Numerous legislative stumbling blocks mean there is little chance of industry participating in even the most remote level of information sharing as part of the Australian federal government’s critical infrastructure initiatives.
Under current legal framework, information shared with the government is not protected, leaving little regard for confidentiality.
Freehills solicitor Martin McEniery said under Australia’s Freedom of Information Act (FOI) there is no guarantee that the officer assessing the FOI application will grant the information confidential status.
“This is of obvious concern to companies which are being encouraged to share information (about) threats and vulnerabilities to what may be mission-critical systems,” McEniery said.
The federal government is trying to establish an IT security alert system with critical infrastructure industries such as banking, utilities and telecommunications under its Trusted Information Sharing Network (TISN).
However, even TISN identifies legislative obstacles including FOI legislation in a paper entitled Information Sharing Arrangements, which examines ways to ensure information shared to fix a potential problem does not become public knowledge to “avoid greater exploitation” of a vulnerability.
The Australian Bankers’ Association (ABA) is aware of the lack of information protection, with a spokeswoman admitting that a raft of legislative changes may be required to provide a suitable information-sharing environment.
“The problem relates to a number of Acts, but as it stands the government cannot protect the confidentiality of information provided by industry. This isn’t the only problem. We need to overcome competition laws as well. For example, if there are four banks in a room disclosing (vulnerability) information this could contravene competition laws. At the moment there is no legal framework in place,” the spokeswoman said.
While the spokeswoman admitted this could involve legislative changes she is optimistic that problems will be overcome because the banking industry does want to participate in TISN.
At the same time, the ABA has called for the implementation of uniform cybercrime and privacy legislation by all states and territories in its submission to a parliamentary inquiry into cybercrime.
Chaired by Australian MP Bruce Baird the parliamentary committee of the Australian Crime Commission has received more than 25 submissions largely from Police agencies; hearings will start in the week of July 14, 2003.
The ABA spokeswoman said while the Cybercrime Act and Privacy Act are federal law, similar provisions have been introduced only in New South Wales and Victoria, Australia. No other state or territory has followed suit.