[LINK] OzIT: GovCERT favoured over AusCERT

Roger Clarke Roger.Clarke at xamax.com.au
Tue Apr 14 12:29:24 AEST 2009

[AusCERT left out in the cold?]

National security resources opened up to business
The Australian IT Section
Karen Dearne
April 14, 2009

THE federal Government plans to massively boost technology defences 
in the private sector by sharing intelligence and security agency 
secrets with business owners.

Three key sectors -- finance, utilities and telecommunications -- 
will share sensitive information under an exchange structure to be 
managed by GovCERT, the government computer emergency readiness team.

For the first time, businesses will have access to expertise and 
resources available in organisations such as the Defence Signals 
Directorate and ASIO.

Closer dealings between private and public organisations are central 
to e-security arrangements expected to be announced shortly.

An Attorney-General's Department spokesman said that further outcomes 
of last year's E-Security Review were under consideration, "in the 
context of broader national security issues".

"The security of the Government's own systems is a high priority as 
these store information about Australians as well as classified 
information," he said.

GovCERT is responsible for advising on technology security issues in 
Australia, liaising with foreign government agencies, preparing for 
threats and responding to them.

The spokesman said greater engagement with the private sector would 
build on partnerships forged in the Trusted Information Sharing 
Network since 2003.

"In particular, the three new information exchanges will enable 
businesses and government agencies to share specific technical 
information quickly, and in a trusted manner," he said.

"They will also encourage the sharing of sensitive information 
between companies to help us all to better understand the threats and 
to allow rapid response to cyber-incidents."

However, AusCERT -- which provides critical emergency response 
support to organisations on a fee-for-service basis -- had been 
hoping it would be granted sustainable funding for its operations.

Part of the University of Queensland, AusCERT wants to offer its 
expertise to a broader range of online users and become the national 
IT security triage and co-ordination centre.

"AusCERT has a long-standing history and reputation of helping to 
protect internet security here and abroad," it told the e-security 
review last year.

It would be "counter-productive" to require GovCERT to replicate 
services and resources already provided by the non-profit 

"Building a basic national CERT capability would be a costly exercise 
and would take at least two to three years," AusCERT said.

"We have developed the experience and level of trust required to 
perform these functions over 15 years of operation."

Internet service providers can expect a larger role in e-security, 
with the review recommending the introduction of a code of practice 
for ISPs.

"The code will be developed in collaboration with ISPs and will set 
out the minimum expectation of ISPs to contribute to online security 
for all users," the spokesman said.

The Smith Review of Homeland and Border Security, released in 
December, finds that governments, businesses and individuals are 
increasingly vulnerable to electronic attack.

"The Commonwealth has a special role to play in this area, given its 
high-level capabilities in e-security and the cross-jurisdictional 
nature of the threat," review author Ric Smith said.

"It is, however, difficult to quantify the magnitude of the problem 
and the potential economic and social consequences, particularly of a 
large-scale cyber attack."

Last year the World Economic Forum estimated there was a 10-20 per 
cent probability of a major critical information infrastructure 
meltdown in the next 10 years, with a potential global cost of $US250 

The European Commission has warned that electronic attacks "have 
risen to an unprecedented level of sophistication", most notably in 
the recent assaults on Estonia, Lithuania and Georgia.

It identified the need for "shared responsibility, as no single 
stakeholder has the means to ensure the security and resilience of 
all ICT infrastructures and to carry all the related 

The EC is contemplating regulations to oblige network owners and 
service providers to strengthen security, guarantee continuity of 
supply and report breaches.

The Australian Industry Group said "improved levels of national 
e-security will increase competitiveness and productivity, and 
generate new markets and products".

It noted that investment would be needed to overcome "the fragility 
of key digital economy assets on which governments and industry 
jointly rely".

Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW

More information about the Link mailing list