CONNECTING WITH CONFIDENCE: OPTIMISING AUSTRALIA S DIGITAL FUTURE. AIIA Response

Transcription

1 CONNECTING WITH CONFIDENCE: OPTIMISING AUSTRALIA S DIGITAL FUTURE AIIA Response 14 November 2011

2 INTRODUCTION The Australian Information Industry Association (AIIA) is the peak national body representing suppliers and providers of a wide range of information technology and communications (ICT) products and services. Its membership comprises approximately 400 of the top international corporations as well as small to medium enterprises currently supplying innovative online applications supporting the Australian economy and enhancing the citizen engagement. AIIA s National Board of Directors includes all the major corporations currently involved in developments of high-speed broadband installations across global jurisdictions, such as Telstra, Google, IBM, Intel and Fujitsu, as well as small business organisations. AIIA's role is to lead and represent the ICT industry in Australia to maximise the potential of the Australian economy and society. AIIA is acutely aware of the cyber-security risks to ongoing safe use and exploitation of digital infrastructure, and the possible loss of confidence by users if those risks are not appropriately managed. Our members participate in all relevant government programs aimed at user education and awareness, information sharing among critical infrastructure owners and real-time cyber-safety exercises involving cross-jurisdictional and international stakeholders. In addition they are constantly involved in development of tools and services aimed at educating consumers about online risks, while at the same time enhancing the user experience. Overview It is safe to anticipate that in all aspects of society the use of and reliance on information and communication technologies (ICT) will be more pervasive in the future. It is also reasonable to expect that today s ICT technologies will continue to evolve into a model that more critically depends on services hosted on the internet using interconnected technologies. The pervasiveness and advancements in mobile technology and the demands of consumers will dictate that almost 2

3 every new electronic device will have some form of anywhere access capacity. 1 This recognition combined with the rapid convergence of content, technologies and delivery channels, will add to the possible threat of cybercrime in the future. Safe and confident use of digital infrastructure poses one of the most serious economic and security challenges for modern governments. The genesis of our current digital environment was born out of considerations of interoperability and efficiency, not security. Increased productivity growth and related economic advantages across sectors are now well accepted by commentators. 2 So the secure and safe use of all the potential benefits delivered by digital means must be assured by governments concerned with enhancing their nations GDP for the benefit of citizens. This frequently involves a fine balance between maintaining an eco-environment for digital activities that promotes safety, security, privacy and liberties, while meeting increasing consumer demands for innovative service delivery, efficiency, prosperity and fast, free commercial intercourse. AIIA commends the government and other stakeholders for taking an ongoing and vigilant approach to all these issues. That said, it must be acknowledged that cybercrime knows no borders and detection of perpetrators is notoriously difficult; the nature of many platforms used by criminals in the digital space facilitates anonymity. Criminologists have long argued that certainty of detection, not severity of punishment, is the true deterrent for would-be criminals. So any efforts to send clear signals to cybercriminals that the national and international community is working seriously towards reducing opportunities for nefarious activities will assist. AIIA is pleased the Discussion Paper recognises that fact. Information and communications technologies (ICT) have become an integral part of almost every facet of modern, developed economies, underpinning their civil infrastructure, public safety, energy supply and management, financial networks and national security. This development has led to productivity increases and enhanced efficiencies across many economic sectors such as the financial, manufacturing and retail sectors. 1 Microsoft Australia, E-Security Review 2008, page 4. 2 Access Economics, The Economic Benefits of Intelligent Technologies, April Commissioned by IBM Australia 3

4 But it has also resulted in opportunities for existing crimes such as fraud, forgery and impersonation to be carried out by the ill-intentioned in new and more detection-proof ways. A new lexicon has entered the public discourse reflecting the myriad models of behaviour now open to those intent on crime: cyberstalking, cyberbullying, phishing and spamming to name a few. If the undoubted benefits of online and digital economic transactions are to be further realised, all users must have confidence that information is secure, commerce is not compromised and critical infrastructure is not infiltrated. This confidence will only be assured through constant political vigilance, enhanced governance, application of technology, new delivery platforms such as cloud computing, education and awareness programs. Cybercrime can be understood by reference to its eco-environment, cyberspace. The US has defined cyberspace as the interdependent network of information technology infrastructures, and includes the internet, telecommunications networks, computer systems and embedded processors and controllers in critical industries. Common usage of the term also refers to the virtual environment of information and interactions between people. 3 By this definition, cyberspace is not just the internet; so cybercrime can occur in a much wider environment than the internet. Available Data? On the basis that governments cannot manage or regulate what they cannot measure, AIIA sees a threshold issue as the lack of credible data in this area. Credible data on the nature and prevalence of e-security risks and subsequent cybercrimes is notoriously difficult to obtain, due to a variety of reasons, including under-reporting. Victims of cybercrime under-report either through ignorance (as to what crime has occurred) or desire not to signal their organisation s poor security and so reduce their customers confidence. Banks are generally thought to fall into this group of underreporters. Under-reporting also occurs in cases of phishing and financial scams because victims do not wish to appear ignorant or gullible. 3 Cyberspace Policy Review, 4

5 In relation to theft of personal information (identity data), it is equally difficult to be definitive about nature and prevalence because in many cases victims do not know their personal data has been assumed or stolen until a subsequent crime is perpetrated against them, such as credit card fraud or some other financial incident. In this regard, estimates of the type provided by the AFP in the Discussion Paper (the risk to our economy is more than one billion dollars a year ) do not inspire confidence in our ability to come to terms with the size of the issue we face; AIIA suggests the government facilitate a more forensic analysis of the economic impact of cybercrime in Australia. Response Structure AIIA s response does not address all the questions posed in the Paper. We will instead comment on specific questions which have prompted member feedback. As a preliminary comment, AIIA members see great potential for security and privacy enhancements (and thus perhaps risk diminution) through adoption of newer delivery platforms such as cloud computing. In addition, education and awareness programs for all users at every engagement level should be enhanced by all governments. Pp 10: Issue: A growing portion of our lives and civic experience is conducted in the online environment. This environment has a unique set of characteristics, including anonymity, and allows people to interact socially unhindered by geographic distance. Question: How can we promote a concept of digital citizenship, reach agreement on acceptable online behaviour and encourage people to assume greater responsibility for that behaviour? 5

6 Answer: Governments can partner with the online industry to create and promote awareness programs for online risks and responsibilities; there are many examples in Australia and the US of this. Pp 11: Issue: Governments are progressively implementing online services in response to community expectations. However, many individuals do not trust their private data will be appropriately managed. Question: How can governments improve citizens and businesses trust that their private data will be secured and only used for agreed purposes? Answer: Trust comes through providing verifiable competence in securing data. In the move to online providers, governments have the opportunity to select providers with effective security, and to require those providers to be accountable for that security. Done correctly, with the right degree of certification, this approach would improve security over in-house systems and controls. Private industry is migrating to cloud delivery platforms because they realise that security is a feature of leading cloud providers product offerings it is applied throughout their environments and tested and audited regularly. Cloud delivery can focus on security as a competitive requirement, in comparison to diverse and geographically dispersed organisations, such as governments or large corporations, for whom security is often a localised effort with limitations based on awareness, system design, and available technical and personnel resources. Cloud architectures can be more sustainable from a security perspective. Corporations struggle with patch management and technology currency. Both of these issues lead to vulnerabilities that are at the root of many data security breaches. Cloud delivery offers a modern and sustainable security stack that enables corporations to focus on higher level data protection initiatives and not on low value added security maintenance activities. Pp 16: Issue: The digital economy presents both wide-ranging opportunities for increased productivity and innovation across the Australian economy and the risk of the loss of sensitive commercial data. 6

7 Question: How can small business awareness of commercial online opportunities be balanced with awareness of potential online risks and mitigation strategies? Small to mid-sized companies are the ones that can benefit the most from moving to the cloud. They lack the skill-set and budgets to manage complicated security issues. By moving to competent cloud offerings they lower their overall risk profile since the cloud provider assumes many of the security accountabilities. Issue: One of the primary impediments to e-commerce is consumers fear their financial or personal details may be at risk when conducting business online. Anonymity will remain a key part of the Internet, but trust and confidence in the digital economy may be undermined if people s financial and personal details remain at risk of being stolen by criminals. Question: What options are there for increasing consumers trust in conducting business online? Question: How can consumers be encouraged to take more responsibility to protect their information? Question: What are the options for broadening industry s efforts to provide customers with a greater level of trust and confidence in the security and privacy of their online transactions? Question: What information would help consumers and small businesses better protect themselves and enhance their trust and confidence online? Government agencies and industry can provide better education and awareness and ensuring that all providers meet the highest standards of data security. Industry should be required to meet a certain level of security certifications (e.g. ISO 27001). Online enterprises can contribute by posting their privacy and security statements, and by presenting awareness content for their customers and the general public. Both customers and the public should know how to contact those businesses regarding security concerns (e.g, potential abuse). Other helpful information can include evidence of security certifications (e.g. ISO 27001). 7

8 Pp 19: Issue: Much of the public discussion on cyber threats and risks to date has focused on national security issues. This important dimension has inadvertently hidden the reality that at its most basic level, security and safety online is reliant on the awareness of individuals. As a result, many businesses and consumers are not as mindful of cyber threats as they could be. Question: How can the Commonwealth, states and territories and industry effectively communicate the interdependent nature of individual and national cyber security? How can the importance of individual behaviour be highlighted in creating a secure, trusted and resilient online environment for all Australians? End-user security awareness is the most difficult message to deliver effectively, such that it makes behavioral changes that result in good security practice. Online service providers should have a Security Awareness program for their employees, and customer-facing security information that is accessible and useful. Much like a public health or safety program, government can take a role in developing basic skills, promoting secure online behaviors in schools and public service announcements. 8