stephenloosley at outlook.com
Tue Aug 26 13:40:59 AEST 2014
Another perspective regarding security ...
ONE of US President Barack Obama’s national telecommunications security confidants says the Abbott government’s proposed mandatory data retention ISP policy should include banks, insurance and retail as well.
David DeWalt, who sold McAfee to Intel for $US8 billion, said retaining data had a number of “broad applicabilities”, beyond combating terrorism.
Mr DeWalt also called for security standards for the “internet of things” — where mere objects can communicate directly with each other over a network — saying even smart TVs could be hijacked virtually to launch a denial of service attack.
He sits on the US National Security Telecommunications Advisory Committee, which provides recommendations to the President on telecommunications and IT infrastructure security and protection issues.
The government controversially wants internet service providers to retain subscribers’ IP addresses for two years, a scheme that is part of anti-terrorism laws to be introduced later this year.
The third-largest ISP, iiNet, estimates it would cost about $100 million to administer.
Mr DeWalt, CEO and chairman of IT security firm FireEye and former president and CEO of McAfee, said while he backed data retention laws, he questioned the length of time ISPs would be made to hold the information.
“I’m an advocate of data retention rules,” he told The Australian during a visit to Sydney last week. “Is two years the right number? I’m not sure.”
Mr DeWalt said one year seemed “a little bit more appropriate”. He emphasised that data retention for a certain period of time was “absolutely” important.
He said ISPs should not be the only ones subject to the laws.
“I think it should be a wider mandate across other infrastructure assets,” Mr DeWalt said, citing examples of organisations with consumer contact such as banking, insurance and retailers.
He said the most important metadata that should be retained was “whatever is needed to safeguard my personal identifiable information”, or data related to personally identifiable information such as a health record or the equivalent of the US social security number.
Holding “every single transaction” created was excessive but could include “the most germane information about my accounts”, credit ratings, social security number or patient information, he said.
Mr DeWalt said the practice had a “number of broad applicabilities”.
“(Fighting) crime can be one, terrorism can be another. It all depends on how you define terrorism,” he said.
He said the lack of built-in security in the internet of things was a major concern since “literally trillions of IP-addressable devices that can connect to the internet” offer no protection from hackers.
“When you start to look at the gentrification of our infrastructure to the internet, it’s amazing to watch,” he said.
“Our dependence on the internet is tremendous and if there’s an outage, crisis or (cyber) attack of (a device’s) information, it could have catastrophic ramifications.”
A smart TV, in-car GPS, smartwatch or smartphone could be used to launch denial of service attacks, Mr DeWalt said.
“Your smart TV is essentially an operating system that is internet connected,” he said.
Hackers could place a malicious object in TVs and have them “call out a thousand times to your favourite website that does commerce for your retail bank”. This would create a massive denial of service attack as every television in the world would call that website, which would block access.
Mr DeWalt lamented the fact that consumer electronic manufacturers did not “put any security into these things”.
“We end up with smart televisions with over-the-top IP capabilities … you’ve just attached another computer to the internet,” he said.
Mr DeWalt said these manufacturers should have security standards and have features like a kill switch to disconnect the device from the internet in the event of a problem.
“Mobile phones from Google and Apple have kill switches built into their phones. Does your smart TV have that?”
He hopes the absence of standards will not lead to a catastrophic disaster.
“I’m very worried that the pace and change of innovation without thinking of security and risk related to that is something globally we need to be prepared for,” he said.