Australia's chief law officer, Attorney General Philip Ruddock, has delivered the stiffest warning yet to Australia's business community that IT security must be taken seriously by the captains of industry, or enterprises will suffer the consequences.
Speaking at the IDC Australia IT security conference in Sydney, Ruddock said that the government was now backing IT security as a Cabinet level issue and that CEOs must take similar responsibility rather than palming off security to subordinates.
"I firmly believe that, in the current security environment, managers should be accountable for breaches of security. This accountability should apply in exactly the same way as it applies to all other aspects of management. This is a simple proposition. But it is a radical departure from the traditional rules-based approach to security," Ruddock said.
However, he did not let the matter rest there, saying CEOs cannot merely outsource IT security to third parties and evade responsibility.
"This outdated approach allowed managers to leave security issues to the attention of security professionals.
"This is not good enough. In today's world it has to be an all-pervasive approach which addresses the design, implementation and use of all information systems and networks," Ruddock said.
Keen as ever to reiterate the risk of terrorism to Australia's national interests, Ruddock was at pains to avoid reigniting the cyberterrorism debate - frequently referred to as a digital Pearl Harbour - which was publicly discounted by his own intelligence agency ASIO in 2003.
Rather, Ruddock stressed that current IT-related terrorist threats must be considered in the context of a means to a terrorist end - rather than an end itself.
"Given their importance to our economy, we should not be surprised that our IT systems could also become terrorist targets. [Terrorists] fully understand the implications for governments and large corporations if they were able to compromise IT security," he said.
Ruddock urged enterprises to take up the program currently on offer from the government, which co-funds the enterprise-focused Computer Network Vulnerabilities Assessment program.
"We are providing dollar-for-dollar funding to critical infrastructure owners and operators so they can bring in experts to check their systems for vulnerabilities, and examine their interdependencies with other computer systems," Ruddock said.
Generous as the offer is, enterprises must still fund any fixes themselves should they choose to invite in government authorized penetration testers. Unauthorized penetration testers face a different fate.
"Anyone who attacks or disrupts computer services and communications can end up in jail for up to 10 years...anyone using the Internet to hack into computer data with the intention of committing sabotage faces up to 15 years in prison," Ruddock said.
As the Minister in charge of ASIO, the Federal Police and the laws that they enforce, he probably means it too.