I read a very wide-ranging article quoting, amongst others, David Irvine, who is the Head of ASIO, the Australian Security Intelligence Office, and it details that
"The ordinarily shadowy DSD has published a detailed study on its top 35 cyber "mitigation strategies". In research that won the 2011 National Cybersecurity Innovation Award in the US, DSD found that 85 per cent of intrusions were thwarted by its first four mitigants alone.
DSD's Mike Burgess recalls that "a few years ago, one of my staff assisted ASIO in responding to a major incident on the network of one of Australia's biggest companies. The first thing he was asked by techies from the affected company was 'what can we do to stop this?'. "As legend has it, my staff member wrote down a list of things to do on the back of a cocktail napkin [which became DSD's] flagship document.""
So, on the back of a cocktail napkin, which I guess is a step up from the back of a fag packet, four things that can stop up to 85 per cent of intrusions are known, and so well known that it didn't take an army of officials, experts et al., just a man (clearly talented), a writing instrument and a cocktail napkin. I might be wrong but I think this list was first published in 2010 (happy to be corrected) and was recently updated.
The question is: does Australia or any other government mandate these four things? When I asked Mike Burgess just over a year ago he said that Australia didn't mandate these items. I could find no evidence or confirmation that the position has changed, and if it has not changed, why not? If the 85% figure is correct and the USA validated this research, why hasn't the G8 or G20, or the EU, mandated this?
The article goes on to say how the "'target environment' is becoming richer by the day as our electricity, power, transport, and communications infrastructures are inexorably integrated into the internet", so you would think that there would be greater motivation to protect Federal Government as well as providers of Critical Infrastructure, especially as Irvine goes on to say:
"Electronic intelligence gathering is being used against Australia on a massive scale to extract confidential information from governments, the private sector and ordinary individuals," he says.
"It is used to steal intellectual property, all kinds of defence secrets, weapons designs, and commercially advantageous information. The security threat presented by the exploitation ... of the cyber world is both pervasive and insidious. It is ubiquitous and is enabled by what we would normally expect to be a great social and economic good – technological advance."
Governments around the world are calling for more data to be kept on their citizens (just look at the USA, the EU and Australia), but I do not see any mandatory action and standards on what Governments can do to protect themselves. Even this article states:
"Irvine argues that "the ability of the private sector and governments to protect the personal information of their customers and clients in accordance with modern privacy laws is called into question by the apparent ease with which hackers have been able to break into data banks around the world".
Attorney-General Nicola Roxon has referred the proposals to the Parliamentary Joint Committee on Intelligence and Security. She recognises that a signal issue remains – "whether the government needs to obligate the telecommunications industry to protect their networks from unauthorised interference"."
If the Australian Government (DSD) alone is quoting $4.5bn as the cost of cyber crime, then governments must take their own medicine and mandate the top 4 items to stop up to 85% of the intrusions. Governments and the technology community must collaborate and jointly invest to invent technologies that can mitigate the remaining 15%, accepting that we can never stop the ingenuity of man from doing something stupid. Surely, if ever there was a compelling business case, this is it.
For some strange reason this article appeared to be quickly moved or updated as original links failed. If the link above does not work I have a copy of the full article if anyone is interested.