Submission of the.au Domain Administration Ltd (auda) to the Australian Government's Cyber Security Review



Similar documents
Review of.au domain name policy framework Submission to.auda

A business guide to registering a web address

Before the. Committee on Energy and Commerce Subcommittee on Communications and Technology United States House of Representatives

Domain Name Management

PLAN FOR ENHANCING INTERNET SECURITY, STABILITY, AND RESILIENCY

Domain Name Eligibility and Allocation Policy Rules for the Open 2LDs ( )

Internet Security and Resiliency: A Collaborative Effort

Redelegation of Country Code Top Level Domains. February 2003

Business Plan Summary

Final. Dr. Paul Twomey President and Chief Executive Officer Internet Corporation for Assigned Names and Numbers (ICANN)

Commonwealth Approach to Cybergovernance and Cybersecurity. By the Commonwealth Telecommunications Organisation

.au Survey. Understanding the Australian Internet User

Group Strategic Plan Final Draft

Strengthening our Ecosystem through Stakeholder Collaboration. Jia-Rong Low, Sr Director, Asia 20 August 2015

CentralNic Privacy Policy Last Updated: July 31, 2012 Page 1 of 12. CentralNic. Version 1.0. July 31,

SAC 049 SSAC Report on DNS Zone Risk Assessment and Management

Best Practices in Domain Name Registry Solutions Understanding the Technical Requirements of ICANN's Applicant Guidebook

IANA Functions to cctlds Sofia, Bulgaria September 2008

(U) Appendix E: Case for Developing an International Cybersecurity Policy Framework

ICANN Engagement Strategy Middle East! Baher Esmat!! MENOG 13! Kuwait, September 2013!

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

Microsoft Pty Ltd. Australian Financial System Inquiry: Response to request for further submissions

AusRegistry. Drop Catching Information Paper. Head Office. Level 8, 10 Queens Road. Melbourne, Victoria, Australia. Tel

Cyber-safety for Senior Australians. Inquiry Submission

AUSTRALIAN COMMUNICATIONS AUTHORITY CALL FOR EXPRESSIONS OF INTEREST FOR A TIER 1 REGISTRY OPERATOR FOR THE AUSTRALIAN TRIAL OF ENUM

ICANN STRATEGIC PLAN JULY 2012 JUNE 2015

005ASubmission to the Serious Data Breach Notification Consultation

Cyber security the facts

FAQ (Frequently Asked Questions)

ICASAS505A Review and update disaster recovery and contingency plans

Specific recommendations

Current Counter-measures and Responses by the Domain Name System Community

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

CYBERBOK Cyber Crime Security Essential Body of Knowledge: A Competency and Functional Framework for Cyber Crime Management

Legislative Council Panel on Information Technology and Broadcasting. Information Security

Australian Government Cyber Security Review

APNIC Plans and Budget - Review

ICANN- INTERNET CORPORATION OF ASSIGNED NAMES & NUMBERS

For Discussion Paper No. 9/2011 on 3 November 2011 DIGITAL 21 STRATEGY ADVISORY COMMITTEE. Cyber Security

Office of Emergency Communications (OEC) Mobile Applications for Public Safety (MAPS)

The Future of the Internet

Input to the Public Review of.edu.au Domain

DNS Security, Stability and Resiliency

April 10, Ms. Melissa Hathaway Acting Senior Director for Cyberspace National Security and Homeland Security Councils. Dear Ms.

Release: 1. ICANWK607A Design and implement wireless network security

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

Patrick Fair Partner, ITC and Data Security Specialist Baker & McKenzie. Developments in Security Regulation

MEMORANDUM Date Our reference Page Measures based on the action plan for improved Internet security

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

Victorian Government Risk Management Framework. March 2015

Innovating with the Domain Name System: From Web to Cloud to the Internet of Things

Chiropractic Boards response 15 December 2008

Information security controls. Briefing for clients on Experian information security controls

ICANWK406A Install, configure and test network security

The registration under the.de TLD from an egovernment view

Australian Government Information Security Manual CONTROLS

GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE CYBER SECURITY AND CYBER CRIME SEPTEMBER 26, CEO EDS Corporation

INFORMATION GOVERNANCE POLICY

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

Cloud Computing and Records Management

Action Plan for Canada s Cyber Security Strategy

TICSA. Telecommunications (Interception Capability and Security) Act Guidance for Network Operators.

Current Counter-measures and Responses by the Domain Name System Community

Consultation Paper on the Review on Administration of Internet Domain Names in Hong Kong

Declaration of Principles of the World Summit. Tunis in 2005 adopted by Heads of States and Governments stated that:

SAC075: SSAC Comments to ITU-D on Establishing New Certification Authorities

Risks and uncertainties

NZRS Technical and Business Systems Review Project. Draft -Terms of Reference for consultation with InternetNZ and.nzoc. 1 Introduction.

Ongoing N/A TBC. Baseline

Buchanan Law Communications Update

CYBER SECURITY INFORMATION SHARING & COLLABORATION

COMMUNIQUE. AFRICAN ICT MINISTERIAL ROUND-TABLE ON 42 nd MEETING OF ICANN. Hotel Méridien Dakar, SENEGAL. 21 Octobre 2011

Telecom and Internet Regulatory Challenges and Opportunities Names, Numbers, Internet Governance

Kim Davies Internet Assigned Numbers Authority

National Cyber Security Strategy of Afghanistan (NCSA)

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

655 Third Avenue, 10th Floor New York, NY , USA t: f: inta.org

National Surface Transport Security Strategy. September Transport and Infrastructure Senior Officials Committee. Transport Security Committee

External Supplier Control Requirements

Australian Government Information Security Manual CONTROLS

Our Commitment to Information Security

U. S. Attorney Office Northern District of Texas March 2013

Secure Web Applications. The front line defense

National Cyber Security Policy -2013

Verisign/ICANN Proposal in Response to NTIA Request

Inquiry into potential reforms of National Security Legislation. Cisco Systems Australia Pty Limited

Into the cybersecurity breach

Cybersecurity in the Commonwealth: Setting the Stage

CAPACITY BUILDING TO STRENGTHEN CYBERSECURITY. Sazali Sukardi Vice President Research CyberSecurity Malaysia

How To Manage Icann

Computer Networks: Domain Name System

DDoS Overview and Incident Response Guide. July 2014

Guideline 1. Cloud Computing Decision Making. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013

ESKISP Conduct security testing, under supervision

Operation of the Root Name Servers

Australia s counter-terrorism laws

QUESTIONS AND ANSWERS HEALTHCARE IDENTIFIERS BILL 2010

Security in the Cloud: Visibility & Control of your Cloud Service Providers

THE WHITE HOUSE Office of the Press Secretary

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

Transcription:

Submission of the.au Domain Administration Ltd (auda) to the Australian Government's Cyber Security Review About auda.au Domain Administration Ltd (auda) is the industry self regulatory, not for profit manager of Australia s.au country code Top Level Domain (cctld). As part of this role, auda: develops, reviews and enforces policy frameworks; oversees the management of critical technical infrastructure (such as nameservers) to ensure the stable and secure operation of the.au namespace; facilitates the promotion of competition, fair trading and consumer protection in.au; and participates actively in international fora related to our technical and policy mandate. auda is not an agency of government, however was formally endorsed to perform its current functions by the Minister for Communications (on behalf of the Commonwealth of Australia) in 2000. Introduction The Domain Name System (DNS) is a distributed system that facilitates the translation of Internet Protocol (IP addresses) to Internet domain names. It is critical for the stability and integrity of the model that every Internet connected device or network has a unique identifier and that every translation that occurs is accurate. The global mechanism for managing the DNS is decentralised. While it is coordinated by the Internet Corporation for Assigned Names and Numbers (ICANN), each country or territory manages its own national country code the role auda performs for.au. The physical and operational security of the servers that host the.au top level domain (TLD) and subsequent second level domains like com.au and gov.au (2LDs), as well as the communications between the.au registry and global and local DNS industry participants, are absolutely critical. With so much of Australia's communications, commerce and entertainment relying on the stability of the Internet, auda takes its role in maintaining this element of critical infrastructure very seriously. It is why we have existing networks and relationships with law enforcement and why we actively participate in a range of fora that address cyber security issues.

Given the above context, auda welcomes the opportunity to provide input to the Australian Government's cyber security review and looks forward to participating further as the review proceeds. General questions There are three broad areas that PM&C is seeking views from all organisations consulted. Roles and responsibilities, in particular the Australian Government s, in cyber security. - Do current roles and responsibilities for cyber security in Australia need clarifying and/or updating? - Do they reflect your views on the Australian Government s role and responsibilities and that of your organisation/institution? auda s interaction with the Australian Government in relation to cyber security and our administration of the.au DNS is through the following channels: the Department of Communications, for liaison on general Internet policy matters at a domestic and international level the Australian Government Information Management Office (AGIMO) within the Department of Finance, for the management of the gov.au domain space CERT Australia within the Attorney General s Department, for liaison and cooperation on cyber security incidents involving.au domain names. We believe that the roles and responsibilities of each of these parties are clear to all involved however may not be well understood by those in the broader cyber security ecosystem. auda believes that the role of government should be to maintain existing relationships and to facilitate greater awareness and more effective networking across relevant stakeholders. Challenges and opportunities. - What is the key challenge Australia faces in cyber security? What is the key challenge being faced by your organisation in cyber security? - What are opportunities for Australia in cyber security? Are we taking advantage of these? The key challenge facing Australia (and other economies) in cyber security is not a single threat or incident, but rather the rapid growth in scale, complexity and sophistication of "cyber adversaries". Our mechanisms for response and mitigation must be equally sophisticated and capable of rapid change. This is why auda advocates the maintenance of strong private and public sector partnerships and a role for government in facilitating robust networks for collaboration and communication.

From auda s perspective, the.au DNS is a piece of critical national infrastructure, and as such, it is a key target for cyber security attacks. The two most significant types of possible attack are: denial of service (DOS) or distributed denial of service (DDOS) attack on the.au primary and/or secondary nameservers, the aim being to cause severe degradation or failure of the.au DNS (.au domain names would cease to work) hacking of the registry database, the aim being to access domain name records for the purpose of hijacking or redirecting.au domain names. auda and the 2LD registry operator, AusRegistry, are constantly taking action to mitigate these risks and have critical incident response and disaster recovery plans in place to deal with cyber attacks on the.au DNS infrastructure and registry. However, one of the key challenges we face is the ability to access sufficient bandwidth to be able to absorb the volume of traffic in a sustained DDOS attack, so as to minimise the impact on the.au DNS and its users. We note that high profile gov.au domain names are likely to be a target for cyber security attacks, due to the potential to cause serious impact on users and political embarrassment for the Government. We believe it is important for AGIMO and government agencies to ensure they have taken appropriate measures to manage the risks of cyber security attacks targeting gov.au domain names. Identifying the most important missing piece of cyber security in Australia. - What would you change about existing methods of approaching / managing cyber security, and why? From auda s perspective, the missing piece is a lack of clarity over the role and responsibilities of the Australian Cyber Security Centre (ACSC) and its interaction with other organisations in this area (acknowledging that the ACSC has only been in operation for less than 6 months). At a more general level, auda observes that over the last few years, various policy and operational functions with respect to cyber security appear to have shifted between the Attorney General's Department, PM&C and other agencies. In our view, this is not an optimal situation for maintaining the stability and reliability of trust networks between government and stakeholders. Specific questions We also seek your views on a number of specific areas within the scope of the Review. Cyber security in the Australian economy. - How do you anticipate yours cyber security focus will change over the next five and ten years? - What does the cyber landscape look like in 2025 what are the opportunities and risks?

auda believes that the risk of cyber attacks on the.au DNS is ever present and likely to remain that way over the next five and ten years. This is based on knowledge gleaned from our international counterparts about their experiences in dealing with cyber attacks, as well as our dealings with the IT industry and cyber security agencies in Australia and overseas. Accordingly, our focus is on continuing to improve the security and resilience of our technical infrastructure and our operational processes. Along with the work we are doing within our own organisation, we are also committed to improving the security practices of.au registrars through our Information Security Standard (ISS) compliance and audit program (see below). International engagement - Where are the risks and opportunities for Australia engaging internationally on cyber security? We consider it vitally important that Australia engages internationally on cyber security, in both the public and private sectors. auda is an active participant in the Internet Corporation for Assigned Names and Numbers (ICANN), the Internet Engineering Task Force (IETF), the Internet Governance Forum (IGF) and regional fora such as the Asia Pacific Top Level Domain Association (APTLD). Cyber security issues are discussed at all of these fora to varying degrees. auda also maintains strong relationships with our international counterparts in order to share information and best practice, and offer practical assistance in the event of a cyber security incident. Partnerships and information sharing. - What are your views on cyber security information sharing between governments and private sector? - What mechanisms need to be in place now in Australia that are not currently accessible / available? auda supports the sharing of cyber security information between relevant government agencies and private sector organisations, and we would welcome more clarity on the mechanisms by which this can be achieved. As mentioned previously, clear communication and effective trust networks are absolutely critical to the efficiency of Australia's response to cyber threats and the Australian Government has a key role to play in this regard. Legislation, standards, guidelines and privacy issues. - What are your views on baseline standards and/or guidelines for cyber security? - What is the right balance between standards/regulation and self determination?

auda is committed to following security best practice in DNS administration. At the end of 2014, we implemented Domain Name System Security Extensions (DNSSEC), a security extension that facilitates the digital signing of Internet communications, helping to ensure the integrity and authenticity of transmitted data. The.au TLD and all.au 2LDs except gov.au have now been signed, and.au registrants in the signed zones have the choice to deploy DNSSEC for their own domain names. In 2013, we introduced the auda Information Security Standard (ISS) for.au registrars, to encourage and assist registrars to manage and improve the security and resiliency of their own businesses, and to protect.au registrants, and the overall integrity and stability of the.au DNS. Compliance with the ISS is mandatory. auda developed the ISS in the absence of any existing industry specific standard or guideline (although it is based on ISO 27001, which is the internationally recognised baseline standard for information security management). At a more general level, auda believes that the development of technical standards is absolutely essential for the stable operation of the Internet and, by association, for the battle against cyber crime. However, the terms "standards" and "regulation" should not be used interchangeably. Standards are often developed in a collaborative environment whereas regulations or legislation may not be. While standards provide a shared understanding, regulations may serve to limit the scope and agility of a cyber security response. As such, auda believes regulations must be kept to the minimum possible level that still allows appropriate coordination. Cyber security research, development and innovation. - How can Government better support thought leadership on cyber security to drive innovation and practical outcomes in cyberspace for the Australian economy? auda has no specific comment in response to this question, though notes our earlier observation that the government should play a visible role in coordinating cyber security efforts. This would necessarily support thought leadership and deliver practical outcomes. Cyber security skills and cyber literacy. - What specific cyber security skills are in shortage within your organisation, and more broadly, what are the skills you see in demand within client organisations? - How could Government and industry work together better to address the skills shortage? - Do you undertake community engagement programs on cyber security in order to improve the Australian community s awareness and understanding of the importance of cyber security? We believe that auda has a role to play in raising awareness and understanding of cyber security issues within our own industry, which we do in a number of ways:

the introduction of the ISS for registrars and the provision of associated security training and resources the Security and Online Safety award category of the Australia and New Zealand Internet Awards (ANZIAs), which we run each year in conjunction with InternetNZ cyber security related panel sessions and workshops at the Australian Internet Governance Forum (auigf), which we host each year regular attendance and participation by senior auda staff at relevant conferences and events, such as the ACSC Conference.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information