In the US, government CIOs are on the front lines defending IT infrastructure and information security. But the rules of engagement are still emerging here.
September 11, 2001. Newspaper headlines told us that it was "the day that changed everything". Sure, it was a cliche, yet in many ways it has since proved to be true. Politically, economically and militarily, the world is now a different place.
If America's government IT sector had previously been more complacent about terrorism than its counterparts elsewhere in the world, as its critics have alleged, since September 11 it has been anything but. Here in Australia things are moving much less dramatically.
Within days of the Al-Qaeda attacks on New York and Washington, America's National Association of State Chief Information Officers (NASCIO) had circled the wagons. On September 19, the organisation issued a statement announcing that it would place a greater emphasis on security and infrastructure problems.
One month after the attacks the association met in Washington, DC to develop its unified response to future terrorist threats. At that meeting an action plan was drawn up to kick-start technology and information-sharing practices for state-to-state communications and for further interaction between US federal and local governments.
While the terrorist attacks in the US certainly brought about a heightened awareness of the general security issues impacting Australia, Environment Australia CIO David Anderson says there was no knee-jerk reaction. "We were already looking at our IT security and disaster recovery at the time of the attacks. Since then we've built on what we were doing, looking closely at our potential weaknesses," he says.
Anderson likens the renewed focus on security to the Y2K process. "We've been taking a structured, systematic approach. At the same time central agencies have been taking a whole-of-nation approach." He says these agencies are pooling and sharing intelligence about security threats and the advice coming from these agencies is quite comprehensive. One example: Web pages providing ample guidance on how to handle anthrax.
Paul O'Rourke, PricewaterhouseCoopers' (PwC) director of sales for identity management and security practice, concurs with Anderson that there was no pressing need to change direction. He says Australia's entire government IT sector was already focused on security at the time of the attacks. "Our government has been on top of this for the past two or three years. It's actually quite advanced; the banks are only now moving in on this."
Yet while not disagreeing with the general principle that Australian government IT security does not need a radical overhaul, Steve Bittinger, Gartner's Canberra-based research director, says he has definitely noticed an increased awareness of security issues amongst Australian CIOs since the September attacks. Earlier this year he spent a lot of time travelling the country explaining those issues and their implications to clients. "More than anything else, the World Trade Centre attack clearly demonstrated there will always be some vulnerability that we don't expect. The question is how do you deal with that?" Bittinger says.
Like Anderson and O'Rourke, Bittinger believes the lessons to learn from September 11 are more about business continuity and disaster recovery than any specific security threats from cyberterrorism. "There was a wake-up call," says Anderson, "but it was for disaster recovery. We're now looking at issues like the physical security of our buildings."
Australia's general approach is in stark contrast to the way things are shaping up in the US. Over there, everything is being reassessed.
Of course, America's more dramatic and immediate reaction to the terrorist attacks is understandable. Relentless TV coverage and the sheer scale of the destruction at the World Trade Centre make it easy to overlook the point that the Pentagon building in Washington was also attacked - a move that struck right at the heart of government and directly affected US public service information technology.
And the US has been undeniably quick to react. On one level the idea is to develop a grand strategy to deal with any kind of attacks on US government computers. On another there are moves to remove impediments such as privacy laws restricting some agencies from sharing data with state and local governments. Also on the agenda is a move to examine the way states assess the vulnerability of their systems, extract the best practices and then standardise those procedures, building a template for all states to follow.
As a consequence, security issues have moved to the top of the agenda for US federal government CIOs. The Information Technology Association of America's (ITAA's) annual survey of federal CIOs carried out earlier this year found that the focus of federal government CIOs has shifted sharply away from issues to do with electronic government towards information security and infrastructure.
A February press release from the ITAA states: "The overriding issue facing the CIO community is its efforts to address the broad security concerns raised by the war on terrorism. These efforts fall into four categories: securing the Internet against terrorist acts; providing integration of appropriate data to better fight terrorism; ensuring that Internet information content does not aid the enemy; and ensuring a robust infrastructure with particular emphasis on telecommunications."
The same set of issues applies in Australia, but there are some significant differences of emphasis. As already mentioned, there is some debate here about the specific nature of the risk. The Australian Security Intelligence Organisation (ASIO) is the organisation charged with evaluating and advising government about security risks. ASIO is not saying much publicly, but in a transcript of a speech made by its director-general Dennis Richardson to a government task force meeting in March involving government and private industry interests, Richardson played down the immediate threat to Australia's information systems.
In his speech he told delegates that while there has been much talk of cyberterrorism, so far ASIO has not seen much evidence of it. "Most prevalent in the world of political propaganda is the defacement of Web pages with political messages. We would consider this equivalent to graffiti on a wall," he said. Richardson dismissed threats to credit card and other personal information as forms of extortion and blackmail rather than cyberterrorism. However, he went on to outline a less obvious security threat posed by the Internet.
"It is not unreasonable to believe future acts of terrorism may target the critical networks on which we depend - networks for producing and distributing energy, information, water, food and government services. The energy system has high-value nodes like refineries and substations. Simultaneous attacks could be mounted - their locations are often on the Internet. Some of the systems are mapped for anyone to find and interdependencies with other systems are explained. And that is something you should consider when putting information on a Web site," Richardson said.
Richardson said that computers left behind by Al-Qaeda members in Afghanistan show evidence that terrorists used the Internet to research critical infrastructures in the West. He said they were, and probably still are, looking at Web sites with information about nuclear reactors, water supplies, bridges and the like. One of the problems with controlling this information is that it often lies outside the government orbit. Companies wishing to promote their services often provide information on commercial Web sites either to impress shareholders or in an effort to win further business.
Richardson said that both government and business Web site operators should apply three tests before providing information. First, ask if someone intent on causing harm could misuse the information. Second, determine if the information could be dangerous if used in conjunction with other publicly-available information. Third, ask if the information could be used to target personnel or resources.
ASIO's director-general might not consider the hacking attacks to be the most immediate threat, but that is not the only opinion. Figures from AusCERT, the Australian Computer Emergency Response Team, show that the number of reported hacking attempts climbed from 1300 in 1998 to more than 8000 in 2000.
In recent years the Australian Department of Defence has been working with other government agencies and private sector companies to scope the extent of the threat from cyberterrorism and information warfare. And last year the government allocated $2 million to create the E-Security Coordination Group.
Some of the threats look very real. For example, Bittinger was giving a security presentation in Australia last year on the day the news broke about Chinese hackers defacing US government Web sites and taking the White House site off-line. He says there was quite a strong reaction to the news from the audience. "Some of the attacks were traced back to IP addresses allocated to Chinese government sites. Of course, one of the favourite hacker ploys is to cover trails by using intermediate machines."
Environment Australia's Anderson agrees with the ASIO line that hacking attacks cannot really be seen as a form of terrorist activity. "We're more concerned about international hacking and what comes from that. Our concern is to maintain the network and its integrity."
Nevertheless, he says that hacking has not really been a major problem for his department, though he admits this may have more to do with the fact that Environment Australia does not use Microsoft e-mail or Internet products, which are the favourite and relatively vulnerable targets of hacker groups. Another reason his organisation is out of the firing line is that it is a policy department and therefore not a prime target.
Most Australian government IT people and the security industry that services them say that simpler problems like computer viruses appear to be more persistently troublesome than hacking. Gartner's Bittinger says the speed of virus infection is increasing. "They used to take months or weeks to circulate; the Code Red virus was spread around the world in hours; future attacks will spread in minutes."
He says there's a real need to develop more rapid responses to all these threats. "System operators should take moves to build fortress walls - but this is not the whole answer. There will always be new ways to attack. The key lies in getting good security advice and being able to apply that in real time."
Outsourcing Security Issues
Perhaps the most controversial aspect of Australian government IT security is the way the issue intertwines with outsourcing.
Last year ASIO conducted a threat and vulnerability study in conjunction with the National Office of the Information Economy (NOIE), the Defence Signals Directorate and the Australian Federal Police. The study wasn't directly concerned with government IT - it actually looked at commercial industry sectors - yet ASIO's Richardson says one of the issues to emerge was the need for a greater focus on IT security, including within outsourcing contracts.
To date most of the debate concerning security and government IT outsourcing contracts has centred on data privacy concerns, but more general security issues also apply. As Bittinger says, "If an outsourcer is dealing with sensitive information, how can I know they are protecting my data?"
Naturally, companies selling outsourcing services to government tend to include a security component in their contracts. For instance Anderson, whose department is part of the Group 8 outsourcing consortium, says security depends on the arrangement. "It's not a question of being easier or harder. We need to be clear about what the vendor is doing for us. The vendor has responsibility, but we tend to be proactive and ask questions about what is being done," he says.
PwC's O'Rourke says he sees Australian government and commercial organisations moving on from a simple focus on security threats towards risk minimisation with an emphasis on matters such as audit compliance and business continuity issues. As one of the commercial organisations accredited by NOIE to provide Gateway digital certification, he says PricewaterhouseCoopers has seen dramatic growth in identity management and business continuity strategies right across the board. However, he says this is driven as much by the new privacy legislation as by straight security concerns.
Ultimately it appears the events of September 11 have done little to change the general thrust or much of the specific detail of government information security strategies in Australia. On the other hand the events did a great deal to concentrate minds on the bigger picture with more focus on continuity and managing the risk.
As Bittinger says, this starts with recognising the very real nature of the threat. "Yes, something will happen in future. But the world's a big place, so it isn't likely to hit your organisation first. However, it's important to be prepared and that means tapping into the world's best practice security."
No Security Czar for Oz
Top 100 face security breach reporting scheme
Computerworld reports the federal government has abandoned plans to appoint a dedicated cyber security czar to protect Australia's national information infrastructure (NII). Attorney-General's Department NII senior adviser Michael Rothery said there was little private sector support for a dedicated security czar, because there were fewer than 100 companies safeguarding Australia's critical infrastructure and they preferred to liaise directly with the Attorney-General's Department.
"They did not want to import a model from overseas, they wanted a framework with an Australian flavour. We are too small to have a full-time cyber czar unlike the US which has to deal with IT security issues on a much larger scale with broader geographic reach," he said.
However, the publication reports the government is moving ahead with plans to implement a national reporting scheme to monitor security breaches within Australia's top 100 companies.
The role of AusCERT (Australian Computer Emergency Response Team) will also be strengthened to provide a reporting scheme for companies outside of the essential services sector.
AusCERT currently provides a subscription service for security alerts, but Rothery said new services will be introduced free of charge and support offered to encourage companies to report breaches, so threats - and how they specifically impact Australia - can be measured.