From: New Zealand E-government 2007: Progress Towards Transformation (Towards Transformation: Information assurance and security)

Information assurance and security


Chris Roberts

Chris Roberts is widely experienced in the areas of e-fraud, cybercrime, other IT related investigations, and computer forensics, as well as with national Computer Emergency Response Teams and Critical Information Infrastructure Protection organisations. He is currently a Special Advisor for Information Assurance at the Government Communications Security Bureau.

Editor's preface

Work on information security across the New Zealand government continues to be patchy and scattered. Some coordination has been achieved through the Digital Strategy ICT Steering Committee (led by the Ministry for Economic Development). Other interdepartmental working groups are also examining aspects of information assurance and security. This paper discusses some of the challenges that e-government should anticipate as we look forward to the future.


A "Warrant of Fitness" for security

Although formal audit and compliance checking procedures are well recognised and established, there is no mandate or requirement, other than good governance practice, to undertake such reviews on a regular basis. Accordingly, it is difficult to identify issues and corrective actions. Security reviews have been likened to the concept of a warrant of fitness for your car. As with a warrant of fitness, proper audit processes provide visible documentation of the fitness of ICT systems, although it should be noted that these are "snapshots" and relate only to the point in time at which the review was conducted.

Incident response

It is critical that we plan and prepare for incidents before they occur, and that we have an incident response plan setting out how to respond in order to mitigate and contain any damage. All too often, however, these plans are not in place.

Implementation of standards

The understanding and implementation of information management and related standards at the national level is perceived to be fragmented. A coordinated approach to interaction with international bodies is necessary. There are about 14-15 organisations in the world that deal with the relevant security standards, and we should look to engage with groups such as the Jericho Forum in the future, in much the same way that the State Services Commission has been working with Liberty Alliance on SAML (Security Assertion Markup Language, an XML-based standard).

The E-government Interoperability Framework (eGIF) Committee is primarily focussed on the development of business standards for architecture at present, but a lot more work is anticipated to be needed for security standards. The State Services Commission is leading an inter-departmental working group currently examining IODEF (Incident Object Description and Exchange Format), an XML-based standard recognised by the IETF (Internet Engineering Task Force).

International standards for information security ISO 27001/27002 have replaced ISO 17799, and within the next two years, the jointly developed Standards Australia and Standards New Zealand standard AS/NZS 4360 is expected to be replaced by ISO 31000. Again, conversations at strategic and implementation levels need to be had about how we can prepare the State Sector and implement these changes.

Education of ICT professionals

The education of ICT professionals supports the Confidence and Connection goals of the Digital Strategy. It is clear that global shortages in this sector are impacting NZ and that the IT industry’s needs are not being fully met. A partial solution is the introduction of a tertiary qualification in Information Assurance. However, it can be as much as 12 years before results become evident. (It takes about 8-10 years for an individual to become a fully trained professional). Only about 1-2% of technologists in New Zealand are security specialists. Some specific fields, such as risk management, are also seeing skills shortages.

A Digital Strategy research paper (2005) projected that 122,000 specialists will be needed in 2012, an increase from 41,000 in 2005. Another Department of Labour study (referenced in a Computerworld article), on the other hand, projected growth from 22,000 to 66,000 jobs by 2010. Although estimates from these studies differ significantly, both point to the need for an enormous increase in ICT jobs in the near term.

While we can rely on retraining and immigration to fill some of the skills gaps, these are but partial solutions. The State Services Commission has been studying the issue of the ICT skills shortage since 2003, but it will need to take into account the international scene in the future. The newly established School of E-government could perhaps include some aspects of this at a later stage, but at the moment it appears to be primarily focussed on the policy aspect of e-government.

Working together to cope with cybercrime

A key defence against cybercrime is the capability for automated defences and 24/7 response mechanisms in order to counter intrusions, some of which can be potentially fatal to IT systems. For example, the Slammer Worm is reported to have had a global propagation time of 8 minutes from detection to infection. While some countries are equipped for this sort of response, New Zealand has no such defence mechanism.

To establish this sort of capability, law enforcement and other relevant agencies will have to work more closely together. They will need to both implement preventative measures and ensure swift response to incidents, but may not have sufficient resources or time.

Cybersecurity and the economy

Cybersecurity is not only about protecting national systems from malicious code and cybercrime, but also from consequent economic damage. A 2004 study found that the cost of cybercrime to New Zealand organisations averages $42,000. Subsequent surveys are expected to show a substantial increase in this figure. Whether we look at this loss in terms of taxpayer money, the opportunity cost of alternative investment, or the GDP generally, it amounts to an absolute cost of lost productivity to the New Zealand economy.

Recent data also suggests that New Zealanders work longer hours than most OECD countries but productivity is low. This has been attributed to the lack of investment in productivity tools and infrastructure, such as communications, broadband, rail and roads. However, any new infrastructure that we build needs to be secure if we are to ensure that we get the best value possible out of the investment.

Regulatory coherence

Amendments to a number of conflicting regulations are under consideration (e.g., the Film and Video Classification, the Broadcasting Act and the Telecommunications Act). While these are not by themselves critical obstacles, they may prove to be time-wasters and the work on refining the regulatory frameworks to enhance security measures should continue.

The future

The State Services Commission must provide leadership over the long term by taking a strategic view (5, 10 and 15 years out) rather than a tactical, project-based focus. This means, for instance, building the capability and laying the underlying thought processes now, together with developing the ability to adapt to new environments and to take advantage of opportunities when they arise, so that longer term needs are anticipated.

The "government mindset" may be characterised as somewhat risk averse. The education of ICT professionals may, for instance, be viewed as a 'risky' endeavour if we restrict ourselves to the short-term project-based view, but it would be essential to the long-term development of local security expertise. Thus, not devoting attention to the desired long-term outcome now could in fact be riskier. Industry is in fact showing its support for this move by agreeing to provide their own experts to train others.
