Question: Can you guess when this was written?
e-security in slow motion
Australia has for many years enjoyed international pre-eminence in e-security. We boast several world-class academic security centres, special concentrations of investment in security R&D, large scale e-government rollouts, much successful commercialisation from CRCs, some of the first progressive electronic transactions legislation, and pioneering IT testing schemes. Australia has indeed punched above its weight in security and trust.
Yet despite all this, everywhere today we find deep confusion. Industry struggles to measure and justify security investments; banks agonise over two factor authentication and so send mixed messages about their attitudes to identity theft. Vital, compelling programmes are being stymied by an inability to make security happen, transparently, economically, reliably and effectively. There are irresistible forces – mostly forces for good – behind e-health, national security, online financial services, electronic government and electronic voting. The nation will not put these programmes on hold. But an inability to think clearly and act decisively on security and trust is fast becoming endemic. Should even one of these social programmes collapse for want of proper security, the results would be unconscionable.
There is a lack of sophistication at most levels of the “security debate”. For example, the natural tension between counter-terrorism and privacy protection is met by idealism on both sides: privacy advocates refer to inalienable rights while defence analysts appeal to the greater good. But security and trust need not be a zero sum game. New security technologies – smartcards, anonymity protocols, permissions management infrastructure and resilient architectures to name a few – bring the promise of trusted secure solutions benefiting all.
The pressing challenge for e-security practitioners today is to form better ways to articulate, quantify and specify security practice, to break out of the apparent slow motion we find much of the field to be in. We must:
- progress from art to engineering, through standardised toolkits, handbooks, harmonised professional qualifications and so on
- modularise security building blocks in order to maximise architectural purity, break down vendor lock-in, and indirectly provide better commercial incentives for specialist companies in the Australian market
- at the same time, embed security methods and standards across all information systems to the same extent the automotive industry has done with safety engineering, where drivers have come to not only trust complex engineering but also to think and talk meaningfully about safety and performance
- deconstruct the language used to describe e-security, moving on from the silly metaphors of locks and keys and passports, to engender true trust, where people aren’t alternately lulled into a false sense of security on the one hand, or dazed and confused on the other.
Strategic e-security objectives
I offer the following distillation of security objectives over the next five to ten years in Australia, spanning business, government and the public:
- Best practice has yet to be accepted beyond the rarefied world of certain federal agencies for the protection of aggregated and/or distributed collections of sensitive information. Developments in longitudinal health records, inter-organisational data pooling under the banking sector’s Basel II Capital Accord, and international counter-terrorism related data mining have already outstripped our understanding of concomitant protection profiles and practicable security architectures.
- Similarly, information security techniques for Critical Infrastructure Protection are far from standardised. Assurance and risk management standards might be widely recognised but management standards do not define protection profiles or best practice. Organisations’ actual infrastructure protection remains ad hoc, and is extremely sensitive to the skills and resources of the individual security practitioners that happen to be on hand.
- Trusted e-business modules and appliances are needed at the front and back ends of Internet commerce systems. The required business outcome is that users are able to trust that their Internet connection is intrinsically clean and safe, in much the same way as they trust a telephone connection.
- The trustworthiness of Open Source software remains something of an article of faith. As Open Source moves into the mainstream, the traditional “ecological” view of Open Source quality needs to be bolstered. No convincing transparent methodology has yet to be developed for assuring the security of Open Source modules while preserving the community’s spirit and rapid responsiveness.
- Identity Management is much more than a buzzword yet most available approaches remain proprietary and narrowly focussed on particular commercial technologies. Organisations in many sectors – most notably banking, telecommunications, health and social security – are striving for the “single view of customer” to bring about improved service levels, enhanced up-sell and cross-sell, reduced identity fraud and reduced costs.
Answer: I once applied for the job of Security & Trust Program Leader at NICTA. Part of the application process was to write a vision paper for Australian e-security. The text above is a near verbatim extract from my essay.
It was written over six years ago, in March 2004. I feel it could have been written today.