Dear Ms Attorney-General Nicola Roxon,
I am writing this letter in opposition to the proposed data retention schemes. I understand this is still early days and that the concept of metadata has yet to be bedded down, however I would like to offer my comments in a broad sense, about what these proposals mean and what I anticipate are likely outcomes.
While I cannot speak for the intelligence, law enforcement and government agencies in favour of such a proposition, I do believe I can speak on behalf of counterparts within the information security industry.
I have worked in this field for eight years. Not as many as some, but enough to feel I can comment on this discussion.
Our industry is very small, but we are the people who build, design, run and manage the security controls which protect the information on which our society is dependent.
We look after your email, your proxies (which contain your browsing history) and your desktops which contain your files. We guard utilities such as gas, water, power and the critical infrastructure which drives it. We look after your favourite e-commerce sites that contain your purchasing history and preferences. We look after your bank accounts that pay for it all. We also test the security of these systems by breaking into them. And when it goes wrong, when something gets hacked, stolen, leaked or printed in the media it is us who get the call to investigate.
The fact is security is a tax. How much are you prepared to pay to feel safe? The reality is it is a sliding scale, so businesses and government alike will pay up to a certain price. It never seems like it is enough and security is seldom managed or implemented as well as we would like it to be.
Too frequently, organisations fix only 'critical' and 'high' risk issues, then pat themselves on the back for a job well done. They never realise how many 'moderate' or 'low' risk issues, which could be trivial to fix, can be chained to conduct devastating attacks against computer systems.
Additionally, organisations typically investigate the security of systems piece-meal, never conducting a comprehensive assessment of the wider enterprise because it is a 'business-as-usual' (BAU) cost, not a funded project. We have glaring holes in our security because so few people take it seriously. Too often they dance around semantics to avoid doing the work rather than simply getting things fixed. Businesses and government are not prepared to pay any more to feel safe. More over, our legal and regulatory landscape does not require us to. Therefore, businesses and government will continue to invest the bare minimum, which is extraordinarily low. This bar is well below other countries and as Australia is now one of the wealthiest in the world, this makes us a very attractive and soft target.
In my time I have seen the evolution of hacking as it has gone from a hobbyist field to become, not only a professional field, but a thriving underground economy.
It has evolved from the basements of hobbyists to professional criminal syndicates, with buyers and sellers trading in anything, including malicious software (malware), and exploits for software to which there is no known fix (0 day exploits).These exploits and malware are used to compromise our systems, personal data and much, much more.
Nations are now building and developing their own cyber offensive capabilities to do the same thing for intelligence and counter-intelligence purposes, and more.
My concern is that if we cannot protect the assets we have today—our credit cards from being stolen, our home computers from being infected, and our personal data from being stolen or leaked—then what chance do we have of protecting the metadata repositories of our combined web, email, SMS and telephone history?
My deep fear is that these repositories will become targets of the same groups our intelligence and law enforcement agencies desire to prevent with such information.
This information in the wrong hands can be used for incalculable harm. People can be extorted, blackmailed, corrupted, framed and more. We have already seen advanced attacks such as Operation Aurora, penetrating deep into Google and other global enterprises, and Stuxnet used to disable nuclear reactors in Iran—and this is just the beginning.
Based on my experience, if this proposal goes ahead, I have no doubt systems will be compromised. It is simply a case of when. If there is one thing I have learned in this field, it is that nothing is ever truly safe.
Given the current legislative and regulatory landscape does not mandate strict security controls, that privacy commissioners have yet to impose serious penalties on any businesses, that government maintains exemptions from privacy legislation, that no data breach notification laws exist, and and that we are a known target of foreign powers and criminal syndicates, it baffles me that the government is proposing to increase the amount of sensitive data collected. It would be an absolute treasure trove to our enemies who already know we cannot protect what we hold today!
I beg you to engage more closely with the private sector information security industry. There are professional associations out there, such as ISACA, representing large groups of experienced professionals.
I urge you to begin consulting with us so that we can all try and understand the problems facing the agencies and how they might be addressed without compromising the values of privacy and the security of the Australian people.
Jarrod Loidl B.Comp, SCF, CISM, CRISC, CISSP, CPT