NBN's benefits a lure for cyber crime

Under its corporate plan, NBN Co is tasked with delivering broadband services of up to 100 megabits per second (Mb/s) to the 93 per cent of Australian homes eventually serviced by its fibre network. However, recent warnings from cyber security experts in both the New South Wales and Victorian Police suggest that consumers, service providers and regulators should be considering the security risks posed by the very characteristics identified as benefits of the NBN.

 

The main risk identified arises from the speed of the NBN. In a May 31, 2011 article in The Australian Financial Review, NSW Police Computer Crime's Detective Inspector Bruce van der Graaf is quoted as saying that 'the speed will make it easier to get botnet infections...make infecting quicker and will create more victims'.

That is to say, with a faster network, existing cyber threats become more efficient.  In particular, distributed denial of service (DDoS) attacks (which rely on multiple infected computers to hit a targeted website to cause it to crash) become more effective when transmitted over a faster network.  A faster network also increases the efficiency of data theft.

Speed is not the only factor, however.  Having higher bandwidth leads to qualitative changes in the behaviour of internet users.
 
As greater functionality becomes available, greater reliance is placed on online applications for everyday tasks.  Individual households increasingly use multiple computing devices, and 'smart' devices (fridges, televisions, even vending machines) with embedded internet connectivity are becoming common.
 
Greater reliance on the internet then leads to increasing numbers of devices being left connected to the network.  US hardware manufacturer Cisco has predicted that by 2015 there will be 25 billion devices connected to the internet, and 50 billion by 2020.

This explosion of connected devices (and connection time) creates increased opportunities to exploit security weaknesses and probe for data.

The cyber attacks earlier in 2011 on Sony's PlayStation network are a prime example of how 'always on' networks that incorporate large databases can increase security risks.  
It was reported that hackers managed to obtain access to Sony's customer database, which holds customer names, birth dates, passwords and credit card details.  The database contained details of approximately 77 million subscribers, including 700,000 in Australia.
 
The increasing reliance of people around the world on that network, and demands for it to be available 24 hours a day, made it a particularly appealing target for hackers.
 
In the future, networks related to data-intensive services including e-health, rewards schemes, banking, shopping and social networks will be similarly attractive.  The emergence of cloud computing and similar 'as-a-service' models also presents security risks as volumes of data are held in shared databases that must be available (often via public internet) 24 hours a day.

The risks of cyber crime are different for consumer customers, business customers and service providers.

For consumers, the security of personal information becomes an increasingly important issue.

Legislation is part of the response: for instance, the proposed Australian Privacy Principles include an obligation on service providers to take reasonable steps to protect information from misuse, interference and loss, and unauthorised access, modification or disclosure. Australian ISPs are also taking steps to assist consumers with the risks of cyber crime.

For business customers, the risk is to their customers' personal information, as well as their own sensitive and confidential information.  For these customers, the most important protection comes from choosing a service provider who employs proper technical protections, and negotiating a complementary contract that implements appropriate allocations of technical responsibility, legal responsibility and price signals.
 
For service providers, as well as compliance with relevant legislation and obligations of confidence, it will be a matter of corporate reputation to provide demonstrable security protection.

Those already using cloud computing services will no doubt be familiar with negotiating these risks.  As the NBN is built, these issues will become more common.
 
In the NBN supply chain, NBN Co's special access undertaking and Wholesale Broadband Agreement will establish its standard position, and the non-discrimination obligations and obligation to publicise variations from its standard positions mean NBN Co is unlikely to negotiate bespoke risk positions with each customer.
 
Therefore, providers in the higher layers of the supply chain will most acutely feel the need to identify, address and price these risks. By seeking the appropriate legal advice, the proper protections can be put in place against the threat of cyber crime.

Paul McLachlan is a Partner and Alex Hutchens a Senior Associate at McCullough Robertson law firm