Penalties for insecure systems and fines for poorly performing
products form the linchpin of a submission to the Australian
government seeking new laws to lift IT industry standards.
Companies that do not secure their systems, and vendors who sell
products that are not up to scratch, are targeted under the proposed
laws.
The get-tough legislation outlined in the submission has been
drafted by Internet law specialists Deacons Lawyers and will be
presented to the National Office for the Information Economy
(NOIE), the Federal attorney general Daryl Williams and IT minister
Richard Alston in March.
The submission is aimed at lifting Australia's e-security standards
and calls for government to be more active by introducing civil
laws to hit companies with financial penalties if "reasonable
steps" are not taken to ensure systems are secure.
An IT manager, supporting the submission, welcomed the move and
said it could put "a level of responsibility on the vendor's
shoulder."
National Jet Systems Group IT manager Steve Tucker said the
submission was reactionary, with the exception of financial
penalties for vendors, which "would be good for users."
He said it is up to business to lift e-security standards rather
than the government.
Deacons Lawyer Leif Gammertsfelder said formal processes need to be
in place before the "big bang" security disaster occurs, not after
the event.
"The Government is really abdicating responsibility in this area;
we have laws for fence heights and dog ownership but not e-security
which is fundamentally more important to the economy,"
Gammertsfelder said.
Gammertsfelder pointed to the situation in the U.S., where a raft of
cyber security legislation has been introduced in the wake of
September 11, including the Patriot Act, Cyber Security and
Enhancement Act and Cybersecurity Preparedness Act.
The submission also calls for laws to enforce better products from
software and hardware vendors, and seeks sanctions.
Gammertsfelder said fines could be introduced under the Trade
Practices Act, forcing vendors to prove "reasonable steps are taken
to ensure products."
"Instead of getting caught up in IT technicalities, laws will put
broad processes in place which form the key tenets in every
standard around the globe," he said.
The Australian government was unwilling to comment until the
submission had been received. However, a spokesman for NOIE said
the government has accepted e-security responsibility at the
highest levels, as demonstrated by the Prime Minister convening
the business-government taskforce, which is scheduled to hold its
first meeting in March.
"The Government is dealing with this issue and liaising with senior
executives without public grandstanding in the press," the
spokesman said.