In this article, I am arguing that a regulated Information Technology industry will result in higher quality systems and software and a new focus on security.
Australia is about to create a new cyber warfare division within the Australian Defence Force. Whilst the details are still secret, the objectives will likely be somewhat similar to those of the NSA. To attack our adversaries.
Just like the NSA, this new division will have the definite need to collect and store system vulnerabilities for future use in cyber attacks. These vulnerabilities can not be used for defence because they [the cyber warfare division] would have to make them known to the creators of computer systems in order to patch them and thus they would no longer exist as part of an arsenal. Therefore these vulnerabilities can only be used for attack and will be collected for later use. Secrets do not always remain secret and just like the effect of the Snowden documents release, those stock-piled vulnerabilities may later became accessible to others. Organisations like this new cyber-warfare division can only be used for attack. It is up to the industry more broadly through regulation to improve computer security. An important side effect is that regulation resulting in improved general information technology systems security will help national security organisations in their national defence efforts. I would encourage the new cyber warfare division to participate in hardening perimeter defences and critical systems directly and i suspect they will. However, as we will discuss below, that effort will be limited to testing and correcting in a limited way.
I am arguing that Australia needs to introduce regulation for the information technology industry with a focus on security.
As it stands, anyone can be employed within an organisation to develop, deploy and maintain computer systems without certifications and qualifications. There is no guarantees that any given certificate and course actually meets a suitable standard. We have a history of poorly written code that goes into devices we use daily. Systems that simply have not been tested to ensure they can not be misused. The fact that we get operating system (and smart phone) updates regularly as well as virus updates is testament to this fact.
The Internet of Things (IoT) is expanding the problem significantly. Estimates of the number of new devices being added to the Internet put is at around 20 billion by 2020. This is very attractive to those who build and employ bot-nets. The problems we face now are only going to get worse and at a pace we are not ready for. The problem is significant now but we are experiencing nothing near what we can expect to come. The IoT expands the attack vectors in extreme ways. There will be more devices and those devices have no (or little) quality control. They can all be considered vulnerable until proven otherwise.
The Internet of Things is touching our lives in ways we have not seen before. We are familiar with web browsers and word processors crashing from time to time. We accepted that. But when devices are more integrated into our lives (think of cars, planes, home automation, medical systems, rail networks, etc) we are involved in these devices and their reliability is critical to our physical safety.
Combine the three previously mentioned issues (poor code, massive expansion of devices online, physically interactions) and we can conclude we are not ready for the massive increase in Internet connected devices and systems. The expansion and adoption of Internet of Things is not going to slow down any time soon and if we are to profit from this movement, we are going to have to make calculated decisions now. Delaying this is not a viable option. The “market” approach to finding the right balance is not working. Ee are not getting good quality products because we are not insisting on it. There is no motivation for product makers to improve quality. We are asking for and getting getting faster-to-market products, more featured products and low cost products. All of which are a hinderance to security. We need to force good security through regulation.
More features means more complexity and complexity is the enemy of security. Faster-to-market means either more money or less quality.
This discussion paper is not on the topic of defining what regulation might look like but rather to discuss what we need to achieve. The Information Technology industry needs to follow in the footsteps of other sectors such as Health, Transport and Finance. Heath is a model we can consider. Both rely on individual professionals providing user-centric services. Both require protecting personal information. Increasingly, through the impact of IoT, both impact on our physical safety. Both have industry bodies made up of those practicing in their respective sectors. Health has incentives for high quality services and outcomes.
The risk of doing nothing is extreme and unacceptable. We are already facing realised risks to our financial, military and health services and increasingly to our populations physical safety (through IoT). We know our nations department of defence can not solve this problem because their focus must be offensive. We, as a society of information technology experts, need to take the initiative. No regulation means we contribute to the attackers capabilities which is fully counterproductive to our interests.
We have a choice. We can start the discussion now and make recommendations to our politicians or eventually they will make unilateral decisions impacting on us all. Government is not known for making wise technological decisions (think about clipper chip, the data encryption standard (DES) and the last Census in Australia which failed at “Availability” which is one of the core pillars of IT security, “Confidentiality, Integrity and Availability”). We need to put forward sensible minimal standards, a way of encouraging those standards and we must do this before – and then with – government. Government will eventually get involved but they must do so only where the industry has begun taking its self more seriously. Otherwise the outcomes will be incoherent and ideological.
If Australia was to move to enforce regulation of Information Technology, it would have immediate benefit to the country. However, the true and complete solution must be global. The hurdle is high but so is the need. If Australia moves to regulate a minimum standard in Information Technology, we would expect our businesses and organisations to have well designed, built, tested and maintained systems. If other countries do not, devices and software imported to Australia from those countries without regulation (and a lower standard to that of Australia) would mean we will have a mixture of both well designed and poorly designed system but they will at least be properly implemented, maintained and tested. Right now we have more of the latter (poorly designed) but that would change with regulation to a far superior situation and ultimately beneficial to our country.
The ideal situation we must aim for is where all Information Technology systems are designed, built, implemented and maintained to a minimum standard and, where possible, surpassing those standards. This has not happened voluntarily to date (think about the need for constant software updates to systems, and the need for antivirus systems) and wont happen at all without there being a carrot and/or stick to encourage a higher standard. Regulating the Information Technology industry is needed to solve this. It is needed urgently.