House of Representatives Standing Committee on Communications

Preliminary pages

Foreword

In the past decade, cyber crime has grown from the nuisance of the cyber smart hacker into an organised transnational crime committed for vast profit and often with devastating consequences for its victims. A sophisticated underground economy provides the IT tools to commit these crimes and the market for stolen identities and financial information.

In the technological world of cyber crime it can be easy to forget the human cost of the theft and deception inflicted on innocent people. We are reminded of the human cost by our constituents who face the emotional devastation and lasting financial consequences of the crimes perpetrated against them.

There has been an exponential growth in the volume of malicious software and the sophistication and adaptability of cyber crime techniques. In the face of these trends, the Committee believes the expectation that end users should or can bear the sole responsibility for their own personal online security is no longer a tenable proposition. We need to apply the same energy and commitment given to national security and the protection of critical infrastructure to the cyber crime threats that impact on society more generally.

A key message throughout this inquiry was that a more integrated, coordinated and concerted effort is required to combat the cyber crime that victimises ordinary consumers and private businesses. This requires a commitment to cooperation, strategic thinking and a cyber space perspective to overcome the silos of traditional institutions.

The Committee does not accept that the Internet is a kind of unpoliced ‘wild west’ − the Internet is a global communication medium that is subject to the same laws as the offline environment. It is true that technology enables criminals to obscure their identity and victimise people in different countries.
It is equally true that technology allows us to trace perpetrators, to preserve, aggregate and analyse digital evidence, and to coordinate global enforcement action. Through a nationally led and coordinated policy, as well as regulatory and law enforcement effort, Australia can deliver a more effective and strategic response to this problem. By necessity this has to be a joint public-private effort, because the architecture of the Internet and the IT technology is in private hands, while the capacity to negotiate and create international agreements between nations is in the hands of the State.

The private sector, especially IT manufacturers, Internet Service Providers and web hosting companies, and the Domain Name Registrars and Resellers, all bear some corporate social responsibility to promote the integrity of the Internet. There is also a vast quantity of intelligence data that can be better shared between the public and private sector. To this end the Committee has recommended that the interests and needs of consumers and business generally be elevated in the national Cyber Security Strategy. Some of the concrete steps that can be taken immediately include:
These new institutional arrangements should be supported by a stronger commitment to detect botnets, remediate infected computers and deal with compromised and fraudulent websites. This will require additional funding to support the Australian Communications and Media Authority.

The current strategy puts an emphasis on education and community awareness but seems to lack the coherence or clear benchmarks for success that might be expected for such an important priority. A clearly articulated national community education e-security strategy, including broader public campaigns, will help to promote more e-security awareness among the general public.

The private sector must also play its part. The Internet industry has to accept that commercial gains also carry social responsibilities. IT manufacturers also need to give a higher priority to security through better product testing, design and the provision of information to support informed consumer choices.

The reality of modern life is that information and communications technologies are a part of our everyday existence − the complexity and global reach of the Internet age can seem overwhelming, but we should not lessen our commitment to protecting personal privacy or ensuring that informed consent and choice remain the central principles when transacting online. Online businesses and public agencies must observe Australia’s prohibitions against the over collection of personal information. The public also has a right to know if their personal information has been compromised because of a security breach.

On behalf of the Committee, I wish to thank the agencies, IT companies, peak bodies and the consumer groups who gave us substantial and well considered evidence. We also thank the State Governments who recognise this is an important national and international issue and are seeking ways to cooperate across jurisdictions to deal with this problem.
Finally, I also wish to thank my Committee colleagues who participated in this inquiry with enthusiasm for a difficult subject and with a commitment to bipartisanship. Members regularly hear the stories of their constituents seeking advice on where to take their complaints or how to protect themselves in the future. This first-hand experience and the cases we heard about during the inquiry served to remind us of the importance of tackling this insidious problem.
Ms Belinda Neal MP
Chair

Membership of the Committee
Committee Secretariat
Terms of reference
The House of Representatives Standing Committee on Communications shall inquire into and report on the incidence of cybercrime on consumers:
a) nature and prevalence of e-security risks including financial fraud and theft of personal information, including the impact of malicious software such as viruses and Trojans;
b) the implications of these risks on the wider economy, including the growing economic and security impact of botnets;
c) level of understanding and awareness of e-security risks within the Australian community;
d) measures currently deployed to mitigate e-security risks faced by Australian consumers:
   i) education initiatives
   ii) legislative and regulatory initiatives
   iii) cross-portfolio and inter-jurisdictional coordination
   iv) international co-operation;
e) future initiatives that will further mitigate the e-security risks to Australian internet users; and
f) emerging technologies to combat these risks.
Glossary and abbreviations
List of recommendations

3 Research and Data Collection

Recommendation 1
That the Australian Government nominate an appropriate agency(s) to:

Recommendation 2
That the Australian Government nominate an appropriate agency(s) to collect and analyse data, and to publish an annual or bi-annual report on cyber crime in Australia.

5 Domestic and International Coordination

Recommendation 3
That the Australian Government establish an Office of Online Security headed by a Cyber Security Coordinator with expertise in cyber crime and e-security located in the Department of Prime Minister and Cabinet, with responsibility for whole of Government coordination. The Office is to take a national perspective and work with State and Territory governments, as well as federal regulators, departments, industry and consumers.
That the Australian Government establish a National Cyber Crime Advisory Committee with representation from both the public and private sector to provide expert advice to Government.

Recommendation 4
That the Australian Government, in consultation with the State and Territory governments and key IT, banking and other industry and consumer stakeholders, develop a national online cyber crime reporting facility geared toward consumers and small and medium sized businesses. This model should include the following features:

Recommendation 5
That the Federal, State and Territory police forces establish an E Crime Managers Group to facilitate the sharing of information and cross jurisdiction cooperation.

Recommendation 6
That the Australian Government, in consultation with the State and Territory governments, industry and consumer organisations, develop a national law enforcement training facility for the investigation of cyber crime.

Recommendation 7
That the Australian Government consult with major IT security vendors, academia and key industry stakeholders to develop:
- longer term analysis on cyber crime methodologies across a range of cyber crime types;
- education on the preservation of digital evidence; and
- support to law enforcement agencies for targeted prosecutions in Australia and overseas.

6 Criminal and Law Enforcement Framework

Recommendation 8
That the Federal, State and Territory Attorneys-General review the existing computer and identity fraud provisions and, if necessary, introduce or amend provisions to ensure consistency across all Australian jurisdictions.

Recommendation 9
That the Federal Attorney-General, in consultation with State and Territory counterparts, give priority to the review of Australian law and practice and move expeditiously to accede to the Council of Europe Convention on Cybercrime.

Recommendation 10
That Australia’s cyber crime policy strategically target the underground economy in malicious IT tools and personal financial information; the disruption of botnets and the identification and prosecution of botherders.

Recommendation 11
That the Commonwealth, State and Territory governments establish a national working group on cyber crime to maintain an ongoing, dedicated mechanism for the review and development of legislative responses to cyber crime. That the working group take a whole of cyberspace perspective and consider relevant IT industry, consumer protection and privacy issues as well as the criminal law.

7 Protecting the Integrity of the Internet

Recommendation 12
That the Australian Communications and Media Authority further increase its access to network data for the purpose of detecting malware compromised computers. This should include active consideration of how to increase access to network data held by global IT security companies and, in consultation with relevant departments, whether legal protections to address commercial, regulatory and privacy concerns are desirable.

Recommendation 13
That the Australian Communications and Media Authority consider how best the Australian Internet Security Initiative network data might be used to support the threat assessment and emergency response functions of government.

Recommendation 14
That the Australian Communications and Media Authority take the lead role and work with the Internet Industry Association to immediately elaborate a detailed e-security code of practice to be registered under the Telecommunications Act 1997 (Cth). That the code of practice include:
- install anti-virus software and firewalls before the Internet connection is activated;
- endeavour to keep e-security software protections up to date; and
- take reasonable steps to remediate their computer(s) when notified of suspected malware compromise.

Recommendation 15
That the Australian Government, in consultation with the Internet industry, review the scope and adequacy of s.313 of the Telecommunications Act 1997 (Cth) to promote Internet Service Provider action to combat the problem of malware infected machines operating across the Internet.

Recommendation 16
That a more integrated model for the detection and removal of malware, built on the Australian Internet Security Initiative, be implemented. The new scheme should involve the Australian Communications and Media Authority, Internet Service Providers, IT security specialists, and end users in a more tightly coordinated scheme to detect and clean malware infected computers.

Recommendation 17
That the Australian Communications and Media Authority be funded to develop a system that can obtain data on compromised web pages from various sources (including developing an internal capability). This data be collated and provided as daily aggregated reports to Internet Service Providers identifying infected web pages residing on their networks. That in addition to Internet Service Providers, domain owners and hosting companies also be included in the new scheme.

Recommendation 18
That the system for reporting and detecting compromised web pages proposed in recommendation 17 be supported by a registered industry code that outlines industry procedures for dealing with infected websites. That the Australian Communications and Media Authority be empowered to enforce the provisions of the registered code, including, for example, where there is a need to direct a service provider to remove malicious content. That Internet Service Providers and hosting companies who act on reports of infected websites be indemnified against claims for losses.

Recommendation 19
That the Australian Communications and Media Authority and the Internet Industry Association review the Spam Code of Practice to assess the effectiveness of current industry standards for the reporting of spam. That serious consideration be given to obliging Internet Service Providers to include the Australian Communications and Media Authority’s SpamMatters program as part of their email service to subscribers.

Recommendation 20
That the Australian domain name registration industry be subject to a code of conduct that is consistent with the Anti-Phishing Working Group Best Practices Recommendations for Registrars. The code of conduct should:

Recommendation 21
That the Minister for Broadband, Communications and the Digital Economy make a reference to the House of Representatives Standing Committee on Communications to inquire into the regulation, standards and practices of the domain name registration industry in Australia.

8 Consumer Protection

Recommendation 22
That the Australian Government ensure that:

Recommendation 23
That the Treasurer amend the Australian Consumer Law to include specific protections against the unauthorised installation of software programs:

Recommendation 24
That the Australian Competition and Consumer Commission, in consultation with manufacturers and distributors of personal computers, mobile phones and related IT devices such as modems and routers, develop information standards to:

Recommendation 25
That the Treasurer direct the Productivity Commission to conduct an in depth investigation and analysis of the economic and social costs of the lack of security in the IT hardware and software products market, and its impact on the efficient functioning of the Australian economy. That, as part of its inquiry, the Productivity Commission address the merits of an industry specific regulation under the Australian Consumer Law, including a scheme for the compulsory independent testing and evaluation of IT products and a product labelling scheme.

Recommendation 26
That the Treasurer consult with State and Territory counterparts with a view to amending the Australian Consumer Law to provide a cause of action for compensation against a manufacturer who releases an IT product onto the Australian market with known vulnerabilities that causes losses that could not have reasonably been avoided.

Recommendation 27
That the manufacturers of IT products adopt a best practice approach that ensures products are designed to prompt and guide end users to adopt more secure settings. That the Australian Government monitor industry practice in this regard, and promote international standards that put a higher priority on security through product design.

9 Privacy Measures to Combat Cyber Crime

Recommendation 28
That the Office of the Privacy Commissioner use the full extent of its powers to ensure that overseas organisations that handle the personal information of Australian citizens and residents are aware of, and adhere to, their obligations under the Privacy Act 1988 (Cth).

Recommendation 29
That the Office of the Privacy Commissioner expedite the adoption of an approved privacy code of practice for members of the Australian Internet industry, including smaller Internet Service Providers.

Recommendation 30
That the Office of the Privacy Commissioner encourage government agencies and commercial organisations to undertake regular audits to identify risks to personal information in both new and existing projects and policies.

10 Community Awareness and Education Initiatives

Recommendation 31
That the Department of Broadband, Communications and the Digital Economy, in consultation with relevant agencies, industry and community organisations, develop a nationally coordinated strategy for the education of consumers:

Recommendation 32
That the Stay Smart Online and SCAMwatch websites be linked to the national cyber crime reporting centre referred to in recommendation 4.

Recommendation 33
That the Department of Broadband, Communications and the Digital Economy implement a public health style campaign that uses a wide range of media to deliver messages on cyber security issues, technical precautions and appropriate user behaviours.

Recommendation 34
That the Department of Broadband, Communications and the Digital Economy support the development of IT literacy training that includes cyber security and is available to the community as a whole.