Security Professionalisation in Australasia

Security Professionalisation in Australasia

Security Professionalisation is an issue that all who are involved or care about societal resilience should be concerned about. I’ve just written an article for Security Solutions Magazine talking about the efforts that a new organisation, Security Professionals Australasia (SPA) is undertaking to work with the security industry and governments to improve the state of affairs.

The article has been published in the latest edition of Security Solutions Magazine (Nov/Dc 2015) which is available at  http://www.securitysolutionsmagazine.biz/ 

(Disclosure of interest, Alex Webling is a member of SPA)

Privacy Safe Harbour and Australia

Privacy ‘safe-harbour’ and Australia

 – not safe enough?

The decision by the European Court of Justice to declare the Safe Harbour arrangements between the US and EU invalid will have interesting repercussions not only for European citizens and companies such as Facebook and Google, but also for countries that increasingly rely on selling services overseas like Australia and New Zealand.

The decision was made as result of a case brought by Austrian citizen Maximillian Schrems on the use of his data by Facebook and in particular the practices of the US government as revealed by Edward Snowden.

This judgment has the consequence that the Irish supervisory authority* is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data. http://curia.europa.eu press release 6 October
*Facebook European HQ is in Ireland

Safe Harbour, is an agreement that had been in place since 2000. It was supposed to give the protections to private data collected by multinational companies on EU citizens wherever it was stored. This allowed Facebook to store EU citizens’ data in the US or wherever it was most efficient, but required them to treat it to the EU’s standards, rather than the more relaxed US standards.

The judgement is an indication of the deep unhappiness in Europe with the US’s cavalier approach to non-US citizen’s data. The US’s binary approach to citizen rights makes many non-US citizens bristle. It is like the Pax Romana of the Roman Empire 2000 years ago.

This decision will not ‘destroy cloud’ in Europe or elsewhere. However, it will require some reorganisation. In this, it will hurt second and third tier players more than Facebook, Amazon and Google.

Moreover, the decision will not seriously curb mass surveillance. The dirty little (not so) secret is that all countries spy on their citizens for mostly good reasons, including the Europeans. It’s just that the US is better at it than most others.

When the big players jostle, smaller countries feel the waves.

For Australian organisations, not only those who hold EU citizens’ data, this decision should cause them pause for thought. Organisations that do not take privacy seriously, or only respect the privacy of a subset of their stakeholders, need to rethink their approach, if only in terms of the reputational damage of a breech in markets like the EU.

The Internet becomes less than one – Time for an International Law of Cyberspace

The Internet has never been one network for all, As much as some might wish, it is a motley collection of many nets with a very minimal governance. The main effect of this decision is to further balkanise the Internet in a similar way to content geo-blocking and country firewalls.

Smaller countries like Australia and New Zealand should be concerned. We need to be able to trade on an even playing field in services. And that means having an Internet that is common to us and our competitors, both in terms of technology and policy. We need common laws governing cyberspace as much as we need trade barriers on physical goods like rice to be reduced.

This is the time that Australia, New Zealand and similar countries should be pushing hard diplomatically for an international ‘Law of Cyberspace’ which achieves the equivalent that the conventions on the Law of the Sea  achieved for maritime commerce. It took 300 years for the Law of the Sea to come to pass and it’s still being updated – let’s hope that the law of cyberspace takes much, much less time.

 

 

 

Cyber resilience update

Cyber resilience

One of the most important aspects of resilience in the information age is understanding the environment in which we exist. Resilience is adaptability in a changing environment, the more we understand that change, the less painful it is. Here are a few  current issues that might help your cyber resilience.

Alert, but not alarmed
Alert, but not alarmed! – Photo AWebling

Cyber Security Summit – Stanford November 2013

In the shadow of the Snowden revelations about the US and UK, security experts and leaders from more than 40 countries have been at Stanford University in California, USA for a gathering on cyber security.

If you have a sense of irony, you may have listened to the debate on Syria and comparing that to the NSA / Snowden / Internet debate.
– US Secretary of State John Kerry has recently made broad and I think reasonable statements saying that

President Assad had lost the moral authority to rule Syria.

– However that same test can be made against the USA.

 The USA has lost its moral authority to control the Internet

through the activities of the NSA and other government agencies. The full text of Secretary Kerry’s Syria speech can be found here via usembassy.gov. Of course although the USA is the biggest culprit here, the UK, Canada, Australia and NZ have all been shown up.

China was prominently represented at the conference. The Minister of State Council Information spoke about China’s problems. In his speech Cal Mingzhao said that in the first six months of 2013, 20,000  websites were hacked and 8 million servers compromised. According to Minister Mingzhao this indicated a rise of 14% year on year.

China has used the conference to repeat its call for global efforts in building a robust legal system, and strengthening international cooperation. Although I am somewhat cautious about their motives. I believe that the Chinese are on the right track with this view. I have previously made my views clear here in this post about why the world needs the cyber equivalent of an international law of the sea.

It is good to read  that Scott Charney ex US Department of Justice and current Microsoft VP on privacy and security is publicly calling for the US to show more information about what it collects and what happens to that data. Few sensible people disagree that the US and its allies should use maximum efforts against terrorists.

The US has lost support because it has strayed away from its stated goal of combatting terrorists and towards industrial espionage and employed tactics which compromise the majority in the pursuit of this goal such as the backdooring of encryption algorithms.

 

In other news

The Canadian Office of the Superintendent of Financial Institutions has released a ‘Cyber-Security Self Assessment Guidance for Canadian financial institutions, but which provides some good advice to any organisation looking for a template to help them.

Unlike the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Preliminary Cybersecurity Framework, which was released for public comment on October 22, 2013, the Guidance does not prescribe a common language or mechanism for financial institutions to control and manage cyber security risk nor does it expressly build on existing standards, guidance and best practices for managing cyber security risk. In fact, in the Guidance, OSFI indicates that it “does not currently plan to establish specific guidance for the control and management of cyber risk.”

Rather, the Guidance sets forth an 11-page self-assessment template that sets out “desirable properties and characteristics of cyber security practices that could be considered by a FRFI when assessing the adequacy of its cyber security framework and when planning enhancements to its framework.” Of course if you’re a Canadian bank trying to do business in the US..

www.offi-bsif.gc.ca

Lastly, in the ‘this might be a little insane’ category

A US (Missouri) based cyber crime prevention network is advising parents to teach their children about cyber-security from the time they are toddlers.

www.kshb.com

I can just imagine it – “Our little Johnny fixes our firewall whilst we sit him on the potty…..” But seriously, of course keeping kids safe online is important in the same way as keeping them safe in the real world, but maybe they should learn to read first.