Govt, spend up and keep it need-to-know

Summary: Today the Federal Government asked for suggestions on how agencies could better protect citizens' online information.

Today the Federal Government asked for suggestions on how agencies could better protect citizens' online information.

It noted that it is easier for people to access government services when they are online, but that cyber criminals are becoming ever more bold — and government information is a wonderful repository of information for them.

The Australian Government Information Management Office wants to develop guidance to help government agencies reduce security risks to the public from their dealings with government.

My first suggestion would be, as I have said in a previous blog, that the agencies educate those using their services as much as possible. Users are often the reason that things go awry, as is made evident by the PEBKAC acronym.

The government also needs to learn from Vodafone's recent security mishap when dealers were able to access too much information. The sharing of citizen information by governments should strictly be on a need-to-know basis.

This brings me to the new legislation passed in the Senate, which allows the Australian Security Intelligence Organisation (ASIO) to share the results of spying and interviews with other agencies. This really needs to be handled very carefully, or we could have all sorts of information flying around that shouldn't be.

I would also suggest that agencies make sure their cybersecurity spend is high enough, and that they not fall into business-as-usual slashing in this quarter. Yes, it's a cost, but our identity is precious. Spend especially needs to be made in the areas of training and keeping security staff happy so that they aren’t poached by the ravenous private sector. To take advantage of specialist skills, there should be constant connection with specialist centres such as CERT Australia and the Defence Signals Directorate.

Given how important our personal information is, especially medical information that is supposed to be going into a Personally-Controlled EHealth Record, I also wonder if we need to start thinking like a bank does; multiple-factor authentication, perhaps even involving biometrics.

To make sure it's not onerous, a federated ID should be rolled out across all levels of government. I am "me" for every transaction I have to make with the public sphere.

And when a data breach occurs, we want and need to know. Firstly, this will put pressure on agencies to learn from past mistakes. Secondly, it will allow citizens to take appropriate actions to protect their identities and spur us to take more care in our personal security. And lastly, it will hopefully lessen the likelihood of budgets being cut in that area, as it will become a public concern.

Topics: Government, Government AU, Security

Suzanne Tindal

About Suzanne Tindal

Suzanne Tindal cut her teeth at as the site's telecommunications reporter, a role that saw her break some of the biggest stories associated with the National Broadband Network process. She then turned her attention to all matters in government and corporate ICT circles. Now she's taking on the whole gamut as news editor for the site.

  • Interesting to note that while all the focus is on how to protect public information on Government databases, there isn't too much concern about government data stored on private company databases.

    ASIO has recently been alerted to an Australian company that is (was?) a supplier to departments such as DFAT, AFP, RTA, DoD, BOM, CSIRO, NSW Police and more, whose database was open to anyone on the Internet!

    If you wanted a government department's credit card details all you needed was an IP address to log on to the database, no user authentication needed. The company's extranet was taken off line on March 13 this year, thank goodness. But who knows who has had access to the data? My comment:

    As for personal information security? A joke, people post more information about themselves on Facebook and Linkedin than any gov't agency would ever need...
  • The answer to privacy is separation of one's identity from one's other data, which means all the things you own; all the things you do; and all the transactions you undertake. Project ERNA at aims to do just that.