[LINK] The new Aussie cyber security laws
David
dlochrin at aussiebb.com.au
Sun Oct 13 17:51:41 AEDT 2024
On 12/10/24 21:40, Roger Clarke wrote:
>> The Australian government has introduced new cyber security laws. Here’s what you need to know
>> By David Tuffley, Senior Lecturer in Applied Ethics & CyberSecurity, Griffith University.
>> ...
>> These standards will establish a baseline level of security for consumers. They will include secure default settings, unique device passwords, regular security updates and encryption of sensitive data.
>> [...]
>> This is a welcome step that will ensure everyday devices meet minimum security criteria before they can be sold in Australia.
>
> Dreamland.
> Oh, sorry, I forgot. David's an ethicist. Outcomes are optional.
(:-)... Let's hope the Signals Directorate were heavily involved and the commercial interests of Google, Meta et al were kept in perspective, but these sorts of politico-techno decisions often seem to have an ethical component. A standout example is the proposed ban on children's access to social media, the subject of another thread here.
> The definition of 'network-connected product' is dopey - invented by a lawyer with no sense of IT architecture. The sensible approach would be to define 'A network-connectable product' in physical-connection terms and make no mention of inter-connectability in the definition, and 'An internet-connectable product', as it is, relative to "a communication protocol that forms part of the internet protocol suite".
In terms of "physical connection"? The old ISO 7-layer model of Open Systems Interconnection has the physical connection at the bottom of the stack because it's so general in nature and has little to do with any higher functions at all; it's just any method of signalling symbols, even Morse Code. Bringing in "the internet protocol suite" is no help IMO because that usually means TCP/IP specifically, and it's only at ISO layers 2-3 anyway so has much the same problems.
All this illustrates the fundamental difficulty of achieving functional & legal _outcomes_ in terms of technology. I suggest they're orthogonal dimensions of the problem.
But if we have to do so for the sake of getting something done, I think legislation has to be thought through much better at both legislative and technical levels. And that probably begins with Privacy Laws which are much more European in tone, together with penalties which bloody well hurt and which some businesses won't like!!
Regards,
_David Lochrin_