CERT split a security risk: TrustDefender
The government's decision not to partner its own computer emergency response team, CERT Australia, with the existing AusCERT may have ramifications for Australian banks that rely on security updates, according to TrustDefender chief technology officer Andreas Baumhof.
(Credit: Andreas Baumhof)
Following the announcement in November last year that the government would establish CERT Australia as part of its cybersecurity strategy, the government entered into long-running negotiations with non-government organisation AusCERT to see if the two security organisations could work in partnership. In June, the government ceased negotiations with AusCERT and no partnership was formed.
At the time, AusCERT said it would continue to provide the same security bulletins it distributes daily to banks and other organisations in Australia, but warned that CERT Australia may ultimately end up providing duplication of services at the expense of taxpayers.
According to Baumhof, who sends security compromise information to AusCERT daily to pass onto Australian banking institutions, with more than just one entity for security experts to report to, some crucial information might slip through the cracks.
"It might backfire on the banks in Australia because they have gotten a lot of very positive information [on malware attacks] out of AusCERT and if CERT Australia isn't filling in the gap ... there will be no coordinated entity where [security experts] can give information," he said.
Baumhof told ZDNet Australia that AusCERT had done a "fantastic job" up until now, but he understood the government's need to bring its own security organisation in rather than just partnering with AusCERT.
"It's a tricky situation. I'm sure they were struggling to figure out how to integrate the current AusCERT operation into a full government entity," he said. "I think they saw this as important for something for them to control."
Baumhof said the recent parliamentary report into cybercrime, which suggested appointing a single national online reporting organisation and portal, was a step in the right direction to having an organised approach to dealing with cybercrime, but said "the devil will be in the detail".
"We have to build a bridge between the security researchers and translate it into something law enforcement can use," he said. "This is a gap at the moment."
However, Baumhof didn't agree with another report recommendation — to make the zombie code mandatory — as he didn't think the government forcing internet service providers (ISPs) to disconnect infected users would be right.
"I'm all for protecting consumers but a mandatory code? I'm almost certain this is not possible," he said. "It's still a democratic country, it might work in North Korea or something."
Ultimately, Baumhof said something needed to be done but suggested that the ISPs might need a business incentive from government to cover the costs associated with providing users with the additional level of protections the report suggested.
"ISPs don't have a big incentive to do anything now," he said. "But someone needs to care about the end user because at the end of the day it's about the end user doing something."