Saturday, June 12, 2010

CERT Australia high risk strategy

As explained by the Prime Minister in a speech at ANU, 28 May 2010, the Australian Government will now be relying on the Attorney General's Department "Computer Emergency Response Team Australia" (CERT Australia) for cyber security information and advice, for both government agencies and the public.

The Australian Government previously helped fund the not-for-profit, non-government AusCERT based at the University of Queensland.

The ability of CERT Australia to provide authoritative advice is unproven and its ability to provide independent advice unclear. This change therefore represents a high risk strategy for protecting Australia's cyber infrastructure.

AusCERT advised that some government services, such as the National Information Technology Alert Service and National IT Incident Reporting Scheme, would be discontinued in February 2010.

However, some services funded by government agencies, such as Stay Smart Online Alert Service, funded by the Department of Broadband, Communications and the Digital Economy, would continue.

AusCERT intends to continue to offer subscription services to non-government and government organisations.

According to a media report, federal agencies using their own service will result in a loss to AusCERT of $250,000 in annual subscriptions.

However, an IT professional managing operations at a medium to large federal government agency is likely to feel it is prudent to pay for an AusCERT subscription, even though they can get free advice from the government CERT Australia. In the event of a major security breach resulting in loss of life, economic loss or sensitive information loss, the individuals involved may have to explain to a court why they failed to take sufficient steps to protect the public. That a non-expert told them they did not need independent IT security advice, even if that person is the Prime Minister, would not make a strong defence.
