Security in a borderless world: address [to] Second World Conference on Information Security Education.





July 2001

Security in a Borderless World
Second World Conference on Information Security Education
Edith Cowan University, 2 Bradford Street, Mount Lawley, Western Australia
9:45am, Thursday, 12 July 2001

Introduction

I am pleased to be with you today at the opening of this conference on information security education. The fact that so many international speakers are here to participate in the conference highlights that information technology issues no longer respect national borders.

Our ease of access to information technology, and especially the Internet, has removed many boundaries. At the same time it has given us a new set of challenges in securing the information delivered to us. As professionals in the information security field you play a vital part in protecting this information and ensuring it does not fall into the hands of people who could misuse it.

Importance of Information Security

We are all increasingly reliant on information systems. The technological revolution has dramatically changed the way in which both the private and public sectors go about conducting their business. I see from the program that this conference will be dealing with such disparate issues as intelligence, distance education and e-commerce.

In Australia the Federal Government wants to make sure that the nation and its citizens benefit from the advantages of information technology.

User confidence has been identified as a critical factor in the uptake of electronically delivered services, especially e-commerce. As a result security can no longer be seen as a costly add-on. It is a fundamental part of business activity. Management will need to be involved in the decision making process in respect of security and be aware of the benefits arising from sound information security management.

There have been a number of instances of the theft of credit card details from computerised databases. The most notable recently must have been the theft in February of details relating to some of the world’s richest and most powerful people, including Bill Gates, Yasser Arafat, Yoshiro Mori and George Soros, who were attending the World Economic Forum meeting in Davos.

Consequently, people are becoming more reluctant to transact business using their credit cards. In Australia, the Attorney-General’s Department is working on national and international initiatives to protect electronic transactions. However, these measures will not necessarily protect material such as credit card numbers that are held in insecure databases.

Business also has a key role to play. A business that can demonstrate compliance with recognised standards, will have a marketing edge as individuals will have more confidence in dealing with them.

Integrity is the assurance that information has been created, amended or deleted only by the intended and authorised manner. It is of concern where information is susceptible to alteration and where that change would have negative consequences. The need for integrity applies not only to the information being stored, processed or transmitted but also to any systems, especially information technology systems, performing those functions.

In other areas rapid technological development presents new challenges for security practitioners, particularly testing their responsiveness to potential global and domestic security threats. People who once had only a few outlets for their political and ideological views are now easily able to exchange their opinions around the globe via the Internet. The new technology has allowed disparate groups to form associations which can react quickly to international events and trends. The World Economic Forum and related anti-globalisation protests, such as those in Seattle, Melbourne and Davos, signify a new trend and emerging threat to democracy. Cyberterrorism is an emerging threat for which we must be prepared.

How do we protect Government information and assets?

There are many challenges in regulating information on the internet.

At the most fundamental level, simply determining whether an attack on a Government’s computer network is criminal, and therefore within the jurisdiction of the police, or politically motivated and also within the ambit of the intelligence agencies, is potentially daunting.

Who is the enemy? What is their motivation? The ‘hacker’ is just as likely to be a child sitting alone in his or her bedroom in another country, wreaking havoc in Australia, as it is to be an ideologically-driven political extremist.

Government is taking the lead in information security

I would like to tell you what the Australian Government is doing to protect its own information. The methods being used, I believe, provide an example of best practice, and lead the way for all Australian organisations.

The Australian Government collects, receives and develops large quantities of information. We expect our agencies, and the people who use and keep this information, to recognise that it is a valuable official resource, which they hold on behalf of the Australian people. Government functions and official resources must be safeguarded from hazards that would weaken, compromise or destroy them. To do this our policy is to promote a security ethos and awareness amongst all our staff and service providers.

In September last year I approved the introduction of a new Protective Security Manual (PSM) for Australian government agencies. This sets minimum standards for the protection of all official information, resources and people.

The guidelines provide that information contained in government systems must be handled with due care and only in accordance with authorised procedures. The information must be made available only to people who have a legitimate need to know to fulfil their official duties or contractual responsibilities. And that it is only to be released in accordance with the policies, legislative requirements and directives of the Government and the courts.

I should stress that the ‘need-to-know’ principle does not apply to members of the public exercising their rights under legislation such as the Freedom of Information Act 1982.

I should mention that Australia’s State governments have expressed an interest in adopting the Protective Security Manual’s standards, rather than developing their own. This would facilitate the flow of information between Australia’s different levels of government and would build on the cooperation and coordination which is vital to good government.

The Australian Government is also committed to developing capabilities in both the public and private sectors to respond to any attack on information systems. With this in mind, we maintain a continuous review of our protective security arrangements. We have also supported the development by Standards Australia of national standards for information security management, which I launched last year. Australian/New Zealand Standard 4444 will be a major factor in providing business security and in improving the confidence of users who interact with business.

Privacy

The development of information technology and the Internet has dramatically increased the quantity of information available in digital form. This has resulted in a proliferation of uses of personal information. Some of these have major implications for the privacy of individuals. The inherent limitations of paper-based systems provide a certain level of privacy protection but the migration of personal information to IT systems has made possible a far greater range of uses of personal information, making it easier to transfer information from system to system. The Internet also makes it easy to solicit and collect information.

Whilst the privacy of information held by the Australian government has been strictly controlled for many years, information in the private sector is only just starting to be regulated.

The Privacy Amendment (Private Sector) Act, which comes into force later this year, amends the Privacy Act 1988 and establishes a co-regulatory scheme in relation to the protection of personal information held by private sector organisations. It provides legislative benchmarks for the handling of personal information, called the National Privacy Principles. It also allows for the development of privacy codes that can be approved by the Privacy Commissioner. Where there is an approved privacy code, the code operates in place of the legislative standards. If an organisation has not subscribed to an approved privacy code, the legislation applies.

Model Criminal Code

Unfortunately, the same advances in technology that are changing the way business is conducted are also providing new opportunities for crime. It is therefore essential that the responses governments and businesses make to the challenge of privacy protection do not inhibit the investigation and prosecution of e-crime.

The Federal Government has sponsored the introduction of a new Model Criminal Code. Because Australia is a federation, its States and Territories all need to update their laws to cover new forms of crime. The Model Criminal Code, when enacted by all States and Territories, will provide a set of uniform offences.

New South Wales, Victoria, Tasmania, South Australia, the Northern Territory and the Australian Capital Territory, have all implemented parallel Acts. A bill is currently before the Queensland Parliament and here in Western Australia, where a previous bill lapsed because of State elections, I expect a new bill to be introduced later this year. These Acts provide that the ‘unauthorised impairment of electronic communications’ is an offence which carries a maximum penalty of 10 years imprisonment.

Australia recognises that cyber-crime is an international issue and is keeping a close watch on developments with the draft Council of Europe Cyber Crime Convention, which is being drafted in an effort to develop a common international approach. As far as possible the model Australian offences will be consistent with that approach, although we cannot afford to delay implementation of the new offences.

Protection of the National Information Infrastructure (NII)

Just as in the past we had to protect our traditional infrastructure, such as dams, roads, railway lines, oil wells, today we have to protect our information infrastructure. The National Information Infrastructure comprises essential services such as telecommunications, banking and finance, transport and distribution, energy and utilities, information services and critical government services.

With Australia’s increasing reliance on information technology and the online environment, it is vital that the NII is protected from viruses, hackers, denial of service attacks and information warfare. The Government has established the E-Security Coordination Group to help make certain these security issues are addressed strategically. The group consists of representatives from key government agencies and in addition to focusing on security standards, works on incident reporting, awareness raising and skills shortages.

Our strategy is to build cooperative arrangements between the public and private sectors. Because much of the NII, and much of the technical expertise required for its operation, is in the private sector, cooperation is essential to formulating the necessary framework of protective security and response capabilities. For this reason we established a Consultative Industry Forum, comprising representatives of all the constituent parts of the NII.

An obvious first step is to raise awareness. Despite increasing publicity about the Internet and electronic commerce and their potential security problems, there is still little awareness in Australia of threats and vulnerabilities or of defensive measures required to meet them. In addition, many organisations are not aware that their operations are even part of the NII. The Industry Forum has agreed that steps must be taken to raise awareness levels through education campaigns. Any campaign must highlight the need to balance security effectiveness with economic advantage. This is a classic case of risk management.

The Government approach to protecting the NII is one of coordination rather than regulation. However, the Government is well placed to make links between what may seem totally unconnected attacks on individual information systems and is able to contribute significant technical expertise to complement that in the private sector.

Overseas trends in NII protection

Australia is playing a significant role in international developments in NII. Within the OECD Australia - or more specifically, Peter Ford, First Assistant Secretary of the Information Security and Law Division of the Attorney-General’s Department - chairs the Working Party on Information Security and Privacy. This party has undertaken a review of the 1992 OECD Security Guidelines to make them more relevant to today’s environment of interconnected and interdependent information systems.

Australia must engage other countries which are actively pursuing critical infrastructure protection. This may take the form of mutual awareness of each others’ activities, pursuit of international standards, training, and research and development. To this end we will continue our engagement with US agencies responsible for responding to e-crime and national infrastructure protection. The UK, Canada and New Zealand have all recently made significant announcements regarding critical infrastructure protection. While they have all taken different approaches, Australia will endeavour to establish appropriate links to each.

Australia is also monitoring the European Commission policy recommendations to address existing and emerging Internet security threats, which was developed to create a strategy for more secure Internet use through the European Union countries.

Conclusion

I would like to emphasise that the Australian Government is well aware of the need for security in the information technology field. This is necessary not only to protect publicly-held information and government resources, but also to protect the rights of the individual and the critical parts of the economy which are in private hands.

Security is essential if governments, corporations and members of the public are to have faith in on-line facilities.

For individuals, this means being confident that any personal information provided, such as credit card details, is held securely and only used for the purpose for which it was given. For corporations and governments, it means information is only available to those people who need, and are authorised, to access it.

As experts in the field, you have a responsibility not just to promote information security, but to ensure that all users of the technology can understand why systems need to be secure and take steps to make them secure.

Without adequate security there may well be no future in information technology. With adequate security society will continue to enjoy the great benefits it brings.

I hope you find your conference informative and enjoyable.
