Australian Government Leaves Security to Private Sector

The Australian government has given up on direct
public sector involvement in the emerging digital certificate industry,
leaving the lucrative field to corporate partners after a failed attempt at
a government solution.

Senator Richard Alston, federal minister for Communications, Information
Technology and the Arts, admitted that the pace of change in technology had
made government strategies obsolete in less than a year.

“You can move too quickly on regulation, and the corporate sector is quick
to develop its own solutions,” he said.

Senator Alston was speaking at the launch of an electronic company
registration (ECR) service, an example of the way the private sector is
now being incorporated into the public service’s projects for electronic
service delivery.

The ECR service was developed for the Australian Securities and Investments
Commission (ASIC) by Rotek Consulting and TransactionSite, but will be
administered not by ASIC, but through around 100 “intermediary” resellers
of the service like accountants, solicitors and specialist registration
companies.

These intermediaries, in an industry worth AUS$70 million (US$47 million)
in annual revenue, will use one of four interface programs to the central
ASIC application, developed by Corporate Express, BGL, Kooyong Computing
and Solution 6.

Senator Alston also announced that the KeyPOST service, an ambitious
attempt by national postal service Australia Post to establish a digital
certificate authority for ordinary citizens, would be resurrected by Secure
Network Solutions.

Australia Post dropped KeyPOST earlier this year due to lack of take-up by
Internet users.

Secure Network Solutions was involved in both deals,
as it also owns Rotek.

ASIC’s ECR service is one of the first to give a glimpse to what the
eventual model for the Australian government’s public key infrastructure
might look like, which is still being developed by a cross-government
committee under the banner of Project Gatekeeper after years of discussions.

Authentication at the reseller end is handled through X.509 digital
certificates stored on smart cards, although ASIC said the system would be
open to any Gatekeeper-compliant certificate authority.

The central ECR system runs on an Apache Web server and uses the
Australian-developed cryptography freeware SSLeay for session encryption
and “digital certificate functionality”, according to ASIC.