The Federal House of Representatives’ Standing Committee and Communications has recommended that Australians be forced to install anti-virus and firewall software on their personal computers before internet providers allow them to be connected to the internet.
The committee – one of the Parliament’s main discussion venues with relation to the communications portfolio — handed down a report yesterday into Australia’s cyber-crime situation — entitled Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime.
Recommendation 14 of the report sees the committee recommend that the Australian Communications and Media Authority work with industry body the Internet Industry Association to create a code of e-security practice which would be registered under the Telecommunications Act.
The code of practice, according to the report, should include a provision that ISP acceptable use policies include “contractual obligations” that internet users “install anti-virus software and firewalls before the internet connection is activated”.
In addition, users would be required to “keep e-security protection software up to date” and take reasonable steps to remediate their machines when informed by their ISPs that they were likely to have been infected by viruses or other malware.
ISPs would be required to provide basic IT security advice when user accounts were set up, and would be forced to inform users when they became aware that their PCs had been infected. If necessary, the ISPs would eventually be forced to disconnect a users’ interne connection if they refused to get rid of the malware.
“The committee does not accept that the internet is a kind of un-policed ‘wild west’ — the internet is a global communication medium which is subject to the same laws as the offline environment,” the report stated.
The committee was staffed by members from all sides of politics — including high-profile politicians such as Labor MP Belinda Neal, and former and current Shadow Communications Ministers Bruce Billson and Tony Smith. Many of the more active players in the communications portfolio — such as Greens Communications Spokesperson Scott Ludlam, Communications Minister Stephen Conroy and Laborite Kate Lundy – are senators and so were unable to participate in the house committee.
Not everybody who participated in the committee was in favour of the recommendation that ISP customers be forced to install firewalls and anti-virus software.
“To dramatically and quickly institute a requirement that ISPs contractually require the subscriber to install anti-virus software and firewalls before connecting to the internet, whilst well-meaning, opens up a plethora of new liability issues for subscribers,” wrote Shadow Communications Minister Tony Smith in the report.
Smith was allowed a supplementary entry to the report as he only joined the committee in February. “I do not believe that this aspect of the recommendation could be implemented without creating major uncertainty and discloation,” he added.
The report also outlined a number of other wide-ranging recommendations that it thought the Government should implement — mainly relating to developing a coordinated national approach to cyber crime.
One recommendation would see the Government establish an Office of Online Security headed by “a Cyber Security Coordinator” with expertise in cyber crime and e-security — to be located in the Department of Prime Minister and Cabinet. This e-security czar would have responsibility of whole of government coordination of the cyber crime approach.
Image credit: Nikolaus Wogen, royalty free
And how exactly would this be enforced?
Fair question!
Actually news.com.au has the answer..
“”There is software available, which could be on end-user machines, that would allow my ISP, as I log in, to check that I have my firewall turned on, that I have an antivirus that [it] approves or recommends installed on my computer, and that my operating system and browser are patched. And if those things aren’t met, then [my ISP would not] give me [access],” MacGibbon said.”
http://www.smh.com.au/technology/security/secure-your-pc-or-lose-the-net-20100622-yuf5.html
So what the Government can do is enforce as a requirement people install a piece of software on their machines that will give the thumbs up that you can connect safely. Now won’t you feel a lot safer going online …. :-/
I give it a fortnight tops before this is cracked to always send a positive signal and we can carry on ignoring them. Honestly I don’t understand how this will work at all though… how will it differentiate between machines / connections? I have one central box I use as DHCP/Firewall (that I wrote my own damn self so I guess it’s not government approved?) / Connection sharing / NAS / Proxy – am I to be penalized because this committee got burned when they tried to help out that “totally legit Nigerian prince (seriously he told us he was for reals)”?
“… that my operating system and browser are patched. ”
Oh… I see… so you’re going to keep up with all the thousands of Linux distributions. Hell, here’s a small sampling of them just from a wikipedia article: http://en.wikipedia.org/wiki/Linux_distributions
Edge cases aside their argument as to the losses to businesses are…pointless because every large corporation uses a proxy or some form of centralized access. There are no browsers installed on these proxies soooooo it won’t pass the browser patch test even if it might pass the operating system test but if you have to offer two versions then what’s to stop me from getting one that doesn’t care about the browser test for my own private machine…. see where I’m going with this?
Can I just state the obvious? That we elected luddites that are afraid of something they can’t exert their power on?
@Stilgherrian
Being up to scratch in terms of electrical appliances means we won’t die due to shoddy wiring. If there was potential I could be flambeed by botnets then they might see a bit more support.
Suspiciously like the Green Dam proposal, and if the Chinese can not implement it, how do you think we could?
Part of the problem is that we are the wrong market for these policies, it is for people who run Windows XP without SP1 and get chills when installing a patch. For people who dont know what a Trojan is, they will think it is a good idea, thus easy to sell to the mainstream media.
Yes but the fact that this would even get recommended by a cross-party committee reveals that these politicians just do not really know what they are on about when it comes to technology. It’s just not the Government’s responsibility to try and mandate this stuff.
Ugh, just what I want, to be required to install bloated software that gives me zero benefit just to connect to the internet. Five plus years anti-virus-free and not a single problem, I’m not about to allow myself be “protected” by nanny Rudd when I don’t need protecting.
Yeap, it would be absolutely hilarious to see them try and enforce this one … I just don’t think that it’s possible. But it really disturbs me that these politicians would even recommend it. *sigh* Do not pass Go, do not collect $200.
Agreed. My wife and I have not used real-time antivirus for over 5 years either. We do run a weekly Norton scan but it has never found a thing, because we are not silly, don’t install celebrity screensavers, and we keep XP/Flash etc patched and use Firefox.
From time to time I am given the job of cleaning viruses from friends and relatives PCs and all those machines had antivirus programs installed, to little avail apparently. They will never be a 100% shield and to think otherwise is dreaming. Google’s malware warning on site searches is doing far more to keep users safe than this misguided policy could ever do.
hmm.. I don’t run windows on my machines, I run Linux and FreeBSD – two operating systems that run the majority of internet servers around the globe. They all have firewalls installed, however antivirus software is not really a requirement – virtually all viruses and trojans are written for flaws in the microsoft OS’s, with only a (literal) handful that are designed for MacOS, Linux or *BSDs. Not only are there almost no viruses for these OSs, they don’t run windows software – including windows-based antiviruses. How exactly are they going to enforce this? Would I be forced to lie and say ‘Yes, I will install antivirus software like a good little netizen’ thereby voiding the contract the moment I connect a (much safer) non-windows box to the ‘net?
To be honest, I don’t think this will get approved as a policy, but I completely agree with you, Mike — it also raises the question of what is a PC. If someone runs a Linux server as their main gateway box for the rest of the house to the internet, does that mean it has to have firewall and anti-virus installed? Would it void a contract with their ISP if it didn’t? It’s a ridiculous situation, I can’t believe the politicians have come up with it. What zany technology idea will they come up with next? Who knows!!!
With this proposal you really have to keep in mind that the device that establishes the connection to the ISP is the router (only real exception now being a cable modem with PC directly connected). From the ISPs perspective all they see is the router, what’s behind it, whether it be PCs, Macs, PS3s, XBoxs, Mobiles, Internet Fridges, etc, they have no visibility of.
So this means they will need to enforce some sort of control policy on peoples home routers to prevent them from being connected unless they meet virus control requirements. Great, this would mean the government would require access to my router, and that I would need to have virus control on my ethernet printer which is on the LAN connected via my internet facing router but doesn’t connect over the internet.
Basically this system is completely unworkable is technically absurd.
iPads, gaming consoles, PVRs, tethered devices, My-Fi’s (plus all the examples other have listed above). There are so many possibile devices and variables with today’s networked connected devices, that the suggestion of this is one of the most absurdly unworkable ideas I have ever heard!
I don’t know that I’d have headlined this as “parliament wants”. It’s the report of a parliamentary committee, full of recommendations for discussion, not the result of the full parliament expressing an opinion. How about “parliament to consider”?
On the idea itself, of having some minimum level of “being up to scratch” before connecting to a public network, I don’t see that as particularly evil. Any electrical appliance must conform to safety standards before being plugged in, any car has safety checks before being registered, any fixed-line telephone must be approved before connection etc. We don’t see them as some sort of fascism, just sensible precautions.
Such approvals are generally done at design or manufacture time, however.
In the case of a computer, the machine of concern is really the software machines of operating system plus applications plus whatever else — and they’re largely cobbled together by the end users, often people with no idea. The question would then indeed become one of how you ran the authorisation practically given the sheer number of possibilities.
I also think it’s a bit rich for people to just assert that they, personally, don’t need protection. Such arrogance! Research has consistently shown that even experienced infosec professions can only tell phishing from legitimate emails 80% of the time, and I daresay the same would go for identifying trojans or other social engineering attacks.
I see the internet as a ‘wild-west’ because around the time it was brought into existence, there was no laws.
I say keep it like that.
If not, gone will be the days of my level 1/2 support desk memories of finally hearing the penny drop after explaining how I know that the customer is looking at a phishing email, whenever they try to run a process it says ‘blah.exe can’t run, download this dodgy software’, or why they can’t download torrents and play counter strike with a low ping. The penny won’t drop. They’ll just be more confused.
“Isn’t the government supposed to protect me from that?”
Nope. Your tax dollars at work, old man.
Educate the end user. It doesn’t take long to Google anything these days.
Wow, this mentality sounds familiar…
– The Speech [3.4]
[Jen looks at small black box equipped with a single red LED light in the middle of the top side. Moss stands next to her.]
Jen: What is it?
Moss: This, Jen, is the Internet.
Jen: What?
Moss: That’s right.
Jen: This is the Internet?
Moss: [Moss is nodding his head]
Jen: (suspiciously) The whole Internet?
Moss: (agreeably) Yep. I asked for a loan of it, so that you could use it in your speech.
The Hawk will be awfully busy demagnetizing all the internets in Australia!
That was a fabulous episode, what a great show.
Sounds very ‘Chinese’ to me and impossible to do given the types of PC like devices being connected, anyone seen anti-virus for iPad yet?
Far better to encourage ISP’s to send infected users to a ‘captive portal’ where they are given some options, like install anti-virus etc. Unwired have been doing this for years to try and maintain network ‘quality’.
Trouble with these type of committees is that the experts are often anti-virus companies (I worked for one and have been in front of one) so of course the push is towards this type of ‘solution’.
Good intentions, sure, but there are so many problems with this idea. Most people I see with ridiculous infections already have an antivirus program installed, often Norton or Trend. Plenty of other types of malware also exist that aren’t strictly ‘viruses’ but do similar damage. Then there’s firewalls, which the vast majority of people would never have to worry about because their router already does the job. Then there’s cases where someone’s not running Windows. It’s a noble cause but it’s not really manageable.
So long as they allow the free ones as well, like Avast, Antivir and AVG. If it’s an attempt to force people to pay for something, then I’d be against it. Also, if it has to be installed *before* they connect to the net, then they need to make it easy to get those antiviruses on disk.
But yeah, it’s more nannyism.
So let’s say I decide to create a new open source antivirus. It would need to be approved by the government before anyone could use it…. So noone will be using it, so the govt will not spend money OK’ing it, and even if they did, they’d take forever….
This would be death to new free AV software. (Not to mention easily bypassed etc etc)
FAIL.
Comments are closed.