Follow Oz on security: ex-NSA CIO

The private sector in other parts of the world could learn from Australia's example on cyber security by taking matters into their own hands, according to the former CIO of the US National Security Agency Dr Prescott Winter.
Written by Michael Lee, Contributor


Winter, who is now CTO of HP's enterprise security portfolio, highlighted the recent results of a US study which found that over three quarters of the agencies failed to correct known vulnerabilities.

"I don't think that the numbers there are necessarily any worse than they are in governments elsewhere; they may be better in fact, in some cases," he said. "Many agencies with important information are just doing a sub-standard job of protecting themselves."

When it came to Australia's private sector, though, he said that the picture painted was very encouraging.

"People are well aware of the problem and are moving fast. I see action in some of the key areas that is highly focused and very effective."

Winter pointed towards the Internet Industry Association's voluntary Code of Practice as being something that no one else had done.

"The fact that it's done by industry taking a leadership role is just an incredibly important example for the rest of the world to take note of."

He also thought that private sectors elsewhere in the world could do better by taking matters into their own hands.

"I think every country needs to think about this at a global level and a national level in terms of where you can get the best response, but today the simple fact is that most enterprises are still the front line for protecting themselves.

"In the US, we've been waiting for the government to make some major actions on this point for a long time and while it has started to move fairly aggressively to protect internal government assets — cyber assets — I don't think it's doing as effective a job as some of the countries elsewhere in protecting the larger corporate environment, the private enterprise or the individual user."

But while the private sector should take the initiative, Winter said governments shouldn't shirk their responsibilities.

"Governments have a huge role to play in this because they are increasingly the stewards of an enormous amount of personal information, corporate data, tax data, healthcare data, other things like that, that all have lying in them, economic value and/or the possibility of fraud and other kinds of mischief."

He also raised the point that it was becoming clear that certain governments were moving to the offensive, with governments endorsing hacking for national interests, even if no one was openly stating so.

"There can't be any doubt that there is at least a level of support for these activities or certainly an open acceptance of these kinds of activities. It's pretty clear in the case of China, particularly, that there are national, strategic mandates that are being served by these kinds of attacks on intellectual property."

As an example, Winter brought up Rio Tinto and BHP Billiton, which, together with Fortescue Metals, had their networks compromised in April last year.

"Well, that doesn't sound very sexy, what's the big deal there? Well, China wants to build the world's biggest steel industry, so understanding what the world's biggest iron ore producers are doing, where the resource bases are, how they plan the market, what the cost structures are like, how that's going to roll out over the ensuing months and years, all that becomes really critical strategic information," he said.

"The fact is, these are big issues for countries that want to try to move forward. So they are national issues that may be reasonably seen to be driven by at least state needs if not state hackers. There's definitely a connection here."

But while Winter declined to specify whether Australia was involved in cyber espionage on a similar level, he did hint that all that was left was to connect the dots.

"Australia does have intelligence services and one has to draw your own conclusions about where the information is that people need to rely on to provide intelligence to policy makers in the military.

"These are not things that states talk about extensively, but it's clear that there are intelligence agencies in Australia, it's clear that the information that people need is in computers around the world and you can begin to imagine some of the things that are going on."
