Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Apr 22, 2016

Government sends Australia down the cybersecurity rabbit-hole

The Australian government's new 67-page cyber security strategy sets out to address "the dual challenges of the digital age—advancing and protecting [Australia's] interests online".

Its incomplete and arguably half-baked definitions of a few cyber terms, along with the thrust of the entire strategy and a lot of the rhetoric, indicates that the Australian government considers Australia to be under attack from [foreign] actors i.e. competent and scary [foreign] adversaries intent on causing grave economic and social damage on a national scale to Australia through the Internet [specifically].

Despite the earlier mention of advancing Australia's interests in a positive sense, the strategy is overwhelmingly defensive/protective in nature, the main thrusts being:
  • Dispensing advice on "cybersecurity", which appears to mean either old-fashioned IT/network/data security or new-fangled Internet/online security. Either way, it's evidently not information risk and information security in the broad. Exactly who is to dispense the guidance (and what gives them the credibility and capability to do so), to whom, and what they are supposed to do with it, are not clear from the strategy.
  • Encouraging businesses to disclose ("share") information on their cyber-incidents to the government, for unstated purposes. As stated, the "sharing" seems to be purely one way. The paper doesn't even hint that businesses might get something valuable in return, to offset their not inconsequential costs and risks from "sharing" sensitive information with a government that can't even be trusted keep its own cybersecurity in order.
  • Penetration testing ... that would leave tested organizations with the enormous challenge of addressing a mountain of identified technical vulnerabilities, keeping the focus away from other aspects of information risk, information security, privacy, governance, fraud, malfeasance and so on and on. [Perhaps that is itself a strategic objective? Watch the hands, watch the hands, follow the ball under the cup ...] Worse still, there are hints that the government intends to use classical network pentesting as a (if not the) mechanism for applying pressure to their suppliers, and perhaps Australian businesses in general, to improve their technical IT network/systems security, an approach known as coercion. I suspect this arises from the government having discovered the value of pentesting various government departments/agencies, but it pointedly ignores concerns such as how to go about prioritizing and addressing identified issues, and again completely disregards the fact that externally-exposed technical risks are a subset of all information risks, which is itself a subset of all risks. Pentesting does not meaningfully address insider threats, for example. Pentesting is unlikely to have identified or prevented Manning and Snowden.
  • Supporting' efforts to keep the Internet a free, neutral and open global social, commercial and governmental asset, I guess, although again the objectives are largely unstated. This aspect is quite distinct from and irrelevant to (perhaps even directly opposed to!) information risk and security, and smells to me like a lost waif and stray of a political agenda desperately searching for a home.
Despite my cynicism, I'm very impressed by the strategy website if not the strategy itself, and encourage you to peruse it for yourself. 

Comments, corrections, counterpoints and challenges are welcome. What do you make of it?  How could it have been improved?

Gary (Gary@isect.com)