Disclosure Laws in Australia

Posted on August 8th, 2007 by Drazen Drazic

As reported in ComputerWorld, it seems Disclosure Laws are now on the agenda for Australia.

Related posts: http://beastorbuddha.com/category/disclosure-laws/.

Okay… some progress, but let's hope we get this right by ensuring that the framework and processes around monitoring and reporting are in place in organisations, so that they are actually in a position to detect and report. The real danger, as we continue to document here, is organisations having no clue as to what is going on inside their own organisation. In such cases, what is there to report?… the 3 monkey strategy beats all!

One Response to “Disclosure Laws in Australia”

  1. And the wheel keeps turning. Detection and prosecution? Disclosure implies detection. Nothing is mentioned regarding prosecution and investigation?

    From: http://taosecurity.blogspot.com/2007/08/kung-fu-wisdom-on-threats.html

    QUOTE

    Given the seriousness of my last post, I thought some words of wisdom from the great Kwai Chang Caine would improve everyone’s mood. Consider a scene from Kung Fu.

    Caine is talking to an Amish man who says “When someone hits me with a stick, I have three choices: I can hit him back, I can let him hit me again, or I can run away.” Caine replies with a fourth option: “You can take the stick away from him.”

    The unspoken element of Caine’s reply is that you can peacefully disarm an opponent, which may require Shaolin-like skill. Most people do not have such skills and are stuck with one of the three previous options.

    None of these approaches work for digital security.

    1. If you hit the intruder back, unless he’s incapacitated he remains ready for another attack. If you do knock out one of his drones, he activates number two of ten thousand.

    2. If you let him attack again, you lose a second time. The threat is also free to hit again.

    3. If you run away by disconnecting from the network, you lose all the network’s benefits.

    4. Taking away the stick (perhaps by criminalizing “hacker tools”) only punishes law-abiding citizens. If you do peacefully shut down a drone, again he activates number two of ten thousand.

    The answer to this problem is you apprehend the criminal for assault, prosecute, and incarcerate. “Rehabilitation” is nice, but at least for the duration of his prison time he can’t hurt those outside prison. You may enjoy a deterrence effect, although this is debatable. Regardless, this is the only way to deal with a threat once it has obtained evil capabilities and intentions. (You can argue for shaping the threat’s life such that those evil capabilities and intentions are not reached, but that’s an issue for social scientists.)

    It’s all about the risk equation: Risk = Asset value * Vulnerability * Cost

    * No one is deploying worthless assets.

    * 30+ years of trying to develop resources that are vulnerability-free has failed.

    * Only the threat component has a chance to be reduced, thereby reducing overall risk (assuming it outpaces the asset and vulnerability categories, which is problematic still).

    QUOTE
