by Tim Lohman

Cyber security Tsar needed to lift Australia’s defences?

Sep 10, 2009

The appointment of a US-style cybersecurity tsar could be of major benefit to the Australian Government as it looks to increase the security of government infrastructure and data, according to the global CIO of security company Symantec.

Speaking with CIO, David Thompson, who is in Sydney for a series of customer events, said initiatives taken by the Obama administration around increasing cybersecurity could be modelled in Australia.

“The president of the United States has noted an increase in cyber crime and noted it as a top initiative; which is a significant step forward,” Thompson said. “The other thing he has done of unique value is to appoint a cyber tsar responsible for coordinating all efforts, spending and initiatives around protecting US infrastructure.

“That is something that can be noted around the world — government leaders need to take responsibility for making [security] a top priority and protecting their infrastructure. Also appointing individuals to head those initiatives up, otherwise your efforts are spread so thin across so many areas that you really don’t get the value. It’s an area that needs increased focus, but also increased spending to secure and manage our government entities.”

The comments follow a DDoS attack on the prime minister’s site — pm.gov.au — last night by the protest group Anonymous.

In its submission to the House of Representatives Standing Committee on Communications New Inquiry into Cyber crime, Microsoft Australia said trends in security pointed to the need for a comprehensive and coordinated national strategy around cyber crime as well as greater Government-to-Government collaboration on cross-jurisdictional crime.

“When one recognises the breadth of the challenge and the need for a massively decentralized but coordinated response among the federal, state and territory agencies, we believe that the Committee should consider whether or not Australia’s national cyber security strategy and its implementation should be led by a single coordinating authority at the highest Executive level, like the Department of Prime Minister and Cabinet or through an appointed “cyber security czar”,” the submission reads.

“As the Committee would be aware, the US is moving to a similar model, where their national cyber security strategy will be led and coordinated by the White House… So too, we need to better understand the threat landscape and to evolve and focus the public-private partnership model as well as international collaboration.”

The company also argues for a legislative model designed to ensure that greater regulation, if enacted, protects innovation while providing appropriate government oversight of cybersecurity issues.

“Finally, Microsoft maintains that the Internet needs an appropriately deployed identity meta-system if we are to make the Internet dramatically more secure but protect important social values, such as privacy and free speech.”


Graham Ingram, general manager at the Australian Computer Emergency Response Team (AusCERT), said the creation of a role to head national cybersecurity was a current topic of discussion between industry and government. However, more important than a government-based cybersecurity co-ordination role is the realisation of a true integration and partnership between the private sector and the government on IT security, Ingram said.

“In the past in the US, the people in those kinds of [cybersecurity] roles have been from the private sector and have significant credentials and carry a lot of capacity to talk both in government and with industry,” he said.

“That’s what we need in this country more than a [government] coordinating role. . . as the people who run the Internet and the infrastructure is industry, so how could you address some of these [security] issues without their involvement?”

In its submission to the inquiry, NetChoice, a coalition of trade associations and e-commerce businesses, argued that the two most effective means for government to address e-crime are stronger law enforcement and more education for business and users.

While welcoming efforts along these lines, the group cautioned against measures that, while well-meaning, create additional regulatory burden for the e-commerce community.

“E-commerce is a young, dynamic industry,” the group’s submission reads. “But it is characterised by small companies who are poorly placed to absorb the deadweight cost of unnecessary regulations.”

More submissions can be read here.