CONNECTING WITH CONFIDENCE: OPTIMISING AUSTRALIA'S DIGITAL FUTURE. AIIA Response

CONNECTING WITH CONFIDENCE: OPTIMISING AUSTRALIA'S DIGITAL FUTURE
AIIA Response
14 November 2011

INTRODUCTION

The Australian Information Industry Association (AIIA) is the peak national body representing suppliers and providers of a wide range of information technology and communications (ICT) products and services. Its membership comprises approximately 400 of the top international corporations as well as small to medium enterprises currently supplying innovative online applications supporting the Australian economy and enhancing citizen engagement. AIIA's National Board of Directors includes all the major corporations currently involved in developments of high-speed broadband installations across global jurisdictions, such as Telstra, Google, IBM, Intel and Fujitsu, as well as small business organisations. AIIA's role is to lead and represent the ICT industry in Australia to maximise the potential of the Australian economy and society.

AIIA is acutely aware of the cyber-security risks to ongoing safe use and exploitation of digital infrastructure, and the possible loss of confidence by users if those risks are not appropriately managed. Our members participate in all relevant government programs aimed at user education and awareness, information sharing among critical infrastructure owners and real-time cyber-safety exercises involving cross-jurisdictional and international stakeholders. In addition, they are constantly involved in the development of tools and services aimed at educating consumers about online risks, while at the same time enhancing the user experience.

Overview

It is safe to anticipate that in all aspects of society the use of and reliance on information and communication technologies (ICT) will be more pervasive in the future. It is also reasonable to expect that today's ICT technologies will continue to evolve into a model that more critically depends on services hosted on the internet using interconnected technologies. The pervasiveness and advancements in mobile technology and the demands of consumers will dictate that almost every new electronic device will have some form of anywhere access capacity. [1] This recognition, combined with the rapid convergence of content, technologies and delivery channels, will add to the possible threat of cybercrime in the future.

Safe and confident use of digital infrastructure poses one of the most serious economic and security challenges for modern governments. The genesis of our current digital environment was born out of considerations of interoperability and efficiency, not security. Increased productivity growth and related economic advantages across sectors are now well accepted by commentators. [2] So the secure and safe use of all the potential benefits delivered by digital means must be assured by governments concerned with enhancing their nations' GDP for the benefit of citizens. This frequently involves a fine balance between maintaining an eco-environment for digital activities that promotes safety, security, privacy and liberties, while meeting increasing consumer demands for innovative service delivery, efficiency, prosperity and fast, free commercial intercourse. AIIA commends the government and other stakeholders for taking an ongoing and vigilant approach to all these issues.

That said, it must be acknowledged that cybercrime knows no borders and detection of perpetrators is notoriously difficult; the nature of many platforms used by criminals in the digital space facilitates anonymity. Criminologists have long argued that certainty of detection, not severity of punishment, is the true deterrent for would-be criminals. So any efforts to send clear signals to cybercriminals that the national and international community is working seriously towards reducing opportunities for nefarious activities will assist. AIIA is pleased the Discussion Paper recognises that fact.

Information and communications technologies (ICT) have become an integral part of almost every facet of modern, developed economies, underpinning their civil infrastructure, public safety, energy supply and management, financial networks and national security. This development has led to productivity increases and enhanced efficiencies across many economic sectors such as the financial, manufacturing and retail sectors.

[1] Microsoft Australia, E-Security Review 2008, page 4.
[2] Access Economics, The Economic Benefits of Intelligent Technologies, April 2009. Commissioned by IBM Australia.

But it has also resulted in opportunities for existing crimes such as fraud, forgery and impersonation to be carried out by the ill-intentioned in new and more detection-proof ways. A new lexicon has entered the public discourse reflecting the myriad models of behaviour now open to those intent on crime: cyberstalking, cyberbullying, phishing and spamming, to name a few.

If the undoubted benefits of online and digital economic transactions are to be further realised, all users must have confidence that information is secure, commerce is not compromised and critical infrastructure is not infiltrated. This confidence will only be assured through constant political vigilance, enhanced governance, application of technology, new delivery platforms such as cloud computing, education and awareness programs.

Cybercrime can be understood by reference to its eco-environment, cyberspace. The US has defined cyberspace as the interdependent network of information technology infrastructures, and includes the internet, telecommunications networks, computer systems and embedded processors and controllers in critical industries. Common usage of the term also refers to the virtual environment of information and interactions between people. [3] By this definition, cyberspace is not just the internet; so cybercrime can occur in a much wider environment than the internet.

Available Data?

On the basis that governments cannot manage or regulate what they cannot measure, AIIA sees a threshold issue as the lack of credible data in this area. Credible data on the nature and prevalence of e-security risks and subsequent cybercrimes is notoriously difficult to obtain, due to a variety of reasons, including under-reporting. Victims of cybercrime under-report either through ignorance (as to what crime has occurred) or desire not to signal their organisation's poor security and so reduce their customers' confidence. Banks are generally thought to fall into this group of under-reporters. Under-reporting also occurs in cases of phishing and financial scams because victims do not wish to appear ignorant or gullible.

[3] Cyberspace Policy Review, www.whitehouse.gov/assets/documents/cyberspace_policy_refview.final/pdf

In relation to theft of personal information (identity data), it is equally difficult to be definitive about nature and prevalence because in many cases victims do not know their personal data has been assumed or stolen until a subsequent crime is perpetrated against them, such as credit card fraud or some other financial incident. In this regard, estimates of the type provided by the AFP in the Discussion Paper ("the risk to our economy is more than one billion dollars a year") do not inspire confidence in our ability to come to terms with the size of the issue we face; AIIA suggests the government facilitate a more forensic analysis of the economic impact of cybercrime in Australia.

Response Structure

AIIA's response does not address all the questions posed in the Paper. We will instead comment on specific questions which have prompted member feedback. As a preliminary comment, AIIA members see great potential for security and privacy enhancements (and thus perhaps risk diminution) through adoption of newer delivery platforms such as cloud computing. In addition, education and awareness programs for all users at every engagement level should be enhanced by all governments.

Pp 10:

Issue: A growing portion of our lives and civic experience is conducted in the online environment. This environment has a unique set of characteristics, including anonymity, and allows people to interact socially unhindered by geographic distance.

Question: How can we promote a concept of digital citizenship, reach agreement on acceptable online behaviour and encourage people to assume greater responsibility for that behaviour?

Answer: Governments can partner with the online industry to create and promote awareness programs for online risks and responsibilities; there are many examples in Australia and the US of this.

Pp 11:

Issue: Governments are progressively implementing online services in response to community expectations. However, many individuals do not trust their private data will be appropriately managed.

Question: How can governments improve citizens' and businesses' trust that their private data will be secured and only used for agreed purposes?

Answer: Trust comes through providing verifiable competence in securing data. In the move to online providers, governments have the opportunity to select providers with effective security, and to require those providers to be accountable for that security. Done correctly, with the right degree of certification, this approach would improve security over in-house systems and controls.

Private industry is migrating to cloud delivery platforms because they realise that security is a feature of leading cloud providers' product offerings: it is applied throughout their environments and tested and audited regularly. Cloud delivery can focus on security as a competitive requirement, in comparison to diverse and geographically dispersed organisations, such as governments or large corporations, for whom security is often a localised effort with limitations based on awareness, system design, and available technical and personnel resources.

Cloud architectures can be more sustainable from a security perspective. Corporations struggle with patch management and technology currency. Both of these issues lead to vulnerabilities that are at the root of many data security breaches. Cloud delivery offers a modern and sustainable security stack that enables corporations to focus on higher level data protection initiatives and not on low value added security maintenance activities.

Pp 16:

Issue: The digital economy presents both wide-ranging opportunities for increased productivity and innovation across the Australian economy and the risk of the loss of sensitive commercial data.

Question: How can small business awareness of commercial online opportunities be balanced with awareness of potential online risks and mitigation strategies?

Small to mid-sized companies are the ones that can benefit the most from moving to the cloud. They lack the skill-set and budgets to manage complicated security issues. By moving to competent cloud offerings they lower their overall risk profile since the cloud provider assumes many of the security accountabilities.

Issue: One of the primary impediments to e-commerce is consumers' fear their financial or personal details may be at risk when conducting business online. Anonymity will remain a key part of the Internet, but trust and confidence in the digital economy may be undermined if people's financial and personal details remain at risk of being stolen by criminals.

Question: What options are there for increasing consumers' trust in conducting business online?

Question: How can consumers be encouraged to take more responsibility to protect their information?

Question: What are the options for broadening industry's efforts to provide customers with a greater level of trust and confidence in the security and privacy of their online transactions?

Question: What information would help consumers and small businesses better protect themselves and enhance their trust and confidence online?

Government agencies and industry can provide better education and awareness and ensure that all providers meet the highest standards of data security. Industry should be required to meet a certain level of security certifications (e.g. ISO 27001).

Online enterprises can contribute by posting their privacy and security statements, and by presenting awareness content for their customers and the general public. Both customers and the public should know how to contact those businesses regarding security concerns (e.g. potential email abuse). Other helpful information can include evidence of security certifications (e.g. ISO 27001).

Pp 19:

Issue: Much of the public discussion on cyber threats and risks to date has focused on national security issues. This important dimension has inadvertently hidden the reality that at its most basic level, security and safety online is reliant on the awareness of individuals. As a result, many businesses and consumers are not as mindful of cyber threats as they could be.

Question: How can the Commonwealth, states and territories and industry effectively communicate the interdependent nature of individual and national cyber security? How can the importance of individual behaviour be highlighted in creating a secure, trusted and resilient online environment for all Australians?

End-user security awareness is the most difficult message to deliver effectively, such that it makes behavioral changes that result in good security practice. Online service providers should have a Security Awareness program for their employees, and customer-facing security information that is accessible and useful. Much like a public health or safety program, government can take a role in developing basic skills, promoting secure online behaviors in schools and public service announcements.