Providing CERTainty

Computer emergency response teams (CERTs) were set up in the late eighties to be trusted sources of support, advice and expertise for IT security information, incident responses and planning. By and large, that reputation has stood the test of time.

However, cracks in that image begun to appear last year when the anonymising The Onion Router (TOR) network saw several relays seized by government officials in the Europol-led Operation Ononymous effort against cyber crime. 

Fingers were pointed at American CERT researchers who had discovered weaknesses in TOR that could decloak users of the service.

The irony here is that TOR started life as a government project designed to protect US Navy communications, and is still used today by US government agencies wishing to avoid surveillance on the internet.

If reports are correct that CERT was involved in the attack on TOR, the organisation may have shot itself in both feet.

That’s the complex post-Snowden reality that the new head of Australia’s independent, member-funded computer emergency readiness team (AusCERT), Thomas King, has to negotiate.

While emphasising AusCERT’s excellent relationship and cooperation with the government CERTs, King recognises that the state-run counterparts have a difficult role to play, as they are forced to consider both the defensive and offensive sides of the cyber security coin.

In that sense, life is easier for AusCERT as it is accountable only to its paying members, without national security demands clouding the waters.

Member feedback has been the focus for King, and six months into his reign he is happy with the consultation and engagement programs set in motion.

Prior criticism from members that AusCERT was slow to respond to current issues led the organisation to refocus and establish services such as the Flying Squad infosec response team to help deal with incidents.

It’s still early days, but King is already claiming the closer engagement strategy as a success.

“We’re adding a member a day,” he said.

King's practical experience - derived from running the University of Queensland's IT services department and catering for over 65,000 users - has been instrumental in understanding members' needs and how they change with the fast-shifting infosec landscape.

And, judging by last year, King and AusCERT will be very busy in 2015.

Coming up: the great user privacy battle

Two things stand out for King as game changers in 2014.

First, infosec went mainstream. Heartbleed pushed IT security into people’s living rooms with a catchy name and memorable logo, and King says the greater awareness is a good thing.

Second, large ISPs and device vendors such as Google, Apple, Microsoft, Yahoo, and Facebook started pushing back on intrusive government mass surveillance of their customers. 

These same vendors have strengthened encryption for customers to combat the surveillance, and have done so to the point that governments most likely won’t be able to decrypt scrambled communications.

But King said the stronger encryption has also meant criminals - such as child abusers - can share material with impunity.

How will the issue be resolved? That’s a question neither King nor anyone else has answered.

“That’s very unlikely,” King said, when asked if UK prime minister David Cameron’s demands for backdoors in messaging apps and communications protocols using encryption are feasible.

Most use open source components, making it impossible to introduce interception capabilities unnoticed.

What is clear is that governments have damaged their case and more importantly, citizen's trust, by operating well outside the good-faith boundaries of the infosec community.

Service providers that depend on customer trust for their business can’t be expected to betray it, and have little choice but to continue the fight against government efforts to undermine user privacy. Anything else would be suicidal.

The outcome of that battle is one that King and AusCERT will be watching closely, given the huge impact it is likely to have on the organisation's members.