Government security is a "team sport"
Queensland’s $12.5 million, 4½-year commitment to establish a Cyber Security Unit is showing the way forward for government security projects.
Executive support for change doesn’t come with a much stronger pedigree than the sweeping reform of cybersecurity strategy outlined by US President Barack Obama in February, boosting IT-security spending by 35% — including a $4.3 billion (US$3.1bn) commitment to modernise ageing and insecure government systems.
That strategy, called the Cybersecurity National Action Plan (CNAP), has earned plaudits from security analysts the world over for initiatives including appointment of a federal chief information security officer (CISO), promotion of multifactor authentication across government services, formation of a Commission on Enhancing National Cybersecurity, provision of government-wide shared services for IT and cybersecurity, and more.
The broad scope of the CNAP strategy, as well as the significant amount of money put behind it, reflects a growing determination to get on top of the security threat that has continued to plague government organisations around the world.
“A policy without money behind it isn’t respected in Canberra or anywhere else,” said Eddie Sheehy, CEO of security analysis vendor Nuix, who earlier this year joined a delegation of Australian security industry pioneers to meet with Silicon Valley security specialists as part of an AusTrade Cyber-Security Delegation — where the Australian federal government’s $30 million Cyber Security Growth Centre was among many topics bandied about amongst government and industry dignitaries.
Queensland’s recent strong investment in a cybersecurity centre of excellence is a particularly strong statement of the importance of improving governments’ security posture, as the state’s chief information officer Andrew Mills knows all too well. Having seen a significant ramp-up in cybersecurity’s profile in the lead-up to the G20 Leaders’ Summit in Brisbane in late 2014, Mills realised the opportunity to maintain that momentum and progressively advocated the establishment of a dedicated cybersecurity capability to support all state government agencies and departments.
The result — a $12.5 million, 4½-year state government commitment to establish a Cyber Security Unit (CSU) that will be managed within the Queensland Government Chief Information Office — will maintain a nearly dozen-strong team of security experts whose sole focus will be on protecting the state against the rising tide of cybercrime.
Among the many initiatives are the appointment of the state’s first ever CISO, as well as the maintenance of security-related Queensland Government Enterprise Architecture (QGEA) documents and the expansion of IT security services including vulnerability scanning, internet gateway and monitoring, and service monitoring.
“Each agency remains accountable for protecting their own systems, but we will work with agencies to get commonalities and, where it’s feasible, to work with them,” Mills told GTR.
“The function of the unit is to enhance all-of-government protection, share information with security resources, and educate and make agencies aware of threats and how they respond. My job is to create the policies and frameworks, and to mature those as we go.”
Taking concrete steps
While Mills’ unit may have clear terms of engagement, the ongoing rise of security-related initiatives across Australian government agencies is inspiring increasingly proactive steps as they race to close the gaps that have seen government data stolen and public-facing systems violated over and over again.
The past few months have seen a virus outbreak ravage Melbourne Health’s installed base of now-obsolete Windows XP computers; the Western Australian Parliament suspended after a virus compromised its data and communications networks; and the Bureau of Meteorology targeted by a large attack that has been blamed on the Chinese government and caused damage estimated in the millions of dollars.
These and other successful attacks are probably just the tip of the iceberg, given that the lack of mandatory breach reporting means such incidents only tend to make their way into the public domain when they cause a service interruption that is noticed by citizens.
Yet in a climate of growing cybersecurity attacks and intensity — January’s distributed denial of service (DDoS) attack on the BBC, for example, was measured at 602 Gbps and claimed to be the largest ever such attack — government agencies are finally taking concrete steps to bolster their defences and strengthen their attack postures.
At a federal level, the amalgamation of previously disparate cybersecurity interests into the Australian Cyber Security Centre (ACSC) reflects the growing recognition of the importance of a unified defence. Likewise, Prime Minister Malcolm Turnbull’s November decision to reject a draft of a new national cybersecurity strategy as inadequate highlights the understanding that high-level motherhood statements are no longer adequate to defend government systems from increasingly capable and determined attackers.
Given the indictment of Australia’s cyber defences noted in a recent Australian Centre for Cyber Security (ACCS) research briefing, the eventual final strategy will be crucial in reinforcing Australia’s domestic cybersecurity capabilities as well as its ability to defend against cyberwarfare. The final policy must therefore avoid vagueness and should instead borrow from Obama’s CNAP plan in its spirit if not its letter, said Nuix’s Sheehy, who believes Turnbull’s decision to delay the review was “a good thing”.
“I think President Obama came up with some really great practical steps — tangible actions that can be taken — and I would hope that through the long process of review that has already happened here,” said Sheey. “There has been a floor set by what America has already done, and we have a lot of high expectations as to what [Turnbull’s policy] should have.”
Looking outwards for security
Queensland’s strategic security shift reflects the growing recognition that security is, as Mills puts it, “a team sport” — and in a growing number of cases, public as well as private sector organisations are expected to look externally for support. For some agencies this means greater involvement with a body such as the CSU; for others, it means shifting many core systems to cloud-based alternatives in which security — modern security — is a fundamental design consideration.
Indeed, a recent Gartner analysis predicted that by 2018, security will surpass cost savings and efficiencies to become the primary reason that government agencies embrace cloud services.
“Many cloud service providers, such as Amazon Web Services, Microsoft and Google, invest heavily in incorporating higher levels of security into their products to continue building confidence that their data is more secure,” said research director Neville Cannon.
“Many of these providers can invest more than what most nations could afford, let alone the average government agency.”
Fuelled by the Turnbull government’s actively supportive cloud-first policy — which has been positioned as an enabler of the ongoing Digital Transformation Office-led government transformation effort — agencies will also see value in cloud-based security to help them close a perceived gap in security capability that some feel has kept them on the back foot when it comes to cybersecurity-related risk management.
“Thinking about the manner in which Australian government and industry organisations respond to security manners, it’s quite different to other parts of the world that are a little more advanced,” explained Michael Shatter, a risk advisory partner with RSM Australia.
Some reports suggest that Australia is “in some areas up to 10 years behind the US with respect to the maturity of security processes conducted by organisations”, he told GTR.
“As budgets are tightened within IT and infrastructure areas, they have business-as-usual objectives to meet. And while security is given attention in some sectors, there are many sectors that simply can’t afford to give it the same level of access that you would otherwise expect to see in allocation of resources.”
Outsourcing — particularly as enabled by efforts to shift functions to cloud services — must also be taken with caution, however.
“Just because you’re now using a portal into an online business system, that doesn’t relieve you of responsibility for active security management of your environment and systems,” said Shatter. “You still need to be 100% confident that you understand and know where all your exposures are.”
In this regard, government agencies contemplating a move to embrace the cloud — and even those that aren’t — will do well to form long-term partnerships with risk and security advisory organisations that can help formulate accurate risk models that can be used to provide a governance layer around any major security initiatives.
RSM, like other security and risk management firms, offers rapid risk assessments that can home in on often glaring security shortcomings and focus future security strategies. Sometimes these shortcomings may fuel head-in-the-sand denial — “We’ve come across many organisations who don’t test their security posture because they don’t feel they have the capability of fixing the problems when they find them,” said Nuix’s Sheehy — but in more proactive organisations they can then be used to develop results-focused initiatives for organisational change and technological improvements.
If, that is, those improvements can be framed within the context of a viable business case. Such a business case will still have to be made in determining the extent of a security investment, although the current climate of fear about data security means CIOs and CSOs will likely get some latitude when it comes to allocating budget.
After all, as any public sector IT specialist knows, limited funding can often become a serious drag on even modest plans for IT improvement. This longstanding reality — which is becoming even more so amidst general government belt tightening — makes the allocation of $12.5 million to Queensland’s CSU a remarkable reflection of the state executive’s desire to get serious about cybersecurity.
“We’re happy that we’ve gotten what we need to do the role we need to do,” said Mills.
But how will the state government tell if its new security investments are working? This is an issue Mills, like many of his peers, has considered and will be revisiting as the CSU evolves over time. Consideration of objective measures, such as the Potomac Institute for Policy Studies’ Cyber Readiness Index, will factor into the evaluation of the program’s effect on overall government security readiness.
“You can’t do anything like this without measuring it properly these days,” said Mills. “It’s a real key issue of having measurements of success with where we’re heading. But it’s a pretty difficult thing when you don’t control anything.”
Yet while the CSU is “not a traditional program”, he added, “we’re going to take a program approach to this; it’s not going to be a part of business as usual, and we’re going to take a very structured approach. It’s too important not to govern properly.”
Building secure AI: a critical guardrail for Australian policymakers
While AI has the potential to significantly enhance Australia's national security, economic...
Building security-centric AI: why it is key to the government's AI ambitions
As government agencies test the waters of AI, public sector leaders must consider how they can...
State government agencies still struggling with securing user access
Audit reports have shown that Australian government agencies in four states experience challenges...