Wednesday 14 December 2022

The need for improved, preventative cybersecurity measures

This is from an email I sent to several of my local Members of Parliament: 

Dear Members of Parliament,

I continue to see media reports which highlight the need for improved cybersecurity - particularly here, in Australia, which is apparently "the worst in the world" (see here, "Australia ranks worst in the world for data breaches, with 22 accounts hacked every minute", from The New Daily).

I'll give some more of those links below (which is by no means an exhaustive list), but I wish to comment on a few basic principles beforehand.

Firstly, as a general principle, it is vital to never blame the victims. This has been probably most obvious in the case of sexual violence against women (and I note that men can also be victims of such violence, including from women), but the principle applies elsewhere.

This is partly offset by the requirement for people affected by some matter to also be responsible - for instance, to wear seatbelts or not drink when driving, but that example also involves car manufacturers being responsible by designing safer cars, better design of roads, and laws such as banning drink-driving.

That leads into my second point, which is that risks should be dealt with by those who can most appropriately deal with them. To continue with the driving example, personal conduct such as drinking or not wearing seatbelts should be dealt with by individuals, safety risks with cars by car designers, road risks by road designers, and broader issues around public vs. private transport usage by government (through the provision and encouragement of public transport).

When it comes to the Internet, the typical user cannot affect inherent risks associated with the architecture of the Internet, policies of corporations, etc.

Similar to the issue of driving safety is my third point, which is that the consequences of Internet problems can be severe. Misuse of online technology is at the core of the RoboDebt scandal, which clearly cost lives, but every other major hack has also caused egregious harm - to nearly half of our population, in a couple of the recent hacks (including me, through the Optus hack - and I hadn't been a customer of theirs for years).

The Internet is a major, inescapable aspect of modern living - government services are increasingly delivered online to reduce costs, increase general access (although bad coding can actually reduce access - as with the initial abominable version of MyGov). Safe access to online services is not a frippery: it is an essential, and must be viewed as such - it is the same as effective health care, communal safety, and a safe drinking water supply.

That leads into my fourth point: just as after-the-fact fines alone are inadequate for the provision of other essential services (and the problems with the town of Flint in the USA [Wikipedia article here] are an example of that): what is needed is the setting and enforcement of standards - standards that are adaptable, but standards nevertheless.

The implementation of such standards is shown by our approach to QA/QC: we have standards (see Standards Australia here) that require processes to be established, and then auditing to verify the adequacy of those systems and compliance with same.

However, unlike general QA/QC, this needs to also include challenges to the collection and storage of data itself. I have read quite a bit of commentary questioning the collection and/or retention of data - for instance, if data is required to verify identity, once that is done, delete the data (properly, which is more than just deleting the address from Windows Explorer - I use Eraser [Wikipedia link here]). If data has to be retained, consider one-way storage (see here).

I have long considered Europe's GDPR approach (see Europe commission here, IAPP page here, Australian Government page here, Wikipedia page here) the current gold standard, and that we should ignore the objections of too many companies that have demonstrated and continue to demonstrate their inability to be trusted to be competent and responsible (at the expense of those companies which ARE competent and responsible), and adopt something similar.

To tie those points together:
  • those who design and operate Internet systems have better capability to deal with the risks than users - and I recall an interview a few months ago on Radio National where a coder commented that most of the problems we have relating to the Internet are because of poor to bad coding, which can often be attributed to private industry not wanting to spend a cent more than they should - which is a sentiment expressed by every other serious coder I've known (which is not a large number);
  • focusing on how individual users act has some validity (e.g., use safe passwords, don't share data unnecessarily, etc), but there is a limit past which it becomes victim blaming that lets corporations off the hook - which, if I may say so, I consider to be contrary to the worker-based values of the ALP;
  • the Internet is, in my opinion, an essential service comparable to the provision of health or safe drinking water, and requires commensurate preventative management of risks in addition to punitive responses to breaches.
    Preventative measures should include:
    • the establishment of appropriate QA/QC standards for systems;
    • auditing of such systems, similar to this (SAI Global), which gives citizens the power to make informed choices;
    • restrictions on unnecessary data collection and/or storage;
  • private industry has shown that too many companies have vulnerabilities that are too critical to be trusted with managing this issue - and I consider their drive for profit can sometimes (not always - some companies are far sighted enough to want to be responsible) be a conflict of interest with the broader interest of the community.
Here are some additional links to illustrate the problem:

I appreciate that this is a complex issue with multiple interests and that taking action is neither easy nor quick. For that reason, I advise that no reply to this email is necessary.
