Zero trust a must in govt cybersecurity
By Philip Goldie, Vice President and Managing Director, Okta Australia and New Zealand
Wednesday, 28 September, 2022
The Australian Government’s reported plans to ‘recast’ the country’s cybersecurity strategy are a timely opportunity for public sector organisations to build community confidence in government digital services.
Our view is the strategy should build on organisations’ growing use of ‘zero trust’ to secure applications and data, both for citizens using government digital services and employees, contractors and other parties that need to access these resources.
By embracing zero trust, departments, agencies and other public sector bodies can address the challenges presented by a threat landscape that continues to evolve quickly, due to the explosion in remote and hybrid working, growing geopolitical tension and the move to digital across all sectors.
Unfortunately, ignoring these challenges is not an option for government organisations. Community confidence in digital interaction is at risk from an increase in cyber attacks over the past 12 months, with one cybercrime report made approximately every eight minutes, and the Australian Cyber Security Centre estimating that cybercrime costs the economy more than $33 billion a year.
According to the recently released Cyber Security Industry Advisory Committee (IAC) Annual Report 2022, Australia is an increasingly attractive target for malicious actors. Using sophisticated tools and techniques, these cybercriminals steal money, data or intellectual property, disrupt business operations and compromise critical infrastructure.
Adopting and maturing zero trust initiatives can deliver the improved cyber hygiene needed to build trust, increase service take-up and reduce the threat of attack.
Complementing digital service delivery with an effective government cybersecurity strategy can help achieve these objectives, and we welcome the recently reported comment by Cyber Security Minister Clare O’Neil that the country’s next strategy would be a “whole of nation effort”.
So, what is zero trust? Based on the belief that every user, device and IP address accessing a resource is a threat until proven otherwise, zero trust demands strict access controls and verification before allowing the connection to resources such as applications and data.
This approach should be continually encouraged, monitored and assessed to improve security outcomes.
Why the need for zero trust today? The approach recognises that security models based on ‘trusted’ internal networks and ‘untrusted’ external networks are not properly equipped to accommodate the need for trust relationships to extend to a wide range of people who need access — including citizens — regardless of their location, device or network.
Implementing MFA to secure digital services
Establishing those trust relationships means adopting an approach that puts identity at the centre of zero trust. Key to this approach are modern login technologies that replace or augment traditional passwords with authenticators that are more convenient and secure.
Based on our observations of how easily malicious individuals can compromise accounts protected only by passwords, we applaud the widespread use of multi-factor authentication as part of an identity-based approach to protect citizen access to government services.
Recent positive steps include the substantive overhaul in 2021 of the Australian Cyber Security Centre’s Essential Eight Maturity Model to require Australian Government agencies to apply multi-factor authentication to the digital services they provide to the Australian public. According to the updated advice, a baseline level of maturity demands that multi-factor authentication be applied when non-employees (Australian residents) connect to the agency’s internet-facing services.
Implementing zero trust to help protect citizen and government data — incorporating multi-factor authentication as part of an identity-based foundation — can help mitigate cyber risk, build trust and ensure the continued take-up of government digital services.