ABSTRACT
The Internet is an interconnected network and cyber security requires collective action. How that action is organised has important implications for national security, including the defence against cyber attacks and malicious activities. This article explains the origins and institutionalisation of cyber security in Australia—particularly ‘civilian cyber security’. The authors trace the origin of Australia’s first computer emergency response team and explain how this organisational form spread from the USA. Through it, Australia helped enable international cooperation. Domestically, however, the authors argue that the Australian government has struggled with the delegation, orchestration and abdication of responsibility for civilian cyber security, underinvesting in civilian organisations while overrelying on military and intelligence agencies. The history of this organisational field provides valuable insight into how to improve national policy and operations for cyber security.
Acknowledgements
This research would not have been possible without the time and commentary generously provided by our interview respondents. The authors would also like to thank Zoe Hawkins, Drew Herrick, Kathryn Kerr, Jon Lindsay and Liam Nevill for their helpful feedback, as well as the editors and anonymous reviewers of the Australian Journal of International Affairs.
Disclosure statement
No potential conflict of interest was reported by the authors.
Notes on contributors
Frank Smith is a Senior Lecturer with the Centre for International Security Studies in the Department of Government and International Relations at the University of Sydney.
Graham Ingram is currently an advisor to the Australian Digital Health Agency; from 2002 to 2014, he was the general manager of AusCERT, and he previously worked for the Australian government on national security.
Notes
1 The lines between them may blur, but ‘civilian cyber security … is not focused on military or intelligence applications’ (PITAC 2005, 21).
2 The collection of grey literature, old newspaper articles and other documents that we compiled for this research—including material from what was once The UQ Museum of IT—is listed as a ‘private archive’ in the references.
3 AusCERT was recently renamed again as the Australian Cyber Emergency Response Team.
4 For some time, AusCERT’s constituency also included universities, government and industry in New Zealand.
5 At another level of regional aggregation, the Association of Southeast Asian Nations has been slow to develop a coherent approach to cyber security or its own CERT (Heinl 2014).
6 The National Computer Security Authority inside the DSD was not recognised as a Commonwealth CERT (Interdepartmental Committee 1998, 34, 46, 69). In 2005, the Attorney-General’s Department established the Australian Government Computer Emergency Readiness Team. However, as the ‘R’ for ‘Readiness’ in this name suggests, it was ‘a tiny co-ordination team … with one technical staff and one policy adviser’—not an operational response team (Riley 2006).
7 Programs from this period that endure today include the Trusted Information Sharing Network, as well as the Australian Internet Security Initiative.