The financial system’s shift to an increasingly online environment heightens cyber security risks and the need to improve digital identity solutions. Government has the ability to facilitate industry coordination and innovation in these areas.
Cyber security’s growing importance
The rise of e-commerce and widespread internet connectivity expose financial institutions to more cyber crime. Cyber attacks may cause service outages, failure of core operating systems, increased fraud, theft of intellectual property and loss of sensitive data. Criminal and malicious actors, state and non-state, seek ways to disrupt services, access personal and corporate data, and steal resources. Organised crime uses increasingly sophisticated techniques, particularly in money laundering and identity crime, to facilitate other illegal activities.
Cyber attacks are no longer only a potential threat; they are occurring on an increasingly frequent basis. For example, recent figures show a 21 per cent rise in cyber threats to Australian Government networks between 2012 and 2013.88 In considering national security risks, the Government has assessed cyber security risk to the Australian economy as high.89 Consequently, cyber security is one of the Government’s top national security priorities, and the financial system is considered a component of Australia’s critical infrastructure.90 The financial industry is a key target of cyber crime, alongside the resources, defence, telecommunications and technology sectors.91
Although managing cyber security risks creates costs for industry and Government, there are also costs from failing to take action. For example, in 2013 cyber crime affected 5 million Australians at an estimated cost of $1.06 billion.92 Cyber crime may erode consumer and business trust and confidence in the financial system. Increasingly, cyber crime is also being identified as a potential source of systemic risk.93
Australia’s Cyber Security Strategy
In Australia, the Department of Prime Minister and Cabinet provides whole-of-Government coordination on cyber security policy under the Cyber Security Strategy (CSS). The CSS, released in 2009, is designed to maintain a “secure, resilient and trusted electronic operating environment that supports Australia’s national security and maximises the benefits of the digital economy”.94
Submissions consistently raise concerns that the CSS needs to be reviewed and updated, and that a strategy from 2009 is out of date in a rapidly changing threat environment. A recent Government report also warns of the need for organisations to be continually vigilant and up to date in network security to deal with the “increasing skill and resourcefulness of cyber adversaries”.95
Australia’s CSS is the least up to date among the national cyber security strategies of the United States (2011), the United Kingdom (2011), Canada (2010), New Zealand (2011), France (2011), Germany (2011), Japan (2013) and Singapore (2013).96 Given the complexity and dynamic nature of the threat, stakeholders emphasise the importance of cyber security being managed strategically at a national level, hence the need for a refreshed strategy.
Implementation of cyber security policy
Due to its broad-ranging implications, many agencies are involved in implementing cyber security policy. The CSS identifies nine main agencies or bodies with significant cyber security responsibilities, such as the Attorney-General’s Department (AGD), and various communications, defence and intelligence agencies. The CSS also established two new organisations in 2009: the Computer Emergency Response Team (CERT) Australia and the Cyber Security Operations Centre, both of which will now be co-located within the recently announced Australian Cyber Security Centre (ACSC).97
In January 2013, the Government announced the establishment of the ACSC as part of the National Security Strategy.98 The ACSC is the joint responsibility of the Attorney-General and the Minister for Defence and will be overseen by the Cyber Security Operations Board (CSOB). The CSOB consists of agency heads and secretaries and is responsible for strategic oversight of the Government’s operational cyber security capabilities and coordination of cyber security measures.99
The ACSC brings together cyber security expertise from the Australian Signals Directorate (ASD), Australian Security Intelligence Organisation, AGD, Australian Federal Police and Australian Crime Commission (ACC).100 The ACSC will focus on threat identification and assessment, as well as coordinating operational responses to threats of national importance. The ACSC will also aim to improve partnerships between Government agencies and with industry.101 It is expected to be operational in late 2014.102
A range of other agencies also play roles in cyber security; for example, in areas such as anti-money laundering, privacy and international cooperation against cyber threats. In addition, a number of joint public–private sector committees exist for cyber and fraud threats. Examples include the Australian Federal Government and Banking Industry Security Governance Forum, which shares intelligence on cyber threats, and the National Fraud Exchange, which shares fraud intelligence across Australian financial institutions.103
Stakeholders suggest there could be more cohesion and coordination in implementing cyber security policy. They note that many of the organisations involved tend to be focused on tactical and operational issues, rather than strategic matters. Consequently, some of the strategic and forward-planning aspects are given less emphasis. For example, if a major cyber attack occurs, the roles and responsibilities for Government and the private sector are unclear. Developing a forum for private and public sector discussion of strategic issues has been suggested as a way of addressing these matters.
Information sharing and collaboration
Although the private sector itself collects significant amounts of threat information, Government is in a unique position to gather intelligence and should have effective mechanisms to share information with industry. Currently, CERT Australia and the ASD play roles in disseminating threat information to industry. Other Government organisations, such as the Trusted Information Sharing Network, also contribute.104
However, stakeholders suggest that information flows between the public and private sector could be improved, particularly in relation to real-time actionable intelligence. Stakeholders also suggest improved sharing of intelligence with other sectors, such as the telecommunications sector.
While recognising industry collaboration already occurs, submissions argue that cyber security risk management could be improved by greater collaboration between Government, regulators and industry. Although stakeholders acknowledge that financial institutions retain ultimate responsibility for maintaining the security of their own systems, they note that collaborating with Government can help institutions fine tune their efforts. The CSS itself includes as one of its guiding principles the importance of partnerships and collaboration with the private sector and broader Australian community.
In a recent example of collaboration in the United Kingdom, the Bank of England is working with industry to test and improve the sector’s cyber resilience through its CBEST initiative.105 CBEST is a framework for delivering targeted cyber security tests. It differs from conventional penetration testing in that the test scenarios are driven by real and current cyber threat intelligence: tests replicate the sophisticated and persistent attacks of actual threat actors to assess an institution’s detection and response capabilities, not only its technical vulnerabilities.106
Another collaborative model suggested by stakeholders is the Financial Services Information Sharing and Analysis Center (FS-ISAC) based in the United States. The FS-ISAC is a member-funded and -managed, government-endorsed organisation that gathers threat, vulnerability and risk information about cyber and physical security risks faced by the financial services sector globally.107 Information is sourced from government and law enforcement agencies, private sector institutions, and academic and other trusted sources. The FS-ISAC delivers alerts to member organisations and provides various services based on a tiered system of membership.
Stakeholders note that the global nature of both e-commerce and cyber threats increases the potential need for regional and international cooperation on cyber security issues. The FS-ISAC has always had members with global operations; recognising this need, it recently extended its charter to specifically include information sharing with financial services firms worldwide.108
Lifting industry standards
Stakeholders argue that cyber security issues occur in an ecosystem where the capability of individual institutions affects the capability of the financial system as a whole. In other words, although some stakeholders have strong cyber security capabilities, they are still exposed to ‘weak links’ in the chain. Larger players generally have more capacity — and as larger targets, more incentive — to invest in cyber security. Smaller players are lesser targets; however, they can potentially be more vulnerable, as they typically lack the scale to invest to the same extent. Vulnerabilities can also arise from outside the sector; for example, during information transfer to technology service providers with inadequate data encryption standards. These differing capabilities heighten the need for Government to take a systems perspective in managing cyber security risks.
Firms with less capacity to invest in cyber security may require access to more information and advice from Government and industry sources. One submission suggests Government might follow the United States example in issuing guidelines to enhance cyber security across the industry and other critical sectors.109 In the United States, the Department of Commerce’s National Institute of Standards and Technology (NIST) recently released a Framework for Improving Critical Infrastructure Cybersecurity.110 The framework is the result of public–private sector collaboration and is voluntary and risk-based. It provides a set of industry standards and best practices to assist organisations in managing cyber security risks. It is intended to be scalable to meet different organisations’ needs, without adding regulatory burden.111
Policy options for consultation
The Inquiry would value views on the costs, benefits and trade-offs of the following policy option or other alternatives:
Review and update the 2009 Cyber Security Strategy to reflect changes in the threat environment, improve cohesion in policy implementation and progress public–private sector collaboration.
The Inquiry seeks further information on the following areas:
- Would a private–public sector discussion forum for strategic issues, such as cyber crisis planning, improve cohesion in implementing cyber security policy? What other mechanisms might assist to improve cohesion or coordination?
- Is there a need for more cross-sectoral or transnational mechanisms for information sharing, or for Government to work with industry to initiate the development of a collaborative model similar to the United States FS-ISAC?
- How useful would a voluntary cyber security framework, similar to that of the United States NIST, be in assisting industry to develop cyber capabilities?
An essential function
Participants in Australia’s financial system have always needed, and continue to need, confidence in a person’s identity. At its simplest, confirming a person’s identity helps prevent others from misappropriating that identity to conduct illicit financial transactions or other illegal activities.
Consumers’ growing preference for accessing financial services through online and digital channels is increasing the need for efficient digital identity verification and authentication solutions. Traditionally, identity verification has involved sighting and collecting an individual’s original, government-issued identifying documents face to face. In a digital environment, this process is slow and onerous for customers and expensive and cumbersome for organisations.
Submissions note both the importance of trusted digital identities to the financial system and heightened concerns over identity theft. For example, one submission notes that the superannuation industry is becoming increasingly attractive as a target for identity theft, as the size of member account balances grows.112 Trusted digital identities can stimulate the digital economy by increasing trust and enabling more sensitive transactions to be conducted online. Conversely, lack of consumer trust can result in ‘e-friction’, impeding the growth of the digital economy.113 Arguably, as the digital economy grows, systems and processes associated with digital identity management may increasingly be considered a type of critical infrastructure.
Trusted digital identities are important in helping prevent identity-related crime and fraud. Identity crime costs Australian consumers, businesses and Government. For example, in 2011 Australians lost an estimated $1.4 billion through personal fraud incidents related to credit card fraud, identity theft and scams.114 Over five months in 2011, the ATO identified more than 7,300 income tax returns as suspected cases of identity crime; claimed refunds were worth approximately $36 million.115 The ACC rates identity crime as a key enabler of serious and organised crime, which in turn costs Australia $15 billion annually.116
Identity crime is one of the most common types of crime in Australia. A 2013 survey by the Australian Institute of Criminology found almost 10 per cent of Australians had suffered theft or misuse of their personal information in the previous 12 months.117 More than half of those who had suffered misuse of personal information had experienced financial losses as a result, with an average loss of approximately $4,000, ranging to over $300,000 in the most serious case.
Australia’s identity infrastructure
In Australia, there is no single government identity credential; instead, the identity infrastructure is provided by approximately 20 government agencies managing over 50 million core identity credentials.118 This decentralised model is referred to as a federated identity system, which tends to emphasise market-based solutions: multiple identity credentials are produced by government and commercial providers, each providing access to public and private sector services. By contrast, under a syndicated model a single identity credential is issued, typically by government, providing single sign-on access to public and private sector services.
Financial services firms form an important part of Australia’s identity infrastructure. They both use the government-sourced identity infrastructure to perform identity management functions, and they form part of the infrastructure, as they themselves issue documents that are often subsequently used to prove identity, such as debit and credit cards. Financial services firms are also significant innovators in this area.
In Australia, when a person seeks to use financial services, anti-money laundering (AML) legislation requires firms to meet ‘know your client’ (KYC) identity management and verification obligations.119 Stakeholders observe that these requirements, combined with a federated identity model, can result in significant process duplication as firms verify and re-verify identities. This is particularly the case where firms are not permitted to rely on the identity verification processes of other trusted firms.
Although Australia has a National Identity Security Strategy, it does not set out a detailed comprehensive approach to the issue of digital identities.120 However, it has resulted in the development of significant building blocks, such as the Document Verification Service (DVS). This secure online service enables government agencies, financial institutions and other businesses to verify information on identity documents directly with the document issuing agency.121 In addition to preventing identity crime, the DVS helps to reduce AML and other compliance costs related to customer identity verification. Other initiatives include an assurance framework for accrediting commercial identity service providers,122 a national (identity) e-authentication framework,123 and identity proofing guidelines124 for government agencies and businesses.
The myGov digital service provides a potential basis for a Government-issued digital identity.125 myGov provides Australians with secure single sign-on access to various government services, including Medicare, Centrelink, electronic health records and tax records, as well as a digital mailbox to receive government correspondence. The National Commission of Audit has recommended that myGov be a core component of a strategy to shift government services to a default position of delivery by digital channels.126
Submissions question the cost and effectiveness of current identity arrangements, including compliance requirements under AML rules. Globally, AML compliance costs increased by an average of 53 per cent in the three years to 2014. This trend is expected to continue, driven by the increasing costs of transaction monitoring systems and meeting KYC requirements.127
Stakeholders are seeking ways to develop more efficient and secure identity processes. Existing commonly used processes such as passwords can be problematic. The average Australian maintains between five and 50 different login and password combinations for their online activities. This is challenging for individuals and firms: 20 to 30 per cent of all IT service desk requests relate to password problems. Estimates indicate the cost of password resets alone is approximately US$1 billion globally.128 For the Oceania region, enabling e-government services via digital identities could generate US$1.5 billion in savings annually by 2020.129
Stakeholders vary significantly in their views on how identity management can be improved in Australia. Some have suggested developing a Government-sponsored central utility for verifying customer identity. Others seek to develop identity services by leveraging their existing branch networks and services in partnership with Government. Some want access to additional Government information to provide these services themselves, rather than relying on Government.
Internationally, different jurisdictions are positioned at various points along the spectrum between federated and syndicated identity models. Towards the federated end, examples include the:
- United States National Strategy for Trusted Identities in Cyberspace — enables commercial providers to compete to produce credentials in accordance with standards set out under multiple accredited trust frameworks. A Federal Cloud Credential Exchange is being set up by the United States Government within the United States Postal Service to facilitate federal agencies in accepting accredited third-party digital credentials.130
- United Kingdom Identity Assurance Program — allows accredited commercial identity providers to issue credentials providing access to multiple government services.131 Its standards-based approach relies on a hub that enables authentication without unnecessary transfer, disclosure or storage of data, limiting privacy implications.
- Canadian Cyber Authentication Renewal Initiative — provides individuals with a choice of private or public sector identity credentials to access government services.132 It offers GCKey, a government-provided identity credential, or the option to use SecureKey Concierge, a service that enables individuals to use identity credentials previously issued by partner banks. This model is effectively an authorised brokering service that relies on previous identity verification performed by the banks.
A common theme among these initiatives is the growing role of financial institutions and other private sector organisations in providing identity-related services, traditionally the domain of government.
At the syndicated end, government-developed examples designed specifically to enable digital service delivery include:
- New Zealand’s RealMe credential — issued after an in-person interview at a New Zealand Post Office.133 The applicant must produce their passport, citizenship or birth certificate, or visa, and documents are verified using the Data Validation Service. RealMe allows individuals to consent to and share their personal information with other organisations, such as banks, if they wish.
- India’s Aadhaar identifier — India’s new national identification number is linked to fingerprint, iris and facial biometric information captured at registration. The identifier enables access to online and offline government services and is an acceptable form of identity for commercial services such as banking.134
Beyond government initiatives, private sector developments include the activities of groups such as the Fast Identity Online (FIDO) Alliance, members of which include MasterCard, Bank of America, Microsoft and Google. The FIDO Alliance is committed to “developing specifications that define an open, scalable and interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services”.135 Globally, the market for online identity authentication in the banking sector is forecast to reach US$1.6 billion by 2018, a 945 per cent increase since 2012.136
Using biometric systems for identity verification is becoming increasingly common. Public and private sector organisations are seeking greater levels of assurance in the identities of their customers. Many financial institutions, both in Australia and overseas, have adopted biometrics to improve security around ATMs and phone banking services. For example, one major Australian bank first introduced voice biometrics technology in 2009 and now has more than 150,000 customers with registered voice prints for identity verification when dealing with the bank’s call centre.137 The National Commission of Audit also recently recommended strengthening myGov with biometrics (or face-to-face verification) to enable broader use of the identity credential.138
Biometric systems offer considerable potential as a means of preventing identity theft and fraud, improving efficiency and convenience in service delivery, and enabling new online services and business models. However, they come with significant privacy issues and other potential drawbacks. In many cases, biometric information is not secret: people leave fingerprints everywhere, and voices and faces are routinely recorded. Also, unlike passwords, biometrics cannot be reset after being compromised. A system that relies on a biometric therefore needs to guard against replay of captured samples and to protect stored templates, because a template leaked from one organisation affects every other system that accepts the same biometric.
Benefits of different models
A system of trusted digital identities could have significant network benefits throughout the financial sector and the broader digital economy. If financial institutions and other companies could rely on trusted digital credentials, these firms could reduce their own duplicative identity verification processes. This would be more efficient for businesses and more convenient for consumers, who would need to maintain far fewer username and password credentials. Potentially, it could also be more secure, if designed and implemented effectively. Widespread acceptance and mutual recognition of trusted digital identities across the financial sector could also assist customers in transferring accounts between financial institutions.
If Government were the default provider of digital identities to Australians, there would be economies of scale and other potential benefits, such as ease of access to Government information sources. This approach is reflected in New Zealand’s RealMe service, in which the government conducts high-integrity identity verification, including biometric capture, equivalent to passport application processes, before issuing individuals with their government digital identity.
Equally, Government could help guide and stimulate a commercial market of digital identity products and services. It could work with industry to establish minimum standards in more of a federated ‘trust framework’ model. In this approach, similar to that of the United Kingdom and United States, consumers could choose between government- and commercially-issued identity credentials. Allowing people to use multiple trusted credentials would have privacy benefits. It would also help reduce the potentially severe consequences where an individual only has a single digital identity, which is then compromised.
Australia’s approach to developing trusted digital identities will need to take into account the broader international context. This will help Australian businesses compete in a global identity services market and benefit Australian consumers by facilitating wider acceptance of their digital identities. The Australian and New Zealand Prime Ministers have recently recognised these benefits and agreed to investigate options for mutual recognition of trusted online identities in both countries.139
Policy options for consultation
The Inquiry would value views on the costs, benefits and trade-offs of the following policy option or other alternatives:
Develop a national strategy for promoting trusted digital identities, in consultation with financial institutions and other stakeholders.
The Inquiry seeks further information on the following areas:
- In developing a national strategy, what should be the respective roles, responsibilities and expectations of Australian public and private sector organisations in creating, accepting and maintaining the digital identities used by Australians?
- Is there a need for Government to enhance identity authentication by facilitating interoperability standards in areas such as biometrics, enabling better access to Government information or improvements to the Document Verification Service?
90 Brangwin, N 2013, ‘Cyber security’, Parliamentary Library Briefing Book: Key Issues for the 44th Parliament, Parliament of Australia, Canberra.
91 Brangwin, N 2013, ‘Cyber security’, Parliamentary Library Briefing Book: Key Issues for the 44th Parliament, Parliament of Australia, Canberra.
92 Symantec 2013, 2013 Norton Report: Total Cost of Cybercrime in Australia amounts to AU$1.06 billion, media release 16 October, Sydney.
93 See, for example, Tendulkar, R 2013, Cyber-crime, securities markets and systemic risk, joint working paper of the International Organization of Securities Commissions Research Department and World Federation of Exchanges Office, Madrid, 16 July.
94 Australian Government 2009, Cyber Security Strategy, Australian Government, Canberra, page 4.
95 Cyber Security Operations Centre (CSOC) 2014, The Cyber Security Picture 2013, Australian Government, Canberra, page 1.
98 Brangwin, N 2013, ‘Cyber security’, Parliamentary Library Briefing Book: Key Issues for the 44th Parliament, Parliament of Australia, Canberra.
100 Brangwin, N 2013, ‘Cyber security’, Parliamentary Library Briefing Book: Key Issues for the 44th Parliament, Parliament of Australia, Canberra.
101 Department of Defence 2013, Defence White Paper 2013, Australian Government, Canberra.
103 ANZ 2014, First round submission to the Financial System Inquiry.
104 The Trusted Information Sharing Network enables information sharing between business and government to protect critical infrastructure and essential services in the face of all hazards.
109 Australian Bankers’ Association 2014, First round submission to the Financial System Inquiry.
110 National Institute of Standards and Technology 2014, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, US Department of Commerce, Gaithersburg, 12 February.
111 National Institute of Standards and Technology 2014, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, US Department of Commerce, Gaithersburg, 12 February.
112 Association of Superannuation Funds of Australia 2014, First round submission to the Financial System Inquiry.
113 The Boston Consulting Group (BCG) 2014, The Connected World: Greasing the Gears of the Internet Economy, BCG, January.
114 Australian Bureau of Statistics (ABS) 2012, Personal Fraud, 2010–2011, cat. no. 4528.0, ABS, Canberra.
115 Australian Crime Commission 2013, Organised Crime in Australia 2013, Australian Government, Canberra.
116 Australian Crime Commission 2013, Organised Crime in Australia 2013, Australian Government, Canberra.
117 Smith, R G and Hutchings, A 2014, Identity crime and misuse in Australia: Results of the 2013 online survey, Research and Public Policy Series 128, Australian Institute of Criminology, Canberra.
118 Attorney-General’s Department 2014, National Identity Proofing Guidelines, Draft Version 5.1, Australian Government, Canberra.
119 Anti-Money Laundering and Counter-Terrorism Financing Act 2006.
120 Attorney-General’s Department 2013, National Identity Security Strategy 2012, Australian Government, Canberra.
122 Australian Government Information Management Office 2013, Third Party Identity Services Assurance Framework, Department of Finance, Australian Government, Canberra.
123 Australian Government Information Management Office, National e-Authentication Framework, Department of Finance and Deregulation, Australian Government, Canberra, January 2009.
124 Attorney-General’s Department 2014, National Identity Proofing Guidelines, Draft Version 5.1, Australian Government, Canberra.
126 National Commission of Audit 2014, Report of the National Commission of Audit, Australian Government, Canberra.
128 Research by the Australian Communications and Media Authority, cited by Senator George Brandis QC, Attorney-General and Minister for the Arts 2014, address at the opening plenary of the CeBIT Australia 2014 Conference, 5 February, Sydney.
129 Secure Identity Alliance 2014, The role of trusted digital identity in enabling the eGovernment 2020 vision, Secure Identity Alliance, Paris, February, viewed 14 May 2014.
131 Cabinet Office 2012, Identity assurance: delivering trusted transactions, United Kingdom Government, London, viewed 12 June 2014.
132 Canadian Radio-television and Telecommunications Commission 2014, Cyber authentication renewal initiative frequently asked questions for users, Government of Canada, Ottawa, viewed 12 June 2014.
136 ABI Research cited in Friedman, O 2013, Online ID and Authentication Market Expected to Grow 945% by 2018 Says ABI Research, But Have Back-End Enterprise Solutions Been Overlooked?, media release, 4 August, Nicosia, viewed 12 May 2014.
137 Elsworth, S 2014, ‘Biometric banking to become commonplace as banks test voice and facial recognition security’, News Corp Australia, 26 May, viewed 3 June 2014.
138 National Commission of Audit 2014, Report of the National Commission of Audit, Australian Government, Canberra.
139 Abbott, T (Prime Minister of Australia) and Key, J (Prime Minister of New Zealand) 2014, Joint statement of Prime Minister Abbott and Prime Minister Key, media release 7 February, Sydney.