The NSW Police Minister is considering a proposal that IT security providers be required to hold the same license as physical security operators before providing services to the state, after receiving a submission elevated to the department by the NSW Police this month.
An industry member of the advisory council associated with the NSW Police's Security Licensing and Enforcement Directorate (SLED) - which acts as a forum for discussion between the security industry and the force on regulatory issues - put forward a proposal [pdf] in March to require IT security consultants to attain a similar license to the NSW Security Licence Class 2A in order to offer infosec services.
The proposal was put forward by SLED Council advisor Julian Claxton, a technical counter surveillance measures (TCSM) specialist in the private sector.
The Class 2A license authorises physical security consultants to provide solutions and strategies to minimise identified security risks.
In a discussion paper, Claxton said the broadly-defined term of “security” was hastily moving toward the digital age, and consideration should therefore be given to how IT security providers were regulated.
He said while the current legislation had assisted to protect the community from unethical physical security operators, IT security providers were not often considered in the same light.
“IT staff are generally granted access to highly-secure digital environments, such as databases containing endless credit card numbers, personal information, health records, ﬁnancial data, access control systems, conﬁdential documents and more. All without a single check to determine whether they are ﬁt to be given access to such critical information.
“The altering of digital information for example, could just as easily result in an access pass being granted to someone, who could then run rife within an organisation, whether it be committing theft, fraud or otherwise.”
- Submission by Julian Claxton
Claxton stated that the damage which could potentially be caused by an unethical IT security provider “far outweighs” that caused by a rogue physical security operator, and could “potentially affect millions of individuals with a single keystroke”, alongside potentially “enormous” financial repercussions.
“The divide between physical and digital security is narrow. There are no checks or balances to ensure that the person protecting our most sensitive digital data is not a convicted criminal, bankrupt or otherwise. In some instances, these individuals could cause havoc on a persons’ life. Identify theft alone takes an average of seven years to resolve and sometimes, tens of thousands of dollars.
“It is essential that such operators are scrutinised before being granted access to the data hubs of multi-national organisations, governments and individuals.”
Claxton suggested IT security providers be licensed “at the very least” similarly to Class 2A, which would require evidence of experience and credentials to be set out as a minimum and would “weed out those operators with a criminal background”.
Convictions relating to fraud and misrepresentation would immediately disqualify an IT security firm from holding a license.
The proposal would require changes to legislation should the NSW Government choose to adopt it, as data security is not currently captured under security industry legislation, SLED director Cameron Smith said in response to the proposal.
Smith this month took the matter to the Ministry of Police and Emergency Services for discussion.
A spokesperson for NSW Police Minister Stuart Ayres said including data security in the requirements of current security legislation would be a "significant policy decision", and would be considered as part of the next, unscheduled statutory review of the Act.
Members of the local infosec industry were unconvinced the proposal was either necessary or destined for success.
Ty Miller, director of infosec firm Threat Intelligence, said he would support a licensing scheme for infosec professionals making recommendations on physical security control - such as access to data centres, physical social engineering, and CCTV.
“I think if you’re making recommendations on physical security then it does make sense that you might need a license, if that’s what the requirements are at the moment,” Miller said.
But he was opposed to licenses and background checks being required for general IT security firms on the basis of their access to sensitive data.
“If security professionals require a license because they have access to highly sensitive data and can affect the security of that data, are we then going to force [internal] system and database admins to become licensed?" he said.
"Because they too have access to highly sensitive data and have the potential to design and implement insecure systems that are vulnerable to attacks.”
Miller said dodgy and inexperienced security operators were already partially being dealt with by infosec certification not-for-profit CREST Australia, which started as a UK initiative and was brought to Australia by the Government several years ago.
It provides a standard for infosec testing and offers three levels of certification. Miller, a member of the body’s technology establishment team and one of the writers of the certification exams, said the organisation existed to give customers peace of mind as to the competencies of their chosen IT security provider.
CREST Australia currently counts 17 approved infosec firms and hopes to eventually become the default standard in Australia.
Chris Gatford, founder of pen testing firm HackLabs and member of the CREST board, said efforts to license infosec professionals had failed in other countries and were “ridiculous”.
“The industry regulates itself. Maybe it’s worth having the discussion, but I think there are already things in place to assure that IT security consulting companies and practitioners in our industry are doing the right thing,” he said.
“And those are state government panels like NSW 2020 [approved supplier panel], organisations like CREST - and if consumers are concerned about the organisation performing security testing, I highly advise they check the company’s references with AusCERT and CERT Australia.”
He said moves to regulate IT security firms would only serve to constrain an industry already struggling with finding the right skills to fill their teams, and make it more difficult and expensive for organisations to get security testing.
“Licensing these people doesn’t actually mean more work will get done. We have a shortage of skills in the industry and we have a shortage of buyers,” Gatford said.
“You’re going to limit the already-limited pool of resources. Many pen testers won’t want to get licensed to perform this type of work, they’re very privacy and security conscious - putting us all in a database is crazy talk.”