Government security scorecard


By Jonathan Nally
Monday, 17 October, 2016


Government security scorecard

How good are our governments at keeping citizens’ data safe and secure? We polled seven industry experts to find out.

Every day we read about another major security hack somewhere in the world that results in identity theft, industrial espionage, national security consequences, immense personal embarrassment and so on. Australia is not immune to these system attacks, and they’re not restricted to private companies — government systems are attacked all day, every day. Think of the Bureau of Meteorology attack, which reportedly originated in China. And the Census night debacle, blamed at least partly on a DDoS attack.

It’s a problem that’s only getting worse. So with all levels of government holding vast amounts of sensitive data on members of the public, as well as the activities of businesses and government themselves, it’s more vital than ever that governments institute solid security practices and robust technical solutions to protect themselves, and us, from malevolent actors.

So how are our governments doing on this front, and what can they do better? To get a feel for the kinds of security challenges facing governments and how well they’re dealing with them, we polled a group of security industry experts to obtain their views — a sort of government security scorecard, if you will. Those experts are: Michael Steer, District Manager for Federal and NSW State Government for NetApp Australia; Gerard Nunez, ICT Government Specialist at ESET Australia; Andy Solterbeck, Regional Director for Cylance; John Ellis, Chief Strategist, Cyber Security (APJ) for Akamai; Guy Eilon, Senior Director and General Manager ANZ, at Forcepoint; Michael Wilkinson, Director of Security and Intelligence for Asia Pacific at Nuix; and Simon Green, Vice President, ANZ, Palo Alto Networks. We’re sure you’ll agree they have some interesting insights to share.

How is the availability of cloud-based security tools and services assisting government bodies?

SOLTERBECK: Australia has been extremely fast to adopt cloud-based applications, but the adoption of cloud-based security tools has been less expeditious. Cloud services are supposed to allow agencies to be more efficient and responsive in delivering services to the community, and at a significantly lower cost, and there has been a concerted push towards a ‘cloud first’ approach. But security has to be at the forefront to ensure adequate protection of data and minimisation of breaches occurring. We do recognise there is a group of customer-specific environments for which public cloud is an inappropriate approach; therefore, flexibility in deployment approaches is key.

STEER: Recent research into data management strategies amongst Australian government organisations showed that only 1 in 2 had a data management strategy in place, yet the primary issue they needed to address to ensure effective data management outcomes was to create a robust and compliant environment. Security is an extremely critical component, yet skills shortages, the fast pace of change in attacks and vulnerabilities, and the rise in state-sponsored activity mean that agencies may not necessarily have the resources immediately on hand to ensure a strong, secure environment. Also, unless there is a clear ability to scale and immediately patch or deploy new solutions, exposure remains anyway. Cloud tools help mitigate against these issues. Throw in a far greater awareness of attacks and vulnerabilities drawn from across a much wider range of customers and geographies, and cloud-based tools can be quicker to implement, more effective and easily shared across multiple agencies.

NUNEZ: The federal government could be seen to be taking a two-pronged and slightly cautious approach to cloud-based security tools and services. Reading the federal government’s Cyber Security document of 2016, you sense that there is a willingness to embrace technology and look at cloud computing as a new and exciting frontier on one hand, but then there is a sense of caution and paranoia as well relating to cloud-based security tools. This is still highly evident with some government departments and organisations not entertaining the thought of any of their networks being hosted anywhere but on-site.

ELLIS: There is certainly an increasing awareness amongst agencies of the need to leverage cloud-based tools and services from a security standpoint. At present, the Australian Signals Directorate (ASD) has actually set in place a Certified Cloud Services List that makes it necessary for government agencies to only deploy cloud services that are InfoSec Registered Assessors Program (IRAP) assessed and accredited. What this means is that, in theory, no agency is allowed to purchase any cloud technology unless it is listed as a certified cloud service. As such, most agencies are still trying to plot a pathway to the various gateway providers to assess how they can best utilise these cloud services.

WILKINSON: While a handful of agencies are embracing cloud-based security, due to the level of bureaucracy or red tape, most government bodies take time to implement changes, especially major infrastructure changes such as moving internal operations to the cloud. However, cloud-based security services are a quick win for smaller departments that do not have full-time security staff.

How does information security fit in with governments’ overall risk approaches?

GREEN: Government agencies are constant targets, and they are taking a number of steps to protect themselves. A proactive and agile approach to cybersecurity is critical. By integrating network security controls, and sharing threat intelligence, agencies can improve threat prevention and reduce response time. Also, understanding internal cyber ranks and processes, demanding accountability, and testing and evaluating to ensure teams are working together to address cybersecurity are key ways to address concerns. Agencies must gain visibility into what applications are running on their networks, who is using them and why. Using a zero-trust approach even with slower-than-desired patch cycles in large government networks helps prevent sophisticated attackers trying any opportunity to get in and move laterally.

NUNEZ: There has always been a focus on risk mitigation within government. Information security commands the highest priority for an organisation’s risk strategy. Attempting to identify uncertainty of future events and outcomes is at the core of any federal government risk strategy, whether information security risk or other identified areas of risk. The government has a systematic approach to minimising this potential risk, and it appears to be open to new initiatives and solutions for the reduction of information security risk.

WILKINSON: A reasonable level of security awareness now exists throughout the majority of government departments. At the federal level, this is pushed by the ASD and its ‘Strategies to Mitigate Targeted Cyber Intrusions’. However, it appears the motivation for improving security is still being pushed by IT staff and the CIO rather than being included as part of an overall risk management plan.

ELLIS: Historically, the ways in which systems are designed tend to focus on the ‘need to know’, but today information systems are very much structured around a ‘need to share’. The dichotomy between the two approaches is where the challenge lies at the moment, as a lot of the security models traditionally used by the government will no longer be as effective today. Therefore, it is vital for government agencies to address the finer details — they need to look at new security models and architectural frameworks by which information can be shared in a secure fashion, so as to narrow the gap in the risk profiles and scale more efficiently.

SOLTERBECK: Unfortunately, based on any objective view of the threat landscape, the current information processes and tools are not capable of creating the right balance. We believe that there needs to be a fundamental rethink of the current compliance-based approach. The adversaries are moving faster than our current tactics are capable of responding. New more agile process and procurement methods are required.

Is it better for agencies to build their own IT security capabilities, or can outsourced options meet government requirements?

GREEN: Demand for managed security services is on the rise as many governments struggle with an increasingly complex threat landscape, a shortage of skilled staff and the need to rapidly adapt to changing business conditions, while still keeping security costs under control. Agencies that are struggling to build their own capabilities should consider outsourcing IT security to managed security providers. Outsourced partners can simplify management, provide the flexibility to tailor solutions, give agencies more granular control over the IT stack and reduce the total cost of ownership.

NUNEZ: Typically, government agencies do not develop their own products for network security. Strategies such as the network segmentation and segregation guidelines and the ASD top four mitigation strategies, for example, are designed as the framework for good governance for an appropriate security strategy. But these steps are reliant on partnerships with external private organisations to provide the products and, in some cases, services to assist them to deliver the desired security outcomes. ICT security product providers and government need to continue to work closely together to ensure that there is adequate flexibility from both parties to meet all required governance.

STEER: Many organisations struggle to either hire or internally develop the requisite skills levels to keep abreast of the continually evolving environment. As compliance and regulatory environments also change, the security environment becomes even more complex to manage. Add in the issue of security threats now operating in an automated manner and many organisations cannot keep pace on their own with advances in attacks. We’re certainly not advocating a total handover of security to a third party as ultimately accountability for adherence and compliance remains the government’s responsibility. However, outsourced managed security solutions in conjunction with a robust internal security program can combine to create a flexible, compliant, partnership-driven approach that can be highly effective.

WILKINSON: There are a number of considerations that need to be taken into account when considering outsourcing security. Outsourcing has the potential to improve ROI through economies of scale. However, it is also important to ensure that outsourced services are properly managed by appropriately experienced staff. All too often the security function is outsourced and internal staff are reassigned, leaving no appropriately qualified stakeholders to ensure that the service provider is meeting the organisation’s needs.

EILON: There is not a one-size-fits-all approach to cybersecurity, and each department needs to be assessed on a case-by-case basis. What we do know is that today’s threat landscape sees increased use of kill chains and attacks that utilise multiple vectors in a blended attack. For those who outsource, this means the importance is no longer just about having ‘security in-depth’ by having multiple vendors, but instead having a single vendor who can provide intelligent and contextual security to stop threats across the entire kill chain. The benefit of outsourcing is the ability to quickly scale security programs. However, it’s critical for government partners that need to understand compliance obligations as they impact the delivery of services.

How well are information security concerns being addressed within the overall information strategies of government departments and agencies?

WILKINSON: This is a very broad question. Larger departments and agencies tend to be aware of the need for security and to have dedicated security staff, or at least have IT staff with a reasonable level of security competency. Having said that we are seeing compromises of government organisations; for example, the Bureau of Meteorology in December 2015 and Western Australian Parliament in February 2016. The fact departments are being compromised clearly indicates that their security is inadequate.

SOLTERBECK: The prioritisation of strong cybersecurity practices and understanding of the threat environment is probably not equal across all government departments. We have spoken with a number of federal government departments, and there has been a lack of consistency and comprehension of the strategies needed to better respond to threats, as well as the necessity of building a strong security culture — and not just within their security teams.

NUNEZ: The Australian Government takes information security very seriously. Developed through the Attorney General’s Department is the Protective Security Policy. The policy is comprehensive and is designed to assist agency heads and senior executives to identify their responsibilities in relation to major security risks to their people, information and assets; provide assurance to the government and the public that official resources and information provided to their entities are safeguarded; and to incorporate protective security in their culture. There are 36 mandatory requirements as part of the framework of the policy. The ASD’s information security manual has been developed to complement the Protective Security Policy framework.

ELLIS: Earlier this year, the Australian government established some really strong policy settings through the introduction of the national Cyber Security Strategy. However, every agency has a different degree of maturity, so there will always be challenges with how strategies are implemented due to resources, budgets and conflicting priorities, amongst other factors. So the biggest question is not the ‘what’, but the ‘how’. At a policy level, the federal government has certainly set up the right framework, and if we were to compare Australia to regional counterparts, we have certainly done a very good job at defining the policy settings for the government and industry.

How does the maturity of these processes compare between federal, state and local jurisdictions?

NUNEZ: The federal government’s approach could be seen as a more comprehensive strategy. As the goal posts continue to shift, the federal government is looking to be up to date and continually vigilant. Yet, as seen recently with the issues arising from the Census, it is evident that members of the public have very valid concerns about the security of their own personal information.

WILKINSON: There is significant difference between the efforts of smaller organisations and government departments compared to larger ones. For example, local councils appear to lack the resources to implement comprehensive security programs. Larger departments such as the defence and intelligence agencies, with a high level of security awareness, have better resources for cybersecurity. And as with business, smaller departments tend to underevaluate the risk.

SOLTERBECK: The disparity between the jurisdictions is very evident, especially with local and state governments where they typically lack the specialised security resources and skills to be able to protect their assets and constituents as rigorously. Local governments are prime attack targets as they have a wealth of private citizen data, which can be used for identity-related crimes — and they are typically viewed as an easier target due to less stringent preventive mechanisms and breach identifiers.

How much guidance are bodies such as the Australian Signals Directorate and Digital Transformation Office providing?

STEER: There has been a tremendous amount of support provided by bodies such as the ASD to help organisations continue to build and strengthen their security capabilities. The ASD has been integral in creating references; providing deep and relevant advice, awareness, education and evaluation; as well as working alongside agencies to help create stronger defensive and aggressive cybersecurity capabilities. There’s been a marked increase in support and engagement, as well as increased focus on sharing more relevant security information amongst all agencies as the security threat environment evolves.

ELLIS: ASD is world class when it comes to offering technical guidance to government and civilian agencies. This is evident by the numerous publications that ASD provides, specifically the Information Security Manual and the Strategies to Mitigate Cyber Intrusions. The problem isn’t with the ASD, which, along with the Prime Minister and Cabinet and the Australian Cyber Security Centre (which PMC and ASD are part of), has done a great job in defining the ‘what’ in what needs to be done. The issue is with the ‘how’, and this is centred on a shortage of skills, funding and prioritisation of investment.

EILON: In 2010, ASD developed a list of 35 strategies to assist Australian government entities achieve the desired level of control over their systems and mitigate the risk of cyber intrusions. ASD has advised that if fully implemented, the top four mitigation strategies would prevent at least 85% of the targeted cyber intrusions to an agency’s ICT systems.

However, while the ASD provides useful guidance on potential controls and strategies to prevent the malicious entities from entering the network, there are some pretty significant risks that these controls fail to address. Primarily, and unfortunately, third-party agencies agree that the types of risks that cause the greatest cost to agencies today come from inside the network, and not from outside. Therefore, strategies need to be developed to prevent data breaches not just from intrusions but from internal extractions too.

Related Articles

Building secure AI: a critical guardrail for Australian policymakers

While AI has the potential to significantly enhance Australia's national security, economic...

Building security‍-‍centric AI: why it is key to the government's AI ambitions

As government agencies test the waters of AI, public sector leaders must consider how they can...

State government agencies still struggling with securing user access

Audit reports have shown that Australian government agencies in four states experience challenges...


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd