Open Letter to Attorney-General Nicola Roxon

Dear Ms Attorney-General Nicola Roxon,

I am writing this letter in opposition to the proposed data retention schemes. I understand this is still early days and that the concept of metadata has yet to be bedded down; however, I would like to offer my comments, in a broad sense, about what these proposals mean and what I anticipate the likely outcomes to be.

While I cannot speak for the intelligence, law enforcement and government agencies in favour of such a proposition, I do believe I can speak on behalf of counterparts within the information security industry.

I have worked in this field for eight years. Not as many as some, but enough to feel I can comment on this discussion.

Our industry is very small, but we are the people who build, design, run and manage the security controls which protect the information on which our society is dependent.

We look after your email, your proxies (which contain your browsing history) and your desktops which contain your files. We guard utilities such as gas, water, power and the critical infrastructure which drives it. We look after your favourite e-commerce sites that contain your purchasing history and preferences. We look after your bank accounts that pay for it all. We also test the security of these systems by breaking into them. And when it goes wrong, when something gets hacked, stolen, leaked or printed in the media it is us who get the call to investigate.

The fact is security is a tax. How much are you prepared to pay to feel safe? The reality is it is a sliding scale, so businesses and government alike will pay up to a certain price. It never seems like it is enough and security is seldom managed or implemented as well as we would like it to be.

Too frequently, organisations fix only 'critical' and 'high' risk issues, then pat themselves on the back for a job well done. They never realise how many 'moderate' or 'low' risk issues, which could be trivial to fix, can be chained together to conduct devastating attacks against computer systems. Additionally, organisations typically investigate the security of systems piecemeal, never conducting a comprehensive assessment of the wider enterprise because it is a 'business-as-usual' (BAU) cost, not a funded project. We have glaring holes in our security because so few people take it seriously. Too often they dance around semantics to avoid doing the work rather than simply getting things fixed. Businesses and government are not prepared to pay any more to feel safe. Moreover, our legal and regulatory landscape does not require us to. Therefore, businesses and government will continue to invest the bare minimum, which is extraordinarily low. This bar is well below that of other countries, and as Australia is now one of the wealthiest in the world, this makes us a very attractive and soft target.

In my time I have seen the evolution of hacking as it has gone from a hobbyist field to become, not only a professional field, but a thriving underground economy.

It has evolved from the basements of hobbyists to professional criminal syndicates, with buyers and sellers trading in anything, including malicious software (malware) and exploits for software for which there is no known fix (0-day exploits). These exploits and malware are used to compromise our systems, our personal data and much, much more.

Nations are now building and developing their own cyber offensive capabilities to do the same thing for intelligence and counter-intelligence purposes, and more.

My concern is that if we cannot protect the assets we have today—our credit cards from being stolen, our home computers from being infected, and our personal data from being stolen or leaked—then what chance do we have of protecting the metadata repositories of our combined web, email, SMS and telephone history?

My deep fear is that these repositories will become targets of the very groups that our intelligence and law enforcement agencies hope to stop with such information.

This information in the wrong hands can be used for incalculable harm. People can be extorted, blackmailed, corrupted, framed and more. We have already seen advanced attacks such as Operation Aurora, penetrating deep into Google and other global enterprises, and Stuxnet used to disable nuclear reactors in Iran—and this is just the beginning.

Based on my experience, if this proposal goes ahead, I have no doubt systems will be compromised. It is simply a case of when. If there is one thing I have learned in this field, it is that nothing is ever truly safe.

Given that the current legislative and regulatory landscape does not mandate strict security controls, that privacy commissioners have yet to impose serious penalties on any businesses, that government maintains exemptions from privacy legislation, that no data breach notification laws exist, and that we are a known target of foreign powers and criminal syndicates, it baffles me that the government is proposing to increase the amount of sensitive data collected. It would be an absolute treasure trove to our enemies, who already know we cannot protect what we hold today!

I beg you to engage more closely with the private sector information security industry. There are professional associations out there, such as ISACA, representing large groups of experienced professionals.

I urge you to begin consulting with us so that we can all try to understand the problems facing the agencies and how they might be addressed without compromising the privacy and the security of the Australian people.

Kind regards,

Jarrod Loidl B.Comp, SCF, CISM, CRISC, CISSP, CPT

Comments

Tony Payne

1

Very eloquent but lacking one thing. An explanation of "metadata for dummies", as it is currently understood, despite the term not having yet been bedded down.

Tony Payne

2

Since I wrote my first comment the term "index" as a simple way to describe metadata came to mind. It doesn't encompass the concept of metadata in full, but it's a fairly close match and one that most people could relate to. You could describe metadata as being similar to an index to the actual data.

Hope this helps.

Tony P.

itsec

3

I agree with the sentiment of your article; the suggestion that I'd put forward is to view security as the necessary protection of assets in an environment.

What many seem unwilling to accept, and hence defend against, is that the attacks on computer systems can be executed from across the globe in seconds and are conducted by attackers highly skilled.

Sadly, my experience responding to intrusions into computer systems reflects a similarly grim view of the level of effort by organisations to protect their IT systems.

Dreamer

4

Alas, the current energy of our legislators seems to be solely focused on addressing the 'confidentiality' concerns of its citizens and completely missing the opportunity to equally address the 'availability' and 'integrity' concerns that need to be taken into account to provide an assurance that the IT systems that support our society are kept safe.

We can only hope that there will be similar energy spent to address the legislative gap in addressing the shortfalls made by Government agencies and private enterprises to apply reasonable security controls to ensure the availability and integrity of our information and critical systems too.

Ymr

5

This article correctly explains the increasing dangers of cyber-warfare sponsored by nation-states who do not observe our concepts of privacy etc. The analogy of data retention laws to taxation is valid because of the analogy about government resources to use to protect citizens. But will the lower levels of data retention as favoured by civil libertarians actually deliver more protection from cyber enemies? This assertion seems to be very tenuous.

Jarrod Loidl

6

Ymr - very valid point. And the truth is I wouldn't be opposed to increased data retention for a number of reasons. I have used metadata in other roles where it wouldn't otherwise be possible for us to detect malicious activity on the network, and I know that is already true for many security operations folks - so I understand the basic argument for it. On the flipside of that, however, law enforcement have not clarified the types of cases they are dealing with, the tactics used and why metadata is an essential step in the process. It is heavy handed to ask for more data when you haven't explained why you need it.

If the legislative groundwork is in place, organisations already know what their obligations are and the consequences for failure to protect data. While I still think there is an extreme danger, it means that the level of maturity when it comes to information security is at a much higher level and we can have these discussions reasonably. Already, some countries (I'm thinking banking regulations in some countries) actually have criminal sentencing for executives who fail to meet their obligations. We need these sorts of laws before we can even think of discussing this seriously.

This then leads into the very definition of metadata - what data are they collecting, for what communication mediums, lengths of time for retention, etc. Also, would government departments and agencies remain exempt from privacy legislation should these systems be compromised? Does this data have a requirement to be de-identified in accordance with NPP? What about breach disclosure? In cases where I had access to metadata in other roles, the data was not tied to an individual and so, in and of itself, was not considered private. We could link it back if needed, but on its own it couldn't be used to identify individuals. We do not know if the same holds true under this proposition.

All in all, my main point is that we - as a country - are simply not ready to even contemplate such drastic solutions. We are still too far behind in our maturity and approach towards information security.

itsec

7

Dreamer,

I'd suggest that the Government's focus on the "Confidentiality" aspect of this matter is that unless the citizens are satisfied that the protection mechanisms are adequate, then data retention laws will simply be too unpopular for the Government to implement. "Integrity" would be a secondary concern to most citizens; well, at least until they (personally) are falsely accused of a crime based on the information in the system.

The consumers of the information in this repository (i.e. law enforcement) would be concerned about Integrity and Availability. Insufficient Integrity and they won't be able to rely upon the information in court; a lack of Availability and the information they want won't be recorded or accessible when required.

Different stakeholders have different priorities on the C-I-A aspects of such a system.

des pensable

8

You seem to be addressing the problem from the point of view of a data manager looking after a company network's secrets. This legislation will potentially affect millions of individual people out here on the Internet. Young girls and women making calls to their lovers, old women and men making telephone calls to their doctors about their illnesses. To record and keep these conversations is an invasion of privacy! It's nothing to do with computer security or company files or profits or dodgy deals. The government is breaching its right as a democracy and free country to invade people's houses and lives. Keeping the bastards out is akin to keeping them honest.

Comments are now closed.