Agencies need to be battle-hardened to repel cyber attacks

Date: 2022-10-19

How safe are Australia’s information systems and critical infrastructure from attacks? How well are specific agencies prepared to deal with the increase in digital attacks by rogue players?

Australia’s agencies are clearly aware of threats and cyber attacks attributed to foreign actors. High-profile corporate data leaks, such as those that impacted Optus and Telstra, have heightened concerns.

It’s a challenging environment for governments across the globe. A recent US survey found that 58% of state and local government organisations were hit by ransomware in 2021, with 72% reporting that hackers encrypted their data.

Agencies such as the Department of Home Affairs, Attorney-General’s Department, Australian Cyber Security Centre (part of the Australian Signals Directorate) and Digital Transformation Agency (DTA) have carriage of various aspects of ensuring appropriate levels of cyber resilience.

Determining how well government departments grapple with cyber threats will depend on a range of factors: how they strategise or war game what might happen in the future, what they’re doing to test new technologies designed to protect government infrastructure, and what gaps watchdogs have found in government processes that need tightening.

Dealing with cyber attacks

Wargaming – or scenario analysis – is one way governments, their departments and agencies work through threats to national security.

Professor John Blaxland from the Australian National University said wargaming tests strengths and vulnerabilities in systems to determine what might happen in conflict. “It’s an iterative process,” he says. “It’s like a board game with two or more players. It’s a critical tool in planning.”

Blaxland says wargaming provides a context for looking at possible decisions and how they might play out in a conflict or crisis. It enables governments and, in particular, their military forces to be prepared in the event of physical or digital aggression.

He says wargaming is particularly effective where there are “forks in a road” – it can help authorities determine how to mitigate risks in a series of ‘what if’ scenarios.

Wargaming or scenario analysis looks at probable scenarios, but there are other steps for government to improve cyber resilience. Another factor is what departments do to make existing systems more resilient to attack.

The DTA participates in a program piloting cybersecurity hubs to regulate access to the online world. But according to the 2022 annual report of the Cyber Security Industry Advisory Committee, cyber hubs need more resources to do the job for which they were designed.

“Government systems continue to be a prime target for malicious actors,” the report says. “There have been many examples of attacks on infrastructure both at a state and federal level, including service delivery agencies, government departments and political offices.

“The cyber hubs that have been established to lead this, coordinated by the government’s Digital Transformation Agency, need to be given more teeth and their work needs to be accelerated.”

The committee says the government has spent a lot of time focused on what businesses need to do to boost their cybersecurity but notes the government must make greater progress in protecting itself.

“It is also important that government makes progress to harden its own systems and cyber defences,” the report says.

“In asking Australians and Australian businesses to support the strategy, government needs to be role-modelling cyber best practice in its own operations, while also improving the security of increasingly digital government service delivery.”

Home Affairs cybersecurity audit

One way citizens become aware of government’s preparedness to deal with cybersecurity threats is when the Australian National Audit Office (ANAO) scrutinises an agency to see if it has the right processes and procedures to manage the monitoring and mitigation of threats.

The ANAO took a deep dive into the administration of critical infrastructure protection policy and found the Department of Home Affairs failed to ensure all of its processes were up to scratch.

“The department has partly effective governance arrangements to administer critical infrastructure protection policy,” the ANAO report says. “Implementation of critical infrastructure-related risk assessments and reporting was not captured in risk documentation.

“The effectiveness of the department’s stakeholder coordination arrangements is reduced by not having an engagement strategy and providing limited support to other critical infrastructure regulators.”

The ANAO also found the department’s performance framework that dealt with critical infrastructure left a little to be desired. A rather lengthy list of improvements appeared in the ANAO report, including performance statements, regulatory performance assessment and “use of internal measures to inform policy and regulation requiring improvement”.

The ANAO even found lacklustre governance arrangements.

“The department’s critical infrastructure risk management does not represent an integrated approach to risk management between its enterprise and operational, legislative and policy functions,” the report says.

“While the department undertakes coordination activities with key stakeholders, including through some long-established forums, it does not have a documented stakeholder engagement strategy to identify the engagement purpose, means by which engagement occurs or scenarios are managed, or the basis for there being more established information-sharing arrangements with some key stakeholders than with others.”

