[ISN] Our high-priced security lock

From: InfoSec News (isn@private)
Date: Mon Jul 25 2005 - 22:40:50 PDT


http://australianit.news.com.au/articles/0,7204,16021509%5E15382%5E%5Enbv%5E,00.html

James Riley
The Australian
JULY 26, 2005  
 
IF the London terrorist attacks highlight the need for improved
computer security for the operation of essential services, they also
served to demonstrate the potentially enormous cost large computer
users will have to bear in the war on terror.

But it is not yet clear how the protection of these computer systems
will be paid for, nor indeed who will bear the cost of that protection.

For private sector technology users, the national security policies
developed by government have huge implications.

No-one argues that these systems should not be the focus of the
Government's critical infrastructure protection programs.

But the debate about who should pay for these security improvements
has not yet started.

The government's dollar-for-dollar funding of threat assessments is
one thing. But there are much greater costs to come in implementing
some of these policies.

In the US there is an active discussion about giving companies
responsible for the maintenance of critical infrastructure tax
concessions on the investment required to protect it.

Though there has been no direct discussion within government about a
similar tax concession program in Australia, it is not something that
has been ruled out by the Attorney-General's department either.

Telstra is a member of the Communications Sector Infrastructure
Assurance Advisory Group and actively participates in the TISN for
Critical Infrastructure Protection.

These are national bodies governing the security of national
infrastructure, with representatives from relevant industries as well
as state and federal government departments and agencies.

As the dominant communications company in Australia, Telstra's
infrastructure is clearly critical to the well-being of the economy as
well as the overall health of the society.

But, through the TISN network, Telstra has been working with other
communications companies to improve the network redundancy provisions
available in an emergency where part of the nation's communications
capability is knocked out by a terrorist attack.

Ruddock says the Communications Group had "already been responsible
for an agreement between telecommunications carriers to share
different sources for their timing signals." It is two years since
Attorney-General Philip Ruddock established the Trusted Information
Sharing Network for Critical Infrastructure Protection (TISN), which
aims to improve information sharing between public and private sector
organisations about risks and how to deal with them.

But it is only now that the owners of that critical infrastructure are
beginning to understand the cost burden that comes with protecting it.

The complicating factor for government is that, according to the
Attorney-General, 90 per cent of Australia's critical infrastructure
is owned by the private sector.

The TISN initiative was set up to improve the flow of security
information between the private sector and government - in particular
its police, security agencies and emergency services - as well as
between private sector companies that may be competitors in the
marketplace.

Water utility Yarra Valley Water is one of the few organisations
prepared to discuss critical infrastructure protection issues on the
record.

Two weeks ago, Ruddock announced dollar-for-dollar funding grants of
$60,000 each for Brisbane Water and Yarra Valley Water to conduct
assessments of their computer networks.

The two companies are among the first to receive funding under the
Attorney-General's department's $8 million Computer Network
Vulnerability Assessment program.

Yarra Valley Water managing director Tony Kelly says the funding will
be used to assess its SCADA (supervisory control and data acquisition)
systems for vulnerabilities.

"The challenge for all businesses is being able to implement and show
our customers that we have done everything necessary to protect our
information assets," Kelly says. "With an increasing focus on
information security, physical security and business continuity in
case of unforeseen disaster, we want our customers ... to know we're
working to the highest standards."

Whatever vulnerabilities are exposed by the assessment will determine
how much will need to be invested in improving security arrangements.

For IT departments within large organisations, that cost burden will
be significant. Collectively it will certainly be measured in the tens
of millions of dollars.

The critical infrastructure protection program will have an impact on
the operation of IT departments, as new security procedures and
protocols are put in place to improve network redundancy.

Private sector organisations are being asked to co-operate with each
other to an unprecedented extent on security issues, even though they
might remain fierce competitors in the open marketplace.

Utilities companies, for example, are working together to assist each
other's disaster recovery and redundancy capabilities, and
communications companies have already come to broad agreements on ways
to better back up each other's networks in the event of some
catastrophic failure - or targeted attack.

IT departments are central to the critical infrastructure protection 
plans, because technology cuts across all areas of government's 
protection plans. 

"Computer network vulnerability is a very significant issue in 
relation to every area of critical infrastructure," Ruddock says. 
"This is a critical program about ensuring these computer (systems) 
that manage our essential assets can resist exploitation and perform 
appropriately under a range of challenging conditions." 

The TISN initiative covers nine areas considered critical to the
economy and the well-being of society, from banking and finance to
communications, emergency services, health and the food chain. There
won't be a large IT organisation that is left untouched by these
national security plans.

Information technology is as central to the nation's 
telecommunications network as it is to the food chain, or the delivery 
of electricity and water. 

"This means that if one source fails, they have backup," he says. 

Telstra is reluctant to discuss the arrangements it has already put in 
place as a result of critical infrastructure protection programs and 
won't discuss costs. 

But through the TISN network it is in regular contact with other
communications providers, with other private sector companies
responsible for critical infrastructure in other parts of the economy,
and with government security agencies.

"We have a range of processes through which we regularly review our 
security arrangements," Telstra spokesman Warwick Ponder says. 

"These processes are designed to comply with both industry standards 
and government requirements (and) include regular communication and 
interaction with government and security agencies," he says. 

"At a time of heightened risk we have the ability to review and 
upgrade our security requirements as necessary." 

Ruddock has not publicly addressed the issue of who will pay for 
private sector investments in critical infrastructure protection. 

It is thought the Government believes the cost should be borne by the
companies themselves, as security is simply a cost of doing business.
The cost of critical infrastructure protection should then be passed
on to customers. But there are some who believe that, as a national
security exercise, the taxpayer should pay for at least parts of the
program.

Two weeks ago, Ruddock said critical infrastructure protection was an 
evolving issue, and that the public has been "supportive of additional 
measures targeted at key vulnerabilities". 

Just as people are more understanding about the inconvenience of more 
stringent security when entering strategic buildings such as airports, 
the thinking is that the public also will be understanding of costs 
that are passed to customers in the interests of national security. 


This archive was generated by hypermail 2.1.3 : Mon Jul 25 2005 - 23:06:01 PDT