The light touch
Australia's softly, softly approach to telecommunications and broadcast regulations could land this country in some heavy-duty trouble
By Alastair MacGibbon
December 11, 2009
Just over one year ago, on 4 December 2008, Prime Minister Rudd delivered Australia's inaugural National Security Statement to Parliament. In it he defined national security to include the "freedom from attack or the threat of attack; the maintenance of our territorial integrity; the maintenance of our political sovereignty; the preservation of our hard won freedoms; and the maintenance of our fundamental capacity to advance economic prosperity for all Australians".
In other words, he took a broader view of national security than the traditional defence, trade and foreign policy one.
Cyber security was identified as one of the top 10 most pressing national security threats facing the nation.
For several years now, Australia's banking and financial services have been considered part of this country's "critical infrastructure" and the sector has worked with relevant government departments in a productive manner.
Recently, I was asked by the Australian Strategic Policy Institute (ASPI) to examine Australia's cyber security threats and responses and I concluded that while Australian policy on cyber security had progressed (and in the right direction), the gap between Australia's capabilities and our needs relating to cyber security is widening.
There are three main drivers for the gap.
The first is simply that our uptake of information and communications technologies as private citizens, businesses and governments has been rapid, and the corresponding growth in threats and exploits has been exponential. It is hard for government institutions to keep pace with the unintended consequences.
The second is that governments have pursued a "light touch" approach towards telecommunications and broadcast regulation (co-regulatory and industry self-regulatory models), expecting those businesses to deliver solutions greater than or equal to the threats. And they haven't.
The third is that the bureaucracy has taken a narrow definition of cyber security (based on the criminal code definition of cybercrime: unauthorised access to, or impairment of, data on computer systems), thereby excluding much of the victimisation that occurs at the consumer level. The reality of online victimisation is that criminals use a combination of technical and social vectors, which are often indistinguishable to the victim.
This is relevant to the financial sector, even though it has been doing its bit with government for some time now.
It interests me that we have required the financial sector to address certain types of crimes over the years. Institutions enforce know-your-customer (KYC) rules for anti-money laundering (AML) and counter-terrorism financing (CTF), for example. Yet we don't impose those same requirements on Internet registrars, who are the ones registering Internet addresses.
Financial institutions are required to monitor for signs of money laundering, and to report to AUSTRAC should anomalies be found. Internet Service Providers, who deliver the bits and bytes between computers, also see traffic and patterns, including anomalous and dangerous activities, but are obliged to notify no one. Instead, a voluntary code of conduct is being drafted.
Time for a tougher regime?
Long ago, we recognised financial institutions as a cornerstone of our society. It's time we recognised that information and communications technologies are too, and set standards that will give us some comfort of predictability and order. In this regard, the "light touch" regime has probably run its course.
After all, financial institutions are already investing in the safety and security of their customers engaging in Internet banking (albeit to varying degrees), but on a system which could be made more robust.
Debating social change often becomes emotional, and involves challenging the status quo. This isn't always easy. Suggesting that there is more we can do as businesses, governments and individuals doesn't always sit comfortably.
The ASPI paper calls for a number of other changes that I have not outlined here; some you might agree with, others you might not. I'd implore you to download a PDF and have a look. Let me know what you think. We need to have an open, sometimes uncomfortable discussion on these things.
Alastair is an internationally respected authority on high-tech crime, including Internet fraud, consumer victimisation and a range of Internet security issues. Alastair is founder of the Internet Safety Institute and managing partner of Internet consultancy the Surete Group. Prior to that he headed Trust & Safety at eBay Asia Pacific.
