'Wild west' element standing in way of net protections: Coroneos

Security should be 2 percent of NBN price, says Internet Industry Association.

A hardcore, libertarian "wild west" faction was standing in the way of universal adoption of a proposed online security code of conduct for service providers that had international acclaim, said the outgoing chief executive of the Internet Industry Association.

Peter Coroneos (pictured) said he expected “the next tranche” of ISPs to join those servicing about 90 percent of Australians during Cybersecurity Awareness Week on May 30 but there were those outside the association’s membership who would never adopt the standard.

He said an ISP's decision to participate had little to do with their size but those without a security culture or who saw adopting icode as bowing to regulators were holding out.

The association’s icode was a voluntary industry standard set down last June and launched in December that had attracted the attention of US lawmakers and regulators.

One of Coroneos’ last acts before he retires in the middle of the year is to catch up with US cyber-security “czar” and former Microsoft chief information security officer Howard Schmidt to discuss how the icode could be adapted for use there.

Coroneos said that Australia was in the fortunate position of being a small country with a coherent approach to cyber security; in the US there were 19 agencies with “primary responsibility” for network security, he said, making co-ordination difficult: “You wouldn’t even know who you had to call” in the event of an attack.

The association would welcome a single point of contact for consumer complaints because many didn’t know where to turn, he said.

And he suggested that CERT Australia or another agency should pick up a "clearing house" function to alert the community to attacks (such a function was generally carried out by AusCERT at the University of Queensland).

He pointed to the National Broadband Network as a potential bringer of network chaos, linking high-speed broadband to hacker attacks, and a reason why ISPs should adopt the icode.

“If you can train a lot more packets on a target you can bring down a target faster,” he said.

And he said it was “enlightened self-interest” that ensured responsible ISPs adopted the recommendations because it reduced cost and risk to them: “It’s not in anyone’s interests to have infected users on the network”.

Although it was “no silver bullet” for stopping botnets and online fraud, Coroneos reiterated the association’s position that 2 percent of the price of the $36 billion National Broadband Network should be spent on securing it from attack.

“In an ideal world you would ensure you had end-to-end security built into the network,” Coroneos said.

“That would be the ideal outcome but whether it fits in the NBN Charter is another matter.”

He likened the spread of net security to that of car safety systems in the ‘50s and ‘60s led by US consumer campaigner and presidential hopeful Ralph Nader.

And although he stopped short of calling for the association to lead a Naderite revolution in Australian network security he said “if you have the opportunity to build another internet [NBN] then it’s very tempting before we’ve commissioned it to secure it”.

“I’m not saying IIA calls for NBN to be made secure but I do say that this is the time to have that discussion and I think if the answer is no it can’t happen then we’re back to [point solutions] and there’s no silver bullet here.”

A risk was that businesses, merchants and financial institutions such as banks may refuse to deal with people with poor security settings or whose devices were known to be active botnet participants.

But Coroneos said it was a “difficult call for the bank” that had to weigh risk against cost and which had pushed the responsibility for security on to customers.

“I don’t think we’re anywhere near the tipping point yet and ultimately I think that’s a commercial decision for them. If they woke up and found that the level of fraud was at an unsustainable level and they could point that back to negligence on the part of the user then you might think they could be tempted [to cut users off].

“But the threats have got so difficult to counter by an end-user; if its too hard for the user to manage themselves how could you punish the user?”

He predicted that the recent spate of attacks dubbed "advanced persistent threats" would grow and that trust built on standards and proven technologies and not belief systems had to prevail.

"Many organisations are compromised now; they just don't know that they are," Coroneos said. 

"We cannot move forward as a digital economy until and unless we get the security question right."