AGIX Discussion Cyber-Security

The Case For Regulating Information Technology Services and Products in Australia

In this article, I am arguing that a regulated Information Technology industry will result in higher quality systems and software and a new focus on security.

Australia is about to create a new cyber warfare division within the Australian Defence Force. Whilst the details are still secret, the objectives will likely be somewhat similar to those of the NSA: to attack our adversaries.

Just like the NSA, this new division will have a definite need to collect and store system vulnerabilities for future use in cyber attacks. These vulnerabilities cannot be used for defence, because the cyber warfare division would have to disclose them to the creators of the affected systems in order to patch them, and they would then no longer exist as part of an arsenal. Therefore these vulnerabilities can only be used for attack and will be collected for later use. Secrets do not always remain secret and, just like the effect of the Snowden documents release, those stock-piled vulnerabilities may later become accessible to others. Organisations like this new cyber warfare division can only be used for attack. It is up to the industry more broadly, through regulation, to improve computer security. An important side effect is that regulation resulting in improved general information technology systems security will help national security organisations in their national defence efforts. I would encourage the new cyber warfare division to participate in hardening perimeter defences and critical systems directly, and I suspect they will. However, as we will discuss below, that effort will be limited to testing and correcting in a limited way.

I am arguing that Australia needs to introduce regulation for the information technology industry with a focus on security.

As it stands, anyone can be employed within an organisation to develop, deploy and maintain computer systems without certifications or qualifications. There are no guarantees that any given certificate or course actually meets a suitable standard. We have a history of poorly written code that goes into devices we use daily: systems that simply have not been tested to ensure they cannot be misused. The fact that we get operating system (and smart phone) updates regularly, as well as antivirus updates, is testament to this.

The Internet of Things (IoT) is expanding the problem significantly. Estimates of the number of new devices being added to the Internet put it at around 20 billion by 2020. This is very attractive to those who build and employ bot-nets. The problems we face now are only going to get worse, and at a pace we are not ready for. The problem is significant now but we are experiencing nothing near what we can expect to come. The IoT expands the attack vectors in extreme ways. There will be more devices, and those devices have little or no quality control. They can all be considered vulnerable until proven otherwise.

The Internet of Things is touching our lives in ways we have not seen before. We are familiar with web browsers and word processors crashing from time to time. We accepted that. But when devices are more integrated into our lives (think of cars, planes, home automation, medical systems, rail networks, etc.) we are physically involved with these devices and their reliability is critical to our physical safety.

Combine the three previously mentioned issues (poor code, massive expansion of devices online, physical interaction) and we can conclude we are not ready for the massive increase in Internet connected devices and systems. The expansion and adoption of the Internet of Things is not going to slow down any time soon, and if we are to profit from this movement we are going to have to make calculated decisions now. Delaying this is not a viable option. The “market” approach to finding the right balance is not working. We are not getting good quality products because we are not insisting on them. There is no motivation for product makers to improve quality. We are asking for, and getting, faster-to-market products, more featured products and low cost products. All of these are a hindrance to security. We need to force good security through regulation.

More features means more complexity and complexity is the enemy of security. Faster-to-market means either more money or less quality.

This discussion paper is not on the topic of defining what regulation might look like but rather on what we need to achieve. The Information Technology industry needs to follow in the footsteps of other sectors such as Health, Transport and Finance. Health is a model we can consider. Both Health and IT rely on individual professionals providing user-centric services. Both require protecting personal information. Increasingly, through the impact of IoT, both impact on our physical safety. Both have industry bodies made up of those practising in their respective sectors. Health, however, has incentives for high quality services and outcomes.

The risk of doing nothing is extreme and unacceptable. We are already facing realised risks to our financial, military and health services and, increasingly, to our population's physical safety (through IoT). We know our nation's Department of Defence cannot solve this problem because its focus must be offensive. We, as a society of information technology experts, need to take the initiative. No regulation means we contribute to the attackers' capabilities, which is fully counterproductive to our interests.

We have a choice. We can start the discussion now and make recommendations to our politicians, or eventually they will make unilateral decisions impacting on us all. Government is not known for making wise technological decisions (think about the Clipper chip, the Data Encryption Standard (DES) and the last Census in Australia, which failed at “Availability”, one of the three core pillars of IT security: “Confidentiality, Integrity and Availability”). We need to put forward sensible minimal standards and a way of encouraging those standards, and we must do this before – and then with – government. Government will eventually get involved, but it should do so only once the industry has begun taking itself more seriously. Otherwise the outcomes will be incoherent and ideological.

If Australia were to enforce regulation of Information Technology, it would have immediate benefit to the country. However, the true and complete solution must be global. The hurdle is high, but so is the need. If Australia moves to regulate a minimum standard in Information Technology, we would expect our businesses and organisations to have well designed, built, tested and maintained systems. If other countries do not, devices and software imported into Australia from those countries (built to a lower standard than Australia's) would mean we have a mixture of both well designed and poorly designed systems, but all of them would at least be properly implemented, maintained and tested. Right now we have more of the latter (poorly designed), but that would change with regulation to a far superior situation, ultimately beneficial to our country.

The ideal situation we must aim for is one where all Information Technology systems are designed, built, implemented and maintained to a minimum standard and, where possible, surpass those standards. This has not happened voluntarily to date (think about the need for constant software updates to systems, and the need for antivirus systems) and won't happen at all without a carrot and/or stick to encourage a higher standard. Regulating the Information Technology industry is needed to solve this. It is needed urgently.

2 comments

  1. My $0.02.
    Cheaper and faster-to-market do not necessarily have to leave out security. Security can be a selling point. The Australian 4WD aid ‘Tow-pro’, made here in SA by Redarc, is more expensive than the Chinese knock-off version – but it’s safer and more reliable – 4WDers buy them in preference.

    I spoke with a doctor I work with. His take: the government don’t know what they are doing, do not do much anyway, but industry bodies (which are also self-interested) do the bulk of ensuring our healthcare is proper. The buck stops with the AMA etc., governments only intervene in cases of criminality. (Except for the TGA perhaps).

    By and large government regulation is a toothless tiger when it comes to such things – you only have to look at ACMA’s role in the communications industry or the control of the River Murray. A danger that also exists with involving government is stupid ideas about encryption back-doors and the like.

    I think the Open Source model has something to offer here. The IT community has to take ownership and responsibility. Professional, industry and standards bodies must get the message out and help organisations see that risk is assessed properly, qualified people are employed and remain qualified and then government can step in where the national interest is really at risk (as they already do via the ASD etc.).

    1. All good points. Consider that roads have no rules (no speed limits, age restrictions, driver tests, etc). These don’t stop deaths on the roads but they make the roads safer. Right now we have no rules directly governing our work. We do as we want. The only rules that ‘might’ impact our work are a) our reputation, b) the requirements of the client, and c) our insurance guidelines.

      I’m not saying I like or want regulation. I’m saying it’s coming one way or the other and we can either be ready with a plan or have a plan imposed on us when the government decides to move.
