The aftermath of Monday’s revelations about the designs of ASIO’s new Canberra headquarters being leaked to foreign powers showed how naïve we are about information security and the strange obsession Australian governments have with secrecy.
Illustrating this obsession was the 'Media are not allowed' message for hapless scribes arriving to cover the keynote speech of Joe Franzi, the Assistant Secretary Cyber Security of the Defence Signals Directorate, at yesterday’s CeBIT conference in Sydney.
This was despite the room being full of IT workers, managers and other members of the public – most without security clearances but all with smartphones.
Some used those smartphones to tweet out the key points of what was by all accounts a fairly pedestrian speech with nothing that wasn’t publicly available, including references to the DSD’s excellent Information Security Manual, which thankfully isn’t secret and is a good guide to the basics of keeping your IT systems safe.
A vacuous secrecy obsession
An obsession with keeping information secret is a trait of all Australian governments and reaches ludicrous heights such as a Canberra bookshop having a 1920s military manual taken off the shelves last year on national security grounds, despite the fact the Australian War Memorial was happily selling the booklet from its gift store.
State governments are just as secrecy-obsessed. In the past we’ve even seen bus timetables and bushfire locations kept from the public in a perverse quest to protect bureaucrats and politicians from the harsh light of accountability.
Former US government chief information officer Vivek Kundra this week emphasised just how important open government is, citing freely available information as being essential for breaking down government silos, allowing entrepreneurs to build new industries and citizens to fight corruption.
On a grander scale, Kundra believes that governments making the Global Positioning System and the Human Genome Project open to the public are two of the biggest advances in modern civilisation.
In Canberra, on the other hand, the quest is on not just to keep information out of the hands of the public but to gather even more data on citizens.
Later in the CeBIT security stream, Greens Senator Scott Ludlam described how the Liberal and Labor Parties are steadily widening the powers of security agencies to gather even more data which they struggle to understand, let alone secure.
Underscoring Ludlam’s point, the following speaker, Shadow Attorney General George Brandis, justified greater surveillance powers and data retention as essential to the War On Terror and Australia’s national security.
As the ASIO revelations show, protecting all of this information is not a trivial task and it’s not surprising that we’ve seen a conga line of security vendors in recent days all touting how their widget or software package will protect your secrets.
What happened to risk management?
Like much of business and life, data security is a matter of risk management and a question of attitude. As Huawei’s John Suffolk said at the CeBIT security session, “you cannot bolt security onto a product”.
Huawei itself is an interesting study in security paranoia, with the current focus on Chinese hackers overlooking the fact that every country engages in cyber espionage, including Australia.
This of course doesn’t mean we shouldn’t protect our state or business secrets, but we have to start taking a mature attitude on what is valuable and what isn’t.
As John Suffolk pointed out, “people know they’ve been attacked, but they don’t know the value of their assets”.
For businesses and government, it’s a matter of identifying the valuable data that needs to be kept secure while letting things like 90-year-old military manuals, bus timetables and public servants’ speeches see the clear light of day.