Vulnerability of Internet Exchange Points in Australia
Has the Government identified precisely where in Australia the critical points of vulnerability of our long-haul Internet infrastructure are?
In the United States, it took four years of research partly funded by the Department of Homeland Security to produce a map showing the critical points of vulnerability of their long-haul Internet infrastructure spanning at least 30 miles and connecting population centres of at least 100,000 people.
In November last year, an article by Kate Murphy in the New York Times “The Cyberthreat Under the Street” dealt with the issue of the severing of fibre optic cables that supplied telecommunications to large sections of the San Francisco Bay area in the USA, including to the Lawrence Livermore National Laboratory, the overseer of the nation’s nuclear weapons. Following each incident (and there were 16 such incidents in the area during the previous year) land and mobile calls, texts, emails and hospital records were inaccessible. Credit cards and A.T.M.s didn’t work.
The clouds and ether giving us access to the Internet and the security issues surrounding the malicious code infecting cyberspace receive, justifiably so, close media scrutiny. You may access the Internet wirelessly, but ultimately you’re relying on a bunch of physical cables that are vulnerable to attack. But the critical risk is not to the pipes comprising the millions of single or grouped underground fibre optic cables that can be – and often are – accidentally cut by electricity, plumbing and building contractors, council workers and home owners. Those inadvertent events usually result in relatively localised outages. The real problem is where the physical cables have points of vulnerability and that is at the junctures that handle vast quantities of Internet traffic. These are the “Internet Exchange Points,” or I.X.P.s, where the networks come together to trade traffic. They are points of strategic vulnerability which, if taken out by natural disaster or a strategic attack, could shut down Internet access to much of Australia.
The recent Australia-wide Telstra outages and the severing of the optic fibre cable connecting all of Tasmania earlier this year highlights the lack of path redundancy in Australia i.e. the lack of multiple transmission paths on a wireless network and the lack of separate pits and ducts for a wired network (that would have prevented the single point of failure in Tasmania). There would be critical “single point of failure” IXPs around Australia that, were they to be damaged, would have catastrophic impacts not only on medical, commercial and industrial facilities around the country, but on crucial defence capabilities as well.
So how secure are the buildings that house major IXPs in Australia? In the USA, Murphy found that many I.X.P.s are housed in “old, unprotected buildings … Often it’s possible to lease adjacent office space in the buildings. Sometimes there aren’t even security guards in the lobby. And the manholes around the buildings are also unprotected … The Department of Homeland Security, which is responsible for critical infrastructure, has no requirements for the physical protection of I.X.P.s nor does it have any rules against ownership by companies affiliated with a hostile foreign state.”
There is no reason to believe that things are any different in Australia. Are there regulations in place mandating design and construction requirements for the housing of IXP’s? More importantly, would such regulations be the appropriate way of dealing with the issue? Should government policy in this area be one which emphasizes the security and integrity of the buildings housing IXPs or one which focuses on designing a network with an appropriate level of redundancy by the building of more IXPs linking more abundant routes and exchanges so that the failure of any single IXP does not result in a catastrophic shutdown of the entire network? Does the design of the NBN adequately reduce the probability of single points of failure within the network i.e. what level of redundancy has been built into the NBN?
The issue of the identification, concentration and protection of I.X.P’s around Australia is a critical security issue as is the government’s policy regulating the construction, maintenance and physical protection of future I.X.P’s. All of these issues were raised with the Minister for Communications earlier this year. The Minister took 4 months to respond.
See his response at Minister Communications response to November 2015 email from me.