Penalties for insecure systems and fines for poorly performing products form the linchpin of a submission to the Australian government seeking new laws to lift IT industry standards. Companies that do not secure their systems, and vendors who sell products that are not up to scratch, would be the target of the proposed laws.
The get-tough legislation outlined in the submission has been drafted by Internet law specialists Deacons Lawyers and will be presented to the National Office for the Information Economy (NOIE), the Federal Attorney General Daryl Williams and IT Minister Richard Alston next month.
The submission is aimed at lifting Australia’s e-security standards and calls for government to be more active by introducing civil laws to hit companies with financial penalties if ‘reasonable steps’ are not taken to ensure systems are secure.
An IT manager at a consulting firm, who requested anonymity, supported the submission, saying it is a “good move” and could put “a level of responsibility on the vendor’s shoulder.”
National Jet Systems Group IT manager Steve Tucker said the submission was reactionary, with the exception of financial penalties for vendors, which “would be good for users.”
He said it is up to business to lift e-security standards rather than the government.
Deacons Lawyer Leif Gammertsfelder said data messages are the lifeblood of business today and formal processes need to be in place before the “big bang” security disaster occurs, not after the event.
“The Government is really abdicating responsibility in this area; we have laws for fence heights and dog ownership but not e-security which is fundamentally more important to the economy,” Gammertsfelder said.
Last year’s Cybercrime Bill (Cybercrime Bill 2001) is not enough, he said, because a criminal statute is hard to prove and new laws would catapult IT security standards into the boardroom as a corporate governance matter, not simply an IT issue.
Gammertsfelder pointed to the situation in the U.S. where a raft of cyber security legislation has been introduced in the wake of September 11 including the Patriot Act, Cyber Security and Enhancement Act and Cybersecurity Preparedness Act.
The submission also calls for laws to enforce better products from software and hardware vendors and is seeking sanctions “with teeth.”
Gammertsfelder said fines could be introduced under the Trade Practices Act forcing vendors to prove “reasonable steps are taken to ensure products.”
“Instead of getting caught up in IT technicalities, laws will put broad processes in place which form the key tenets in every standard around the globe,” he said.
The Australian government was unwilling to comment until the submission had been received; however, a spokesman for NOIE said the Government has accepted e-security responsibility at the highest levels — demonstrated in the convening by the Prime Minister of the business-government taskforce, which is scheduled to hold its first meeting in March.
“The Government is dealing with this issue and liaising with senior executives without public grandstanding in the press,” the spokesman said.