Government agencies, like businesses, are spending increased time and effort to move their systems into the digital age, redesigning websites and introducing new applications to interact with stakeholders and citizens.
In the year ahead there will be a major acceleration of government digital programs spearheaded by the Digital Transformation Office, which has already committed to a new beta business registration site and a new Medicare application platform by March next year.“We are in a 21st century arms race between attackers and defenders …”
But the rapid shift to digital comes with the associated risk of cyber attackers seeking to make mischief, steal trade secrets and other sensitive information.
While cybersecurity awareness within government is growing, so too is the realisation that existing defense strategies are imperfect. There is, as yet, no “whole-of-government” or common security architecture. Individual agencies, each with special needs, stakeholder-facing services and privacy concerns, wrestle with getting as much value as possible from existing technology investments, while adding layers of security to address gaps.
How well agencies are able to weave together security point products from multiple vendors to create an effective and adaptable security framework — without losing system performance and ease of access for customers — is a key challenge for agency leaders, CIOs and web directors.
As cybercrime and cyber attacks grow in frequency, sophistication and intensity, reactive, “gap-filling” approaches to defence are costly, time consuming and ineffective.
“I see two broad attitudes toward cyber defence today, both of which are inadequate,” said John Ellis, chief security strategist across Asia-Pacific for Akamai, an American firm that is the world leader in content delivery networks. “One centres on pursuit of perfect security with zero breaches or incidents. The other takes the view, ‘you’ve already been breached’. Neither view provides meaningful direction to senior executives and stakeholders.”
A more effective approach is to build cyber resilience, a level of preparedness both technologically and organisationally that can quickly identify and cope with any situation, whether a DDos attack or a data breach. This approach takes the defence conversation and leadership away from implementing a specific set of technologies countering specific threats and toward a design goal about resilient business and technology systems.
“We are in a 21st century arms race between attackers and defenders at the same time government agencies are wanting to open up and transform their service delivery for citizens and stakeholders. It’s an extremely fluid and dynamic environment. So we need to reflect this in our approach and mentality toward cyber attacks,” said Ellis.
“We also need to move this discussion to the executive suite. Effective defence is no longer the sole responsibility of the IT team. Making sure all key stakeholders have a clear and realistic view of what’s happening in their agency and their role in creating a resilient environment is vital.”
Building resilience starts with asking some key questions, adds Ellis. “Does my agency have a total defence strategy? Do I have the skills and the budget to implement my strategy? Do I know where the gaps in my defence are and how can I address them in the next budget cycle? How confident am I?”