop and maintain a near-real-time national threat picture.

Whether designated as a SoNS or subject to the CIRMP requirements, critical infrastructure providers can expect auditing and enforcement activities to commence this year. With ASD announcing earlier this week that the Chinese hacking group APT40 has been actively targeting Australian organisations, and geopolitical tensions rising in the region, the stakes have never been higher.

Delivering the Quad’s tech agenda 

Almost three years have passed since the leaders of the four Quad countries pledged to co-operate on critical technologies to ensure that innovation is consistent with a free, open, inclusive and resilient Indo-Pacific. With technology and geopolitics both moving quickly, the Quad needs to focus on delivering on its commitments.

The grouping’s tech agenda now spans horizon-scanning, education and research, technology design, investment, supply chain resilience, and assistance to third countries. Implementation is well underway, although the full impact of many initiatives is yet to be realised.

Take for example the Quad investors network (QUIN) established in May 2023 to facilitate, and address barriers to, investment in 10 strategic sectors such as clean energy and semiconductors. It does not have an investment fund to draw from but focuses on connecting public, private and philanthropic stakeholders. Guided by a high-powered advisory board and with support from America’s Frontier Fund, the QUIN launched the Quad Center of Excellence for Quantum Information Science, hosted a Quad Investment and Technology Dialogue at the White House in October 2023, and has announced plans to partner with Australian company Q-CTRL to provide quantum technology training.

Dialogues and announcements can give the appearance of success, but money talks. The QUIN was labelled ‘instrumental‘ in India’s Epsilon Advanced Materials’ US$650 million investment in a battery plant in North Carolina late last year. While this is an important step forward, the QUIN’s measure of success will be forging many more partnerships that would not otherwise have occurred. On that front, more movement is needed.

QUIN matchmaking is being complemented by Quad efforts to align trusted sources of private capital with government tech priorities. The Quad Technology, Business and Investment Forum, most recently held on the margins of APEC in San Francisco last November, showcased business opportunities in emerging tech. It is still early days and a step in the right direction. Public-private convergence on technology development supported by patriotic investors could have substantial payoffs, not only in the context of the Quad but also defence technology partnerships like AUKUS.

In the Indo-Pacific region, the Quad has put in place the administrative and institutional architecture to improve digital infrastructure access and resilience. The US Department of State signed a technical assistance grant with Palau to modernise its mobile network and deploy open radio access network (RAN) capabilities. Australia has established the Cable Connectivity and Resilience Centre to provide subsea cable technical assistance, particularly to Southeast Asia. While not officially a Quad activity, construction of the $135 million East Micronesia Cable is now underway, funded by Australia, Japan and the US, providing lessons and expertise for the Quad to build upon.

Quad countries have also laid out their vision for technology governance by developing principles on technology standards and technology design, development, governance and use. Improving telecommunications security and open architecture for RAN has been a key focus, including to manage risks from Chinese vendors like Huawei and ZTE. Quad members endorsed the Prague proposals on telecommunications supplier diversity, signed a memorandum of cooperation on 5G supplier diversification and open RAN, and published an open RAN security report. The Quad has also convened industry experts five times to discuss open RAN deployments and financing to push along the developing technology.

To help bring the grouping’s tech agenda to life, researchers and industry representatives across Quad nations have come together to provide thought leadership and recommendations for policymakers. The Quad Tech Network, led by the ANU National Security College with support from the Australian Government, convened experts in Canberra in September last year after releasing two series of policy papers. A similar dialogue was convened in San Diego in August, with a future dialogue expected in Tokyo.

When India next hosts the Quad leaders, possibly later this year, they will naturally want to make their mark on the tech agenda. And India is well placed to do so as an important source of talent, research, raw materials, and manufacturing.

As a budding diplomatic institution in the Indo-Pacific, however, the Quad needs to carefully navigate the way ahead. To be credible, it needs to progress initiatives that are just getting started. To be accepted, it needs to not step on ASEAN’s toes. To maintain its positive brand, it needs to be inclusive and counter Chinese disinformation. To meet the region’s needs, it needs to be ambitious and not invite Chinese retaliation. To have longevity beyond specific leaders and governments, it needs to institutionalise cooperation.

This all amounts to a complex dance.

Three years on, the Quad has an ambitious and creative tech agenda that rightly involves partnering closely with the private sector, academia, and regional partners. Now is the time to double down on implementation to realise the full potential of existing initiatives and show the region that it can deliver results.

Delivering the Quad’s tech agenda 

Almost three years have passed since the leaders of the four Quad countries pledged to co-operate on critical technologies to ensure that innovation is consistent with a free, open, inclusive and resilient Indo-Pacific. With technology and geopolitics both moving quickly, the Quad needs to focus on delivering on its commitments.

The grouping’s tech agenda now spans horizon-scanning, education and research, technology design, investment, supply chain resilience, and assistance to third countries. Implementation is well underway, although the full impact of many initiatives is yet to be realised.

Take for example the Quad investors network (QUIN) established in May 2023 to facilitate, and address barriers to, investment in 10 strategic sectors such as clean energy and semiconductors. It does not have an investment fund to draw from but focuses on connecting public, private and philanthropic stakeholders. Guided by a high-powered advisory board and with support from America’s Frontier Fund, the QUIN launched the Quad Center of Excellence for Quantum Information Science, hosted a Quad Investment and Technology Dialogue at the White House in October 2023, and has announced plans to partner with Australian company Q-CTRL to provide quantum technology training.

Dialogues and announcements can give the appearance of success, but money talks. The QUIN was labelled ‘instrumental‘ in India’s Epsilon Advanced Materials’ US$650 million investment in a battery plant in North Carolina late last year. While this is an important step forward, the QUIN’s measure of success will be forging many more partnerships that would not otherwise have occurred. On that front, more movement is needed.

QUIN matchmaking is being complemented by Quad efforts to align trusted sources of private capital with government tech priorities. The Quad Technology, Business and Investment Forum, most recently held on the margins of APEC in San Francisco last November, showcased business opportunities in emerging tech. It is still early days and a step in the right direction. Public-private convergence on technology development supported by patriotic investors could have substantial payoffs, not only in the context of the Quad but also defence technology partnerships like AUKUS.

In the Indo-Pacific region, the Quad has put in place the administrative and institutional architecture to improve digital infrastructure access and resilience. The US Department of State signed a technical assistance grant with Palau to modernise its mobile network and deploy open radio access network (RAN) capabilities. Australia has established the Cable Connectivity and Resilience Centre to provide subsea cable technical assistance, particularly to Southeast Asia. While not officially a Quad activity, construction of the $135 million East Micronesia Cable is now underway, funded by Australia, Japan and the US, providing lessons and expertise for the Quad to build upon.

Quad countries have also laid out their vision for technology governance by developing principles on technology standards and technology design, development, governance and use. Improving telecommunications security and open architecture for RAN has been a key focus, including to manage risks from Chinese vendors like Huawei and ZTE. Quad members endorsed the Prague proposals on telecommunications supplier diversity, signed a memorandum of cooperation on 5G supplier diversification and open RAN, and published an open RAN security report. The Quad has also convened industry experts five times to discuss open RAN deployments and financing to push along the developing technology.

To help bring the grouping’s tech agenda to life, researchers and industry representatives across Quad nations have come together to provide thought leadership and recommendations for policymakers. The Quad Tech Network, led by the ANU National Security College with support from the Australian Government, convened experts in Canberra in September last year after releasing two series of policy papers. A similar dialogue was convened in San Diego in August, with a future dialogue expected in Tokyo.

When India next hosts the Quad leaders, possibly later this year, they will naturally want to make their mark on the tech agenda. And India is well placed to do so as an important source of talent, research, raw materials, and manufacturing.

As a budding diplomatic institution in the Indo-Pacific, however, the Quad needs to carefully navigate the way ahead. To be credible, it needs to progress initiatives that are just getting started. To be accepted, it needs to not step on ASEAN’s toes. To maintain its positive brand, it needs to be inclusive and counter Chinese disinformation. To meet the region’s needs, it needs to be ambitious and not invite Chinese retaliation. To have longevity beyond specific leaders and governments, it needs to institutionalise cooperation.

This all amounts to a complex dance.

Three years on, the Quad has an ambitious and creative tech agenda that rightly involves partnering closely with the private sector, academia, and regional partners. Now is the time to double down on implementation to realise the full potential of existing initiatives and show the region that it can deliver results.

Building a risk management program for critical infrastructure

In Australia’s bustling cities and vast remote regions lie the critical infrastructure assets that are fundamental to people’s lives: electricity, water, health care, telecommunications, transport, food and more. Critical infrastructure is vulnerable to an array of hazards, including threats from people with malicious intent, and needs to be protected.

In recent years, owners and operators of critical infrastructure assets in Australia have faced a number of challenges, including the impacts of the Covid-19 pandemic, natural disasters, economic fluctuations, cyberattacks, supply-chain disruptions and data breaches.

To safeguard our society by maintaining the vital services we depend on, in 2022 the government introduced amendments to the Security of Critical Infrastructure Act 2018 that require owners and operators of critical infrastructure to develop and maintain a written critical infrastructure risk management program (CIRMP). The CIRMP enables the identification of risks and informs investment in measures to protect critical infrastructure against potential threats. The Security of Critical Infrastructure (Critical infrastructure risk management program) Rules 2023 outline the baseline security standards that must be met by 17 August 2023.

In navigating the road to compliance, owners and operators that are subject to the rules must provide an annual report to the Department of Home Affairs (or other relevant regulator). The report will assess the effectiveness and maturity of the entity’s risk-mitigation measures and must be approved by the entity’s board or governing body. The first report is due between 30 June and 28 September 2024.

The CIRMP must address risks across four key hazard vectors: cyber and information, personnel, supply chain, and physical and natural hazards. It is essential for critical infrastructure entities to establish and maintain processes or systems that minimise, mitigate or eliminate potential impacts arising from these hazards.

While implementing the protective security requirements outlined in the legislation may seem daunting, it also presents an opportunity to strengthen critical infrastructure enterprises. The design of the act and the rules draws heavily on the Commonwealth Protective Security Policy Framework (PSPF), which has been evolving over the past couple of decades.

The PSPF serves as a guide for government entities in implementing protective security measures. It emphasises a risk management approach rather than a compliance mindset, allowing entities to tailor their security measures to their specific goals, risk environment and capabilities. It also encourages the maturation of security measures over time, empowering management to determine the appropriate level of investment in protective security controls based on evolving threats.

It’s important to remember that there’s no one-size-fits-all template for the CIRMP: it should be customised to suit the unique circumstances and risks of each entity. However, the PSPF provides some key insights that can help entities to develop effective CIRMPs.

Integrate security into governance. Integrating security into existing business processes is key to creating a robust CIRMP. This involves fostering regular discussions and making security an integral part of organisational decision-making. Establishing clear governance at the board level ensures accountability and proper allocation of resources.

Utilise existing resources. Building on existing best practices, standards and procedures provides a solid foundation for an effective CIRMP. Identifying and prioritising efforts to bridge any gaps in security measures helps maximise the use of available resources.

Set a realistic budget. Aligning security objectives with adequate resources demonstrates a strong commitment to protecting critical infrastructure assets. It is essential to allocate a realistic budget that supports the implementation of necessary security measures.

Move beyond compliance. Moving beyond a compliance mindset is crucial for a comprehensive CIRMP. That could include a focus on understanding contextual factors and deploying dynamic security controls that adapt to evolving threats. It’s also important to cultivate a security culture that establishes clear expectations, promotes effective communication, demonstrates best practices and provides ongoing education throughout the organisation.

Establish performance metrics. Establishing specific, measurable and achievable metrics is vital to evaluate the effectiveness of security measures. These metrics should provide insights into overall enterprise activity and risk management. Regular reporting and continuous evaluation are important to monitor security maturity and drive improvements.

By incorporating these insights from the PSPF, critical infrastructure owners and operators can confidently develop robust and tailored CIRMPs that enhance the protection of their assets, bolster the resilience of their operations, and enable them to report their risk maturity in line with legislation.

Policy, Guns and Money: Cybersecurity and critical infrastructure

In this episode, ASPI’s Alex Caples speaks with Hamish Hansford, who was recently appointed deputy secretary of cyber and infrastructure security at the Department of Home Affairs. They discuss the links between cybersecurity, supply-chain security and critical infrastructure, as well as the rise in ransomware attacks, including on hospitals, and lessons learned from the Colonial Pipeline attack. They also talk about the amendments to the Security of Critical Infrastructure Act and what they mean for industry, and the role that government and industry need to play in securing Australia’s critical infrastructure.

National resilience requires a whole-of-system approach

Owners and operators of Australia’s critical infrastructure will soon be turning their minds to the annual reporting required under the government’s new risk-management program. For many, this will be a new obligation under the amended Security of Critical Infrastructure Act 2018 and one that sits within a very crowded federated reporting landscape. While there will probably be a few bumps along the way, the process is likely to highlight that an issue-specific policy focus (in this case, on critical infrastructure) won’t achieve the cross-sectoral or cross-jurisdictional action on nation-building that Australia so desperately needs.

There’s no doubt the requirements will challenge entities to better manage their security risks, which is a good outcome. Reporting will require them to identify material risks, minimise risks to prevent incidents and mitigate the impact of realised incidents. The list of entities covered is long and spans owners and operators of critical electricity, gas, liquid fuel, water, telecommunications and data storage assets. Also included are critical financial market infrastructure assets connected with payment systems, some hospitals, domain name systems, critical food and grocery assets, critical freight infrastructure assets and critical broadcasting assets.

The rules under the act identify four key hazard vectors: physical security and natural–physical security risks, cyber and information security risks, personnel and ‘trusted insider’ risks, and supply chain risks. However, this is still missing the mark that a more whole-of-system approach could achieve.

A 2020 OECD report outlines what such an approach would look like: ‘Next-generation systems analysis models have to better integrate real-world dynamics such as social and behavioural heterogeneity. This will help to represent social dynamics and complex collective decision-making and facilitate the evaluation of the effectiveness of policies and their systemic impacts.’ The key message is that policymakers should embrace interconnectedness and complexity and avoid oversimplification.

Of course, adopting a systems approach to nation-building is complex and challenging. But the point we need to appreciate is that not doing so has led us here. And not doing so will keep us here.

However, there is some movement. The joint federal and state government funding to rebuild roads and infrastructure in 26 disaster-declared councils in northern New South Wales has a ‘build back better’ focus. A joint media release says the $312.5 million package will mean that ‘roads can be not just rebuilt, but also improved to withstand future extreme natural weather events’. The federal government has allocated $980 million to 20 projects across Australia’s north that will deliver upgrades to ‘high priority roads … essential to the movement of people and freight’.

However, while the intent is admirable, the focus continues to be sector specific and fails to address the fact that the impacts of disasters aren’t abating.

In January, Western Australia’s Kimberley region was hit by extreme weather and flooding associated with Cyclone Elli. Once again, the fragility of infrastructure in Australia’s remote communities was highlighted. The defence force was called in to assist, but a C-130 Hercules aircraft intended to evacuate large numbers of people couldn’t land because of bad weather. Many remote communities were isolated for weeks and the highways connecting WA, the Northern Territory and Queensland were cut. The human impacts are shortages of food and drinking water, limited safe places to live, inability to work and financial stress.

Amendments have been proposed to the Northern Australia Infrastructure Facility that are intended to recognise that ‘sustainable and resilient economic development of northern Australia is critical to the prosperity, security and future of our nation as a whole’. These changes aim to empower the facility ‘to provide financial assistance to develop economic infrastructure for the benefit of First Nations Australians’ and will increase its investment capacity from $2 billion to $7 billion.

Many in northern Australia will welcome these initiatives. They have been waiting a long time for the message to get through about the inadequacy of roads, rail and infrastructure, and the importance of taking a whole-of-community view. We’re yet to fully appreciate the significance of these inadequacies, but given the geopolitics in our region and the concurrent and cascading natural disasters we’re experiencing, we need to get moving anyway.

Traditional approaches and dated thinking explain how we got here—and they won’t help in navigating an increasingly interconnected and complex world. The federal public service has a big role to play in embracing systems thinking to drive nation-building. However, the ‘robodebt’ royal commission has unearthed deep flaws in public sector thinking and it would be unwise to assume they’re confined to a single department or sector. There are renewed calls for the public service to provide frank and fearless advice. I’m reminded that, many years ago, a senior public servant told me that ‘Frank Fearless’ was locked in the basement. All these years later, it seems they’re still there.

The absence of expansive thinking and joint stewardship perpetuates a reliance on blunt legislative mechanisms, one-off funding boosts that address a symptom of a past problem in a specific location, and legislated expansion of mandates in an already crowded landscape. These are band-aid fixes at best.

There are a lot of challenges to navigate, including an inflationary economy, cost-of-living increases, skilled workforce shortages, climate change, geopolitics in the region and the need to transition away from fossil fuels—let alone the need to achieve on-time, on-budget delivery of defence capability. Until policymakers fully adopt a systems approach in their thinking and planning, we’ll continue to trade one priority for another.

We can and need to do better.

The threat to democracies from information insecurity

After the recent midterm elections, Americans are breathing a sigh of relief that social-media-fuelled threats of violence against voters and election officials didn’t materialise. It’s a disturbing sign of the times that a peaceful vote is a pleasant surprise.

What is driving some people to reject the legitimacy of fair elections, embrace conspiracy theories and even resort to political violence? We believe the answer lies in a novel threat to democracies around the world: information insecurity.

Information insecurity is much more than vulnerability to propaganda. It is the deliberate and systematic distortion—enabled and heightened by digital capabilities—of an entire information ecosystem.

Consider the parallels to natural disasters and climate insecurity. In the past, we dealt with hurricanes, droughts and floods as isolated emergencies. Today, we understand climate change as a threat to entire systems of agriculture, energy and public safety. Similarly, we once addressed famine with case-by-case responses. Today, we understand food insecurity as a permanent threat not only to life but also to social cohesion and political stability.

Systemic threats require systemic responses that address the enabling technological conditions. Our 20th-century tactics—isolating or blocking channels of propaganda broadcast by our adversaries—won’t suffice. Those channels were broadcast by a limited number of known sources that were easily recognisable by origin, vector and contrast to conventional media fare.

Today’s information operations are multicast across hundreds of channels—optimising speech and reach by using an interplay of broadcast and digital media, including social media, and leveraging the techniques of online advertising, targeting and algorithmic manipulation to maximise audience size. For example, the Kremlin not only pushes its Ukraine-related propaganda over state media channels, both broadcast and digital, but also relies on a large network of covert digital channels across multiple languages and platforms. These channels spread conspiracy theories about Nazis in Kyiv, blame the West for the absence of food shipments blocked by Russia and stoke unrest in the European Union over energy prices and refugees.

These tactics amplify homegrown conspiracies and blur the distinction between foreign and domestic agents. Moreover, the objective isn’t simply to persuade but to weaken confidence in facts and to sow suspicion of ‘fake news’ everywhere. Algorithms tuned to maximise attention accelerate the effect.

Autocratic governments like China respond to this threat by seizing control over both the production and distribution of media domestically. Though the authorities can’t eliminate all dissenting views online, they prevent any major disruption to the party line. Russia has chosen a similar approach—albeit with far less efficiency.

Democracies must find another way. In democratic societies, freedom of expression is essential both as a basic human right and as a principal mechanism of holding government accountable. In our response to information threats, we must ensure that the cure is not worse than the disease.

We cannot delete our way out of this problem. To respond to information insecurity without restricting freedom of expression, we must address the structure of the market and the logic of a business model that privileges controversy over integrity. This means directly engaging the big technology platforms (largely American and Chinese) that hold unprecedented control over global information distribution.

These firms didn’t cause the social problems that drive contemporary political conflict. But they are the single biggest factor in accelerating trends towards extremism. Despite their efforts to curb illegal activity and thwart exploitation of their services, their products are still designed to profit from outrage and remain vulnerable to widespread abuse.

Meanwhile, the market power they wield over advertising has gutted the commercial viability of traditional journalism, which once stabilised democratic politics by establishing a consensus about basic facts. Many traditional news media outlets have responded by joining the race to the bottom.

Democratic governments should treat information systems as critical infrastructure, just like gas, water, electricity and telecommunications. The first step is to require American platforms Facebook, YouTube and Twitter to curb the exploitation of their services by authoritarian governments mounting deliberate disinformation campaigns. To harden democracies’ defences further, we need standards for information markets against which to assess possible security risks, such as the impact of Chinese control over TikTok (the most popular platform among young people).

These standards must not be governments dictating what content is allowed and not allowed on media channels. That is a decision for private actors to make, as they have. But while every technology platform in the market today has rules governing content and behaviour as well as the collection and use of personal data, too often they do a poor job of applying their own rules. Government regulators should hold them to their promises and set additional standards for consumer protection, in the same way that we regulate the safety of food, pharmaceutical and natural resource industries.

To reconnect citizens with a common base of facts, democracies must strengthen public-service journalism. One approach is to use competition policies—such as those recently applied by Australia—that compel tech companies with market power over digital advertising to negotiate revenue-sharing agreements with news organisations. Taxes on digital transactions can also be used to boost investment in public media, local media, media literacy and journalism schools.

Rules, standards and investments in the media marketplace are not simply economic policies. They are security imperatives, alongside green energy and public health. Unless we act soon, our information security will weaken further, dividing us against ourselves. Autocrats and domestic rabble-rousers can then shape a self-serving narrative of intensifying democratic dysfunction.

US President Joe Biden’s national security strategy, released in October, identifies a set of ‘transnational challenges’ that are not ‘secondary to geopolitics’ but lie ‘at the very core of national and international security’. These challenges include climate change, food security, communicable diseases, energy shortages and inflation. Information insecurity belongs on that list, too, because it exacerbates these other challenges and poses its own grave threat to democracy.

Tag Archive for: critical infrastructure

Stop the World: TSD Summit Sessions: Technology innovation and investment with Gilman Louie

The Sydney Dialogue (TSD) is just weeks away.

To help our listeners prepare for the forthcoming discussions at TSD, we are bringing you an interview with Gilman Louie, who was the first CEO of In-Q-Tel— set up in 1999 by the CIA as an independent, not-for-profit strategic investment firm —and Commissioner on the National Security Commission on Artificial Intelligence from 2018-2021. Gilman is co-founder and partner at Alsop Louie Partners, and he is also a co-founder and CEO of the America’s Frontier Fund, so there is no one better placed to talk about strategic competition, innovation and investment.

Director of the Sydney Dialogue, Alex Caples, asks Gilman about the role of technology as a component of state power, how the innovation landscape has changed in the United States and how the government and private sector are working together on innovation and investment in the design and manufacturing of technologies.

TSD is ASPI’s flagship event for cyber and critical technologies. The summit brings together world leaders, global technology industry innovators and leading thinkers on cyber and critical technology for frank and productive discussions. TSD 2024 will address the advances made across these technologies and their impact on our societies, economies and national security.

Find out more about TSD 2024 here: ⁠https://tsd.aspi.org.au/⁠

Guests:

⁠Dr Alexandra Caples⁠

⁠Gilman Louie

Stop the World: Explainer: A quick dive into subsea cables with Jocelinn Kang and Jessie Jacob

Subsea cables have been a major focus in the media lately. Just last week at the Quad Foreign Ministers’ meeting in Tokyo, Australia announced the launch of its new Cable Connectivity and Resilience Centre—its contribution to the Quad Leaders’ Partnership for Cable Connectivity and Resilience.

So, what are subsea or undersea cables and why are they important? In this short explainer, Olivia Nelson speaks with ASPI experts Jocelinn Kang and Jessie Jacob about this vital strategic asset, where their vulnerabilities lie, and their role in Australia’s resilience.

Transcript:

Dave: Welcome to stop the world. The ASPI podcast on security and International Affairs. I’m David Wroe

Liv: and I’m Olivia Nelson.

Dave: Now, first of all, Liv, how did I not know that Tassie was completely cut off for a while in 2022?

Liv: Well you aren’t alone there, Dave. I’m embarrassed to admit that I also missed that.

Dave: Now I’m choosing not to believe that we just weren’t paying attention to our beloved southern state, but rather, there was just a lot going on that year. But thankfully, to explain all of this issue with subsea cables, we’ve got a short treat for our listeners ahead of our regular Friday programming. Liv, you’ve spoken with two of our experts here at ASPI, Jocelinn Kang and Jesse Jacob.

Liv: That’s right, Dave, I asked Jo and Jess to give us a crash course on the infrastructure we all take for granted, but about which most of us know very little. What are subsea cables? Why are they important, and what are their vulnerabilities?

Dave: So Liv, I’ve got to tell you, Jo actually explained to me the other day how the internet works, and it was bloody useful. Now you’ve done the same for subsea cables today, which I’m very grateful for, and it’s done quickly, which is just what our busy listeners need. So with no further ado from us, let’s dive into the conversation.

Liv: We’re hearing more and more about subsea cables, their strategic importance and vulnerabilities. So today, I’m pleased to be joined by ask these Jocelinn Kang and Jessie Jacob to provide a bit of an overview for our listeners. Jo, I might turn to you first, what are submarine cables and why are they important?

Jo: Thanks, Liv. Submarine cables are the conduit that carries almost all the world’s international data traffic. So if you’re listening to this podcast and you don’t live on the Australian mainland, I can almost guarantee that it traveled via a submarine cable to get to you. Now they’ve always been a strategic asset because they’ve enabled communications to far off lands, but today they’re even more critical because of how much we rely on the data that they transport for businesses, financial markets, military and civilian comms. And of course, things like Facebook and Tiktok and Google search. Submarine cables represent the most cost effective high speed way to transport massive amounts of data.

Liv: So not satellites, Jess? Isn’t that how information is communicated globally?

Jess: No, not really, and it’s really common to think that, but the vast majority is through these subsea cables. Now, this isn’t to say that satellites don’t get used. They certainly are. And they’re good for remote areas with no cable connectivity. But they don’t carry nearly the same amount of data, nor at the same speeds. They’re certainly better than nothing, and they have been used as communication backups recently in places like the Ukraine and in Tonga when they lost their subsea cable connectivity. But they don’t sort of kick in like a one to one backup like a power generator would if the mains go out. So in that regard, it’s better to focus on the resilience of sub cables themselves, rather than satellites.

Jo: To give you an example of the consequences of losing your submarine cable access, we just need to look at Tasmania in 2022 when both the main submarine cables were cut within hours of each other. This caused a widespread outage, and it meant flight delays, loss of access to ATMs and EFTPOS facilities, and that forced businesses to close.

Liv: So Jo, what do these cables look like? Well, I was fascinated to discover that, believe it or not, when they’re lying on the seabed, deep in the ocean, they’re only about the size of a garden hose. Other parts that are closer to shore, they’re a bit thicker because they have more protective armour around them. But the part that actually carries the data, they’re thin strands of fibre optic cable, and the rest of the cable, it’s actually just to give it structure, power and protection. So the power is for repeaters on the cable, so that they can amplify the light signal down the line.

(Jo misspoke here. It’s not structure, but rather insulation)

Liv: And what is the armour for? Am I right to assume that sharks are a threat to national resilience

Jo: In the very early days of having communication cables under the sea, unfortunately, whales used to get entangled in the cable lines, and sharks did actually bite the cables. But since the 1950s the industry started burying the cables in shallower areas to protect them from more frequent bits of anchors and bottom trawling fishing gear. Now, as a result, whales no longer become entangled, and shark bites have reduced. But it really should be said that shark bites, or fish bites, they only made up about 0.1% of cable faults, and since 2006 they’ve actually been no reported shark related cable faults.

Liv: It’s a pretty tiny figure. So what are the biggest threats to the cables?

Jo: Humans.

Jess: –but not humans biting cables. So the most likely cause of damage to cables is actually fishing related. As Jocelinn mentioned earlier, a boat anchor can be dragged across a line, trawling activities and that sort of thing. It’s often done by accident, but of course, could be done on purpose, and it would be pretty hard to prove.

Liv: I’m trying to visualise what happens when a cable gets damaged. Say, I’m watching Netflix and a cable gets cut, does my internet suddenly go out and my Sunday night is ruined?

Jess: Well, whether or not your night was ruined kind of depends on what you’re watching. But seriously, though, if we remove from this scenario any caching or local data storage aspects and focus on how data moves globally, the data gets rerouted away from the damage cable to a different one. And this is why redundancy is so important and a big part of resilience.

Liv: There’s that R word again, resilience. What does resilience look like when it comes to sub cables?

Jo: Well, the way I see it, a resilient submarine cable system is one that operates with minimal disruption and ideally no disruption. But that’s in a perfect world. And the reality is, cable disruptions happen, and they will continue to happen. So, resilience means we need to protect the system to try and avoid disruptions, and then in the event a disruption occurs, that we can be in a place where we can quickly recover.

Liv: So how can we do that? Jo?

Jo: There are a few ways we can protect and try to prevent disruptions, physical security for one of the cables themselves, such as putting armour around them. But even more important is protecting the areas where cables are concentrated, so the areas of ocean where they come up to landfall, and the cable landing stations where these cables are connecting to terrestrial networks. We’ve also mentioned redundancy previously. This is another way, which is about having alternate paths for the data to use in the event of a disruption. So this could mean alternate cable pathways, but also alternate modes of transport, like terrestrial fibre or satellite links. The other element of protection is cybersecurity. So protecting the cable management networks, these are the ones that control the data flows across the submarine cable network. Then, of course, in the event that a disruption occurs, we would want to be able to quickly recover, and this means having an effective and efficient repair capability. So, repair ships to restore that connectivity.

Liv: Okay, so because we don’t have major disruptions, I assume that Australia has all of these elements of protection in place?

Jess: Well, more can be done to protect cable landing stations, and I think there’s a bit of a choke point, so a clustering of cables in Sydney, but in many other areas, Australia is in a relatively good spot. We have multiple cables, and they generally land in geographically diverse locations. And Australia legislates for the protection of several areas for cables. They’re called protection zones. Now, I would say the more problematic issue is the cable repair industry. It’s kind of barely hanging on. There are a limited number of repair ships. Those are surprisingly hard to pin down, but out of about 70 cable ships worldwide, about a third of those are designated repair it’s an aging fleet and an aging workforce getting a cable repair quickly has a worrying amount of luck involved. You want to have a repair ship nearby and be high on the repair priority list.

Liv: And what about using the other ships you mentioned?

Jo: They’re busy and set up to lay new cables as we transition more to cloud and AI and then 6g and everything that enables that’s going to mean more data traffic. Now, if all that data traffic wants to move across oceans, that’s going to mean more cables

Jess: Mmm exactly, and more cables require more repair ships and a solid cable repair industry. It’s the biggest gap Australia has in the resilience piece.

Jo: It’s one of those things that when it works, it works, and you won’t even know about it, but when it doesn’t…

Liv: …everything grinds to a halt?

Jess: Yeah, I think it’s customary in the sub cables field, to quote the US Federal Reserve’s Stephen Malphrus here, who spoke in reference to the financial sector and said when the communications networks go down, it doesn’t grind to a halt. It snaps to a halt. And he said that nearly 15 years ago.

Liv: Scary stuff. Thanks Jo and Jess for explaining the importance and vulnerabilities of subsea cables to our listeners. I look forward to having you back on the podcast soon.

Jo: Thanks Liv.

Jess: Thanks.

Guests:

⁠Olivia Nelson⁠

⁠Jocelinn Kang⁠

Jessie Jacob