Cyber Security and the Wider World

Logical and Physical Identities

Data Protection Control Strategies

Policy, Action and Industry Collaboration

The Australian National Broadband Network

Australia

Author: Kevin R Beck, Melbourne Australia

2013

EXECUTIVE SUMMARY

This paper represents a contribution to the deliberations, design and implementation of the Australian Government’s Cyber Security Policy. It serves as an initial information exchange, offering a personal perspective on the critical arena of the Australian Cyber Security Policy as mandated in the Review of 2008 and now managed by the Australian Department of the Attorney General. This framework will be impacted, and broadened, by the implementation of the Australian National Broadband Network, bringing with it a new set of challenges. Australia’s governments (all of them: federal, state, territory and local) handle, process, issue and store vast amounts of information, and this should be coordinated and centred in a secure facility, or facilities, operated much like a private bureau that produces driver licences, financial cards and other critical instruments.

Criminals, of all persuasions, effectively use the fractured structures and the disparity in security that exists today across the Australian nation.

This paper poses, and looks at, Australia’s security in a broader world context, framing the issue of data security and document issuance within the sophisticated activities of criminal networks operating across borders and sovereign states, operating within legitimate and illegitimate cohorts and communities, blending in so to speak. I believe a sophisticated global criminal structure has been built in front of us and we do not necessarily see it. Businesses engaged in commercial activities within the arena do not readily accept that their enterprises have been infiltrated or are part of the mosaic of criminal and espionage activity.

THE LOCAL IMPERATIVES

The Australian government, through its own agencies, is a user and issuer of secure data, documents, services and systems, evolved out of a myriad of sources of data, in-house and external. External source data may come from private individuals, corporations, other jurisdictions of government and many others, including international sources.

In terms of the Australian government itself, the question arises as to how this extraordinary amount of data can be filtered and allocated a security level according to its purpose. The debate may revolve, inter alia, around what data should be centralised and operated on and what can remain distributed in the field.

However, I am posing here a greater and much wider risk and concern: not only how Australian states, territories and local governments manage data storage, privacy and activities, but how commercial enterprise manages its own and how the whole is manipulated by criminal elements. Into this I add logical and physical identity used for multiple purposes in parliaments, commercial enterprises, government and institutions.

A disparate patchwork quilt of policies and actions by government and key sectors of business enterprise (banking, utilities, telecommunications, document issuance and so on) serves to advantage criminal elements here and internationally. Whilst the Commonwealth may be leading, the states and territories are lagging behind. They reduce the question to one of cost and, when quizzed about the physical security of their ports, airports and key assets, they dissemble, stating it is a Commonwealth responsibility. They focus on standard protections of their computer systems and resist sharing information.

In Victoria, Australia, for example, police do not have ready access to Transport driver licence and other databases, or to personal data, unless the person on whom they are requesting information has been charged with an offence. They are not permitted to do 1:1 or 1:N identity scanning.

Australian states also hold the view that a driver licence is not an identity instrument; it is a permit to operate a vehicle. The fact that a driver licence is part of the 100 point identity check to open a bank, or totalisator (TAB), account is somehow lost on this spurious (politically and bureaucratically contrived) proposition.

Anyone seeking to work in, or for some other purpose enter, an Australian airport or port can simply apply for a cheap, low grade identity card (known as an ASIC card) through an agent (airport, airline, a shop in a rural location or other), pay a fee, undergo a rudimentary identity check by an Australian government agency and then get their card.

Such disparate policies, and activities, undermine national security and policing.

As a minimum, all identities should be categorised according to criticality (logical and physical use), and mandated not only for security as a logical data set but also as a physical form in terms of topology and security design, construction and issuance. Only assessed, accredited, security cleared and carefully monitored entities should be permitted to sell identity technologies, including printers and software.

Australia’s Local Government, Other Agencies and CERT Australia

I acknowledge that the Australian government’s Attorney-General’s Department is the lead agency for cyber security policy across the Australian Government and that it chairs the Cyber Security Policy and Coordination (CSPC) Committee, the interdepartmental committee that coordinates the development of cyber security policy for the Australian Government.

One might assume, or external parties in the private arenas described above may claim, that they have a philosophy similar to the government’s in defining measures relating to the confidentiality, availability and integrity of information that is processed, stored and communicated by electronic or similar means.

They may claim to share the aim of the Australian Government’s cyber security policy, the maintenance of a secure, resilient and trusted electronic operating environment that supports Australia’s national security, but only if it does not cost them a lot of money and too much effort.

Australia’s national security, economic prosperity and social wellbeing are critically dependent upon the availability, integrity and confidentiality of a range of information and communications technologies (ICT). This includes desktop computers, the internet, mobile communications devices and other computer systems and networks, and, may I add, products that are provided by external parties such as passports, employee identity, smart cards, tokens, credit cards, prepaid cards, gift cards and any other instrument that deals with data.

Gift cards, and prepaid cards, are part of another paper on the dual themes of money laundering and tax avoidance.

We can all cite an increase in malicious code, attacks and criminal activity on commercial, government and personal systems, as is particularly the case for financial transactions and sensitive commercial or personal identity, including theft thereof, or the creation of one core document to breed others for the purpose of opening a bank account, a social security identity, a driver licence and more.

Many involved in data, privacy and protection are confronted by hysterical misrepresentations around the vexed issue of identity in Australia. Security is undermined by political and bureaucratic expediency and by risk aversion to confronting irate civil libertarians and the right to privacy. Whilst railing against the perception that any attempt to control fraud is a stealth move to introduce an “Australia Card”, people are quite free with their private information on social media and other demands of the Internet, and quite free with, or disregarding of, what retailers and telecommunications providers, Google, Apple et al. gather in. Young people particularly do not seem to care.

They may also be somewhat cavalier with the cards, passports, driver licences and other items they treat as everyday tools but which are more and more the targets of criminals.

I am moving beyond the mere concept of a Cyber Security Centre supporting the government’s objective of cyber safety, focused on protecting individuals, particularly children, from offensive content, bullying, stalking or grooming online for the purposes of sexual exploitation, to a broader economic and social context requiring coordination of other related policies, programmes and industry participation. There is a role for industry in this scope, particularly in the federation of competing interests and in the knowledge and awareness of federal, state and territory governments.

INFERENCES AND CONJECTURE

A global network of criminal elements has come together, like a new generation mafia, using whole countries (pariah states, states under sanctions and so on) and integrating its way into institutional structures (government, banking, financial systems, utilities, technology and telecommunications) across the world, including Australia, to launder large volumes of money, avoid tax, commit fraud and fund terrorism and other criminal activities.

This is not simply the transactional movement of funds involving the complicity of a bank or other structure; it is the actual manufacture of the foundation for that movement, beyond data transfer in computer systems and on the internet, to physical instruments such as credit cards, chips in mobile devices and identity instruments. The clients of these outputs are those who embrace serious badness.

Every honest business, and every person with integrity at their core, would support the National Leadership approach by the Australian government within the federation: a shared responsibility in the communication and storage of sensitive information (of all types) and the obligations of mutual respect for the information and systems of other users. However, this federation is a reality only on paper, and each state and territory wants to be independent, doing what is “politically astute and easily done” without spending too much money and political capital.

Not only should all of the Australian public service be engaged, through knowledge leadership and action, in a partnership approach to cyber security across all Australian governments; the private sector and the broader Australian community are also essential to this partnership, along with our nation’s allies and the multinational global corporations that cross borders. Of course, within the partnership we might expect infiltration by “hidden” criminal supporters.

Globalism and technology support many players and are a major fillip for the criminal person and the criminal state. Just as we install systems in government to produce identity and manage data across a myriad of agencies in Australia, all with varying, minimal or no level of security to speak of, we are now also building a mechanism (the NBN) that will be of great benefit to the criminals. Manipulating stock prices and betting odds, and moving transactions quickly, all require high speed communications.

The Australian government, via its agencies, along with federal and state Police, Regulatory Agencies, Australia’s states and territories, and companies that have global operations, can support, and add value to, the Australian Government’s international policies, strategies and initiatives.

All business, just like Australia’s multiple governments’ agencies, requires risk management in a globalised world where interoperability and internet-connected systems are potentially vulnerable and where cyber-attacks are difficult to detect. There is no such thing as absolute cyber or identity (logical and physical) security.

However, on too many occasions, entities (government and commercial) operate in a state of unawareness of what human and machine networks they are in and supporting, knowingly or unknowingly.

In concert with government, and community, everyone must be brought into the policy and the intelligence exchange, and all must apply a risk-based approach to assessing, prioritising and resourcing cyber security activities within the values paradigm of their individual operations.

Many enterprises educate customers, and others with whom they come into contact (at exhibitions, conferences and seminars; banks on their web sites and at ATMs; the Australian Competition and Consumer Commission on Scamwatch), as to the cyber risks of the instruments that individuals carry and use and the ability of criminals to “phish”, mask web sites to look real and so on.

As a part of their own cyber security they must operate and maintain secure and resilient information and communications technologies to protect the integrity of operations and the identity and privacy of customers and end users. This vitally includes corporations engaged in the manufacture and distribution of critical instruments, applications and identities.

The Australian government, and other jurisdictional agencies, can assist in educating and empowering all Australians with the information, confidence and practical tools to protect themselves online and in their financial and other transactions, but what of the hidden criminal operations described previously that prey upon ignorance, greed and human nature? What of the criminals within legitimate enterprises and governments: how do we identify and weed them out?

Australia’s Governments may promote security and resilience in infrastructure, networks, products and services across agencies, including parliamentarians, associated people, employees and communities using government portals and entering agencies and parliaments, but this is but one part of the puzzle and vital mosaic of partnership that builds to protect our nation and our cooperation with like-minded sovereign states. Industry will only participate to the point where it is commercially in their interests or it suits their agenda. They like to use policing and other services without actually paying for them.

The private sector and government agencies the world over look to the protection of their ICT systems, but to what extent do they ponder how criminal elements become embedded and institutionalised as part of those structures?

These criminal elements take live (or deceased) identities and create data to manufacture other things for their needs, and then send them out into the legitimate world.

Significant Australian companies and, more particularly, those with global operations can work with CERT Australia to assist the owners and operators of critical infrastructure and systems of national interest, add support to CERT Australia within the global community of computer emergency response teams (CERTs) to support international collaboration in regard to cyber security issues, and also complement the work of the Cyber Security Operations Centre within the Australian Signals Directorate. These collaborative arrangements can also serve to make participants aware that their business can also provide the foundation and tools of crime and terrorism, and to incite them to vigilance.

A sort of Crime Stoppers for the corporate world.

The identity technology providers to which I refer above would claim to support the work of the Attorney-General’s Department, and the Australian Federal Police, in the area of identity security and production, but only to the point of commercial expediency, just as many companies work with CIT integrators who are engaged with key government agencies. They will put people onto committees as part of their interaction, but when the situation becomes sticky they tend not to want to be publicly involved.

It is into these legitimate structures, committees, working groups and projects that the criminals enter, masquerading as good corporate citizens.

The work of the Department of Broadband, Communications and the Digital Economy in the implementation of the National Broadband Network (NBN) was supposed to, inter alia, raise opportunities for collaboration; of particular focus for my area of interest, data is to be sent across the NBN according to the user profile. The change of government from Labor to the Conservatives, who are focused on cost rather than benefit, now clouds what value the NBN may bring and to what extent. The security of the Network itself may well be compromised, a bonus for the criminals.

There is obviously an expectation that the private sector will embrace the NBN. The NBN will greatly enhance the transportability of data and the activities of the criminals. We know criminals do not wear black hats and long coats and stand out. The fibre is a neutral carrier and therefore there will have to be an extensive education campaign, well beyond that which is currently carried out. If mobile and other technologies are added into the Network then security becomes more problematic.

Policy debates around wireless versus fibre landline belie the complexity of server capability and availability and of the wireless band. It is not enough that we educate citizens; everyone in government and business must be vigilant to the hidden global network that is operating out in the open.

Although the network connection between a user's web browser and the server might be believed to be secure, the user data is kept in cleartext at rest on the host servers and can potentially be viewed by anyone with the correct level of access. From this they can take data files to populate the instruments I have referred to, which in turn form the mechanism for movement of funds, and people, beyond the horizon of regulatory awareness and that of Australia’s agencies and international allies.

This poses problems for governments, organisations and individuals who wish to store and exchange sensitive information, patented materials and sensitive private data, such as patient medical records, identity instruments, passports, driver licences, credit cards and financial security instruments, printed or electronic.