One particular challenge is our personal identity. In the past, we established who we said we were with physical documents in an analogue world. That might be passports, licences, government identification numbers, specific documents or a combination of several of these.
Today, with more activities online, we still rely on the collection of that real-world data, but it is not always securely stored. And that data, if stolen, can be used to establish fake identities, undertake illicit transactions, steal our money or coerce us.
That’s why creating secure, digital identities is a crucial step in making our digital lives more secure. Rather than providing that specific data, such as passports, driver’s licences or other critical information, we could provide the secure, digital identity to real estate agents or car rental firms or hotels or providers of other services.
The actual data would not be shared but held by a trusted, secure provider of the digital ID.
Around the world, many government and private sector operators are working towards schemes which satisfy this need. The ideas are frequently excellent, although real-world implementation is still likely to take some time.
My view is a more secure digital ID should be a priority element of Australia’s next National Cyber Security Strategy - but we also need better ways to ensure security in transactions or data sharing across organisations.
In a very interconnected world, we need to assume major security incidents will happen and practise how we respond together to protect those who might be impacted.
My priorities for the next national cyber security strategy would be:
- A better system for secure identification of people - with the government to lead on a national digital identity capability. This more secure digital ID would complement a clearer understanding and tighter regulation of what data is required and how it is stored.
- A better way to help assure the security of the third parties with which we all work – often the challenge is in chains of information exchange so we must ensure the security and rigour in what is shared.
- Better exercising of our response to major security incidents across private and public sectors.
I know, historically, we have seen reluctance when people feel forced by government to comply with identity or security measures or when they think privacy is at stake, such as with proposals like a national identity card. At the extreme, we saw such concerns about mandated vaccinations despite the clear benefits for individuals and society.
It may be that, at least initially, an opt-in identity scheme might be an option. This would at least enable better identity protection for those who want it.
However, we do need to recognise the amount of personal data large companies are required to collect poses serious dangers to Australia’s overall cybersecurity. And currently there are huge vulnerabilities in our national identity capability.
I do believe government needs to play a leadership role, whether that’s in a centralised identity plan or a centralised way of checking whether third parties are secure.
A further complication at the moment is the lack of clarity around who has responsibility for what, inside and outside government, and this creates a roadblock to effective cybersecurity management.
The private sector and government do need to work well together – and there are models where this does happen in Australia, notably Austrac – and share information in a timely and effective way. Such collaboration is growing with other government organisations but there is more to do.
What is clear is we have reached a point where we know the ways we identify people, using a lot of the documents that have been exposed in data breaches, are no longer providing what we need. There must be a better way.
It is complex and obviously it needs to be done well. Of course, data needs to be well protected.
However, that’s not that different to a lot of other areas where we need to centralise data, whether it's medical information or other things, where people justifiably have concerns about privacy and how well that's managed.
A secure and efficient system will take time to set up which is one reason why we should be having a serious discussion about it today. It will be about balancing the need for the data with privacy and security.
And it is about better and clearer guidelines and regulation around what data really needs to be collected for a product or service – as opposed to what might be useful for marketing – and how and how long that data is stored.
It is the nature of data storage that the very place where large amounts of personal data are aggregated is exactly where criminals will focus their efforts.
We need the right balance between what we centralise and the risk of creating a giant target.
Banks do have a long history of protecting valuable material, whether that is financial assets or the personal data associated with those assets. We can play a valuable role in this vital conversation.