[LINK] Australian Government Cyber Security Strategy
Roger Clarke
Roger.Clarke at xamax.com.au
Tue Nov 24 10:44:14 AEDT 2009
At 10:08 +1100 24/11/09, Tom Worthington wrote:
>The Federal Attorney-General, Robert McClelland has released an
>Australian Government Cyber Security Strategy:
><http://www.attorneygeneral.gov.au/www/ministers/mcclelland.nsf/Page/MediaReleases_2009_FourthQuarter_23November2009-AustralianCyberSecurityStrategyLaunched%27>.
>
>This is a high risk strategy as it proposes transferring the functions
>of the successful and experienced non-government AusCert to an
>inexperienced government body. A better strategy would be to resource
>AusCert so it can provide services to non-government bodies and work
>with DSD to look after government and military computer security.
...
Karen Dearne's article is here, with a three-para. extract below the URL:
http://www.theaustralian.com.au/australian-it/government/government-overhauls-national-cyber-security-arrangements/story-fn4htb9o-1225802579568
The new government-owned Computer Emergency Response Team -- CERT
Australia -- will become the single contact point on cyber security
issues, locally and for international agencies.
...
CERT will draw on the expertise of AusCERT, the University of
Queensland-based independent technology security unit that has
provided CERT services for subscribers for 15 years, for everyday
alerts and operational support.
"We have approached AusCERT to provide a range of services to support
the new national CERT under contract, and those arrangements are
being finalised," Mr Rothery said.
1. AusCERT's Role
My reaction was that this just might be good news.
Possible scenario:
Some twerp in the government agency or the Minister's office, some
time ago, committed the Minister to creating a new body.
Later, they came to the realisation that there was already an
organisation doing what the new body was supposed to be created for.
The Minister can't be seen to renege, nor to employ twerps.
So a new body has to be created.
So the solution that's found is to announce a new pseudo-body, whose
first function is to act as a funnel for a contract with the existing
body.
(Or maybe they've re-announced GovCERT; that would be the
spin-doctor's equivalent of the doosra. There are some functions
that do need to be performed within a central government agency
rather than in AusCERT).
A second strand (see a couple of the other paras. in the Oz article)
could be that someone (possibly for perfectly sensible reasons) wants
to adjust the revenue model that supports the existing body.
I have no inside info, and I'm not saying the above is what happened.
But things like that happen far too often. Some of the best work
that senior people in government agencies end up doing is waving a
magic wand, at just the right time, so that a complete cock-up turns
into an at least vaguely sensible outcome. ('Yes Minister'
demonstrates several variants). In this case, the wand may have
produced the *right* result as far as AusCERT is concerned.
2. DSD's Role
What I'm disappointed about is that DSD will continue to be directly
involved. That results in approaches that make sense in a defence
context, but are irrelevant elsewhere, being foisted on government
agencies, and quite possibly on some parts of the private sector as
well.
What we need is a civilian framework for IT and data security that
makes sense in civilian contexts. It needs to be **informed by** a
lot of aspects of DSD's work; but DSD staff should not be dictating
frameworks, criteria, security classifications or business processes
for non-defence government and business.
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University