The explosion of the Internet of Things (IoT) has dramatically increased the scope and potential repercussions of cyberattacks and data security breaches.
In a modern context where everything is connected and our reliance on technology continues to grow, such attacks can threaten the operation of government, target national security and expose vulnerabilities in critical infrastructure. They can also have dramatic impacts on the broader community, damaging company reputations, threatening trade secrets and subjecting individuals to serious harm if their personal information is exploited.
Privacy is developing as a key issue for industry and governments alike. As the cybersecurity community deepens its understanding of how to minimise security vulnerabilities, we are increasingly seeing privacy protections being built into the latest evolution of security solutions.
At the same time, we are seeing a significant increase in our levels of exposure due to the flood of connected sensors and devices including door locks, smart fridges, thermostats and controls for a wide variety of appliances, many of which lack adequate security protections and can be easily hacked.
A recent three-day hacking competition by Independent Security Evaluators in the US identified 47 vulnerabilities in 23 devices from 21 different vendors, confirming that poor security practices are systemic.
Educating our ICT professionals
A key part of the solution must be education to ensure that ICT security professionals fully understand not only the technical issues, but also their legal and ethical responsibilities to their organisations and customers.
So I was pleased last month to see the ACM Joint Task Force on Cybersecurity Education release draft guidelines for the first tertiary qualification in cybersecurity for public feedback. The joint task force was established in 2015 to address the global shortage of cybersecurity professionals.
The International Federation for Information Processing (IFIP), established under the auspices of UNESCO, is a member of the joint task force, and ACS, as the country member, represents Australia in IFIP. ACS Fellow and cybersecurity expert Professor Jill Slay has been playing an active role in the joint task force through a global advisory committee.
“This is an important scope of work that will greatly assist Australian Universities to implement global best practice into their cybersecurity degrees. Once completed, the ACS will help contextualise the course for the nuances of our domestic need,” said Professor Slay.
In today’s connected world, the issues of security and privacy cannot be separated. Over the past few months, we’ve seen numerous reports of high profile hacks which have resulted in the theft of millions of personal records for sale on the black market.
Recent revelations by Yahoo of incidents back in 2013 and 2014 that compromised more than a billion personal records are now being investigated by the US Securities and Exchange Commission (SEC) over whether the breaches should have been reported sooner.
Data breaches must be reported
Regardless of the outcome, the scandal is likely to add impetus to the Australian Parliament’s deliberations over new mandatory data breach disclosure legislation. The Privacy Amendment (Notifiable Data Breaches) Bill 2016 proposes a series of amendments to the Privacy Act 1988 to require entities subject to the Act to notify the Australian Commissioner and affected individuals if the entity experiences a data breach that a reasonable person would conclude would likely result in serious harm to individuals.
I believe data breach notification laws and greater privacy enforcement measures are essential counter-balances to the pervasive and intrusive nature of new and emerging technologies.
This week, I travel to the US with the Australian Cyber Security Mission to the San Francisco Bay Area, coinciding with the RSA Conference 2017, which is widely regarded as the leading security event in the world.
While on the Cyber Security Mission, I am particularly interested in attending a presentation by Ari Schwartz, who was Special Assistant to President Obama and Senior Director for Cybersecurity at the White House, and is now Managing Director of Cybersecurity Services at law firm Venable LLP. He will discuss the Government’s role in vulnerability disclosures and consider the question, “How can governments build accountable, sustainable processes that catalyse security?”
The US SEC requires companies to report any cybersecurity breaches that are considered to have an impact on investors, but is yet to bring a case against a company for failing to disclose a breach. Some analysts have been reported as saying the Yahoo case is more clear-cut than previous incidents and could set a valuable precedent by clarifying expectations over the timing of disclosures.
We need regulatory measures to raise the standard on how organisations handle personal information and report on data breaches so that individuals are warned of potential consequences and can take action to protect themselves.
I look forward to sharing additional insights after my trip on the Australian Cyber Security Mission.
Anthony Wong is President of the ACS and Chief Executive of AGW Consulting P/L, a multidisciplinary ICT, Intellectual Property Legal and Consulting Practice.