Tuesday, October 18, 2011

Protecting Canberra from Cyberattack

Greetings from the ACS/Department of the Prime Minister and Cabinet (PM&C) Cyber Policy consultation meeting in Canberra. PM&C issued a discussion paper, “Connecting with Confidence, Optimising Australia’s Digital Future”, on 15 September, and the ACS is helping collect input on what should be in a Cyber policy white paper to be issued in mid 2012. I am a member of the ACS Cyber Task Force. There are eighteen people at the Canberra consultation and the room is booked for two hours, if anyone else would like to join in.

As the seat of national government, there are particular cyber-security issues for Canberra. The ACS had a chilling insight into the risks, with the hacking attack on the RSA organization as an example of an Advanced Persistent Threat (APT) to government.

Issues Raised in the Forum

  1. Do the same rules/laws apply in cyber-space as in the real world?: The consensus was that yes, the same rules apply, but they may need some tweaking, for example where people are "anonymous" on-line and where records are retained on-line for a long time.
  2. Awareness of consumers: The issue of what the general public understands about the Internet: do children understand where the services they are using on-line come from, and do consumers have an unreasonable expectation that transactions will be secure? A teacher commented that there is not enough room in the curriculum to teach everything about the Internet, but security issues could be incorporated as appropriate. The "Budd:e Cybersecurity Education" CD-ROM was held up as an example. Perhaps this could be incorporated in "Australian Curriculum Version 2"; there has been previous discussion of ICT in the curriculum.
  3. Technical solutions: IPv6 was raised as an improvement in security.
  4. Profiling of consumers: The use of targeted advertising on the web was raised as an issue.
  5. Directors' Responsibilities: Apart from government regulation, it was pointed out that company directors and others in charge of organizations are legally responsible, including for the actions of their organizations on-line.
  6. Security certificates: Can security certificates endorsed by government be used to identify legitimate web sites and members of the public? Will this create privacy issues with data aggregation? Do we trust companies? Do we trust the government? Should we have an international system where governments cross-check data? Will social mechanisms be more effective?
  7. Globalisation of data: To what extent will Australian regulations be effective if the data is in the cloud? One item which might be relevant to Australia is the National Strategy for Trusted Identities in Cyberspace (NSTIC), recently signed into law by the US President.
  8. Securing Open Government: The Australian Government has a policy to make information more readily available on-line. But there is a risk of sensitive or personal information being released by accident. As it happens, I run an ANU course (COMP7420) on Electronic Document and Records Management for public servants to address this.
  9. Is too much security bad?: Strong encryption will allow honest citizens to protect their privacy, but will also allow criminals to communicate without detection.
  10. Do Web Companies Have Too Much Power?: While much of the discussion was about the role of government, companies providing Internet services now have a very large role in what citizens see. What role is there for regulation?
