IIA chief slams Cyber Challenge Report

Recommendations made in a Kokoda Foundation study on Cyber challenges were premature and ill-suited for Australia, according to the Internet Industry Association's chief executive, Peter Coroneos.

Released today, Kokoda Paper No. 14 (Feb 2011) was titled "Optimising Australia's Response to the Cyber Challenge"  and was authored by John Blackburn and Gary Waters.

The paper argued that Australia's cyber security strategy is flawed.

"Australia is not keeping pace with the growing threat and as a result is placing the collective and individual security of the nation's people at risk," it said.

Coroneos [pictured] told iTnews this afternoon that he would not necessarily accept that conclusion.

"Australia is actually regarded amongst Western nations at least as having a very advanced and responsive cyber defence," Coroneos said.

"We have had AusCERT - which is very highly regarded. Many countries in the Asia region don't even have a CERT [computer emergency response team]."

Of the developed nations, Australia was at the forefront in terms of Government response, Coroneos said.

"That's not to say that more can't be done, but it's not fair to characterise Australia as following the pack."

The Kokoda report argued the need for a National Cyber Strategy and Framework - including more regulation of internet service providers and users - in response to an explosion in malware and DDOS attacks.

The authors recommended that the voluntary ISP code of practice (the icode), which came into operation in December 2010, needs to be legislated "as a matter of priority".

Coroneos, leading a lobby group that represents ISP's and the wider internet industry, did not share this view.

"We appreciate the Kokoda Foundation's endorsement of our work, but because something happens to be good, does not mean it should be made mandatory," Coroneos said.

He said the recommendation was premature and misunderstood the design of the industry code.

"Under current voluntary arrangements, we have over 90 percent of Australia's user base already protected by participating ISPs. That has occurred without the need for legislation."

Coroneos said the number of ISPs signing up will eventually grow to reach "near ubiquity".

"There are cogent reasons why we did not favour legislation. When you codify something in legislation, you tend to freeze it in time," he said. "This code, like the internet itself, is designed to be adaptable to changing conditions."

Furthermore, legislation would preclude ISPs going beyond the minimum standards already set.

"When you regulate, you force people to the lowest common denominator solution. We wanted to avoid that," he said.

Coroneos said the icode acknowledged that a large part of the problem originates with the users - not with the ISP.

"To impose a regulatory burden on the mere intermediary would be akin to holding car manufacturers accountable for people who speed."

ISPs themselves have a self-interest in complying because they will want to protect their networks, he said.

The Kokoda Foundation study also recommended that firewalls and anti-virus software be installed in all new computers as a condition of purchase and conditions of sale of computer systems.

"That's a noble idea - but impossible to enforce," Coroneos said.

The Kokoda study also argued that companies defending themselves in response to a DDOS attack may undertake certain "active defence" initiatives - opening them to charges of unlawful behaviour. It recommended that the law be clarified to reduce this risk.

Coroneos said he had seen "no evidence" of companies under attack engaging in such retaliatory measures.

"Australian corporations don't operate that way. So the risks the authors point to are largely theoretical".

Disclaimer: John Hilvert was a former policy advisor to the IIA.