Crime institute says govt tenders too soft


Security requirements of government tenders should be toughened to reduce incidents of cybercrime, according to the Australian Institute of Criminology.


Government agencies should also play a "major supporting role" to help IT vendors design more secure products.

Senior research analyst Raymond Choo said the moves would help "cultivate a culture of security" and reduce the instances of cybercrime.

"[Government should] create an environment conducive for ICT service or content providers to achieve marketing and competitive advantages if they offer products and services with higher levels and more innovative types of security," Choo said.

"There will never be enough policing resources to investigate all cybercrime."

He cited the example of the United States National Security Agency, which assisted Microsoft to develop the Windows Vista operating system according to Department of Defense security requirements.

Choo said a "one-stop 24/7 reporting website" could be established to help feed better cybercrime statistics to law enforcement agencies.

"This would also enable coordinated action by government and law enforcement agencies and the private sectors to have a better understanding of the frequency and extent of cybercrime incidents."

"Victims of cybercrime sometimes feel a sense of helplessness, as the mechanisms for reporting cybercrime have not kept pace with our use of ICT," he said.

The difficulties in prosecuting individuals for online crime stem from a lack of consistency of legal frameworks across countries, according to Choo. In order for a conviction to be successful, alleged misconduct must constitute an offence in both the country seeking prosecution and that in which the alleged offence was made.

"Cybercrime prosecutions involving multiple jurisdictions will be an essential response in the foreseeable future," Choo said. "… until the process of harmonisation of laws and sanctions is more advanced, disparities within and between jurisdictions will continue to create risks and impose serious operational burdens on the resources of a jurisdiction's prosecution services."

To this end, countries should establish laws to outlaw the creation of networks used for illegal purposes to crack down on botnets and distributed denial-of-service attacks, Choo said, adding that Australia, Singapore, the United Kingdom and United States have a "relatively comprehensive" legislative framework in place to deal with cybercrime.

"I believe the international community is starting to understand the importance of cross-border cooperation in cybercrime cases not just in online child exploitation cases," he said.

Tougher measures should also be enforced to reduce abuse of the domain name system, according to Choo, including the creation of a stricter domain name registration regime, and ensuring domain names and IP addresses suspected of being used for cyber criminal activities are revoked.


Darren Pauli


Talkback

1 comment
  • Almost thirty years ago the USA propagated its "Orange Book" or the "Trusted Computer System Evaluation Criteria (TCSEC)" and aimed at making its requirements for IT security mandatory for all government purchases (Remember the USA's "C2 by '92"?) Well, today Australia is a signatory to the "Common Criteria Recognition Arrangement (CCRA)" which sets out requirements for security under the now internationally standardised "Common Criteria" as IS15408 (See URL http://www.commoncriteriaportal.org). BUT - what has happened - NOTHING!

    Governments worldwide MUST show the lead by MANDATING enhanced and evaluated security in ALL ICT products and systems for their use...once upon a time they did! Commodity, commercial systems were simply cheaper - and users knew them from their home, school and university usage - so, bye bye to security at the base operating system, middleware, database and like areas...and the result is history now.
    By now - for example - FLEXIBLE MANDATORY ACCESS CONTROL (FMAC) should be a basic requirement for all critical government systems, e.g. such as SELinux (developed and released by the USA's National Security Agency), etc. Cheap DISCRETIONARY ACCESS CONTROL systems just do not meet the security needs of modern government, participating in cyberspace with everything and everyone else. The need is there to create appropriate user/software/data SECURITY PROFILES that are rigorously enforced!
    Well - once upon a time - governments did care - but that was a long time ago!
    caelli