Keane peels ‘Chinese cybersecurity attack’ apart


Crikey columnist Bernard Keane has developed a nasty habit of pouring cold water all over ‘cybersecurity’ experts and government spin-doctors, who have constantly hyped up perceived IT security dangers and Internet attacks into the kind of “cyberwar” scenarios that IT security vendors have wet dreams over. We’re sure ASIO, the Defence Signals Directorate and a bunch of other G-Men in black will be over shortly to arrange Keane’s compulsory education campaign. Better encrypt that data, Bernard — I’m sure ASIO would love to have a trojan keeping watch on your iMac. In the meantime, Keane’s still pumping out doubt-filled copy on this issue. The latest deconstruction is of the over-hyped Four Corners report last night (what else) that claimed a major breach involving ASIO’s building blueprints. Keane’s hero paragraph is probably this one (we recommend you click here for the whole piece):

“The only solid material to emerge from the report was what anyone who works in IT already knew: some companies and government departments fail to do the basics of IT security, from using decent passwords (or at least change them from the factory default), keeping up-to-date with software patches, and not having confidential material on publicly-available servers. This is less “cyberwar” than the equivalent of leaving your front door unlocked so opportunist thieves rob you instead of going somewhere a little easier.”

We couldn’t agree more. This kind of basic IT security failure is the kind of issue which Australian Governments have consistently fallen prey to — not sophisticated ‘cybersecurity attacks’, but simple rootkits and emailed trojans, usually with no real nefarious purpose apart from adding additional machines to a botnet. AFR columnist Chris Joye, who appears to have no real experience in the IT security field, can wax lyrical all he likes about the so-called “Internet wars” going on at the moment. But as Keane points out, much of this whole debate is just fluff and hot air. Hardly surprising, is it, when most of those involved in the conversation have zilch in the way of technical qualifications.

Image credit: Paul Bodea, royalty free

5 COMMENTS

  1. Technical qualifications, skills, or even common sense…security by obscurity would hardly slow down “hackers” from China or anywhere else. The greatest security risks are the same as they’ve always been: incompetence and stupidity.

  2. Hmmm … the whole saga has been a bit of a topic of conversation here in Sydney at CeBit today.

    Without commenting on the specifics of this incident (if indeed any specifics will ever be in the public arena), the way I look at this is that the security of any organisation’s information is purely a product of focused and sustainable investment in people+process+technology.

    The key words are “focused and sustainable” … which tends not to be part of government’s modus operandi. Rather “diffuse and opportunistic”. Budgets come and go, agendas come and go, staff come and go, change is random and constant.

    The essence of the issue is that the TCO of government ICT operations is obscure, so the ICT department is an ‘easy touch’ for budget cuts. “Just cut the budget by 10% while delivering the same services for increasing workload volume, will you?” … “Oh, really … oh well … OK”. As a consequence the services become progressively more under-invested, ageing, out-of-date and risky. Staff training is neglected and anyway there are few incentives on key individuals to really care … beyond individual professionalism (which is, of course, not to be underestimated).

    The point of this discussion is to compare this pattern of activity in many agencies, a downward spiral during periods of fiscal restraint, to the pattern of activity exhibited by market leading enterprise-grade cloud-services.

    The fully loaded and sustainable TCO of cloud services, the fact that they are large scale shared services with diverse customer bases, and their arms-length governance arrangements make them more secure. The vendors know that security and trust are their lifeblood … so they invest accordingly … and sustainably. It is all about their ability to own and protect a critical mass of resources, to leverage economies of scale and to work transparently within externally assessed regulatory and quality assurance regimes. Quality in cloud services is not negotiable. “Cloudy is as cloudy does” … there is only one service shared by all customers … so it must be high quality and high security.

    The good outcome of cloud services is that they create a direct line of discussion between business executives who ‘own’ and procure services to deliver business outcomes at a defined cost. If there is a ‘budget cutting’ imperative to cut costs, then the business executives must decide if the service is required or not. “Cut the cost? Cut the service”. This is a more defensible and sustainable position compared to the more traditional approach … “Cut the cost? Cut the service quality and security (again).”

    This logic is an important element of why cloud services are actually good, and necessary, for government agencies. They protect agencies from the perverse outcomes of government’s traditional approach to managing ICT by externalising the decision making on the quality and security of the services.

    Cloud services are sustainable and secure shared services which protect governments from themselves. [Not for all workloads and applications (yet) … but for some]

    • Of course the flipside to this is that with a single entity ensuring security, if they fail, then they fail a magnitude greater than a single company failure.

      Of course being that most companies don’t take security as seriously as they should, the cloud option with the inherent security it should provide is a very good choice.

      Like all things you need to take into account your specific needs. Cloud is great for most businesses. But there are always exceptions.

      • Hi Woolfe, yes … the bigger they are the harder they fall etc. It all comes down to a series of practical trade-offs which are largely driven by the adequacy of your status quo. Some agencies are well enough funded and managed to have good processes and systems and to attract and retain capable staff … but many are not. As budget cuts bite this situation starts to unravel further.

        In this context, from a practical point of view, cloud services offer a more secure path forward … particularly when you also consider the fact that adoption of a cloud service usually frees up capacity for ICT staff to actually focus on process improvement and information management activities which they otherwise didn’t have time to do because their time was spent mucking around with low level infrastructure hygiene tasks.

        The combination of more secure cloud services plus more effort spent on process improvement and information management can lead to a significant overall improvement in information security … IMHO … for many agencies.

  3. Worthy points Steve, and that you wrote this during Harper’s expletive littered keynote is impressive!
