ADDRESS TO THE E-SECURITY FOR GOVERNMENT 2009 CONFERENCE

Melbourne

Wednesday, 23 September 2009

CHECK AGAINST DELIVERY

First, may I acknowledge the traditional owners of the land we meet on – and pay my respects to their elders, both past and present.

Australians are becoming more and more dependent on information and communications technology (ICT) for a range of purposes and functions.

We use computers for transactions online, to communicate with others, search for information, manage finances, watch movies, and even to control equipment in industries such as mining and manufacturing.

According to the Australian Bureau of Statistics, Australia had over 7 million internet subscribers as of June last year, an increase of 800,000 from March the preceding year. Of those 7 million, 78 per cent subscribe to broadband services.

ICT is, unquestionably, a driver of economic growth, prosperity and broader social wellbeing.

This has been clearly acknowledged through the Government’s commitment to a world-class high-speed National Broadband Network.

High-speed broadband is increasingly essential to the way Australians communicate and do business.  It will help drive Australia’s productivity, improve education and health service delivery and connect our big cities and regional centres.

However, with the increased benefits that ICT delivers, there is greater vulnerability if things go wrong. 

Australia’s ever increasing dependence on ICT means the Government must remain vigilant to emerging online threats.

The Australian E-Security Landscape

We all face a growing number and range of risks online. 

There is significant criminal activity online, such as the recent theft of 130 million credit cards in the United States. Hackers, organised criminals, cyber espionage and, in the extreme, cyber warfare and terrorism are all ‘e-security’ threats.

In his National Security Statement, the Prime Minister recognised e-security as one of the top ten national security priorities for Government.

That is why the Government, in the 2009-10 Budget, committed an additional $8.8 million to e-security initiatives.

But what do I mean when I talk about ‘e-security’?

I’m talking about measures to secure Australian information and systems – to protect ourselves within Government and to provide tools to all Australian internet users to protect their information and systems. E-security is also about preventing unauthorised access and protecting the integrity of our data.

The Government understands the complex nature and scale of the challenge of securing our information and communications systems and has a range of policies and programs in place.

Last year, the Government conducted a comprehensive review of its e-security arrangements.

The ‘E-Security Review’ underlined the imperative of maintaining a secure and trusted electronic operating environment for both the public and private sectors.

Importantly, the Review recommended three new core capabilities, including:

  1. the creation of a new national Computer Emergency Response Team (CERT);
  2. a study to examine options to reduce the number of gateways between Australian Government networks and the internet so as to maximise efficiency, reliability and security; and
  3. the establishment of a Cyber Security Operations Centre.

The Review also recommended a number of other initiatives, including:

  • the establishment of trusted information exchanges with sections of the private sector;
  • the creation of a code of practice for Internet Service Providers (ISPs); and
  • the development of a whole of government international engagement strategy for e-security. 

Today, I would like to outline some of these important new initiatives.

The Government’s e-security focus is on three key priorities:

  1. reducing the e-security risk to Government systems;
  2. reducing the risk to critical infrastructure; and
  3. enhancing the protection of home and small business users from electronic attack and fraud.

Reducing the e-security Risk to Government Systems

The Government has a special responsibility to protect public information it is entrusted with. It is also our role to set an example of best practice to help influence the practices and standards of the private sector and everyday internet users in Australia.

The Government recognises that the decentralised approach to ICT planning and procurement adopted in the past can in some instances be ineffective and bad practice.

In terms of security, the decentralised approach has produced disjointed systems across agencies and levels of Government.

This approach has focussed primarily on the protection of information within individual agencies, instead of focussing on how information can be securely and reliably shared between agencies or on how to protect the personal information of citizens when they are transacting with governments online.

We must strive for consistent security standards across government systems to facilitate more efficient cross-government communications which result in an improved consumer experience.

That is why we are building security considerations into the approvals process for major government ICT projects – another recommendation of the E-Security Review.

In addition to this work, the Government also announced, in this year’s Defence White Paper, the establishment of the Cyber Security Operations Centre (CSOC) within the Defence Signals Directorate (DSD) to provide Government with increased cyber security situational awareness.

CSOC will coordinate responses to cyber security incidents of national importance and maintain a 24/7 watch on cyber security activities which might threaten Australia’s national security.

It will be staffed from agencies including the Australian Federal Police (AFP), the Australian Security Intelligence Organisation (ASIO), and my Department.

Reducing the e-security Risk to Critical Infrastructure

As I’ve noted on previous occasions, a business-government partnership for e-security is essential to our efforts in this area as expertise exists across all sectors and must be harnessed.

GovCERT.au, in my Department, has been working for several years to assist critical infrastructure and key businesses to protect themselves by briefing them on sophisticated electronic attacks.

This work will now be strengthened under new national Computer Emergency Response Team (CERT) arrangements.

As announced in this year’s Budget, the Australian Government is consolidating Australia’s existing computer emergency response arrangements into a new national computer emergency response team, or CERT.

It will provide a single point of contact for the public to access information on cyber threats and information on how to better protect themselves. It will also build on the existing GovCERT’s success in providing targeted information and assistance to critical infrastructure and key Australian businesses.

The new national CERT arrangements will be operational in early 2010 and will complement the Cyber Security Operations Centre I just discussed.

To further support critical infrastructure and key business, three information exchanges have also been established this year. These exchanges will enable business and government to share specific technical information quickly, and in a trusted manner.

The exchanges cover three critical sectors:

  1. Communications;
  2. Banking and finance; and
  3. the users of control systems in energy and water utilities.

I note that control systems, including supervisory control and data acquisition systems (SCADA), are important because they are used for remote monitoring and control in the delivery of many of Australia’s essential services.

To support this critical business technology, 30 participants from Australian critical infrastructure organisations and the Government will attend a control systems advanced cyber security training workshop conducted by the United States Department of Homeland Security.

Participants will learn how to secure control systems from attacks; understand how attacks are launched and why they work. Importantly, they will also be able to take away strategies to protect their organisations from cyber attacks.

My Department and the Department of Broadband, Communications and the Digital Economy have provided grants totalling $120,000 to critical infrastructure organisations to attend this training.

I am also pleased to announce that Australia will participate in the international cyber security exercise, Cyber Storm III, led by the United States to be held in September 2010.

Cyber Storm III will test how protective cyber security information is shared, and how Australia coordinates its response during a cyber crisis. The exercise represents a practical way for business and government to test our arrangements for protecting our information from cyber threats.

Enhancing the Protection of Home and Small Business Users

An important aspect of the Government’s business-government partnership for e-security is the information shared with the internet industry.

The development of a code of practice for Internet Service Providers (ISPs) is another initiative that the Government is pursuing as a result of our E-Security Review.

ISPs sit at the gateway of the internet, which is why it is important that we work with them to develop an e-security voluntary code of practice.

This effort is being led by the Internet Industry Association and will provide a consistent approach for Australian ISPs to help inform, educate and protect their clients in relation to e-security issues.

This work will build upon the important Australian Internet Security Initiative, under which the Australian Communications and Media Authority (ACMA) shares data with ISPs about compromised computers on their networks so ISPs can then inform and help affected customers. This program now covers at least 90 percent of Australian ISPs.

To help all Australians protect their identities, privacy, finance and other sensitive information online, the Government also has the ‘Stay Smart Online’ website hosted by the Department of Broadband, Communications and the Digital Economy.

This website provides easy to understand, non-technical information for all Australian internet users to better secure their personal computers and have confidence when using the internet.

Cyber Crime

While pursuing these priorities, we must also pursue measures to deal with the threat of cyber-crime.

Criminals, particularly organised crime syndicates, are increasingly taking advantage of the online environment to conduct their activities.

Every day, we are dealing with online crimes, from the modification of a computer system to prevent it from carrying out its normal function, to traditional crimes such as fraud and theft conducted through technology.

As an example of this activity, spam has increased from 50 per cent of all emails in 2006 to around 90 per cent in 2008. Approximately 80 per cent of these spam emails contain malware attachments or links to malicious websites.

The Government is committed to maintaining appropriate laws to ensure that cyber crime is addressed, investigated, and those found to be committing crimes prosecuted.

The AFP have a specialised investigative capacity to support the identification and investigation of complex technology enabled crime offences. In March 2008 the AFP established the High Tech Crime Operations portfolio to directly work with industry and Government in the prevention and detection of cyber crime.

The AFP also plays a proactive role in raising the awareness of e-security and cyber-safety risks through its Crime Prevention Team.

The Team implements strategies that assist Australians to protect themselves online and also identifies groups committing the crimes to provide information to foreign law enforcement agencies to aid prosecutions overseas.

Conclusion

In conclusion, I would like to leave you with this message: Security is an enabler of online activities. It enhances the trust and confidence of all users.

I have spoken today about the outcomes the Government is seeking for e-security. As Government IT professionals, your efforts will be critical in translating these outcomes into practical actions, systems and business processes.

The Government takes threats to our e-security very seriously.

We are committed to a holistic e-security framework to tackle cyber-crime and to ensure online security for Government, critical infrastructure and ordinary Australians at home and in small business.

I wish you well in the Conference and commend you for your efforts.

Thank you.