National Security reforms needed before the Internet of Things
The half-way approach putting all Australians at risk: Why it’s time to decide whether security technology should or shouldn’t be regulated by Police and Fair Trading Departments
By Chris Cubbage, Executive Editor, Australian Security Magazine https://issuu.com/apsm/docs/asm_oct_nov_2016
This article concerns the inadequate and unworkable legislation affecting the physical and cyber security sectors in Australia, with State-based legislation being applied where a national approach is required, and urgent reform needed as the convergence of physical and cyber security systems continues rapidly towards the Internet of Things.
In early October, the US government formally accused Russia of hacking the Democratic party’s computer networks and said that Moscow was attempting to “interfere” with the US presidential election. The accusation marks a new escalation of tensions with Russia and came shortly after the US secretary of state, John Kerry, called for Russia to be investigated for war crimes in Syria.
Then there is Ukraine. The December 2015 Ukraine power outages, referred to in the ACSC Threat Report 2016, highlight the “vulnerabilities of critical infrastructure to sophisticated adversaries. In a well planned and highly coordinated operation, an adversary successfully compromised and affected the systems supporting three power control centres, taking down 30 substations and leaving over 225,000 Ukrainians without power for several hours. The adversary also delayed restoration efforts by disabling control systems, disrupting communications and preventing automated system recovery. These effects were the result of over six months of planning and involved a range of activities, including compromise through spear phishing, the theft of user credentials through key loggers, and data exfiltration.”
In late September, security researcher Brian Krebs’ site KrebsOnSecurity was knocked offline by one of the biggest DDoS attacks ever recorded, which peaked at 620 Gbps. The most crucial distinction from a normal DDoS strike: these bots were mostly IoT devices. The majority of the estimated 145,000 devices were CCTV cameras and DVRs, and many of them were using either default passwords or easily guessed ones (“1234”, “password”, “admin”).
In the ACSC Threat Report 2016 a case study described how the ACSC was notified of a cyber intrusion on the corporate network of an Australian critical infrastructure owner and operator. The report informed that “CERT Australia led the ACSC’s incident response, working alongside the AFP and ASD to determine the extent of the compromise and the identity of the responsible actor. Working onsite with the victim, the AFP identified a significant amount of data had been stolen from the network, including sensitive information relating to the organisation’s physical security and layout. The ACSC’s investigation revealed the actor used legitimate credentials belonging to a staff member and a contractor of the organisation during the compromise. The actor was able to escalate their privilege to administrator level, enabling further compromise.”
Physical access to information processing and storage areas and supporting infrastructure must be controlled to prevent, detect, and minimise the effects of unintended access. Buildings containing a designated data centre, for example, will necessarily employ stricter access controls than those that do not. There are also minimum physical access controls which should be practised to govern access to all buildings in an effort to protect information resources. It follows that any Information Security Consultant designing, auditing or reviewing a corporate information system, such as to ISO 27000 standards, is going to advise on the physical security components of that system. But by doing so these consultants are breaching their respective State Government’s Security and Related Activities Acts. These legislative breaches are occurring across the country. When this was raised during the review of the legislation in Victoria, the Victorian Police Minister declined any attempt to reform the legislation, yet confirmed that enforcing it would be overly burdensome and that police will continue to ignore the breaches. The question is why not remove security technology from these attempts at legislation and focus on the intention of these laws: to control the public interface between security officers, crowd controllers and bodyguards. Why are police trying to continue to regulate security technology such as CCTV, access control and intruder detection systems in a physical environment when these systems are now controlled in an IP network environment? The convergence of IP-based systems is effectively complete, despite legacy systems still being around. We are now seeing the emergence of security robots and artificial intelligence in security systems – is this technology subject to legislation? By 2020-2025 the Internet of Things will be too big for police (or anyone) to control or regulate from a technology perspective.
Otherwise police should start requiring Information Security Consultants to get licensed, fingerprinted and audited in each of their respective state operations. Welcome to my world!
So should the cyber security profession be regulated? In the study Tackling Cyber Crime: The Role of Private Security - A Security Research Initiative Report by Professor Martin Gill and Charlotte Howell (June 2016), the research addressed four key areas – the current approach to managing cyber security, the relevance of convergence between physical and cyber security, perspectives on law enforcement, and the potential role of private security in responding to cyber crime. There is now a wealth of information on the scale of cyber crime, including on the so-called Dark Web, and a host of authorities confirm that the costs are astronomical, not least the cost of protection; that the impact can be significant and affect many; and that it appears to be increasing.
In addition, there is evidence that the response is inadequate, and often under-resourced, leaving businesses searching for the right solutions. Eric Hanselman, speaking at IFSEC 2015, highlighted the current problematic position: ‘In the last year, businesses spent $70bn on cyber security. Meanwhile criminals will have made 10-20 times that amount’. The threat is international and, just by way of example, the ACSC Threat Report 2015 summarised: ‘the cyber threat to Australian organisations is undeniable, unrelenting and continues to grow. If an organisation is connected to the internet, it is vulnerable. The incidents in the public eye are just the tip of the iceberg’. So what are our police and government regulators doing about this whilst still trying to regulate the physical security sector? Not much, other than effectively restricting physical and cyber security professionals from cooperating and working together at a national level.
To highlight continued breaches of state security legislation, most commonly around the element of security technology: a WA Local Government engaged a Project Manager to handle a $200,000 public CCTV surveillance project which is to be paid for by WA Police as part of the CCTV Infrastructure Fund. The Fund guidelines stipulate compliance with the Security and Related Activities Act. The Project Management company does not hold a security agent or security consulting licence. In WA, the security industry is bound by a WA Police Code of Conduct formulated under the provisions of Section 94 of the Security and Related Activities (Control) Act 1996. The Code of Conduct requires licence holders to be professional, truthful and ethical, with the public interest in mind, and Part 8 places the obligation on the licence holder to inform the Regulator of non-compliance with the Act.
Having raised this breach with WA Police Licensing, the confusing and wilfully inaccurate interpretation from the Officer in Charge read as follows: “The State CCTV Strategy has been developed following analysis of crime trends involving offences against the person, not property. I have been advised the main purpose of the Strategy is to provide a surveillance role to protect against offences against the person, to create a safer community. The future positioning of cameras is based around this goal. The Security & Related Activities Act (the Act) requires an installer to be licensed to install CCTV equipment for a security purpose. While a ‘security purpose’ is not individually defined in the Act, a security officer and a security consultant is defined as a person who for remuneration watches, guards or protects property, or advises on such matters. To this end, I have interpreted a security purpose as watching, guarding or protecting property, not persons. Watching persons could be described as surveillance, which is not covered by the Act. The WA Police have drafted amendments to the legislation to make the Act clearer and remove such ‘loopholes’. The drafts are not expected to be introduced before parliament until well after the State election next year, and it is intended the industry will be consulted about the amendments before that occurs in any event. While the Strategy is structured toward a surveillance purpose, they recognise the knowledge and experience of the security industry and as such have included requirements for suppliers of services to be licensed, notwithstanding the surveillance purpose rather than a security purpose. As a result, I believe no offence has been committed.” This interpretation is intentionally confusing, wilfully inaccurate, or otherwise shows police don’t understand the very legislation they are duty bound to enforce.
Reports from ASQA earlier in the year on the security training sector confirmed that licensing was “a mess”. In Queensland last month the state government directed its interim training ombudsman to review security training following the deregistration of a security training organisation, with 236 former students advised that their qualifications were no longer valid. ASQA had found the RTO was essentially handing out certificates without providing any training. The industry called for the inquiry to be extended to licensing, and for the federal government to also take a “serious look” at the mutual recognition law and give states more power over licensing. If this could occur in a regulated environment, then what is the risk of it occurring in information security training, where there is a known and urgent skills shortage?
The frustrating aspect of this is that the Federal Government was willing to call a snap meeting of state and federal energy ministers following the South Australian statewide blackout, which prompted calls from the Coalition for a nationally consistent approach to energy security and was seen as a ‘wake up call’. Regrettably this meeting only resulted in another review, but the point here is that those conducting this work should have the wisdom to link energy security to public safety in the full context that ‘security’ deserves. The security sector does deserve, and should continue to demand, this attention; having asked for reform for the last ten years, continuing to ignore it for the next ten will only result in further crisis events and yet more ‘wake up calls’.
As regional and military tensions rise along with the risk of war, Australia’s national security is interdependent and requires a holistic approach – there is no point regulating a security officer at the front door but letting an information security consultant enter without probity, and vice versa. Nor is there any point in regulating the installation of the physical intruder detection system while ignoring regulation of the network’s IDS – doing so makes the entire approach a half-hearted farce. The responsibility rests with our legislators to adopt a national approach to Australia’s security that includes energy as well as social, physical and cyber security. Anything less is clearly inadequate and derelict of the government’s duty of care to all Australians.
Managing Director at TechnologyCare
A strong reason why the security industry may not progress beyond the Neanderthal era. The reasons encapsulated in the following excerpt point to a separation between security workflow and equipment operations. They are one! Ever since the Neanderthal age man has used tools to get on top of the food chain. These tools for security personnel are CCTV, access control, etc. They form part of an approved security workflow. Anyone stating otherwise refuses to acknowledge that the human has evolved into an intelligent being because they use tools to perform their security work more effectively. So the statement extracted below really misses the point and chooses to force the security industry into a Neanderthal state. "While a ‘security purpose’ is not individually defined in the Act, a security officer and a security consultant is defined as a person who for remuneration watches, guards or protects property, or advises on such matters. To this end, I have interpreted a security purpose as watching guarding or protecting property, not persons. Watching persons could be described as surveillance, which is not covered by the Act"
Management Accountant | Financial Management Accountant | Business Accountant | Accounting Specialist | Xero Specialist
Great share, thanks.
Program/Project/Process/Operations/Quality/Leadership/Management./Business Development/Knowledge Management/AI/Cyber/Manufacturing/Production/Governance/Security/Innovation
The philosophy of security needs to be changed to correct and proper digital identification and verification of REAL PEOPLE who then hold recognised digital IDs - www.worldidverification.com; 550 billion IP points meshed on the web and growing; ID real people and then allocate equipment, permissions and governance to the correctly identified people - As we say FACE UP or BACK OFF (military Green Card, Red Card). Today it is also very hard to follow the money - get WorldIDVerification and you're well on the way to sorting your security in your business and operating in the virtual on-line environment. Great article Chris.
Intellectual Property Entrepreneur
Aye aye, totally agree...