Critical infrastructure protection (CIP) refers to safeguarding essential services from harm. CIP has gained recognition as a priority area on the national security agendas of many countries in recent years, most notably Australia, due to events that have compromised the critical infrastructure (CI) of other nations. The importance of the CIP process is evidenced extensively in the related literature, where the major phases of the process are discussed. Traditionally, the CIP focus is on the three major stages of vulnerability identification, risk assessment and risk management. A study conducted by Breeding in 2003 introduced the risk of ‘sensitive but unclassified’ data to America’s infrastructure, viewing the threat on CIP from an alternative viewpoint. ‘Sensitive but unclassified’ data refers to information that may not on its own appear harmful but when amalgamated with additional data elements can be truly revealing about CI, thus posing a threat to CIP. This study adapts Breeding’s research to an Australian setting, in an attempt to determine the threat of public data availability on the CIP process in Australia. The methodology involved an observational study on the nature of the public data availability situation through a structured public data collection process, an evaluation of data protection mechanisms using a content analysis, and a survey of security experts in Australia. The ultimate objective of the study was to attempt to provide a solution to the censorship versus open information access debate, which is presently a prominent dilemma. That is, should certain CI-related information be restricted from the public arena in the interest of national security? The outcomes of the public data collection phase, the content and the survey revealed that a balance between open data access and restriction is required, supporting the existing view in the reviewed literature. A Stakeholder Matrix was devised as a crucial component of public data protection, providing a sensitivity-based grading system. Additionally, a structured approach in the form of the Public Data Protection Lifecycle was proposed, which recognised that current security mechanisms (primarily written documentation) do not offer adequate protection for CI-related public data. A comprehensive, and multi-faceted approach is required, which considers the Stakeholder Matrix, current written documentation (licence agreements), and technical security mechanisms as instrumental to protecting public data from potential misuse, and ensuring that the threat of public data availability on the CIP process, and Australia’s CI is minimised.
Unless otherwise indicated, the views expressed in this thesis are those of the author and do not necessarily represent the views of the University of Wollongong.