Silence over security does not ensure safety

A report that big businesses in New Zealand have come together in secret to develop security standards raises the question: does secrecy over security actually make you safer?
Written by Darren Greenwood, Contributor

The bane of many a journalist is getting organisations to comment on what they actually do, something noted in a revelation by Computerworld this week.

Just one large corporate — Genesis Energy — admitted that it was part of a new standards body, which has been developed by a number of corporates working with the New Zealand government's National Cybersecurity Centre.

We were not even told how many organisations were involved in setting up these voluntary standards, or even what these standards actually were.

Little was given as to the type of industries involved, other than they involve critical infrastructure, though a Genesis spokesman did say such standards were "available" to oil, gas, water, transport, and other industries.

Of course, the big fear is that, if identified, organisations are creating targets for themselves: that hackers, seeing a boastful business or government agency claiming to be safe, will look at that entity as a challenge ripe for exploitation and attack. Hence the secrecy, which is typically the case when reporting on ICT security.

If anything, I am reassured to hear that Genesis is so serious about security that it has actually stuck its head above the parapet, as it were, to further highlight an issue that affects organisations large and small.

Its candidness will have added to what is a significant issue, one that still needs attention from other organisations, even though ICT security has been an issue for decades and is something we should all be aware of.

Just last month, the National Cybersecurity Centre reported a 50 percent increase in cybersecurity breaches in New Zealand, more than half originating from overseas, though the 134 incidents reported in 2012 are believed to be an underestimate.

In 2013, New Zealand had also seen breaches ranging from a major incident affecting Telecom NZ and hundreds of thousands of its YahooXtra account users, to small organisations like the Gulf Harbour Yacht Club, the latter of which was one of many small organisations to be apparently hit by Turkish "script kiddies" last week.

Indeed, it is almost certain that all of these victims will have kept their mouths firmly closed about what they do in an attempt to keep themselves safe. But as we see, "No comment" offered no protection. Indeed, I bet the Australian Reserve Bank, the latest major victim of hackers in our part of the world, has been equally silent.

It will be interesting to see if Genesis Energy will be targeted by hackers in the days and weeks to come, and how the power company copes with any such attacks.

How it fares will probably have much impact on the willingness of organisations to talk about security issues in the future and, in turn, on the industry's ability to openly discuss this important subject.

I wish Genesis Energy well, and I hope it does not come to regret its brave and seemingly unique decision.
