The Department of Human Services will take on three other giants of the Australian Public Service in its first cyber war game this September, and the invitation is still open to other agencies.
The Australian Taxation Office, Department of Defence and the Department of Immigration and Border Protection have all taken up the challenge, which is likely to become a yearly exercise.
The staged conflict will take place in a new cyber range being built by DHS, a virtual environment featuring various cyber-terrain designated as belonging to red and blue teams, as well as a grey area in between that simulates a group of innocent bystander organisations.
“That’s in the process of being built,” the department’s chief information security officer Narelle Devine explained.
The new cyber range will make use of an existing “urban vulnerability simulator” — basically a Lego city that was originally built to play out similar cyber attack-and-defence scenarios with high school students to promote information security careers.
“So once this is all built, those two things will be joined and we will be able to run a series of games where they will be able to actually practise trying to manipulate the code to get into different elements of critical infrastructure,” Devine told The Mandarin.
Her boss, chief information officer Gary Sterrenberg, told a recent conference that information security teams needed to learn how adversaries mount cyber attacks in order to defend against them. “It’s all a big game of chess really,” in Devine’s view.
“You need to be constantly scanning and you need to be doing a lot more — and a lot more proactively — if you want to be very good,” she said.
“There’s a bunch of different adversaries out there at the moment and they all have different motives, and while some of those motives are more applicable to us than others, it’s very beneficial for us to train against all of those types.”
The long-term intention is to open up the annual cyber war games to academics and info-sec professionals from the private sector and other organisations, including those in state and local government.
“We’re still sort of scoping out how that will look like into the future, but we’re certainly building this for longevity and to be able to use it repeatedly with different audiences,” the Human Services CISO said.
Raising the profile of government’s cyber and STEM roles
The virtual environment where the war games will take place is not based on the department’s real architecture, nor is it tailored to the various agencies under its umbrella, because it is designed as a training facility for other organisations to use.
“We wanted it for our staff, to be able to train them, and then when we started looking at the benefits, it was definitely worthwhile to do it so that it could be used for multiple government agencies,” said Devine, who came to the department following a cyber security role with the Navy.
She came into the public service role last October with an ambition to draw on elements of her experience in the military, such as realistic training scenarios.
“We accept that while critical infrastructure isn’t our game, it doesn’t really matter which environment you’re training in.”
“It’s all about that mindset and that thinking, and the ability to manipulate code to do what you want it to do. So it doesn’t matter what it is, really, and this provides us with a good backbone to do that.”
The simulated cyber war is not supposed to be a big secret either, or involve any sensitive or classified information.
“It’s supposed to be out there so that we can use it across departments and across industry,” said Devine.
“The whole concept is that it’s a more open mechanism for us to have that discussion about cyber and also be able to promote it, particularly to STEM [science, technology, engineering and mathematics] students and our grads and our apprentices, to give them a bit of exposure and to give them mini-targets to train on as well.”