Editor’s Note: The following story, drawn from Australia’s experience in implementing cybersecurity regulations, may be illuminating for US officials working on the Cybersecurity Framework. The report, “Cybersafety for senior Australians”, prepared by the Australian Parliament’s Joint Select Committee of Cyber-Safety, is attached here.
Summary: Trying to educate users on cybersecurity is like leading a horse to water, according to Telstra, and making such education a legal requirement isn’t going to solve the problem.
In a joint select committee on cybersafety (PDF) held on Friday, two Telstra representatives told the committee that laws forcing it to educate users on the perils of the online world would be useless.
Telstra’s director of corporate security and investigation and internet trust and safety, Darren Kane, said that users currently have enough information about online risks, but that the company sees the current education issue as one similar to “taking a horse to water”.
“Making it mandatory for us to provide the information would not solve the problem. I think we do that anyway, because we want to ensure they have a greater online experience and keep coming back for more,” Kane said, but also clarified that advising users was part of its commercial interests.
“If we were to sell a service or product or network access that did not deliver a good online experience, people would not connect with us. Therefore, it is absolutely in our interests to ensure that all of our customers understand the potential online risks.”
But when questioned on whether existing legislation is suitable or whether it needed improvement, the company’s representatives admitted that it was not something that came to the fore of its internet trust and safety working group meetings.
“I can say with hand on heart that one issue that does not come up at every meeting is whether we need more regulation or changes to the law in this space. It is not the first order issue that comes to mind when we talk about how we address the issue of cybersafety,” said Telstra director of government relations James Shaw.
He also admitted that raising the question of whether legislation is suitable would likely not get a large response from the company’s regulatory and legal departments.
Although Telstra isn’t legally required to, Sydney University of Technology’s Communications Law Centre director, Professor Michael Henry Fraser, felt that it could be doing more for users, beyond safety and security education.
“I think players like Telstra could do a lot more about providing information at the point of sale and on their bills, and in informing consumers more than they do about the existence of the TIO [telecommunication industry ombudsman] and other agencies. They are naturally commercially focused,” Fraser said, but warned that they should not be relied on to solve the problem.
“Educational efforts are in themselves not sufficient to ensure security online. And as we see, nor are the law enforcement efforts where we are trying to trace cybercriminals after the fact to investigate their alleged crimes, and then bring them to justice. We are having limited success with that.”
Instead, Fraser called for a more preventative approach to security, proposing that one agency, whether that is a law enforcement one or a new “cyber tsar”, take the lead to coordinate all stakeholders.
“That agency needs to bring all the players around the table: All the law enforcement agencies, the hardware companies, the software companies, the ISPs, the consumer groups, and the representatives of vulnerable groups, such as seniors or the young. It needs to bring these actors together to develop interoperable standards and industry codes that will reduce the opportunity for cybercriminals in what is now a very open network which is very vulnerable.”
Telstra believes it is already leading the way in that regard, at least from the point of view of de-duplicating the educational message and tailoring it towards different internet users.
“I think our company has got it right. I think we have a centralised point for the emission of cybersafety information, and we recognise that we are servicing a different market and different segments. We target our messaging and tailoring at those segments. I do not see that same approach in some government departments or in other agencies. If we are to work effectively in a taskforce approach, I think there has to be an acceptance of one firm approach,” Kane said.