http://australianit.news.com.au/articles/0,7204,16021509%5E15382%5E%5Enbv%5E,00.html

James Riley
The Australian
JULY 26, 2005

If the London terrorist attacks highlighted the need for improved computer security for the operation of essential services, they also served to demonstrate the potentially enormous cost large computer users will have to bear in the war on terror.

But it is not yet clear how the protection of these computer systems will be paid for, nor indeed who will bear the cost of that protection.

For private sector technology users, the national security policies developed by government have huge implications. No-one argues that these systems should not be the focus of the Government's critical infrastructure protection programs. But the debate about who should pay for these security improvements has not yet started.

The government's dollar-for-dollar funding of threat assessments is one thing. But there are much greater costs to come in implementing some of these policies.

In the US there is an active discussion about giving companies responsible for the maintenance of critical infrastructure tax concessions on the investment required to protect it.

Though there has been no direct discussion within government about a similar tax concession program in Australia, it is not something that has been ruled out by the Attorney-General's department either.

Telstra is a member of the Communications Sector Infrastructure Assurance Advisory Group and actively participates in the TISN for Critical Infrastructure Protection. These are national bodies governing the security of national infrastructure, with representatives from relevant industries as well as state and federal government departments and agencies.

As the dominant communications company in Australia, Telstra's infrastructure is clearly critical to the well-being of the economy as well as the overall health of the society.
But, through the TISN network, Telstra has been working with other communications companies to improve the network redundancy provisions available in an emergency where parts of the nation's communications capability are knocked over through terrorist attack.

Ruddock says the Communications Group had "already been responsible for an agreement between telecommunications carriers to share different sources for their timing signals."

It is two years since Attorney-General Philip Ruddock established the Trusted Information Sharing Network for Critical Infrastructure Protection (TISN), which aims to improve information sharing between public and private sector organisations about risks and how to deal with them.

But it is only now that the owners of that critical infrastructure are beginning to understand the cost burden that comes with protecting it.

The complicating factor for government is that, according to the Attorney-General, 90 per cent of Australia's critical infrastructure is owned by the private sector.

The TISN initiative was set up to improve the flow of security information between the private sector and government - in particular its police, security agencies and emergency services - as well as between private sector companies that may be competitors in the marketplace.

Water utility Yarra Valley Water is one of the few organisations prepared to discuss critical infrastructure protection issues on the record.

Two weeks ago, Ruddock announced dollar-for-dollar funding grants of $60,000 each for Brisbane Water and Yarra Valley Water to conduct assessments of their computer networks. The two companies are among the first to receive funding under the Attorney-General's department's $8 million Computer Network Vulnerability Assessment program.

Yarra Valley Water managing director Tony Kelly says the funding will be used to assess its SCADA (supervisory control and data acquisition) systems against potential vulnerabilities.

"The challenge for all businesses is being able to implement and show our customers that we have done everything necessary to protect our information assets," Kelly says. "With an increasing focus on information security, physical security and business continuity in case of unforeseen disaster, we want our customers ... to know we're working to the highest standards."

Whatever vulnerabilities are exposed by the assessment will determine how much will need to be invested in improving security arrangements.

For IT departments within large organisations, that cost burden will be significant. Collectively it will certainly be measured in the tens of millions of dollars.

The critical infrastructure protection program will have an impact on the operation of IT departments, as new security procedures and protocols are put in place to improve network redundancy.

Private sector organisations are being asked to co-operate with each other to an unprecedented extent on security issues, even though they might remain fierce competitors in the open marketplace. Utilities companies, for example, are working together to assist each other with disaster recovery and redundancy capabilities, and communications companies have already come to broad agreements on ways to better back up each other's networks in the event of some catastrophic failure – or targeted attack.

IT departments are central to the critical infrastructure protection plans, because technology cuts across all areas of government's protection plans.

"Computer network vulnerability is a very significant issue in relation to every area of critical infrastructure," Ruddock says. "This is a critical program about ensuring these computer (systems) that manage our essential assets can resist exploitation and perform appropriately under a range of challenging conditions."
The TISN initiative covers nine areas considered critical to the economy and the well-being of society, from banking and finance to communications, emergency services, health and the food chain.

There won't be a large IT organisation that is left untouched by these national security plans. Information technology is as central to the nation's telecommunications network as it is to the food chain, or the delivery of electricity and water.

"This means that if one source fails, they have backup," he says.

Telstra is reluctant to discuss the arrangements it has already put in place as a result of critical infrastructure protection programs and won't discuss costs. But through the TISN network it is in regular contact with other communications providers, other private sector companies responsible for critical infrastructure in other parts of the economy, and government security agencies.

"We have a range of processes through which we regularly review our security arrangements," Telstra spokesman Warwick Ponder says. "These processes are designed to comply with both industry standards and government requirements (and) include regular communication and interaction with government and security agencies," he says. "At a time of heightened risk we have the ability to review and upgrade our security requirements as necessary."

Ruddock has not publicly addressed the issue of who will pay for private sector investments in critical infrastructure protection.

It is thought the Government believes the cost should be borne by the companies themselves, as security is simply a cost of doing business. The cost of critical infrastructure protection should then be passed on to customers.

But there are some who believe that, as a national security exercise, the taxpayer should pay for at least parts of the program.
Two weeks ago, Ruddock said critical infrastructure protection was an evolving issue, and that the public has been "supportive of additional measures targeted at key vulnerabilities". Just as people are more understanding about the inconvenience of more stringent security when entering strategic buildings such as airports, the thinking is that the public also will be understanding of costs that are passed to customers in the interests of national security.