The Policy and Politics of E-Security

INSTO
Keynote Address
25 June 2002
Westin Hotel, Sydney

There probably is not a word that is more representative or more relevant to our current social, economic and cultural mood.  Security is both a sentiment and something tangible.  It cannot be compromised.  It is sacred.  It is an issue that is emotionally charged and goes to the core of our confidence in our government and our individual and collective future.

For me, it is a very broad definition.  Most obvious is national security and the war against terror.  But it also relates to more prosaic issues:  job security, financial security and family and personal safety.

With the politics of security at the forefront of debate in some way at all levels of government, it is little wonder that e-security has risen fast in the priority list.  However, the sense of urgency to address e-security has not been matched by an incremental upgrade in understanding the why, what, where and how of e-security in the cabinet rooms and board-rooms.

Being an expert in e-security is particularly challenging. Why? Because we are dealing with a highly emotive, politically sensitive and very current issue.  Unfortunately, this means we often see short-term decision making.  Add to this the rising incidence of cybercrime.  Add to this the reality of political and corporate decision makers having little knowledge in the field, and suddenly it is the experts that carry the burden of crucial aspects of Australia’s e-security in their hands.

This responsibility is as much the more esoteric moral obligation of professional technologists responding to the needs of a relatively ignorant client, as it is the transfer of risk associated with the defined contractual obligations.

The sector needs to be aware of this, and resist the temptation to exploit it.  You need to be the leaders now: at least until decision makers build their knowledge.  As with every new phase of technological innovation that has a profound impact on the social and political structure of society, the outside experts are relied upon to provide leadership in a vacuum.  You will do this by tackling problems through giving advice, providing solutions and delivering outcomes for e-security.

In the meantime, I think leaders and decision makers have a social, moral and professional responsibility to keep themselves informed.  Rapid technological change is, after all, nothing new.  We have lived with it all our lives.

With respect to political leadership, this challenge requires Ministers to rise above bureaucratic empires, legacy systems, lobbyists’ lines and corporate spin, and deliver outcomes in the broader public interest, as well as inspiration to the corporate sector.

With respect to corporate leadership in private business, this challenge requires Executives to rise above their own bureaucratic empires, legacy systems and corporate spin and deliver outcomes for their customers and shareholders.

To be able to do all these things it is necessary to understand the technology enough to know what in fact are the essential elements of an effective e-security strategy.

In the real world with the Coalition in power, this hasn’t happened.

Evidence of this lies in myriad independent reports that have reflected on various aspects of e-security over the last few years.

One such report is the Australian National Audit Office performance audit of the Coalition’s IT outsourcing debacle.  This report informs the view the Coalition does not grasp the capability and potential of information technology systems: be it hardware, software applications or the internet.

Further, I suspect if it weren’t for the Audit Office Report into IT Outsourcing and another into Internet Security, to which I will refer later, making strong recommendations on IT security matters, I doubt whether there would have been any policy on e-security emanating from this government at all prior to September 11.

The findings in the IT outsourcing report identified inconsistencies in the approaches of departments to their security obligations, as well as significant lapses in compliance with security obligations.

Incredibly, in what is an obviously serious lapse in security, one vendor advised the Audit Office that:

Specific security requirements need to be settled consistently with the solution, in consultation with the ESP [external service provider, or vendor], customer and certification authority.  In accordance with their operational and procedural requirements, PM&C security requirements were agreed shortly after transition. (Footnote Page 228)

What this means is that security issues were not resolved or appropriately certified prior to hand-over.  The vendor claims that this was in ‘accordance with operational and procedural requirements’, demonstrating that the flaw was contractual.  The fact that PM&C is the Prime Minister’s own department, handling the most sensitive information, makes this scenario almost unbelievable.

In a blunt assessment about the security vulnerabilities created by the Coalition’s mishandling of IT outsourcing, the Department of Defence, in the course of providing comment on the audit report, advised the Australian National Audit Office that:

A conclusion to be drawn from the DSD experience and also from the report, is that given the present state of the industry in Australia, outsourcing the management of high security networks would be a risky and also costly business.  External service providers are not experienced in managing networks to national security standards, as commercial risk drivers do not equate readily to government accountability requirements, let alone to managing counterintelligence threats.  The identification and then oversight of contractual obligations would therefore be even more resource-intensive than for conventional government networks.  (Page 230)

As a result, the Audit Office recommended that, where appropriate in outsourcing IT infrastructure services, agencies develop, in consultation with the Defence Signals Directorate, an integrated security architecture strategy that addresses operational security issues, identifies the necessary security safeguards and the required timetable for their implementation by the external service provider.

The Department of Defence and the Department of Finance and Administration, on behalf of all other agencies and departments, agreed with this recommendation.

The Coalition responded to these harsh criticisms by belatedly creating an e-security policy. This policy is coordinated through the E-Security Coordination Group, which is chaired by the National Office for the Information Economy.

A number of government departments and agencies are involved, including:

  • Attorney-General’s Department
  • Department of Defence, Defence Signals Directorate
  • Australian Federal Police
  • Australian Security Intelligence Organisation
  • Department of Prime Minister and Cabinet
  • Department of Foreign Affairs and Trade
  • Department of Transport and Regional Services
  • Department of Industry, Science and Resources
  • Australian Transactions Reports and Analysis Centre (AUSTRAC)
  • Australian Securities and Investments Commission
  • Department of the Treasury
  • Centrelink
  • Australian Bureau of Statistics.

It was only in November 2000, two months after the tabling of the two audit office reports that exposed security deficiencies, that the government acknowledged the urgent need for a national approach to e-security.  Citing, “an increasing reliance of government, business, citizens and consumers on networked technologies”, this national approach outlines the strategic goal of creating a trusted and secure electronic operating environment for both the private and public sectors including through:

1.  defining and protecting the National Information Infrastructure (NII), including identifying potential incidents of a critical nature;

2.  maintaining and enhancing law enforcement, national security, regulatory and revenue protection capabilities in the electronic environment; and

3.  pursuing these goals on an international basis.

The Government’s strategy for security of Commonwealth systems is directly related to their ability to deliver services online.  The Government itself stated that, as part of meeting their somewhat dubious stated policy commitment to deliver services online, agencies must also comply with a range of privacy and security-related legislation, standards and guidelines.
These include:

a.   The Commonwealth Privacy Act 1998;

b.   The Protective Security Manual (PSM) – for physical, information and personnel security;

c.   Since June 2000, Australian Communications-Electronic Security Instructions 33 – maintained by DSD;
These provide the formal basis for agencies to design and implement effective IT and website security practices.

d.   Enhanced online reporting of IT security intrusions as required under the incident reporting system (ISIDRAS) maintained by DSD.

e.   Agency Chief Executive Officers must report on compliance with existing Commonwealth security standards.  A security checklist assists agencies with the degree of comprehensiveness required in complying with the necessary standards.

On this issue of compliance, once again the Australian National Audit Office has played a role in exposing weaknesses and prompting a more effective e-security strategy within government.  In their performance audit of September 2001 titled Internet Security within Commonwealth Government Agencies, the principal objective was to form an opinion on the adequacy of Commonwealth agencies’ management of Internet security.

The audit office assessed protection against viruses, malicious code, website defacement, denial of service attacks, data theft or destruction and breaches of privacy.

Included in some 45 specific findings, the Audit Office found that six of the 10 agencies audited managed websites containing significant vulnerabilities, potentially exploitable by a malicious user over the Internet. In addition, the audit team identified other security issues in all sites.

The Audit Office also found that where Commonwealth websites were hosted and managed using in-house resources, the level of co-ordination and communication between relevant groups was substantially better than when site management was contracted to an external service provider.

A series of general recommendations arose from this report, many of which appear to have been adopted in government policy.  Once again the audit office prompted policy movement.

And I am pleased to report that this has had an effect. There is a security strategy in place at least in the Parliament House IT systems and networks, which, like many other organisations, suffered an attack from the NIMDA virus.

However, if there was a lesson to be learnt, it is about ensuring that users are advised of the strategy, at least as far as the impact on their use of the technology goes.  I found out the hard way when trying to participate in online chat with university students.  Justifiably, chat ports had been closed to protect against attacks, but they could have been opened to allow the chat session, had I known enough to notify the technical officers.

Protection against virus attacks also highlights the need for Computer Emergency Response Teams, or CERTs.  It is one thing to be aware of the risks and vulnerabilities, it is another altogether to be able to deal with emergency situations when they arise.

I would now like to introduce another major focus of my presentation today – the relationship between privacy and security.

For many engaged in political debates about security, there is an assumed dichotomy between the interests of security and the interests of personal privacy.  This assumption often ensures the debates become polarised around the respective advocates:  national security organisations in one corner, civil libertarians in the other.

This is an obvious over simplification of the issues.  But, like many issues in politics, once debates have been characterised in a certain way, it is very difficult to change that character in the eyes of the politicians, let alone in the eyes of the electorate.

Those familiar with the Hollywood movie ‘Enemy of the State’ would understand the deep passions, and indeed conspiracy theories, that can be ignited by the use of surveillance technologies.  This is where the competing interests of privacy and security collide.

However in this movie there is something for everyone.  On the surface, the message is one of surveillance being the vehicle for corrupt and criminal activity, but ultimately it is surveillance that leads to the inevitable justice that only Hollywood can deliver.  In what was in my view an otherwise mediocre effort, this paradox is one of the features of the debate.

Security, of which surveillance is merely one aspect, is OK whilst the threat is real.  Security is oppressive if it is considered excessive to the perceived threat.  So what is a reasonable balance?

Finding this balance is part of the political challenge.  So is moving beyond the polarisation and understanding that achieving a high level of e-security for a nation and a high level of personal privacy are not mutually exclusive.  The key lies in the technological tools that can be designed and built to respect and manage privacy in the same way they can be built and managed to provide security.

Once again an understanding of the capability of information technology is required at the political level to inform the scope and potential of policy that will achieve both objectives.

Perhaps more than any other bill in recent times, the Security Legislation Amendment (Terrorism) Bill 2002 and associated bills present themselves as a case in point.  As in many parliaments around the world, this bill has focussed the debate around the need to improve national security and the need to respect democratic freedoms, of which privacy is one.

It is testimony to a robust democracy like Australia that the Senate Committee process managed to produce a bi-partisan report recommending substantial changes to the original bills.  I can also report that as a result of considerable public debate, there has been considerable movement on behalf of the Government.  This has resulted in a comparatively constructive debate about necessary improvements to laws relating to terrorism in this country, without abandoning the democratic principles of a civil society.

For example, the proposal to weaken the type of search warrant required by law enforcement agencies to access emails stored on servers, by creating a different definition for ‘stored communications’, appears at this stage to have been abandoned by the Coalition.  Labor had pushed for, and subsequently welcomed, this change.

Privacy legislation did not fare quite so well, however.  When the Government introduced privacy bills for the private sector after years of procrastination, it was described by one expert in the field as the ‘world’s worst privacy legislation.’  Having come into force only recently, this Act is seen not so much as weighted towards the interests of security, but as weighted distinctly in favour of private interests seeking to use information technology in the pursuit of exploitative marketing techniques.

For the US, the dilemma is also very real.  The need to maintain an equilibrium between the expanded powers of the government to use technology, especially information technology, for investigative purposes and the protection of privacy and Fourth Amendment rights is a particular concern. When signing the PATRIOT Act, which broadened the US government’s powers of search and seizure of digital information, President Bush said, “Today, we take an essential step in defeating terrorism while protecting the constitutional rights of all Americans.” If this statement is to hold true, the government must effectively exercise these broad powers without violating privacy and Fourth Amendment rights, and thereby preserve and protect the public’s trust.

In the UK, the Government has embarked upon a comprehensive e-security strategy under the banner of UK Online: Digital Vision, with the Office of the e-envoy having announced plans to examine the use of digital signatures and smart cards.  In fact, throughout the European Union, member states are required to legislate in compliance with a raft of Directives, including Data Protection, Privacy of Personal Data, Lawful Interception of Communications and the Community framework for electronic signatures.

Multilateral agreements also form part of this e-security landscape, with the OECD Cryptography Policy Guidelines, the Communiqué from the Ministerial Conference on Combating Trans-national Organised Crime, the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual Use Goods and Technologies, and finally the Council of Europe Draft Convention on Cybercrime.

And what about the role of the private sector in pursuit of higher levels of national e-security? A US-based initiative called the Information Sharing and Analysis Centre, or ISAC, is a mechanism to allow private IT companies to share threat and vulnerability data.  Three sectors seen as critical by the US government, banking and finance, energy and IT, have established ISACs.  The idea is that sharing information about threats and vulnerabilities will reduce the likelihood of them developing into real security problems.  The policy message here is that openness is encouraged and ‘security by obscurity’ is definitely not the way to go.

Public/private relationships in Australia have focussed on the Consultative Industry Forum; however, in response to criticisms about the unwieldy nature of this group, the Government has flagged a more collaborative arrangement.  I will refer to the information contained on the National Office of the Information Economy’s (NOIE’s) web site, which says:

As a result of ongoing discussions with industry, it has been decided to pursue a collaborative relationship with industry along the following lines:

a.   Annual summits to be held in five states bringing together industry, government and academic interests to exchange information, discuss technological developments and challenges and review policy;

b.   Encouraging the development of small trust-based information-sharing groups with links to the Commonwealth in key sectors;

c.   Ongoing consultation with industry interests on specific policy initiatives as they arise, including any relevant proposed legislation;

d.   Facilitation of industry involvement in international fora dealing with e-security issues (including APEC and OECD).

The NOIE web site goes into further detail regarding the Government’s agenda, and I know that you will be hearing from NOIE tomorrow.  In summary, there is an awareness raising effort which will pursue a comprehensive communications plan, seeking to reach organisations and individuals with the key message that e-security is a core business and risk management issue, not merely an issue for IT managers.

Skills rate a mention with NOIE identifying a significant shortage of e-security-skilled personnel in Australia.  To address these issues, the government is planning to work with institutions, like the Defence Science and Technology Organisation, and relevant industry bodies to promote the inclusion of core security knowledge in all IT/computer science courses and assist industry to develop a certification scheme for e-security professionals.

Finally NOIE also refers to the need for more research and development (R&D) in e-security but does not offer any programs outside of the generic offerings, like R&D Start, which, as a well-known successful Canberra-based ICT SME entrepreneur remarked recently, should be called R&D Stop because of the freeze of grant allocations.

To their credit, NOIE is investigating “additional means of augmenting these policies and programs, including through facilitating linkages between researchers in commercial, government and academic sectors”.

Finally, I want to turn to the issue of the potential of the Australian companies that are in the e-security space.  I am unambiguous about this.  I believe Australia can be the best in the world in niche areas of ICT.  E-security is one such area that is worthy of promotion.  Given the political priority it now has, the vast room for improvement, and Australian minds and technology driving development and growth in the sector, there are vast opportunities.

Recently I was fortunate to be present at an excellent presentation by Austrade that provided an insight into the opportunities in the US market in e-security.

This presentation showed the extent to which the War Against Terror and the increasing scope and sophistication of internal and external security threats has driven demand for information security services to new heights.  The International Data Corporation (IDC) has predicted that the worldwide demand for security consulting, implementation, management, and training services will increase at a rate of 26 per cent to US$17.2 billion in 2004. The USA will represent nearly half of the worldwide spend, accelerating from US$2.8 billion (1999) to US$8.2 billion (2004). IDC predicts that in the USA, managed security services and security education and training will drive much of the spending – the 1999-2004 growth in these two segments is forecast to reach 28 per cent and 26 per cent, respectively.

The President’s 2003 budget initiatives and priorities include a total of $50 billion for information technology investments across the entire federal US government.  ‘Securing the Homeland’ can account for some $37 billion of this.  Through a mechanism called a Broad Industry Announcement, the US government has called for expressions of interest from e-security firms world-wide.  Through this process, Austrade have determined that the statistical success rate so far of Australian companies gaining funding is ten in one hundred.

Finally, I would like to make the point that how the Australian federal government procures its security requirements is a very important issue.  For Australian companies, a government contract is often the crucial export credential they require to break into new export markets.  Given there is a heightened awareness and indeed direct political pressure for government departments and agencies to get their act together with e-security, there is a unique opportunity to solve the security challenges with innovative, Australian solutions, and at the same time provide the growth opportunity to allow our best and brightest in the field to grow into an expanding global market.

In conclusion, the politics and policy of e-security are here to stay, so please think about the responsibilities that lie with the experts.  Security in one form or another is on everyone’s mind and our collective social wellbeing is best served by sharing knowledge, educating the decision makers and finding real solutions to some very complex challenges.

Good luck and thank you for listening.

AUSTRADE PRESENTATION: Charlene Mahoney, Business Development Manager – Australian Embassy, Washington and Aurelio Azpiazu, Assistant Director Defence Industry, Office of the Counsellor Defence Materiel