Homeland Security

By Heinrich de Nysschen

In the concluding part of our two-part special on Australia's national security and IT's role in maintaining it, Heinrich de Nysschen examines Australia's level of preparedness for a terrorist attack, and talks to two senior IT figures with expertise in countering cyber-terrorism and associated computer crime, who offer their thoughts on the level of risk.

There is no single document that lays out Australia's strategic plan. All 130,000 Australian public service employees, including those 20,000 across 30 agencies directly involved in the national counter-terrorism strategy, have a role to play in the "whole of government" approach to national security.

However, there are a number of publications which build it up, including DFAT's Advancing the National Interest White Paper, Defence's 2000 White Paper and 2003 Update, and PM&C's Protecting Australia Against Terrorism book.

Following the Hilton Hotel bombing in Sydney in 1978, the then Prime Minister, Malcolm Fraser, announced the establishment of a committee, which would include Commonwealth and State agencies.

The principal aim would be to establish a set of national arrangements and agreements to respond to threats or acts of politically motivated violence. The Standing Advisory Committee on Commonwealth/State Cooperation for Protection Against Violence (SAC-PAV) was established in February 1979.

Following 9/11, Australia re-assessed its security arrangements to deal with the new and uncertain security environment. The Leaders' Summit on Terrorism and Multi-Jurisdictional Crime, in April 2002, delivered significant outcomes to strengthen our national security arrangements. The Leaders' Summit agreed that SAC-PAV would be reconstituted as the National Counter Terrorism Committee (NCTC), giving the NCTC a broader mandate to cover prevention and consequence management issues.

This included Ministerial oversight arrangements. The NCTC was established by the Inter-Governmental Agreement of 22 October 2002, signed by the Prime Minister, Premiers and Chief Ministers.

The role of the NCTC is to contribute to the security of the Australian community through the coordination of a nationwide cooperative framework to counter terrorism. The Department of the Prime Minister and Cabinet, Attorney General's Department, Transport and Regional Services, Australian Federal Police, ASIO, Department of Defence, Department of Finance and Administration, Australian Protective Service, Emergency Management Australia and the Department of Foreign Affairs and Trade represent the Australian Government.

State and territory representatives include senior officials of the Premiers' and Chief Ministers' departments, and deputy police commissioners and senior New Zealand representatives attend the meetings as observers.

The ICT industry perspective on homeland security

Neil Campbell joined Dimension Data in October 2002 as national security practice manager. Campbell is responsible for managing and developing Dimension Data's security practice, which consists of more than 45 security professionals nationally. His IT security experience spans 12 years, ranging from prevention and assurance to detection and response, including six years with the Australian Federal Police Computer Crime Team.

As a result of his experiences, Neil developed a sound knowledge of computer crime law, the balance between the need for security/law and the rights of the individual; and in the use of security-related technology.

According to Campbell, when he joined the AFP Computer Crime Team in 1992, there was nothing at the time in legislation to deal with IT attacks effectively. Campbell states: "There was also a lot of computer hacking coming out of Australia into US Military and NASA and they tried to have something done about it."

In 1988, the Australian Commonwealth Government passed legislation to outlaw computer hacking.

The legislation to deal with hacking and similar attacks was fairly progressive at the time: sentences of up to 10 years for offences such as the insertion, deletion or modification of data were included.

Campbell says: "Back then, forensics was a fairly new field. Investigators had investigative skills, but not necessarily the IT skills required." At the time, Campbell combined his investigative skills with the IT skills of the victims (companies would provide the technology) until a later time when security specialists became more proficient with technology and started to apply their forensic skills.

Asked to identify the main IT threat to business, Campbell says it is "the threat to our clients which exists to this day, that is, their approach to risk management." He indicates businesses are good at understanding business risk and competitive risk, but less effective in understanding and dealing effectively with IT risks.

Campbell states: "The relationship between forensic auditor and the client in private investigation and audit is the same relationship the police have with their complainants. There is a strong focus on fulfilling computer security risk audits from an internal perspective."

Campbell emphasises: "The main threat to our clients which exists to this day is the business approach to risk management or the lack thereof."

Businesses are generally good at understanding business risk, understanding regulatory risk and all the typical risks you would consider in a business plan that a responsible business would consider as part of effective corporate governance processes.

Campbell states, however: "Translating general risks into IT risk, IT being a relatively young industry, one finds the level of maturity in applying a risk management approach to IT is significantly lower than in other parts of the business."

Campbell ascribes this to a maturing IT industry and differences between traditional risk management programs and IT risk management programs.

"When you have a risk management program, you might have a detailed program of risk analysis and of risk management from traditional areas of the business, but when you come to IT, this occurs only occasionally.

"Again, less and less often, you would encounter IT as a general risk, not drilled down into the specific risks of IT, but we recognise that we have IT risks. To really understand where your risks are, you need to drill down into the assets within a business."

Campbell sees a lack of focus or understanding as being a central issue. Traditional risk managers are not IT people. As a result, the status quo was being maintained. Campbell does, however, see some light in the tunnel and change taking place, albeit slowly.

What are the identified IT security risks?

Whilst strategic risks are important, we also need to focus on some of the major IT security and safety threats and risks associated with IT and critical infrastructure, including cyber-terrorism and measures being implemented to mitigate these to secure our safety. Campbell identifies the biggest IT security risks.

"The biggest threat (subject to qualification) to any organisation is malware (computer worms and viruses, Trojans etc.): things that are going to take the network out.

"As people rely on the availability of network infrastructure to generate revenue, worms and viruses will impact more and more. If you are a bank and a worm takes out your internal network for two days, that is going to have a pretty significant and measurable effect."

Some Australians may acknowledge that our society and the world around us are changing as part of the ongoing IT development process. Commercialisation and the creation of more transparent and permeable borders between countries form part of this ongoing transformation.

With a marked increase in international trade and tourism, and with the rapid development of new technologies, we are facing an increasing number of complex, new IT security threats, and these threats could have significant consequences for those that fail to put effective preventative security measures and responsive safety measures in place.

IT security threats are diverse and far ranging including malicious hacking using viruses, worms, Trojans and 'phishing' to steal identities and sometimes even to compromise IT systems and networks of potential target organisations.

Hackers attempt to gain illegal access to systems, either for financial gain, to commit potential sabotage, identity theft to commit fraud, or for other purposes of theft or espionage.

IT security threats could also include Distributed Denial of Service (DDoS) attacks to flood target servers with downloaded information in an effort to deny user access to that organisation's online presence.

Identified terrorist suspects have been found to use encryption techniques to transmit encoded messages and instructions, hidden in image files, between members of terrorist organisations on the Internet.

The Internet is being used as a powerful propaganda weapon by supporters of known terrorist organisations to communicate images glorifying horrific terrorist acts in order to sway public opinion and to raise funds through support networks.

Hackers are actively targeting and attacking key defence, security and large business computer networks on a daily basis, be it for criminal or terrorist purposes to gain illegal access to these networks.

With the links between terrorist organisations and crime, the Internet has become another tool to communicate with compatriots, to organise resources and to transfer illegal or laundered funds.

Identity theft through phishing and the use of stolen identities to access banking networks has become a major security threat for most international banks and financial institutions.

Effective responses to manage IT homeland security risks

Overall company losses due to sabotage average $200,000, so organisations cannot afford to be complacent.

Last year, anti-virus software vendor Trend Micro released a report which estimated that PC viruses cost businesses worldwide approximately $55 billion in damages in 2003. The same calculations were done in 2002 and 2001, returning figures of $20 billion and $13 billion respectively, so the problem is growing and there is an ever-increasing price to pay.

Increasingly, terrorism is taking on different shapes and forms, and IT infrastructure is a prime target for potential cyber-terrorists. Terrorism is certainly not the newest or the only serious safety and security threat that we are faced with today; however, newer and different types of terrorism, such as cyber-terrorism, need to be taken seriously if we are to avoid the serious consequences of potential future terrorist actions.

The other types of serious security risks facing IT organisations, private sector and Government users of IT technology, such as increasing cyber-crime, organised identity theft and theft or fraud using illegal access to computer networks of banks, companies and government organisations are presenting new challenges also requiring appropriate and effective responses from the Government and the business sector.

The Australian Government recently announced the implementation of the Computer Vulnerability Computer Project (CNVA). This project, from within the Attorney General's Department, aims to determine definitively if the cyber vulnerabilities of Australia's critical infrastructure are as significant as claimed.

By using 'red teams', penetration testing and a host of other IT techniques, the project will assess the vulnerability of various infrastructures. For example, it may examine if a hacker can actually shut down the electricity grid, switch points on rail lines in front of trains, or take over the airspace control systems.

The recent election policy National Security - The First Responsibility of Government stated that a series of six major, multi-jurisdictional counter-terrorist exercises would be run if the Coalition was re-elected. These exercises provide an indication of what the Coalition views as the most likely major terrorist attacks in Australia, including: airline hijacking, bio-attack, attack on the food chain, attack on a ferry, attack on an offshore oil rig and attack on the national electricity grid.

The Government will contribute about $1.5 million per annum for the CNVA project, with additional contributions expected to come from the companies or sectors being tested. The funding is contingent on the test's generic results being made available to other relevant enterprises in that sector.

It could be suggested there is a trend towards a blending of security threats, as the motives for those that use IT as a means to further their criminal ends become mixed in the process of implementing their terrorist or criminal actions.

Recently, a prominent US private database company said hackers commandeered one of their databases, gaining access to the personal files of as many as 32,000 people.

Campbell says: "This is a new area of IT development likely to provide huge benefits but it isn't necessarily easily understandable by risk managers, when it comes to the down side of working with IT within an organisation. IT risk is still the biggest issue. People are really coming to grips with the risks in the IT environment and addressing the risks for what they really are."

However, Campbell does see some general changes in business to address IT security risks effectively, such as a general trend of change and an increasing engagement of risk managers and IT people. Security awareness is a major part of this general change.

Campbell affirms: "With September 11, we all expected a massive increase in security awareness, and I think we have seen a gradual increase, not a knee jerk reaction. I think the industry expected a knee-jerk reaction across the board, but I have seen a continued gradual raising of awareness."

Some Australian companies in the private sector and government departments are tightening their security with the deployment of stronger user authentication and identity management for their IT systems.

Sebastian Moore, as area vice president for RSA Security Asia Pacific, provides an alternative perspective in effective responses to mitigate key security risks.

RSA Security helps organisations protect private information and manage the identities of people and applications accessing and exchanging that information. It has more than 14,000 customers around the globe, together with more than 1,000 technology and integration partners.

Moore has more than 13 years industry experience. In addition to his work at RSA, he spent 11 years with Hewlett Packard as enterprise sales manager for the New South Wales district and in Singapore as director of HP's channel organisation for Asia Pacific.

Moore says that RSA is providing smart authentication and access solutions using two-factor authentication based on something you know (a password or PIN) and something you have (an authenticator), providing a much more reliable level of user authentication than reusable passwords.

RSA's solution offers enterprises a wide range of user authentication options, from secure ID tokens to smart cards to digital certificates, to help positively identify users before they interact with mission-critical data and applications or are granted access to protected information and resources.

Using time-synchronous software, user authentication security is raised to a higher level for IT systems to prevent unauthorised access.

Moore says: "From a compliance and security standpoint, two-factor authentication provides much stronger authentication than just username and password identification."
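
The time-synchronous two-factor check described above, as an added example (not code from the article or from RSA). It uses the open RFC 6238 TOTP algorithm as a stand-in for a vendor token; the class name, drift window and single-use rule are illustrative assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code interval (RFC 6238 default)
DIGITS = 6     # length of the displayed code

def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code a token displays at unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def pin_hash(pin: str, salt: bytes) -> bytes:
    """Keep only a salted, stretched hash of the PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class TwoFactorVerifier:
    """Hypothetical server-side check: PIN (know) plus token code (have)."""

    def __init__(self, secret: bytes, pin: str, salt: bytes, drift_steps: int = 1):
        self.secret = secret
        self.salt = salt
        self.pin_digest = pin_hash(pin, salt)
        self.drift_steps = drift_steps   # tolerated clock skew, in intervals
        self.last_step = -1              # newest interval already accepted

    def verify(self, pin: str, code: str, now: int) -> bool:
        pin_ok = hmac.compare_digest(pin_hash(pin, self.salt), self.pin_digest)
        matched = None
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            t = now + delta * STEP
            expected = totp(self.secret, max(t, 0)).encode()
            if hmac.compare_digest(expected, code.encode()):
                matched = max(t, 0) // STEP
        # Both factors must pass, and each code is accepted for one login only.
        if not pin_ok or matched is None or matched <= self.last_step:
            return False
        self.last_step = matched
        return True

if __name__ == "__main__":
    # Constructed sample values: the RFC 6238 test secret and a made-up PIN.
    v = TwoFactorVerifier(b"12345678901234567890", "4821", b"constructed-salt")
    print(v.verify("4821", totp(v.secret, 1111111109), 1111111109))
```

A stolen password alone fails the check, and so does a code captured and replayed after its first use or outside the drift window.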

Conclusion

To summarise, although the Australian Government and business have been proactive in establishing risk management guidelines and international risk management standards, in future a concerted effort will have to be maintained, building on current efforts, involving all stakeholders, to develop proactive and reactive IT risk management strategies. Only then could we ensure that Australian IT systems, infrastructure and assets are secure, and able to effectively mitigate the impact of potential future security incidents.
