07 August, 2013

If Nats can't pick some one to keep party web sites secure how can we trust their decision for all Govt security?

The National party has decided to let the GCSB do all of Government security. The worry here is that the National Party can't even pick people who can keep their own sites secure from a bunch of script kiddies. Web site security on the whole is far smaller problem than all of Government security, so if they can't pick someone do that how can we have any confidence in their picking of GCSB? Also script kiddies are far easier to defend against than committed Nation State backed adversaries. Their evaluation process for selecting a provider for their Party web sites was obviously flawed and giving the rushed nature of the GCSB bill I can only assume that their evaluation process this time isn't any better.

Surely the best option would be set up the CERT model. CERTs are independent civilian organisations that worry just about computer security and are working well in most other countries other than NZ. CERTs have a sole focus of Computer Security and don't have the distractions of Spying. CERTs also build strong links with government and the private sector which the GCSB isn't currently doing.