Federal government to toughen information security

The scope of a closely watched survey of computer crime and security in Australia has been expanded, with critical infrastructure providers in particular urged by the Attorney-General's Department to participate.
Written by Simon Grose, Contributor

The 2006 Australian Computer Crime and Security Survey -- due for release next month at AusCERT's Asia-Pacific Information Technology Security Conference on the Gold Coast -- has been mailed out to a sample population about four times the number of previous years, an AusCERT representative confirmed.

Kathryn Kerr, manager of analysis and assessments at AusCERT, told ZDNet Australia in a telephone interview the response to the survey had been "substantial" but declined to make further details available ahead of its release.

Kerr said the increase in sample population had been made possible by additional funding that had allowed AusCERT to engage consultancy AC Nielsen to assist in compiling the survey.

A spokesperson for the Attorney-General, Philip Ruddock, told ZDNet Australia by telephone the government had asked AusCERT to include in its questionnaire additional questions for business about the effectiveness of its Trusted Information Sharing Network (TISN), a discussion forum for owners and operators of critical infrastructure.

The government says critical infrastructure includes facilities, supply chains and networks that, if damaged, would harm Australia's social and economic well-being, defence or security. Up to 90 percent of critical infrastructure in some areas is in private hands.

Ruddock's department had increased its portion of funding for the AusCERT survey from about AU$10,000 to around AU$40,000 this year, in part to assist with distribution to TISN members.

Those businesses had also been directly encouraged by the department to fill the survey out.

Ruddock told a technology conference in Canberra this morning the 2005 AusCERT survey had found that the incidence of electronic attack and misuse had declined compared with the previous survey.

Thirty-five percent of respondents reported that confidentiality, integrity or availability of their network had been affected by an electronic attack, down from 49 percent in 2004.

Virus, worm and Trojan attacks were the most commonly reported problems, but these too were down from 88 percent in 2004 to 64 percent in 2005.

"This doesn't mean we can relax but it is pleasing progress," Ruddock said.

"To improve our knowledge base we intend to broaden the scope of the next Australian Computer Crime and Security Survey with a new emphasis on industries identified as managing critical infrastructure."

Ruddock also foreshadowed an agreement with Microsoft, due to be formally signed today, under which the software giant will provide the Australian government with early notification of identified vulnerabilities and specialised briefings in relation to any IT incidents.

"In return we will be sharing with Microsoft information about how the Australian government uses its products," Ruddock told the Government Technology World Conference at the National Convention Centre.

Ruddock also said Standards Australia had been commissioned to undertake an AU$100,000 study of the security implications of existing standards and identify gaps that could render networks vulnerable to attack.

It will look at national and international standards relevant to critical infrastructure, and identify the needs of owners and operators in securing their assets, developing risk management and business continuity plans.

Ruddock said the government preferred to take a standards-based approach to IT security of critical networks rather than regulation and was supporting the development of an integrated security standards framework.

"We can work to encourage good practice through standards without being too prescriptive on how the standards should be met, or interfering unnecessarily with commercial decisions or industry operations," he said.

"Industry makes the hard-headed decisions about investments in new systems and research, and it needs to be able to do so confident that there will be as little interference from government as possible, bearing in mind wider responsibilities."

He said that the work undertaken by the TISN had shown that network owners were willing to expose their systems to testing and that the majority of networks already meet high performance and security benchmarks.

Noting that the government was "now at the pointy end of the [federal] Budget process", Ruddock made a point of mentioning that the Prime Minister has nominated national security as one of the five major challenging areas for government in the years ahead.

"No one should be under illusion that in this area the Australian government lacks focus or commitment when it comes to protecting the lives and freedoms of our Australian people," he said.

"Information security is crucial in meeting the broader security challenge."
