The newly announced Australian Cyber Security Centre has generated mixed responses from the information security industry.
The Federal Government on Wednesday announced the new coordination hub to be launched by year's end under the national cyber security strategy.
It will be staffed by the Department of Defence, the Attorney-General's Department, the Australian Security Intelligence Organisation (ASIO), the Australian Federal Police (AFP) and the Australian Crime Commission.
SC understands it will encompass the existing Australian Cyber Security Operations Centre (CSOC-AU), which houses many of the same agencies that collaborate on technical IT security issues, among other functions.
Speaking at the Defence Signals Directorate (DSD) yesterday, Prime Minister Julia Gillard said information security was a "principal challenge" over the next decade.
"As we've looked at the challenges ahead, the challenges in the next decade beyond 9/11, we have identified cyber security as a principal challenge," Gillard said.
The allocation of funding to the sector was broadly welcomed by security professionals and industry groups.
"Any additional focus on improving IT security for State and Federal Government as well as supporting organisations within Australia is a worthy initiative worth undertaking," Hacklabs director Chris Gatford says.
But the industry also flagged concerns about how the money will be used.
"We already have one cyber security centre (CSOC-AU); here comes another one," Sophos head of technology Paul Ducklin says.
"They both seem set to focus on just those parts of our infrastructure that you'd think ought already to be best informed about protecting themselves, so-called 'systems of national importance'.
"I'd like to see a more holistic approach that didn't leave out the little guys."
Small merchants are an important part of Australia's information security economy, he says, pointing to the recent fraud sting first reported by SC which saw half a million cards stolen from small businesses.
For IPSec operations director Benjamin Robson, there was not enough information available on the new centre to be able to judge if it was a good investment.
"While it is good to see the federal government proposing to invest in the information security sphere, there remain too many questions to determine whether what is proposed is helpful or even practical," Robson says.
"History has shown that governments of all flavours have struggled with the issue of information security, however policy directions have yet to achieve meaningful or practical outcomes."
Questions remain, Robson says, about whether the centre would aim to prevent security incidents or only react to them, what level of engagement it will have with the private sector, and how it would respond to security incidents affecting private sector networks.
He warns the Government should not attempt to "centralise the control of a decentralised internet" and must be willing to engage the private sector in its bid to take a leadership role in security.
"Australians should not see this announcement as the ability to abrogate personal information security responsibility to the government."
Resources, he says, should be directed to education and propping up existing agencies.
Security consultant and penetration tester Jarrod Loidl said resources should be tipped into improving strong legislation, regulation and enforcement.
"The single most limiting factor in protecting our information assets is strict legislation which mandates security controls and hard penalties for failure to implement [reasonable security controls]," Loidl says.
While other nations impose tough penalties for security breaches, Australia's culture of "she'll be right" makes it one of the softest targets out of the G20 countries, he says.
"As one of the wealthiest, most stable countries in the world, we need to do better."
Greens Senator Scott Ludlam warned that political hype around information security was dangerous.
"The notion that online security threats are 'the new terrorism' is already generating an expensive overkill in cyber security measures," Ludlam said in a statement.
"The tripling of security budgets the Prime Minister cited has entailed the expanded apparatus seeking new ways to justify its huge and growing money pot."